“But savvy, well-meaning employees can be fooled into doing something to allow attacks access to company networks,” he told a Storm Guidance seminar in London.
Few people, he said, would not click on an email that appeared to be a subpoena sent by their personal lawyer – but that would be enough to let attackers into their company network.
Once on the network, the most common tactic, Codling said, is for attackers to seek out privileged users, compromise their accounts and use their credentials to move freely around the network.
“In this way they are able to circumnavigate all firewalls and other security controls to map the network and carry out reconnaissance,” he said.
Next, attackers will either locate and exfiltrate the data they are targeting or identify employees with financial authorisation capabilities.
“If attackers are after money, we have seen them identify and compromise key employee credentials to make unauthorised payments to accounts they control in ten minutes,” said Codling.
Hackers coerce employees
In one case, the attackers had arranged for a series of transfers to bank accounts around the world within seconds of the money arriving, in an attempt to make the funds untraceable.
But in this particular case, said Codling, FBI investigators apprehended the cyber criminal behind the operation as he arrived from Ukraine in the Seychelles, where the money had ended up.
“As long as cyber criminals operate and remain in countries that have no extradition treaty with the country where the crime is taking place, they are untouchable,” he said.
Another tactic is to coerce employees of target organisations into providing credentials by threatening them or their family members.
Codling said that, in one case, the attackers had coerced an employee in the target organisation into helping them by sending the employee a copy of their child's private school bus timetable.
Cyber risk calculation
“Attackers are becoming increasingly adept at using all the information they can collect from social media to coerce people into co-operating with them,” he said.
In other cases, Codling said, the FBI saw cyber criminals use mobile sniffing tools that cost just €150 to monitor everything their targets do on their device, or pay hackers just €400 to get access to the accounts of someone negotiating a deal worth €1.2bn.
Despite a huge and growing arsenal of tools available to cyber criminals, with the barriers to entry being lowered all the time through service-based models, he said some companies are failing to take adequate precautions because they think they are insured against loss and that they are unlikely to be targeted.
“It is essential to assess the risk properly by creating a cyber risk calculation framework that is underpinned by an understanding of data assets and the business,” said Codling.
Businesses should also subscribe to cyber threat intelligence feeds, he said, so they know who is likely to target them; what they are likely to target and why; and how they are likely to do it.