Video: 10 Minute IT Jams - Security expert discusses changing cyber-attacker behaviour
Cyber criminals have seized on uncertainty brought by the global pandemic.
Brooke Chalmer, Senior Manager of Product Marketing at SonicWall, says cyber attackers have swiftly adapted to the world's new working norms, deploying targeted scams and exploiting vulnerabilities exposed by mass remote working.
Chalmer outlined these challenges in a recent discussion, noting that as with any major trend, cyber attackers are quick to exploit unfolding events for their own ends. "Ultimately, just like anything that's trendy, people like to name things or jump in on the bandwagon and try to get more attention," he said. "In the case of Covid-19, we're seeing a lot of people develop Covid-19-themed or coronavirus-themed malware, ransomware, etc."
Attackers have demonstrated remarkable creativity, especially with email-based threats. "The most creative attacks I saw were where people would actually email an infected PDF or Office document to someone and say, 'Here are your new standards for operating with the new business normal,'" Chalmer explained. These emails appeared to come from legitimate sources, such as government agencies or employers. "People were clicking on this because this looks like it should come from a third-party source and not from inside your domain, so people were falling victim for those type of scams," he said, adding, "We saw over 20 different scams very much like that during this time."
When asked about how criminal tactics have shifted, Chalmer argued that while motivation is largely unchanged, the methods have evolved. "Obviously there probably will never ever be a change in motivation - it always varies from person to person. But ultimately we're seeing more targeted attacks," he stated.
He highlighted his past experience with Russian hackers, noting that even highly organised groups are refining their techniques, becoming "more focused." This change is clearly visible in industry data. "We're seeing, roughly over the first half of this year, a 33 percent drop in the overall malware volume," Chalmer said. However, he cautioned against complacency. "Naturally you would think that this is very good news, but what this means is it's less spray and pray and far more targeted attacks."
This apparent decrease in general malware has coincided with an increase in sophistication. "A 33 percent reduction in malware, but we're seeing a 63 percent rise in new variants that we're finding with real time deep memory inspection," Chalmer observed, referencing SonicWall's proprietary technology designed to detect advanced threats.
Cyber attackers are also moving more aggressively. "We're seeing intrusions up by 19 percent. Obviously that's designed to get in, exfiltrate data or ransom servers," he said. Ransomware remains a significant concern, with a "20 percent rise" in attacks, and a growing preference for using Office files as attack vectors. "Now Office documents are the method of choice for attacking people," he noted.
Attackers are mining widely used software in particular for vulnerabilities. "Naturally, it's whatever new vulnerabilities are being exposed," said Chalmer. Microsoft Office, he explained, is a major target. "With Microsoft Office you're going to see a few more vulnerabilities than you would see with some other things like PDF. PDF was only 10.6 percent of all of the attack factors that we see out there today… conversely, Microsoft Office and the suite there about 22 percent of all of those attacks." The preference shifts, he said, depending on what the vulnerabilities permit. "It always shifts and changes based on what that vulnerability will allow for you to do in terms of take control of an Office desktop or take over control of an administrator's device that can then allow him or her to infect the rest of the organisation," he said.
Big IT service providers have found themselves squarely in the crosshairs. "Which is why last year, 2019, we saw a lot of hosting providers, MSSPs, MSPs being attacked - because they can try to infect a lot of different properties," Chalmer said.
Turning to the cyber security sector's own response, Chalmer sees progress but acknowledges the scale of the challenge. "Now naturally over the last number of years the industry has always been leaning more towards behaviour-based and analytics-based defences for malware and malware defence ultimately," he said.
SonicWall itself has moved to support remote working by extending protections to home users. "We do have our own client security, which is becoming more and more popular all the time because now people are working from home 100 percent of the time, just like me, and we need to make sure that people's endpoints are safe as they are often away from the perimeter," he said.
A shift to remote work has left many relying on less secure connections. "Often just going out to the wild internet and sometimes checking into VPN as they need to," Chalmer observed. "So ultimately, we're seeing that shift on the cyber security front."
The pandemic, Chalmer noted, also triggered a boom for security providers, with companies investing heavily in new technologies to accommodate remote workforces. "The first half of this year, all the different types of technologies and remote technologies were a big balloon for security companies to sell those to their customers," he said.
Where a minority of staff worked remotely before, now "it's 100 percent all the time, right?" Chalmer said, reflecting on the remarkable changes over the past year.
Pressed on the industry's performance, Chalmer concluded, "The industry has done a good job of keeping up, but the threat landscape keeps evolving. We all have to stay one step ahead."