Background information

Cyber attacks on companies: «There’s certainly been an increase in cases»

No company seems safe from cyber attacks at the moment. In this interview, Senior Cyber Security Analyst Stefan Rothenbühler explains how companies become victims, what the hackers want and how you can protect yourself.

Stefan Rothenbühler has been working for the Baar-based cyber security company InfoGuard AG for six years. What’s behind the current wave of cyber attacks? The experienced security analyst explains.

Stefan, your employer InfoGuard focuses on cyber security – do you deal with hackers on a daily basis?
Stefan Rothenbühler: You could say that. I work in the Computer Security Incident Response Team, which is InfoGuard’s «fire brigade». We come in when a company has suffered a hacking attack. Not a week goes by without one or two new cases.

So, have cyber attacks really increased or is this just smoke and mirrors perpetuated by the media?
Cyber attacks have increased very sharply in the last few years; this is definitely not just smoke and mirrors. Sure, the media addresses it more often – there’s more openness these days – but there’s certainly also been an increase in cases.

Which companies turn to you?
A lot of SMEs. Nowadays, fewer large companies such as banks or insurance companies are hacked. The larger companies that do contact us are mainly industrial companies. Like many SMEs, these industrial companies have not yet built up as strong a protection as banks, for example.

How does a hacking attack occur?
There are three very common gateways. First, a lack of multi-factor authentication (MFA) – i.e. when access authorisation is granted via one point only. MFA is mandatory in companies nowadays. Nevertheless, attackers were able to penetrate the system due to a lack of MFA in 70 to 80 per cent of our cases. It’s very easy to guess a password. There are bots on the Internet that do nothing else all day. A weak combination of the company name and the year is very quick to crack. This means that if a company doesn’t consistently use MFA everywhere, it’s gross negligence and only a matter of time before things go south.

What’s the second gateway?
Phishing or spam e-mails. For example, the kind that invite you to download a program to track a supposedly lost package. Virus protection often fails, and so-called remote access Trojans are installed on the computer as a result. If MFA isn’t enabled and an employee enters a password on a phishing website, attackers can immediately access the network, too.

The third attack surface is security vulnerabilities in products, which are exploited very quickly. This could be a vulnerability in the Microsoft Exchange server or on collaborative platforms such as Confluence, which hackers are able to exploit within hours.

«Does the company want to focus on protection alone or also prepare for an attack?»

Is a company safe if it has these three points under control?
It’s certainly well positioned. But there’s no such thing as one hundred per cent security. The question is: does the company want to focus on protection alone or also prepare for an attack? Banks and insurance companies have already undergone a paradigm shift. They preemptively prepare for hacking attacks. In the past, security meant that a company would create a «moat» around its infrastructure. We’ve since moved away from this castle-style thinking. Now, it’s more important to quickly detect an attack and correctly respond to it.

Does this mean that sooner or later companies will be hacked anyway?
Yes, that’s right. This is because there’s an entire industry with many players behind the attacks. First, a password collector tests passwords – if he finds one that works, he takes it to a darknet forum, where he sells it for five to ten dollars. Passwords from larger companies are available for as little as a hundred dollars. This is bought by an access broker, who enters the network and looks at what he can learn from it. He collects information about the company, its annual turnover and the user’s permissions.

What happens next?
The access broker in turn goes to the darknet and sells his work – a verified access point – to a so-called affiliate. This is a petty criminal or crypto kiddie. The affiliate is the first to enter the network for the purpose of stealing or encrypting data. However, he doesn’t actually do the encryption himself; he purchases ransomware. Hence, it’s known as «ransomware as a service». The ransomware operators get a share of the spoils, which is how the whole operation is financed.

So, it’s become easier to hack someone?
Exactly. That’s why ransomware is on the rise like it is. In the past, you had to be on top of your game and know something about hacking and programming to launch a cyber attack. You had to do every step yourself. But today, a large market with a whole ecosystem has materialised. As a result, it’s significantly easier these days for petty criminals to encrypt data than to rob a bank.

How long do victims have to deal with the consequences of a cyber attack?
That varies greatly – but at least several weeks, if not months. Most of the time, we support the victim for one to two weeks. After that, the company has been back on its feet long enough to continue on its own. A cyber attack can be a serious blow to a company. It results in immense, unexpected costs. The ransom demands are only a small part of that. Depending on how much revenue a company generates, the cost of the interruption in business can reach millions. Then you need to factor in overtime: external IT service providers and the company’s own employees have to put in countless hours of work – often on weekends.

How high are ransom demands?
Typically two to three per cent of annual sales. Cases that go beyond this are rather rare. Of course, if a company makes 500 million in annual sales, you quickly reach a sum of 20 million.

The National Centre for Cyber Security (NCSC) recommends not paying ransoms – do you follow the same principle?
Yes. In the end, you’re financing crime or even terrorism and authoritarian regimes like North Korea. Sometimes, unfortunately, payment is unavoidable. For example, if the attacker has encrypted the backups, too. If the payment isn’t made in this case, the entire company is just gone. However, payments are also made if the hackers could publish sensitive data of private individuals. These days, extortion isn’t done on the basis of encryption only, but also on the threat of publication.

«We always conduct mock negotiations in an effort to find out more about the attackers.»

Does that mean the attackers communicate with you?
Yes. We always conduct mock negotiations in an effort to find out more about the attackers. This allows us to find out the ransom demand and to see what the attackers are like to deal with. Based on that, we can guess at their origin. Sometimes we even find out how the attackers got into the system. They sometimes brag about how easy it was to penetrate it in a specific way.

How do you communicate with the attackers and in what language?
So far, we’ve always gone for English. The response may come in broken or very good English. In the case of ransomware, the chat takes place over the Tor network on the darknet. We’ve also had cases where the attacker picked up the phone and called the company.

Can you pick out any differences between the different attackers?
Yes – by now, I can sense very quickly what kind of attacker it is. The tone of voice alone tells me whether I’m dealing with organised crime or just a petty criminal. The exchange with a professional attacker is quite the interesting affair. The conversation takes place on a business level. With petty criminals, on the other hand, certain mistakes occur that wouldn’t happen in an organised group – a password being forgotten, for instance.

These negotiations are very similar to police work. Did you have special coaching sessions, or did you learn on the job?
Our supervisor previously worked as a cyber investigator. And you do learn a lot on the job. We work very closely with law enforcement and the federal government as well as with the NCSC and the cantonal police departments. We maintain a lively exchange with them. To my knowledge, however, the police themselves don’t conduct any negotiations.

Some attacks are reported to the NCSC. People in our comments section have claimed that what happens then is a single line is entered into Excel, and that’s problem solved – is this true?
(laughs) I don’t know what the internal processes are at the NCSC. We experience our cooperation with the NCSC as very valuable and purposeful. A single line of Excel can, in fact, be very valuable. In addition to the attacks, any transactions are also registered. If the attacking group makes a mistake at some point that allows the attack to be pinpointed to an individual, the victim might be able to get the money back. Listed companies, companies subject to FINMA, and certain players in critical infrastructure are already obliged to report hacking attacks. In addition to the reporting obligation, it’s also important that the public is informed. There has been a change in this respect: companies are reporting attacks much more openly, because the topic is not as taboo as it used to be. This has great advantages.

«It’s always better when companies themselves communicate the attack, rather than the public finding out through the media.»

How so?
It’s always better when companies themselves communicate the attack, rather than the public finding out through the media. When communication is clear, people are more understanding. It can even lead to unexpected outside help. We had customers who went to the press after an attack and were then suddenly offered help from other parties who had experience with that type of attack. I find that commendable.

What lessons can private Internet users learn from this wave of attacks?
Use common sense and be more deliberate in what you do. Of course, there are also concrete technical measures you can take: first, MFA. Activate it whenever possible. MFA offers great protection. While not invulnerable to attacks, it sets the hurdle much higher.

And second: be mindful of what you do. Ask yourself, «Do I really need a program to track my package? Why do I have to click on this exact link?» Visiting illegal websites, such as illegal streaming sites, is especially problematic. It’s very easy to click on the wrong thing. I often deal with patient zeros, i.e. people who clicked on something they shouldn’t have. And they always tell me that they realised their mistake a second after clicking. So, think twice before you enter your password anywhere.

And your third tip?
A concrete tip for online banking: create a separate user account on your computer to do your online banking. I say this because banking Trojans usually infect only the user, and not the entire system. This means that in an attack only the isolated user is infected. My fourth tip: don’t reuse passwords. You should use a different password for each website, which is why it’s recommended you use a password manager. In addition, you should change your passwords once a year. Finally, my last tip is to perform regular security updates. They’re done automatically, but it doesn’t hurt to periodically double-check in your apps.

«I’d like Switzerland to be a safe haven again like it used to be – not only for people, but also for data.»

If you could look into a crystal ball, what would the ideal cyber security situation be in your eyes?
Unfortunately, we probably can’t get rid of the attacks. But we could take the focus off Switzerland a bit. Our wealth is well known, and that makes us a lucrative target. I’d like Switzerland to be a safe haven again like it used to be – not only for people, but also for data. I think that’s suffered a bit lately.

Because of the general conditions, or because Switzerland has missed a trick somewhere?
You can always argue about whether or not Switzerland has missed a trick in view of digitalisation. I know the companies’ perspective: they want to produce goods. So, security understandably isn’t their number one priority. But if we could strengthen the network of those touched by such attacks, we’d be well on our way.

So you’re hopeful?
I’m very hopeful, though certain facts do scare me. Today, it’s industrial companies that get hacked. But what if an attack hits a nuclear power plant or a hospital? What happens when it costs actual lives? In light of digitalisation, more and more areas of our lives are dependent on digital infrastructures. Imagine you’re driving 100 kilometres per hour on the highway, and your self-driving car gets hacked. What do you do then? I’m certainly haunted by thoughts like that.

«I want it all! The terrifying lows, the dizzying highs, the creamy middles!» – these words spoken by an iconic American TV celebrity could have been mine. It’s a take on life I also apply to my job. What does this mean in concrete terms? That every story has its charm, no matter how small, large, exciting or trivial. The more eclectic the mix, the better.