SecureWorks talks ransomware, cyber fraud and social engineering

SecureWorks talks ransomware, cyber fraud and social engineering

Gopan Sivasankaran, Security Architect at SecureWorks

Intelligent CIO caught up with Gopan Sivasankaran, SecureWorks’ Security Architect at this year’s GITEX Technology Week to discuss the evolving cyberthreats targeting organisations, and individuals, today.

Q: What is SecureWorks focusing on this year at GITEX?

A: This is the first GITEX as part of the Dell Technology family as such with all organisations within Dell Technologies showcasing our solutions in a single platform. It’s been great so far. I see this more as a networking event, where you get to be in touch with potential prospects and some existing clients, some of the partners and even get to meet your own colleagues from other parts of the business.

Q: What were the key findings of SecureWorks’ State of Cybercrime report?

A: Secureworks has been tracking cybercrime activity for over a decade now. We released an annual report State of Cybercrime publicly to educate the community about the threat landscape and the common trends we are seeing in the industry. The goal is to help organisations better protect themselves from current and emerging threats.

One of the top findings is the risk associated with business email spoofing. I personally have been involved in some of the incident response calls with organisations who were affected by such attacks. The case could be something like this: a CEO sends an email to the CFO asking to transfer funds to a particular account within specific time frame. As this email appears to be coming from the CEO of the company (it’s actually a spoof), the employee gets pressurised to complete this task without validations. These combinations of social engineering are actually compromising the systems. Our researchers assess that these kind of attacks will continue to grow due to their low barrier to entry and high payout potential.

Ransomware is another major threat that has dramatically increased in the past year or so. Ransomware has made people take information security more seriously in the modern day. SecureWorks has observed nearly 200 new named ransomware variants in 2016 alone, up from the 90 in the previous year and this is continuing to grow. Everyone has heard about Wannacry, Notpetya etc, those attacks were able to generate massive impact including a number of systems within the region. These are not isolated events, we should expect more of these primarily due to the profitability nature of the attacks.

We have also observed large scale cyber fraud in the banking industry by organised criminal groups. There are numerous banking Trojans observed recently that will infect the computers of the victims and steal the victims’ banking credentials. These credentials will be used to steal money from the victims’ online accounts. One thing to understand here is the fact that malware targeting is diverse and not limited to major banks. Wealth management companies or even payroll processing portals could be their targets.

Q: Do you foresee an increase in cyberattacks that are utilising people’s personal social media?

A: Yes. Big time. I personally believe that human beings are the weakest link in any organisation. Whatever security awareness training we do, still you see lots of vulnerable resources. Social media is a top platform to launch such attacks.

In early 2017, our research team observed phishing campaigns targeting several entities in the Middle East, with a focus on Saudi Arabian organisations. The campaigns delivered a remote access Trojan named PupyRAT, a research and penetration-testing tool that has been used in attacks. If installed, PupyRAT gives the threat actor full access to the victim’s system. When observed closely, these were highly targeted spearphishing and social engineering attacks from a threat actor using the name Mia Ash.

We found that this was a well established connection of fake social media profiles under the name of a London-based photographer who has connections within IT department of targeted organisations. What has a photographer to do with IT? First the connection is made on LinkedIn. After establishing trust, Mia sent a Facebook invite and continued the conversation there. Then established other communication channels such as WhatsApp and then sent an Excel sheet to the victims personal account, disguised as a survey, and encouraged the receiver to open the sheet on their work system. The survey contained macros that, once enabled, downloaded PupyRAT.

We have been tracking a particular threat actor group, COBALT GYPSY, since 2015 and the methods they use suggest that the group is associated with Iran. Our researchers conclude that COBALT GYPSY is the group behind the Mia Ash campaign who created the persona to gain unauthorised access to targeted computer networks via social engineering. We would be expecting more of these attacks in the future, which reinforces the importance of recurring social engineering training. Organisations must provide employees with clear social media guidance and instructions for reporting potential phishing messages received through corporate email, personal email, and social media platforms. Don’t accept connections from people whom you don’t know.

Q: What are the top challenges you see for the next two years?

A: Two years is a long time for security – one thing that we observe is lack of skill sets in the region, it’s a big, big challenge. Every organisation I meet, I ask, “How big is your security team?” And they say, “We’ve got one resource, one and a half resource,” so there is clear shortage of skill sets. According to the statistics, for every 20 jobs published in security, there is only one right resource. There is no security professional without a job, so it’s very difficult to retain people which is a top challenge.

The other challenge we see is incident response. You got hit, now what to do next? It’s predicted that in the coming years the maximum amount of budget on security will be spent on incident response, which is an indication of what is to be expected. We are going to see massive trends moving in that direction when people are being targeted, lots of money-related financial fraud is happening. We don’t see the right level of expertise in the region to perform incident response activities to the fullest, barring very few organisations.

I personally see four dimensions to what organisations must focus on; there is people, process, technology and intelligence. In this part of the world, (I’ve lived here since 2006) I’ve seen the majority of organisations invest a lot on technology, but the other three areas are generally ignored. There is a lack of people, processes and intelligence. Organisations should look at where they stand on these areas and look for ways to improve and find the right balance.

A blog written by Gopan on this subject is available here.

Browse our latest issue

Intelligent CISO

View Magazine Archive