Ray Kafity, the Vice President for Middle East, Turkey and Africa (META) at Attivo Networks, speaks about the current threat landscape and how to handle recent cyber threats
What sort of threat landscape, both current and emerging trends, have you seen in the region and how are they evolving?
The continuing digitization efforts in the Middle East, along with the increased demand and emphasis on remote learning, have added to the growing risk and concern for cyberattacks. The regional cyber threat landscape has become complicated due to the emergence of multiple eminent actors with varying capabilities, motivations, and targets.
In the Middle East, conflict has moved onto cyberspace, where nations with geopolitical interests have pursued attacks and espionage utilizing the infrastructure of other nations to mask their identity. Saudi Arabia has been identified as a potential target due to its size and a rapidly digitising economy. There are many aggressive sources for many nation-state attacks in the Middle East, Turkey, and Africa region, recently being held responsible for interfering with the significant events and organizations worldwide.
These include nations’ election campaigns, major national infrastructure, utility/energy grids, regional events like FIFA 2022, World Expo 2021, etc. In addition, Ransomware attack campaigns have been on the rise in the Middle East. A recent survey revealed that nearly half of the UAE based organisations have been on the receiving end of a ransomware attack.
The attacks have increased both in frequency and variety. Its evolution over the years has made it more targeted, efficient, and mature as a criminal endevour. The survey estimates the financial impact of a ransomware attack to $730,000, discounting the actual ransom.
Traditional digital phishing attacks are still commonplace in the Middle East, with a study reporting that countries such as UAE and Saudi witnessing over 600K and 900K phishing attacks just in Q2 2020. Phishing scams usually take advantage of a lapse in awareness. Usually, they deceive unsuspecting victims into either providing the cybercriminal with confidential data or an entry point into a secure network. Similarly, a cyber actor’s digital identity impersonation can grant them access to confidential or financial data that can cause disruption.
Apart from ransomware attacks, what are the other concerns most responsible for raising anxiety levels?
There aren’t many things that can raise anxiety levels as the loss of proprietary data. Insider threat is a significant security challenge for organisations, especially now since COVID19 has increased VPNs’ use to access confidential data. It’s not always that the disgruntled employee is the source for data loss/leak, but unwitting employees or suppliers/vendors can be targeted by actors to gain access.
Accidental insider exposure is a significant issue, one perpetuated by the use of unauthorised devices or software, orphan credentials, downloading sensitive data on their unsecured home system, or providing access to unauthrised personnel on the cloud. There are many ways to tackle this problem.
The first involves training and educating the employees on security policies and protocols. You’ll be surprised how such a small step has a significant impact. The CSIO can also track behavior to determine which employee is at risk. But constant tracking or monitoring can be stressful to the employee.
In my opinion, the best way is to employ cyber deception, which creates alerts only on unauthorised access, as decoys have no relevance for daily operations and are only accessed when an actor infiltrates the network. Cyber deception will attract the attacker to decoy environments, help secure the Active Directory (AD), inhibit the attacker’s lateral movement to infect the network any further, and provide additional coverage for cloud-centric security.
Emotet, the highly destructive banking trojan, has become the most prominent threat in the cyber-landscape. How do you think companies can prepare themselves for such threats, which lay dormant for a while and then resurface during tough market conditions?
Emotet the banking trojan acted by spreading through spam emails and targeted sensitive information such as banking credentials in the network. The best way to prepare any company to protect themselves for any such attack is to prepare themselves well in advance and proactively defend themselves against Emotet or any other destructive trojan.
And when a cyber-attack does manage to land inside their corporate network, the defenders should be able to mitigate and lessen the severity of the cyber-attack. In addition to EDR solutions, companies need to invest in security tools that prevent the actor from moving laterally in the network by securing the Active Directory (AD) and user credentials.
What do we learn from the recent Twitter hacks, campaigns such as Trickbooster, and so on? Is there really a framework to handle such instances?
Cyber attackers are using new attack surfaces to launch their campaigns. Social Media is one attack surface. Many existing frameworks can be utilized to handle such attacks, like MITRE ATT&CK Framework, MITRE Shield Framework, NIST framework, and others.
How are you handling such security challenges for yourself, your customers, and your partners?
The most important advice for any CISO or organisations is to be aware of the emerging cybersecurity challenges and threats. Furthermore, to be convinced that proactive and active cyber defense strategy is the best way forward to mitigate the risk of a cyber-attack into their digital infrastructure and networks.