Cyber Attack Response: The Overlooked Step in Digital Security
Scams and cyber crime are constantly increasing. New advances in technology enable criminals to attack faster, smarter, and with ploys that look more genuine than ever. Even experts can get caught in their tricks. That’s why it’s important that we go beyond just preventing scams and cyber attacks. Prevention is part of it. But it’s equally important to have a scam and cyber attack response plan. If you know how to respond, you can minimize the damage even if you are targeted by a cyber attack.
See Preventing and Reporting Cyber Attacks with Robert Karas for a complete transcript of the Easy Prey podcast episode.
Robert Karas has been working at the Cybersecurity and Infrastructure Security Agency (CISA) for thirteen years. CISA is the US government agency that protects the country from cybersecurity threats. Robert has over thirty years of experience in the information security field, including creating cyber defense education and training programs. At CISA, he runs the attack surface evaluation branch, where he works on penetration testing, red teaming, and vulnerability scanning, among other things.
Volunteering for Security
Robert started his career as a new college graduate doing systems administration and IT work as a federal employee. Later, he transitioned into compliance work at DISA, the Defense Information Systems Agency. While he was there, there was a call for volunteers with technical skills to start the first “red team” and cyber attack response team.
A red team is a group of security professionals whose job is to break into networks. They’re what you might call “ethical hackers” or “white hat hackers.” They use tools like phishing and social engineering, along with hacking tricks, to get into company networks. Each red team works for ninety days on a given company, and at the end they work with the company’s own security or IT teams to explain how they got in, what they got access to, and how the company can improve their security. They also get permission from the company first so they’re not doing anything illegal while trying to help.
Robert volunteered for the new red team and was selected. That red team eventually became the NSA’s red team. All in all, Robert has been doing this cybersecurity work for over thirty years now.
Current Trends in Cyber Attacks
What kind of threats will target you depends on a lot of factors. The attacks against individuals are different from attacks against companies, and the threats facing companies will vary depending on what kind of industry they’re in. But the important thing to know is that especially with automation and AI tools, attackers are getting more and more persistent.
"Whatever industry you're in … you're basically under attack 24 hours a day." – Robert Karas
A lot of attacks start with phishing and social engineering. That’s still the top way Robert’s red teams have been able to successfully attack. Social engineering is often extremely effective because people are good-natured and want to help. But in some ways, good security is the opposite of good customer service. Good customer service aims to be helpful. Good security is suspicious and challenges requests. It can be hard to find a balance between the two.
A Successful Social Engineering Attack
For a recent example, one of Robert’s red teams was targeting a company and found out they offered tours to students. One member sent a polite email pretending to be a teacher who wanted to take their class on a tour. They had a nice interaction, and eventually the company representative sent them a link to a web portal so they could have a list of the students who were coming.
The red team member claimed they had problems accessing the file and asked if they could email a PDF of the names instead. The company representative said yes, and downloaded the file. It looked like a list of student names, but in the background was a piece of code that ran on the representative’s computer and gave Robert’s red team access to their network.
From the company’s end, nothing about that interaction seemed like a red flag. The red team member was polite and friendly, and they built trust and rapport. The company representative wanted to help. Unfortunately, that can be a vulnerability. Especially when the attacker builds that trust, people’s guards are lower.
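The "list of student names" in that story was a PDF carrying code that ran when the file was opened. The following triage scanner is an added example written for this page, not code from Robert's team or from CISA. It flags PDF name objects that give a document the ability to run code or trigger actions on open (/JavaScript, /JS, /OpenAction, /AA, /Launch, /EmbeddedFile), after undoing the `#xx` hex escapes that are sometimes used to hide those names from naive string matching. The two sample PDFs are constructed inline; the script payload is a harmless alert, not a real exploit.

```python
import re

# PDF name objects that let a document run code or trigger actions. None of
# them is proof of malice on its own, but a plain list of student names has no
# reason to carry any of them, so each hit is a triage flag.
RISKY_NAMES = {
    b"/JavaScript": "embedded JavaScript action",
    b"/JS": "JavaScript code stream",
    b"/OpenAction": "action runs automatically when the file is opened",
    b"/AA": "additional (event-triggered) actions",
    b"/Launch": "launches an external program or file",
    b"/EmbeddedFile": "carries an embedded file attachment",
}

# PDF names may hex-escape characters (/J#53 is the same name as /JS).
_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalize_names(data: bytes) -> bytes:
    """Undo #xx escapes so an obfuscated /J#53 is matched as /JS."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def scan_pdf(data: bytes) -> dict:
    """Return a triage report for raw PDF bytes.

    flags: list of (name, count, reason) for each risky name found.
    needs_deep_scan: True when the file uses object streams (/ObjStm), whose
    contents are compressed; a string scan cannot see names hidden inside them.
    """
    if not data.startswith(b"%PDF-"):
        return {"is_pdf": False, "flags": [], "needs_deep_scan": False}
    text = normalize_names(data)
    flags = []
    for name, reason in RISKY_NAMES.items():
        # The lookahead stops /JS from matching a longer name such as /JSX.
        pattern = re.escape(name) + rb"(?![A-Za-z0-9_])"
        count = len(re.findall(pattern, text))
        if count:
            flags.append((name.decode(), count, reason))
    return {
        "is_pdf": True,
        "flags": flags,
        "needs_deep_scan": b"/ObjStm" in text,
    }


def is_suspicious(data: bytes) -> bool:
    """Policy used here: any risky name, or any file we cannot fully inspect."""
    report = scan_pdf(data)
    return bool(report["flags"]) or report["needs_deep_scan"]


# Constructed sample 1: a minimal PDF that just draws one line of text.
BENIGN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R >> endobj\n"
    b"4 0 obj << /Length 44 >> stream\n"
    b"BT /F1 12 Tf 72 700 Td (Student list) Tj ET\n"
    b"endstream endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# Constructed sample 2: same document, but the catalog's /OpenAction points at
# a JavaScript action whose /JS key is hex-escaped as /#4AS. The script itself
# is a harmless alert standing in for the real second stage.
MALICIOUS_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R >> endobj\n"
    b"4 0 obj << /Length 44 >> stream\n"
    b"BT /F1 12 Tf 72 700 Td (Student list) Tj ET\n"
    b"endstream endobj\n"
    b"5 0 obj << /S /JavaScript /#4AS (app.alert('opened')) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_PDF), ("malicious", MALICIOUS_PDF)):
        print(label, scan_pdf(blob), "suspicious:", is_suspicious(blob))
```

This is a string-level check, which is why it reports `needs_deep_scan` when it sees object streams: names inside compressed streams are invisible to it, and a mail gateway or endpoint tool that stops here will miss them. The practical lesson from the story is the policy, not the parser: attachments that arrive because a link "did not work" should be opened in a sandbox or converted to images, not on the representative's workstation.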
Trends in Data
One benefit of Robert’s work is that his teams gather a lot of data. They can use that data to see where companies are successful and not successful in cyber attack prevention and cyber attack response. They can also provide help to those companies without making their shortcomings public.
An interesting trend in the data recently is that criminals are reusing viruses after four or five years. Antivirus software only has so much capacity, and vendors have to rotate their defenses. Often they do this by dropping detections for old viruses to make room for new ones. Hackers have discovered that their old viruses get "rotated off" antivirus protection after four or five years and can be used again. Automation makes this easier for them, too. They don't have to send the virus out manually anymore – it takes little effort to push the button on an old virus and see if it still works.
Automation and tools like AI offer a lot of opportunities for criminals to escalate their cyber attacks, but we haven't seen that happen – yet. However, Robert has noticed criminals starting to prepare AI models to exploit natural disasters. That way, when an earthquake or a hurricane happens, they don't have to do anything manually: the model watches for news coverage to cross a threshold and launches the campaign itself. Even though we haven't seen it happen yet, they're working on it and may already be ready to launch.
"They prey on human nature, our vulnerabilities, and our sense of trust … if they can get you to be emotional for a second and click without thinking, they win." – Robert Karas
The Human Side of Cyber Attack Response
Our default response to cybersecurity is often training in scam and cyber attack prevention. We can train people, but training will only go so far. Eventually people reach a certain standard and can't get much better at prevention. When that happens, it's important to train on the other essential aspect of security – cyber attack response. Phishing emails are getting so sophisticated that detecting them is sometimes nearly impossible. Prevention can only go so far. There needs to be more training on what to do after you click.
People need to know how to notice an incident, when something’s not working right, or if they did something wrong, and they need to know how to respond. What should they do when they feel like they’ve been scammed? How should they respond if they clicked a phishing link? Do they know who to call or email? There shouldn’t be any shame in it – it’s human nature. But the sooner a person can react, the better chance they have of minimizing the damage. For an employee, the sooner they react, the better chance the IT team has of protecting the company.
Destigmatize Making Mistakes
A decade ago, employees weren't reporting their cybersecurity mistakes. They would be outcasts if they did. The narrative would be, "Gosh, look what they did and how much they messed up." But many companies have accepted that this isn't right. They recognize that mistakes happen, and that if people feel comfortable reporting them, the company can improve its cyber attack response. Data shows an improvement in the number of employees reporting mistakes to IT staff. However, the numbers are nowhere near where they need to be. One of Robert's current projects is figuring out whether that's because people are afraid to report or because they didn't recognize it was a phishing link even after the fact.
It’s essential to destigmatize these kinds of cybersecurity mistakes. They can happen to anyone – and Robert means anyone. Not long ago, Robert had his credit card skimmed right in front of him. Because he knew what a good cyber attack response should be, he was able to call his bank immediately and didn’t lose any money. But he has been working in cybersecurity for over three decades. If trained experts can’t get it right 100% of the time, people with no formal training shouldn’t feel bad that they can’t get it right 100% of the time, either.
"How you react [to a cyber attack] is just as important as facing the reality that it happened." – Robert Karas
Business Cyber Attack Response
If you are considering cyber attack response in a business or company context, it’s important to know what the internal policy is. If there isn’t an internal policy, it’s time to get one. The most important thing you can do to protect your company from cyber attacks is have your cyber attack response prepared. If you’re starting the work after the incident has happened, you’re already behind.
"One of the greatest things a company can do is be prepared [for a cybersecurity incident]." – Robert Karas
CISA has resources available to help companies with their cyber attack response plans. They currently have 110 cybersecurity advisors across the country, in every state and major city. If your company doesn’t know where to start, they are available to advise you. They can help you build your plan, design a policy, and figure out how your company should handle incidents and who you need to report it to. You can get in touch with your local advisor by emailing [email protected].
Individual Cyber Attack Response
If you are an individual who thinks you’ve fallen for a scam or been a victim of a cyber attack, your response will be different than a company’s. The first step should be to stop communicating with the scammer immediately. It doesn’t matter if it was by email, texting, social media, or anything else, stop talking to them right away. It’s also a good idea to block them.
Your next step is to change your passwords. If you don’t have two-factor authentication enabled, turn that on immediately as well. It provides extra security on your accounts.
Next, report it. You can file a report with the FTC at reportfraud.ftc.gov. If you want to involve law enforcement, you can also report it to the FBI at ic3.gov or to your local police. If you do choose to report to law enforcement, make sure you save any messages you received from the criminal. They may be needed later for an investigation.
If you have a friend who’s knowledgeable about cybersecurity, you can ask them for advice. As you start talking about it and reporting it, you will get connected to more people who will have more information and more advice. Organizations like the National Center for Victims of Crime can also help.
Future Threats to Cybersecurity
Robert sees a few threats in the near future that put us at risk – and most of them are really ways we are becoming more vulnerable. One is consolidation in the cybersecurity marketplace. In the past, there were dozens of different vendors of cyber defense products, making it less likely that a given attacker would know how to get around all of them. But as the market consolidates, there are fewer and fewer products, which lets attackers focus on getting around the defenses of just a few.
There's also the risk of speed. Robert's red teams often use a trick called "payload inflation." When they send a phishing email or link, the malicious file that gets downloaded is called the "payload." Most payloads are only a few megabytes. Payload inflation pads them out to 250 megabytes or more. With the speed at which things download these days, most protection software doesn't have time to scan the whole file before it has fully downloaded; many scanning engines also have a maximum file size and simply skip anything above it. In addition, we now have "smart" technology that turns our watches, our light bulbs, and our refrigerators into more places attacks can come from. With everything so fast and so connected, we don't have the resources to find and inspect everything before it can do damage.