
The art of cyber defense

The critical data of your business gives off an odor, and the information rats smell it; they see the cracks. Every day tens of thousands of cyber attacks occur in Spain. There are no reliable figures, but the consulting firm Deloitte says that 94% of companies suffered at least one serious cybersecurity incident throughout 2021.

Rats sniff devices and connections. They use our outdated sewers and take advantage of any vulnerability. They will walk through your house as if they owned it if we have not applied the appropriate measures. And they will return with the loot through the labyrinth to countries where judicial extradition does not exist. Then they will extort us…

In the influential Chinese military treatise The Art of War, believed to have been written by General Sun Tzu, we can read: “Know your enemy and know yourself, and in a hundred battles you will never be defeated.”

What would Sun Tzu think if he were the CISO (Chief Information Security Officer) of our company? He would say, “First, meet the cybercriminal.”

The enemy is silent and fast. It attacks SMEs and large companies, seeking to maximize profit. Today it has become professionalized and uses all kinds of methods, from the most sophisticated (such as a deepfake that imitates the real voice of a CEO using artificial intelligence) to simple brute force to crack a weak password (surprisingly, “1234” is still the reference password) or social engineering (sending you a USB drive, posing as a close associate).

Their tactics are well known, but they continue to work: phishing (mass email attacks that trick the user into giving up data); ransomware (encryption of information by malware); or access through a vulnerability that was fixed years ago, but for which the company never applied the update.

“The art of war is based on deception,” says our CISO Sun Tzu. The attackers have two strategies: the massive, indiscriminate attack and the selective, targeted one. They carry out infection campaigns using botnets, armies of previously infected zombie computers. “Depending on the type of attack they want to carry out, they use techniques that have a higher success rate than others,” explains Marco Antonio Lozano, head of Cybersecurity for Companies at INCIBE.

They seek “access to corporate networks and theft of information, such as email credentials, remote access, or the confidential information of the company and its users,” says Josep Albors, director of research at ESET, a cybersecurity company.

Most of the attacks that occur in Spain have two objectives: to obtain information in order to sell it to the competition, or to extort money by threatening to publish it. There is also ransomware, which hijacks computers for a ransom paid in cryptocurrencies. As the culture of backups has spread, today they use the “double combo”: they encrypt and steal at the same time.

Various groups and clans operate and sometimes cooperate with each other. Some are highly organized and compartmentalized. This already brings in more money than drug trafficking.

There are also thieves who have obtained their exploit kit on the deep web (a kit of malicious applications that costs between five and two hundred euros). It is cybercrime as a service. “There are markets for malicious applications with all purposes,” explains Lozano. It is a “big button” attack: they are given a control panel and some templates, and they attack without great knowledge. “We have a great variety of vermin in the labyrinth and various forms of plague,” our Sun Tzu would conclude.

Most of us will suffer indiscriminate attacks. Thousands of them are launched and the criminal waits for someone to bite. They have a listening system that tells them who has downloaded the malware or entered their data.

They can carry out a sextortion, claiming that they have recorded the user masturbating (they show the user's password, but only to scare them and see if they take the bait). “If they send out a million emails and 0.5% bite, they have already made the action profitable,” says Lozano. “It’s the art of fishing, not cyber warfare,” complains Sun Tzu.

The other type of attack is targeted. They look for SMEs or companies that they consider interesting. They study the organization chart and monitor the employees' LinkedIn accounts. CEO fraud, for example, consists of impersonating the manager through emails or Zoom calls (vishing is when they use phone calls) while he is away. In 2019, a UK energy company lost €220,000 because its CEO’s voice was imitated.

They use homograph attacks: the URL or email address is very similar to the legitimate one, with one or two letters changed. “They play the mistake,” explains Jordi Serra, an expert at the Open University of Catalonia (UOC). Or they come through WhatsApp (it’s called smishing, impersonation by instant messaging or SMS). They can also attack from a provider that has been previously infected and sends you an invoice with malware.
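A defender-side check for the look-alike addresses described above, as an added example that is not part of the original article: it compares an incoming sender or link domain against the domains a company really deals with and flags near matches. The trusted list, the small table of look-alike characters and the two-letter threshold are constructed assumptions.

```python
import unicodedata

# Constructed allow-list: domains the organisation really corresponds with.
TRUSTED = ["example.com", "example-bank.es", "supplier.example"]

# Small constructed sample of look-alike characters (digits and Cyrillic
# letters) folded to the Latin letter they imitate; not a complete table.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "\u0430": "a", "\u0435": "e",
                             "\u043e": "o", "\u0440": "p", "\u0441": "c",
                             "\u0456": "i"})

def skeleton(domain):
    """Reduce a domain to the shape a hurried reader perceives."""
    d = unicodedata.normalize("NFKD", domain.lower())
    d = "".join(ch for ch in d if not unicodedata.combining(ch))
    return d.translate(CONFUSABLES).replace("rn", "m")

def edit_distance(a, b):
    """Levenshtein distance: single-letter inserts, deletes, substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(address, max_edits=2):
    """Return (verdict, trusted domain it resembles or None)."""
    domain = address.rsplit("@", 1)[-1].strip().lower().rstrip(".")
    try:  # internationalised names travel as punycode ("xn--..."); decode them
        domain = domain.encode("ascii").decode("idna")
    except UnicodeError:
        pass  # already Unicode, or not valid punycode: judge it as written
    if domain in TRUSTED:
        return ("trusted", domain)
    for good in TRUSTED:
        if skeleton(domain) == skeleton(good):
            return ("lookalike", good)  # same shape, different characters
    for good in TRUSTED:
        if edit_distance(skeleton(domain), skeleton(good)) <= max_edits:
            return ("lookalike", good)  # one or two letters changed
    return ("unknown", None)
```

A "lookalike" verdict is a reason to quarantine the message or confirm the request by a known phone number; very short trusted domains need a lower `max_edits` to avoid false alarms.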

We also have human resources fraud: the cybercriminal compromises email accounts and poses as someone from the personnel department, who asks that payroll be directed to other bank accounts. Other times they use what is called fileless malware (it does not require a malicious file; they will send you a USB).

“The arts of the enemy are multiple,” concludes CISO Sun Tzu. “The one who attacks only needs one hole to enter, the one who defends has to cover them all,” says Serra.

We are left with “know yourself”, because “most of the incidents tend to come from user errors”, says Lozano. Very rarely “they are advanced threats, if they are successful it is more because of the defenders than the attackers,” concludes Albors.

You have to be “cyber-resilient”. You must know what your company’s critical assets are, apply preventive and reactive measures, carry out a security audit, know the vulnerabilities and encrypt the information: encrypt it yourself before they do. Determine how up to date the equipment is (these are the sewers). Set up two-factor authentication. “Backup copies of everything and well done,” adds Serra. Build a culture in which employees learn to identify dangers… In short, you must know the enemy, but above all yourself: this is the art of anticipating the attack. Pure Sun Tzu.
