While we keep hearing in the news about advanced technical cyberattacks launched by sophisticated hackers, the reality is that most hacking is somewhat routine. Contrary to popular belief, most hackers are not stealthy hooded cyber masterminds sitting in the dark by the glow of a computer screen, and not every attack must utilize state-backed capabilities. Most don’t have a deep technical understanding; instead, they spend their time repeating steps as they look for the easiest way to gain access to an organization.
Essentially, hackers strive for maximum success with minimal investment while still maintaining anonymity. This is why hackers usually use public tools, rather than more sophisticated ones. Nevertheless, hackers are often successful because they only need to find one weak point, while defenders must protect all assets 24/7.
We spoke with one of CYE’s red team leaders to better understand how hackers successfully break into organizations. Here are three techniques that have proven to be the most effective.
1. Social Engineering Attacks
The goal of a social engineering attack is to trick victims into revealing private information. The success of social engineering attacks is based entirely on the human factor failing; that is to say, the attacks specifically exploit human behavior.
Phishing is a classic social engineering attack. In phishing, an attacker sends fraudulent emails that appear to come from a reputable source and urge the recipient to disclose private information or login information, or to click on a link that can launch malware. For example, an email might look like it comes from a trusted bank, asking for more information such as a password or Social Security number. In spear phishing, the attacker will thoroughly research a particular target on social media and Google, and then create an email that appears to be sent from a place familiar to the user.
The best way to prevent such attacks is with a healthy dose of cybersecurity awareness. Employees must be trained to recognize the telltale signs of phishing emails, as well as to not respond to any emails that request sensitive information.
2. Brute Force Attacks
A brute force attack is essentially a glorified guessing game. In such attacks, hackers will attempt to crack credentials and encryption keys by systematically attempting combinations of usernames and passwords until the right guess is inputted. In a simple brute force attack, a hacker does this manually by using standard password combinations or PIN codes.
In password spraying, an attacker tries one or two common passwords, like “123456” and the name of the organization, against numerous accounts on one domain. Interestingly, this method is extremely effective, because many organizations still have legacy passwords or service accounts that lack strong, robust passwords, or don’t implement measures to freeze accounts with unusual login activity. Once credentials are discovered, hackers can “bomb” an employee with multiple MFA requests until the employee, confused about the unexpected notifications, approves one.
In general, a lack of password quality continues to be the most common way that hackers get their feet in the door of organizations. Reuven Aronashvili, CEO and co-founder of CYE, has said that he continues to be surprised to see “how many organizations fall victim to attacks that stem from weak passwords.”
Preventing brute force attacks involves using complex passwords that are difficult to crack. For this reason, using a password manager that automatically generates robust passwords is essential for every organization. Also, implementing 2FA with a one-time password can freeze accounts with unusual login activity.
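For defenders, the password-spraying pattern described above is visible in authentication logs as one source touching many accounts with only one or two attempts each. The following Python sketch is an added example, not code from CYE or the original article; the log format, the thresholds, and the function names are assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth events (assumed format): time, source IP, account, result.
SAMPLE_LOG = """\
2023-05-01T09:00:01 203.0.113.7 alice FAIL
2023-05-01T09:00:03 203.0.113.7 bob FAIL
2023-05-01T09:00:05 203.0.113.7 carol FAIL
2023-05-01T09:00:07 203.0.113.7 svc-backup OK
2023-05-01T09:00:09 203.0.113.7 dave FAIL
2023-05-01T09:01:00 198.51.100.4 erin FAIL
2023-05-01T09:01:05 198.51.100.4 erin FAIL
2023-05-01T09:01:09 198.51.100.4 erin FAIL
2023-05-01T09:01:20 198.51.100.4 erin OK
"""

def parse(log):
    """Yield (timestamp, source, account, result) tuples, skipping malformed lines."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, user, result = parts
        yield datetime.fromisoformat(ts), src, user, result

def detect_spraying(log, window=timedelta(minutes=10), min_accounts=4, max_per_account=2):
    """Flag sources that hit many accounts with few attempts each in one sliding window.

    Returns {source: {"targets": [...], "succeeded": [...]}}; "succeeded" lists
    accounts where a sprayed guess worked and the credential must be reset.
    """
    by_src = defaultdict(list)
    for ev in sorted(parse(log)):
        by_src[ev[1]].append(ev)
    findings = {}
    for src, events in by_src.items():
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward
            chunk = events[start:end + 1]
            attempts = defaultdict(int)
            for _, _, user, _ in chunk:
                attempts[user] += 1
            # Many accounts, one or two guesses each: spraying, not single-account guessing.
            if len(attempts) >= min_accounts and max(attempts.values()) <= max_per_account:
                hit = findings.setdefault(src, {"targets": set(), "succeeded": set()})
                hit["targets"].update(attempts)
                hit["succeeded"].update(u for _, _, u, r in chunk if r == "OK")
    return {s: {k: sorted(v) for k, v in f.items()} for s, f in findings.items()}
```

On the sample data, the source that repeatedly guesses against a single account is not flagged; that pattern is better caught by a per-account lockout threshold.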
3. New Vulnerabilities
Another very effective way of breaking into an organization’s systems is by exploiting recent vulnerabilities. Hackers frequently check software vendor bulletin boards for new CVEs, which enable the hackers to infiltrate an organization’s network. This works because companies often do not promptly update their apps or websites, and that leaves them wide open to attacks.
Such attacks can be prevented by staying updated about new vulnerabilities and promptly patching. Of course, there are always challenges, because mitigating vulnerabilities takes time.
The Common Thread
What do these three methods have in common? They are all widespread, they are all simple tactics, and they all have straightforward fixes. This is why an essential part of protecting an organization from cyberattacks involves simply blocking the easiest entry points, making it that much harder for the less sophisticated attackers.