The winter season, with its end-of-year celebrations, is a very specific and sensitive period for cybersecurity. It starts with employees, whose minds are focused on wrapping up the business year and closing the fourth quarter. They are also busy preparing for their upcoming vacations and holiday shopping, and the expansion of homeworking adds another layer of challenge. And cyber criminals, who are constantly looking for our weaknesses or breaches, will certainly exploit our lack of focus and our decreased vigilance. I even conjecture that attackers have their own year-end targets to achieve, as we see they are quite active in the last weeks of the year.
It starts with phishing…
Phishing remains the main worry in this period, as it is the privileged attack vector of cyber criminals to get a foot in our organizations: email phishing, spear phishing, smishing, search engine phishing … As the winter season is an intensive commercial period, we could expect end customers to be the main target; however, B2B actors are also highly targeted with business-specific phishing email campaigns, such as a president scam urging to close a deal, or a provider scam with a limited-time offer … Attackers don’t showcase much creativity here, as they simply leverage a business truth: the best offers we get from providers usually come at the end-of-year season, for renewal purposes for example, and urgently need to be signed by December 31st at the latest. For that reason, the employees most involved in contract signing will be the main targets, and will be pushed hard. Cyber criminals also make heavy use of CEO fraud, also named president scam, because the substitute staff members covering for permanent staff on holiday are not as familiar with the processes, guidelines and rules. This increased vulnerability is exactly what cyber criminals leverage, for example as an opportunity to spoof the identities of top managers. It can be through WhatsApp, phone calls, fake emails, etc., asking the substitutes to perform operations that are unusual and that they would not be willing to do in a normal period, while anticipating the victims’ reluctance by justifying the unusual aspect of the operation with the holiday season.
Besides, one call to make to all employees is: be extra vigilant when receiving an email in the year-end period, and take the mandatory security training.
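As an added illustration, not code from the original post, here is a small Python check for the president-scam pattern described above: an executive’s display name on an outside address, a Reply-To pointing elsewhere, a look-alike of the corporate domain, and year-end pressure wording in the subject. The corporate domain, executive names and sample messages are constructed for the example.

```python
from email.utils import parseaddr

# Constructed configuration (not from any real organisation): own domain, executives whose
# display names a president scam would borrow, and year-end pressure wording to look for.
CORP_DOMAIN = "example.com"
EXECUTIVE_NAMES = {"jane doe", "john smith"}
URGENCY_MARKERS = ("urgent", "before december 31", "wire transfer", "confidential")

def _domain(address):
    """Lower-cased domain part of an e-mail address, or '' if there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""

def _edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike domains (examp1e.com vs example.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_message(headers):
    """Return the reasons a message looks like CEO fraud (empty list if none); headers is a dict."""
    reasons = []
    name, sender = parseaddr(headers.get("From", ""))
    sender_domain = _domain(sender)
    # 1. Display name of an executive, but the address is not on the corporate domain.
    if name.strip().lower() in EXECUTIVE_NAMES and sender_domain != CORP_DOMAIN:
        reasons.append(f"display name '{name}' impersonates an executive from '{sender_domain}'")
    # 2. Replies silently redirected to a domain other than the visible sender's.
    reply_domain = _domain(parseaddr(headers.get("Reply-To", ""))[1])
    if reply_domain and reply_domain != sender_domain:
        reasons.append(f"Reply-To domain '{reply_domain}' differs from sender domain '{sender_domain}'")
    # 3. Any domain within two edits of the corporate domain, but not equal to it.
    for dom in {sender_domain, reply_domain} - {"", CORP_DOMAIN}:
        if _edit_distance(dom, CORP_DOMAIN) <= 2:
            reasons.append(f"'{dom}' is a look-alike of '{CORP_DOMAIN}'")
    # 4. Year-end pressure wording in the subject line.
    subject = headers.get("Subject", "").lower()
    hits = [m for m in URGENCY_MARKERS if m in subject]
    if hits:
        reasons.append("pressure wording in subject: " + ", ".join(hits))
    return reasons

# Constructed sample messages: two scam patterns and one legitimate internal mail.
SAMPLES = [
    {"From": "Jane Doe <jane.doe@webmail.example.net>", "Subject": "URGENT: sign before December 31"},
    {"From": "Jane Doe <jane.doe@example.com>", "Reply-To": "jane@examp1e.com", "Subject": "Payment"},
    {"From": "Bob Lee <bob.lee@example.com>", "Subject": "Q4 closing checklist"},
]
```

Running `check_message` over each entry of `SAMPLES` flags the first two and returns an empty list for the third; in a mail gateway the same signals would feed a quarantine or banner rule rather than a hard block.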
…and can turn into your worst attack scenarios
All CISOs must have the worst-attack scenario on their agenda in order to best prepare for the holiday season. Mine would be a vulnerability scoring 9 or 10 on the CVSS, targeting a high number of systems (Windows workstations or servers), disclosed together with an immediate exploit, a couple of days before the vacation period for example; or attackers launching a worm; or attackers succeeding in exploiting a vulnerability through phishing, ending with many systems compromised. To prepare for that worst-case scenario, companies need to organize and prepare themselves throughout the year, with a SOC, EDR, etc., to run controls. All the worms that targeted organizations in the past (WannaCry, Nimda, …) also helped to structure our protection, control and response.
The worst-case scenario can also be an attack that impacts a high number of systems in less than an hour. Then your key focus is to rely on security operations, tools, crisis management processes, etc.
These can happen during the winter and holiday season, as well as any time of the year. You need to build extra resilience and vigilance during that time, but you need to prepare for the worst attack scenarios throughout the year.
Top 3 recommendations to prepare for incident response
1 – You need a crisis management plan
THE #1 recommendation is to have a crisis management policy. It must include names, contacts and workflows designed to address such a challenge.
Then comes the need for a clear organization, by gathering the people who understand the crisis management process. Hence not only people from the security department are required, but also from the IT department, from Finance to unlock potential investments to be made in crisis mode, from Communication, from the business lines … They must all be involved, ready, prepared and trained.
Once the crisis management team is set and the policy defined, it is essential to organize training sessions and simulations. Running regular crisis-scenario simulations helps to make sure we can contact the right people, and that they understand their role in a crisis situation.
Finally, whether it is for a simulation or a real crisis response, applying the Eisenhower matrix is an efficient way to drive decisions during a crisis, by identifying actions that are important or urgent. For example, if an action is neither important nor urgent, it can simply be deleted.
Important and urgent: the first important tasks. Do them now.
Urgent but not important: tasks that can be delegated.
Important but not urgent: tasks to plan, or they will become urgent and turn into “DO”.
Neither important nor urgent: non-value-added tasks, to be eliminated.
If everything is recognized as important and urgent, the crisis will turn into chaos. Therefore, this matrix helps to decide on what actions to take, in what order of priority and at what time in the crisis management and response.
Of course, in addition to all this, having the right cybersecurity experts is essential.
2 – Build your ability to decide quickly
The first step is to regroup within thirty minutes following a confirmed sign of ransomware or malicious activity. It is essential to gather right away the right cybersecurity experts and the crisis management team’s leads from the IT department, Finance, Procurement, Communication, … and then to identify every important and urgent element, with the Eisenhower matrix, in order to take decisions. Decision is the key point in crisis management. The first decision can be, for example, to understand the threat or what is happening, which is a challenge. This first important and urgent task can be assigned to the cybersecurity experts, for them to provide the crisis management team with guidance and an understanding of what is occurring. It could consequently be decided to shut down Internet access, isolate some parts of the network, push a software update, etc.
We must, however, always remember that every situation will be unique. So organizations need to train and prepare themselves for the usual suspects (ransomware, APTs, known attack techniques …) to be able to provide a fast answer to the threat.
3 – Just like sports, a good level of security requires training
On top of the list are the anti-phishing campaigns to improve users’ awareness: for example, running quarterly email-phishing campaigns, each tailored by geography, in the local language, and targeting all your employees. One of them, or a specifically targeted campaign, should relate to the winter season. Besides, all employees must have completed their yearly mandatory security training before the end of the year. It aims to help them recognize the major threats they can face, understand how we are all vulnerable to these threats, and know how to react to them (e.g., forwarding suspected emails to security).
There is still a big challenge in making employees understand what impact clicking a simple link, by mistake, in a malicious email can have on the organization’s information systems. Clicking on a compromised link can lead to malicious code being loaded into the web browser, or employees can be invited to re-enter their credentials on a fake mirror version of the real platform, either to steal them or to gain access to the computer and all its applications. Then malicious actors can start reconnaissance activity inside the company and propagate laterally, injecting their malware and ransomware. And all this starts with a phishing email, a lack of attention and a simple click.
Hence the strong advice to cascade to employees: do not believe it is easy to recognize a phishing email, and “it is better to be safe than sorry”.
30 days to go until 2023, and a World Cup in attackers’ sight…
Besides the holiday season, the year 2022 is also special because of the FIFA World Cup currently taking place in Qatar. It is expected to be heavily targeted, and even to cause a hike in cyberattacks by cyber gangs and state-sponsored advanced persistent threat (APT) groups. The final on the upcoming December 18th is expected to be a very sensitive moment cybersecurity-wise.
Some cybersecurity threats have already arisen: fake domains impersonating the World Cup web properties, phishing websites for data theft, fraudulent social media pages for spear phishing or scams, and malicious mobile apps. In addition, the French National Council on Information and Liberties (CNIL) has already warned about the two applications supporters are required to download, which appear to be very similar to spyware: Hayya, dedicated to World Cup 2022 logistics, and Ehteraz, for Covid-19 tracking purposes.
Given the highly intense activity of malicious actors this year, we can expect the 2022 FIFA World Cup to be targeted in some way: potentially with DDoS, defacement or data destruction attacks.