Cybercrime is a big business. And like any other large industry, specialization has emerged.

Related: IABs fuel ransomware surge

As data becomes more valuable, criminals can profit more from stealing, selling or holding it for ransom, leading to a massive black market of information.

Initial access brokers (IABs) play an increasingly central role in this cyber underworld. IABs specialize in finding vulnerable targets and sell their details to other cybercriminals.

They search for weak points and perform the challenging, technically demanding work of breaking past an organization’s security, then offer access to the victim to the highest bidder.

IABs on the rise

IABs can gain this access through many different means. In some cases, they find vulnerable third parties that provide ways into larger targets, which is how hackers infiltrated the Red Cross in 2021.

In others, they try brute forcing their way through a company’s security; and sometimes, they’re malicious insiders who already have access to sensitive files.

Regardless of the specifics, the outcome is the same. IABs perform the difficult first few steps of breaking into a target’s systems, allowing other well-paying cybercriminals an easy way in to do whatever they want.

IABs aren’t necessarily a new threat, but they’ve seen tremendous growth over the past few years. Cybersecurity firm Positive Technologies found 88 new IAB sales on dark web marketplaces in the first quarter of 2020, compared to just three in all of 2017.

Amos

The rise of IABs corresponds with the increase in digital transformation. Early in the COVID-19 pandemic, companies started implementing digital tools at an unprecedented pace. Digital resources became increasingly critical for businesses, and targeting them became a more profitable type of crime, leading to a surge in demand for IABs.

IABs’ ease of access helped spur this growth. With an IAB, cybercriminals don’t need advanced technical knowledge or skills to pull off a successful attack. That makes them the ideal solution for new, inexperienced hackers trying to profit from this wave of digitization.

Ransomware correlation

This uptick in IAB activity has several far-reaching impacts on cybersecurity. Reliable security is becoming increasingly important to investors, requiring businesses to meet high standards to secure investment and new partnerships.

Because IABs can make it easier to breach a company’s security, their rise could make meeting those expectations harder, creating more demand for expert cybersecurity services.

As IABs continue to grow, so will ransomware. Ransomware is already the fastest-growing type of cybercrime, and IABs make it more accessible to novice criminals. It’s far easier to steal and encrypt sensitive data when someone else manages the first and hardest step in the breach process. Consequently, security professionals should prepare for an uptick in ransomware threats.

Mitigating IABs

Businesses should also focus on practices that mitigate IAB-related risks amid this rising threat. These include:

•Using multifactor authentication (MFA) on all accounts.

•Monitoring the dark web for IAB listings.

•Restricting access permissions to minimize insider threats.

•Keeping all software, especially VPNs, up to date.

General cybersecurity best practices like using strong passwords and offering regular security training will also help. While this trend is concerning, these widely recommended steps are still effective.

As the data revolution continues and cybercrime grows, IABs will become all the more prominent. Recognizing these threats early is the first step in addressing them. Once businesses know what to watch out for, they can make the best decisions about defending themselves, even with risks as pressing as IABs.

About the essayist: Zac Amos writes about cybersecurity and the tech industry, and he is the Features Editor at ReHack. Follow him on Twitter or LinkedIn for more articles on emerging cybersecurity trends.

There is much that can be gleaned from helping companies identify and manage their critical vulnerabilities 24x7.

Related: The case for proactive pentests

Based on insights from our team of elite security researchers here at Bugcrowd, these are three trends gaining steam as 2022 comes to a close – trends that I expect to command much attention in 2023.

Continuous pentesting

For years, penetration testing has played an important role in regulatory compliance and audit requirements for security organizations. However, a longtime challenge with pentesting has been the “point-in-time” nature of the tests.

At some predefined point in time, the test is run against the then-current version of the application and a report is delivered. The challenge is that application development has changed significantly in recent years; often, by the time a pentest is completed and the report is delivered, the information is already out of date because the application has changed.

Over the coming year, we will see an accelerating shift from traditional pentesting to PenTesting-as-a-Service (PTaaS). Instead of point-in-time assessments, organizations are treating pentesting as an important tool in their risk and security program rather than a necessary evil for maintaining compliance with internal or external requirements.

By completing incremental testing on the application, security organizations can gain current and ongoing visibility into the security posture of the application as the smaller scope allows for faster testing turnaround. This enables security organizations to receive real-time information into the current security posture of the application, network, or infrastructure.

Gerry

It’s important to remember that every change to a network or application, whether a major release or incremental release, represents an opportunity for new vulnerabilities to be introduced. Security organizations must maintain the ability to gain real-time visibility into their current posture – both from a risk governance perspective and from a compliance perspective.

Security vendor consolidation

The rapid expansion of new security products has led to many organizations purchasing the “latest and greatest” without having a strong integration plan in place. Without a clear deployment and integration plan, even the best security product will go underutilized.

For the past few years, the industry has seen an incredible amount of M&A consolidation. As a result, security organizations are looking internally for ways to leverage existing tool sets or upgrade existing tool sets versus adding to their ever-growing technology stack.

This growing need for security vendor consolidation will continue to be driven by both the cost of the security products and the limited internal resources to effectively operate the products.

Narrowing the talent gap

Attracting strong candidates has always been core to any business. Finding senior talent, whether in cybersecurity or another function, requires a combination of attractive compensation, career growth, the flexibility to work anywhere, and a mission that employees want to support.

It’s also important to find talent from non-traditional and diverse backgrounds, provide them with the necessary training and enablement, pay them well with additional equity incentives, and empower them to do what needs to be done.

For years, we’ve been led to believe there is a significant gap between the number of open jobs and qualified candidates to fill those jobs. While this is partially true, it doesn’t provide a true view into the current state of the market.

Employers need to take a more active approach to recruiting from non-traditional backgrounds, which, in turn, significantly expands the candidate pool from just those with formal degrees to individuals who, with the right training, have incredibly high potential.

Additionally, this provides the opportunity for folks from diverse backgrounds, who otherwise wouldn’t be able to receive formal training, to break into the cybersecurity industry, providing income, career and wealth-creation opportunities that they otherwise may not have access to.

Organizations need to continue to expand their recruiting pool, account for the bias that can currently exist in cyber-recruiting, and provide in-depth training via apprenticeships, internships, and on-the-job training, to help create the next generation of cyber-talent.

About the essayist: Dave Gerry is CEO of Bugcrowd, which supplies a security platform that combines contextual intelligence with actionable skills from elite security researchers to help organizations identify and fix critical vulnerabilities before attackers exploit them.

Over the years, bad actors have started getting more creative with their methods of attack – from pretending to be a family member or co-worker to offering fortunes and free cruises.

Related: Deploying employees as human sensors

Recent research from our team revealed that while consumers are being exposed to these kinds of attacks (31 percent of respondents reported they received these types of messages multiple times a day), they continue to disregard cyber safety guidelines.

This neglect is not only a threat to personal data, but also a threat to corporate security. As we continue to live a majority of our lives online, there are many ways that both consumers and enterprises can better protect themselves against hackers.

According to our survey, the majority of consumers (77 percent) are confident they can identify and report suspected malicious cyber activity, despite general apathy toward proactively securing their devices and personal data.

Confidence gap

This overconfidence is cause for concern for many cybersecurity professionals as humans are the number one reason for breaches (how many of your passwords are qwerty or 1234five?). When it comes to protecting themselves and their devices, few are practicing the basics:

•Only 21 percent use email security software

•Only 33 percent consistently use two-factor authentication (2FA)

•Only 28 percent don’t use repeated passwords

•Only 20 percent use a password manager

The gap between confidence in oneself when it comes to cybersecurity hygiene and actual implementation of protection against cybersecurity threats leaves much room for bad actors to execute successful malware and ransomware attacks.

Blurred lines

Guntrip

The hybrid workforce is here to stay, along with the blurring of work and home. Most people have work email, files, messages and more on personal devices, and use corporate devices to shop or stream content (our research says 56 percent of consumers engage in personal activity on a work device). This, combined with expanding attack surfaces due to the infinite number of networks being used by employees, has created the perfect storm.

Bad actors today enact Highly Evasive Adaptive Threat (HEAT) attacks with more frequency and success. Enterprises are scrambling to find better and more effective ways to secure their data and decrease the number of breaches occurring.

But since many employees are apathetic toward implementing security practices and prevention methods, it becomes a more and more daunting task for cyber professionals.

While cyber experts cannot save everyone from ransomware or other forms of threats, there are plenty of preventative ways for both consumers and enterprises to try and stop attacks before they occur.

Both consumers and enterprises can better protect themselves by:

•Enabling 2FA

•Using strong passwords (random combinations of letters and numbers are best) and storing them securely in a password manager

•Not using repeated passwords

•Reporting suspicious communications

•Installing security software and ensuring all your devices are running the latest software

•Backing up files to a cloud or offline location regularly

•Not responding to, clicking on links or opening/downloading attachments from any number or email you don’t know (we promise your CEO isn’t really texting you about how your bonus will be paid via gift card you can download by clicking on that weird looking link)

What needs to get done

For corporations, additional steps that should be taken include:

•Having cloud security that spans web and email to prevent ransomware and other attacks

•Setting up systems to require 2FA for all employees

•Ensuring employees review security protocols as part of training and development

•Enforcing strong password requirements for email and other applications

Bad actors are not going away anytime soon, and we can predict that in 2023, we’ll see even more threats and attacks than in years past. Still, there are many ways that consumers and enterprises can protect their data and educate one another on the very real threat that these invisible enemies are. The more awareness raised about cybercrime and malicious activity, the more we can do to try and prevent attacks from occurring before it’s too late.

About the essayist: Mark Guntrip is senior director of cybersecurity strategy at Menlo Security, a Mountain View, Calif.-based web security vendor that provides secure, cloud-based internet isolation.

Much more effective authentication is needed to help protect our digital environment – and make user sessions smoother and much more secure.

Related: Why FIDO champions passwordless systems

Consider that some 80 percent of hacking-related breaches occur because of weak or reused passwords, and that over 90 percent of consumers continue to re-use their intrinsically weak passwords.

Underscoring this trend, Uber was recently hacked — through its authentication system. Let’s be clear, users want a better authentication experience, one that is more secure, accurate and easier to use.

The best possible answer is coming from biometrics-based passwordless, continuous authentication.

Gaining traction

Passwordless, continuous authentication is on track to become the dominant authentication mechanism in one to two years.

Continuous authentication is a means to verify and validate user identity — not just once, but nonstop throughout an entire online session. This is accomplished by constantly measuring the probability that an individual user is who he or she claims to be; a variety of behavioral patterns sensed in real time and machine learning get leveraged to do this.

Passwordless, continuous authentication addresses the dire need for higher and better security. Cyber attacks continue to grow in sophistication, and ransomware attacks are only the tip of the iceberg. Compromised credentials represent the most usual way attackers penetrate networks. That simply is not tolerable, going forward.

Schei

With a market and a society ready to go for it, passwordless authentication expansion is about to accelerate. In fact, demand for passwordless systems is expected to grow 15 percent per annum – topping $5.5 billion by 2032. It’s no surprise that passwordless authentication is at the core of Gartner’s report on emerging technologies and trends for 2022.

Invisible security

Authentication systems that leverage machine learning and biometric technology are now ready to replace legacy password-centric technologies. Machine learning can be applied to facial recognition data, for example, to provide an invisible security layer, with no actions required from the user.

This invisible authentication is very difficult to hack, because it relies on biometric features that can’t be shared. Widely adopted from healthcare to law enforcement, it can deliver secure, accurate authentication even when the user is wearing a mask, and it prevents the unauthorized access that is now possible by compromising the devices we use as a second authentication factor.

In industries such as banking, healthcare and law enforcement, where employees work under pressure to handle sensitive information, cybersecurity and productivity often contradict each other.

Password-based multi-factor authentication (MFA) systems, for instance, require constantly logging in and out of user sessions; employees waste working time, and can even suffer from MFA fatigue. These inefficiencies can open the gate to cyber attacks.

By contrast, passwordless, continuous authentication affords a double gain for companies: cybersecurity is materially improved, while authentication friction gets erased. This improves daily productivity, not to mention employees’ happiness.

Continuous vigilance

Current authentication tools focus on single sign on. This means that the authentication mechanism confirms the user at the beginning of the session but offers no guarantees during a user session.

One opportunity attackers seek out is when an authenticated user leaves the device unattended. Up to 95 percent of cyberthreats are successful because of a human error, including unattended sessions or visual hacking incidents, such as shoulder surfing.

This lack of extended security cannot be addressed through legacy sign-on authentication tools such as Microsoft Hello, which rely on one-time image authentication.

Fortunately, there’s a growing trend towards passwordless, continuous authentication.

One touchless delivery model is through face recognition, and a good example is the core functionality built into GuacamoleID, supplied by Hummingbird.AI. GuacamoleID uses sophisticated vision AI to recognize and secure user sessions, thus enabling touchless automated access to computers for security, privacy and compliance in law enforcement, healthcare and financial services.

Passwordless, continuous authentication improves the user experience by making it frictionless – and it materially boosts security by ensuring that there’s always the right person behind the device.

About the Author: Nima Schei is the founder and CEO of Hummingbirds AI, a supplier of technology that leverages artificial intelligence to automate access to computers through face matching.


One must admire the ingenuity of cybercriminals.

Related: Thwarting email attacks

A new development in phishing is the “nag attack.” The fraudster commences the social engineering by irritating the targeted victim, and then follows up with an offer to alleviate the annoyance.

The end game, of course, is to trick an intended victim into revealing sensitive information or it could be to install malicious code. This is how keyloggers and backdoors get implanted deep inside company networks, as well as how ransomware seeps in.

Spoofed alerts

A nag attack breaks the ice with a repeated message or push notice designed to irritate. The nag might be a spoofed multifactor authentication push or system error alert – a notification message that annoyingly repeats on a seemingly infinite loop.

The idea of this first part of the nag attack is to annoy the targeted victim. Most of us don’t like random messages out of nowhere, much less dozens of them.

The second part of the attack is the scam. If your smartphone or computer is displaying a faked alert, then this means the criminal can contact you directly on the same channel. Usually, they’ll claim to be from the IT department or perhaps from a software or service provider.

The con artist sympathetically confirms that the victim has been deluged with notices and apologizes profusely. Distracted, aggravated and eager to put a stop to it, the victim gratefully accepts the extended solution.

Paxson

Usually this requires divulging login credentials and other details. Wham: the attackers gain unauthorized access — and a foothold to probe deeper into the breached network.

Human nature

Nag attacks add to the litany of phishing techniques. Over the years, endless phishing variants have emerged, including:

•Bulk phishing. This is when mass emails are sent out

•Spear phishing. The targeting of specific individuals or organizations.

•Whaling. Putting senior executives in the cross-hairs.

•Smishing. Lures sent via text message.

We can now add nag attacks, which take full advantage of human nature. Nag attacks are proving effective because no one likes to be nagged.

The attacker sets notification fatigue in motion and then adds credibility by sympathizing with the victim’s plight, while also being able to make references to details about the nuisance alerts.

Nag attacks are simplistically clever and most effective. Even employees in well-known organizations have fallen victim to the nag, including those at Microsoft, Cisco, and Uber.

Best defense

Large-scale nag attacks that randomly target wide swaths of email addresses or phone numbers are referred to as spray attacks. Spray attacks are noisy and thus can be mitigated with detection and response software that leverages machine learning and automation.

However, nag attacks are intrinsically difficult to stop, especially attacks targeting individual employees. This is because phone numbers and email addresses are easy to obtain, so targeting specific employees in certain organizations is straightforward. This limits the effectiveness of automated detection and response tools.
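The “noisy” signature of a spray-style nag, a burst of authentication pushes nobody asked for, is something a defender can count. The following Go program is an added example, not code from the essay or from Ironscales: it parses constructed MFA push log lines (the `user=… event=mfa_push` format is an assumption of this example) and flags any user who receives at least a threshold number of pushes within a sliding time window, which is the kind of rule a detection pipeline would raise to an analyst or use to lock the push channel temporarily.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Constructed sample log lines (not from any real system): one MFA push event per line.
// The result field is kept for realism but does not matter to the rule; an
// unrequested burst is the signal whether or not the user eventually approves.
const sampleLog = `2023-01-10T09:00:01Z user=alice event=mfa_push result=denied
2023-01-10T09:00:40Z user=alice event=mfa_push result=denied
2023-01-10T09:01:15Z user=alice event=mfa_push result=denied
2023-01-10T09:01:50Z user=alice event=mfa_push result=denied
2023-01-10T09:02:30Z user=alice event=mfa_push result=approved
2023-01-10T09:05:00Z user=bob event=mfa_push result=approved
2023-01-10T09:30:00Z user=carol event=mfa_push result=denied
2023-01-10T11:45:00Z user=carol event=mfa_push result=denied
2023-01-10T09:10:00Z user=dave event=login result=success`

type pushEvent struct {
	when time.Time
	user string
}

// parseLine extracts the timestamp and user from one line; ok is false for
// malformed lines and for events that are not MFA pushes.
func parseLine(line string) (pushEvent, bool) {
	fields := strings.Fields(line)
	if len(fields) < 2 {
		return pushEvent{}, false
	}
	ts, err := time.Parse(time.RFC3339, fields[0])
	if err != nil {
		return pushEvent{}, false
	}
	kv := map[string]string{}
	for _, f := range fields[1:] {
		if k, v, ok := strings.Cut(f, "="); ok {
			kv[k] = v
		}
	}
	if kv["event"] != "mfa_push" || kv["user"] == "" {
		return pushEvent{}, false
	}
	return pushEvent{when: ts, user: kv["user"]}, true
}

// FlagPushFatigue returns, sorted by name, every user who received at least
// `threshold` MFA pushes inside some window of length `window`.
func FlagPushFatigue(log string, window time.Duration, threshold int) []string {
	perUser := map[string][]time.Time{}
	for _, line := range strings.Split(log, "\n") {
		if ev, ok := parseLine(strings.TrimSpace(line)); ok {
			perUser[ev.user] = append(perUser[ev.user], ev.when)
		}
	}
	var flagged []string
	for user, times := range perUser {
		sort.Slice(times, func(i, j int) bool { return times[i].Before(times[j]) })
		// Two-pointer sweep: for each event at index end, shrink start until
		// every event in [start, end] lies within `window` of each other.
		start := 0
		for end := range times {
			for times[end].Sub(times[start]) > window {
				start++
			}
			if end-start+1 >= threshold {
				flagged = append(flagged, user)
				break
			}
		}
	}
	sort.Strings(flagged)
	return flagged
}

func main() {
	fmt.Println(FlagPushFatigue(sampleLog, 10*time.Minute, 3)) // [alice]
}
```

Threshold and window are deliberately parameters: a busy help desk will tune them against its own baseline, and the same rule applied per device or per source IP catches the spray before it reaches a second victim.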

The most effective defense is alert, well-trained employees. Cybersecurity training needs to be timely and relevant. This can include simulations to raise awareness and train people so when they see unprompted, persistent and annoying messages, they’ll know the real reason for the harassment.

Messages with even a hint of suspiciousness need to be validated in every instance. This needs to become ingrained workplace behavior.

About the essayist: Audian Paxson is Director of Technical Product Marketing at Ironscales, an Atlanta-based email security company.

Government assistance can be essential to individual wellbeing and economic stability. This was clear during the COVID-19 pandemic, when governments issued trillions of dollars in economic relief.

Related: Fido champions passwordless authentication

Applying for benefits can be arduous, not least because agencies need to validate applicant identity and personal identifiable information (PII). That often involves complex forms that demand applicants gather documentation and require case workers to spend weeks verifying data. The process is slow, costly, and frustrating.

It’s also ripe for fraud. As one example, the Justice Department recently charged 48 suspects in Minnesota with fraudulently receiving $240 million in pandemic aid.

The good news is that an innovative technology that promises to transform identity validation is capturing the attention of government and other sectors. Self-sovereign identity (SSI) leverages distributed ledgers to verify identity and PII – quickly, conveniently, and securely.

Individual validation

Any time a resident applies for a government benefit, license, or permit, they must prove who they are and provide PII such as date of birth, place of residence, income, bank account information, and so on. The agency manually verifies the data and stores it in a government database.

Whenever the resident wants to apply for services from another agency, the process repeats. Every transaction involves redundant steps and is an opportunity for fraud. Meanwhile, PII in government databases is at risk for cybertheft.

SSI – sometimes referred to as decentralized identity – uses a different strategy. Rather than rely on centralized databases, PII is validated via a distributed ledger or blockchain. Data is never stored by the government agency, yet they can still be sure they are transacting with the right person. This approach makes the data fundamentally secure and makes identity theft virtually impossible. Once the data is initially validated, it can be trusted by every agency, every time.

SSI also puts residents in control. They decide which data to release to which agencies and can revoke access at any time. They don’t need to worry about data privacy or whom the data might be shared with. Finally, they don’t have to endure a lengthy process of gathering data and waiting for approvals.

Conceptually, SSI functions the same way in any scenario. But three use cases demonstrate its promise.

Simplifying applications

Bhatnagar

For programs that benefit families, applications can run 20 pages and take weeks to process. An example is the Supplemental Nutrition Assistance Program (SNAP). Applicants must provide details on the entire household, including dates of birth, incomes, assets such as bank accounts, and expenses such as utilities.

Many people who receive SNAP benefits are also eligible for Medicaid, Temporary Assistance for Needy Families (TANF), and the Children’s Health Insurance Program (CHIP). Without SSI, residents must manually submit the same information to each program, and each program must manually verify the information before storing it in a database.

Furthermore, benefits applications like SNAP aren’t one-off processes. Say a mother with two children suddenly finds herself a single parent with no employment. She might qualify for SNAP until she gets a job. Then she might have another child and qualify again. Without SSI, each time she re-applies, her data needs to be re-verified and re-stored.

With SSI, applicants submit their household data for verification only once. When that information is verified, each datapoint is stored in the resident’s digital wallet as a credential. When they need to share that information with another agency, it’s validated via the public ledger in minutes.

With SSI, once a credential is in the digital wallet, all programs can trust it. The process is faster and easier for both the applicant and the benefits administrator.
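The flow described above, verify once, hold the credential in a wallet, let any agency check it against the ledger, and revoke when needed, can be made concrete in a few lines. The Go program below is an added example and not code from GCOM Software or any SSI product: it models the distributed ledger as an in-memory registry that publishes only issuer public keys and revoked credential IDs (a simplification assumed here), signs a credential with Ed25519 at issuance, and shows that a relying agency can verify it without holding the resident’s data or calling the issuer. The issuer identifier `did:example:snap-agency` and the claim values are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Ledger stands in for the distributed ledger. It publishes issuer
// verification keys and revoked credential IDs, never the resident's PII.
type Ledger struct {
	Issuers map[string]ed25519.PublicKey // issuer ID -> verification key
	Revoked map[string]bool              // credential ID -> revoked
}

func NewLedger() *Ledger {
	return &Ledger{Issuers: map[string]ed25519.PublicKey{}, Revoked: map[string]bool{}}
}

// Credential is what lives in the resident's digital wallet: signed claims.
type Credential struct {
	ID        string            `json:"id"`
	Issuer    string            `json:"issuer"`
	Subject   string            `json:"subject"`
	Claims    map[string]string `json:"claims"`
	Signature []byte            `json:"signature,omitempty"`
}

// payload is the canonical byte string that is signed and verified
// (json.Marshal emits map keys in sorted order, so it is deterministic).
func (c Credential) payload() ([]byte, error) {
	unsigned := c
	unsigned.Signature = nil
	return json.Marshal(unsigned)
}

// Issue is done once, by the agency that verified the data. The signed
// credential goes to the holder; the agency keeps no copy of the claims.
func Issue(priv ed25519.PrivateKey, id, issuer, subject string, claims map[string]string) (Credential, error) {
	c := Credential{ID: id, Issuer: issuer, Subject: subject, Claims: claims}
	msg, err := c.payload()
	if err != nil {
		return Credential{}, err
	}
	c.Signature = ed25519.Sign(priv, msg)
	return c, nil
}

// Verify is what any other agency runs when the holder presents the credential:
// issuer registered on the ledger, signature intact, credential not revoked.
func Verify(l *Ledger, c Credential) error {
	pub, ok := l.Issuers[c.Issuer]
	if !ok {
		return errors.New("issuer not registered on ledger")
	}
	msg, err := c.payload()
	if err != nil {
		return err
	}
	if !ed25519.Verify(pub, msg, c.Signature) {
		return errors.New("signature invalid: credential altered or forged")
	}
	if l.Revoked[c.ID] {
		return errors.New("credential revoked")
	}
	return nil
}

// Demo walks through issue -> present -> tamper -> revoke and returns the
// three verification outcomes in that order (nil means accepted).
func Demo() []error {
	ledger := NewLedger()
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	ledger.Issuers["did:example:snap-agency"] = pub // constructed issuer ID

	cred, _ := Issue(priv, "cred-001", "did:example:snap-agency", "resident-42",
		map[string]string{"household_size": "3", "income_verified": "true"})

	results := []error{Verify(ledger, cred)} // fresh credential: accepted

	tampered := cred // holder or intermediary edits a claim after issuance
	tampered.Claims = map[string]string{"household_size": "9", "income_verified": "true"}
	results = append(results, Verify(ledger, tampered)) // rejected

	ledger.Revoked[cred.ID] = true                      // consent withdrawn or data changed
	results = append(results, Verify(ledger, cred))     // rejected
	return results
}

func main() {
	for i, err := range Demo() {
		fmt.Printf("check %d: %v\n", i+1, err)
	}
}
```

The point a practitioner should take from this is where the trust lives: the verifying agency stores nothing about the resident and needs no online call to the issuer, only the issuer’s published key and the revocation list, which is exactly what makes the credential portable across programs.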

Preventing fraud

Government-backed loans for college, certificate, and vocational programs help residents achieve financial wellbeing and contribute to society, but they’re also opportunities for fraud. For instance, California community colleges received 65,000 fraudulent loan applications in 2021.

What’s more, institutions collect, verify, and store vast amounts of student data. When a specific department needs student data for its own needs, it often repeats the process. Meanwhile, all that data makes colleges targets for cybertheft.

SSI solves these issues. Once their identity is verified via the distributed ledger, students can release data to any institution or department. Schools can trust the data, and they no longer need to store it in their own databases. Plus, identity theft and loan fraud become virtually impossible.

The student’s digital wallet can expand over time with relevant data such as course credits, grade point averages, and degrees. Once the data is verified, it remains trustworthy – even if, say, the school that issued a degree no longer exists.

Medical marijuana access

More than 30 U.S. states and territories have legalized cannabis products for medical use. To access medical marijuana, patients typically require a medical marijuana card.

The process normally starts with a doctor’s prescription. The patient then applies to the state for a card. Once the card is issued, the patient presents it at a dispensary to purchase a cannabis product. In cases where the patient isn’t mobile, a caregiver is authorized to make the purchase.

SSI streamlines and provides assurance throughout this process. The state can trust any patient identity or PII already verified via the distributed ledger. The doctor’s credentials can be validated in the same way. Prescriptions and authorized caregivers can be stored as patient credentials.

The dispensary needn’t worry about being held liable for accepting a fake medical marijuana card. In fact, once patient data is validated in the distributed ledger, no party in the supply chain needs to independently verify it.

For residents, SSI provides control over PII and eases worries about confidentiality. For governments, it streamlines data verification and strengthens cybersecurity, saving significant time and cost. For both, it can build trust and enable easier access to services that benefit individuals and communities. Ultimately, SSI promises to transform how people and organizations manage sensitive data across a multitude of use cases.

About the essayist: Piyush Bhatnagar is Vice President of Security Products and Platforms at GCOM Software. A graduate of Cornell University, Bhatnagar received his MBA in General Management and Strategy from Cornell’s Johnson Graduate School of Management. In addition, he holds a Master’s degree in Science (Computer Science) from Allahabad University as well as a Bachelor’s degree in Science from the University of Delhi.

Consider what might transpire if malicious hackers began to intensively leverage Artificial Intelligence (AI) to discover and exploit software vulnerabilities systematically.

Related: Cyber spying on the rise

Cyber-attacks would become much more dangerous and much harder to detect. Currently, human hackers often discover security holes by chance; AI could make their hacking tools faster and the success of their tactics and techniques much more systematic.

Our cybersecurity tools at present are not prepared to handle AI-infused hacking, should targeted network attacks advance in this way. AI can help attackers make their attack code even stealthier than it is today.

Attackers, for obvious reasons, typically seek system access control. One fundamental way they attain access control is by stealthily stealing crypto-keys. Hackers could increasingly leverage AI to make their attack code even more undetectable on computers – and this will advance their capacity to attain deep, permanent access control of critical systems.

If AI-infused hacking gains traction, breaches will happen ever more quickly and automatically; the attack code will be designed to adapt to any version of an OS, CPU or computing device. And this would be a huge game-changer – tilting the advantage to the adversaries in command of such an AI hacking tool.

Wittkotter

This scenario is nearer than we might think or expect. Consider the approach to AI taken by the software firm DeepMind; their system turns technical problems into rules for games — and can deliver extraordinary results even if its developers are non-experts in the underlying problems.

We assume we are okay or safe if responsible humans are in the loop, i.e., able to switch things off or press a button. But every button or switch is linked to software, and advances like those made by DeepMind can be adapted to malicious purposes, such as continually making unauthorized modifications at the access control level.

Cybersecurity must become better prepared to defend against super-hackers, master thieves of crypto-keys and digital ghosts who are driving in this direction. Here are three fundamental practices that I believe need to become ingrained:

Never commingle security code and regular code. We must make every change or manipulation of anything security-related detectable. Security operations should be separate from the main operating system and CPU. This independence makes attacks on security easier to detect.

Hashcodes need to be registered. Hashcodes are unique values linked to software that can be associated with the manufacturer. Registering – and thus whitelisting – hashcodes will reduce and eventually eliminate unauthorized code from circulating.

Protect crypto-keys. Crypto-keys processed in main CPUs, as well as the public keys in PKI, should always be referred to via their registered hashcodes, and they should never be stored in clear text. In short, crypto-keys must be extremely well-guarded and processed on separate, independent security systems.
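The second and third practices share one mechanism: a registered hashcode is the name by which code and keys are referred to, and anything whose bytes no longer match the registered hashcode is refused. The Go program below is an added example, not code from the essay or from No-Go-*: it keeps a registry of manufacturer-registered SHA-256 hashcodes, gates loading of an artifact on membership in that registry, and stores public keys under their hashcode so that a lookup re-hashes the stored bytes and detects substitution. The in-memory maps, the “ACME Devices” manufacturer and the firmware and key byte strings are constructed stand-ins; a real register would be signed and append-only.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Registry maps a hashcode (hex SHA-256 of the artifact bytes) to the
// manufacturer that registered it. A map is this example's simplification of
// a signed, append-only register.
type Registry map[string]string

// Hashcode returns the hex SHA-256 of an artifact's bytes.
func Hashcode(artifact []byte) string {
	sum := sha256.Sum256(artifact)
	return hex.EncodeToString(sum[:])
}

// Register records an artifact's hashcode under its manufacturer and returns it.
func (r Registry) Register(manufacturer string, artifact []byte) string {
	h := Hashcode(artifact)
	r[h] = manufacturer
	return h
}

// CheckBeforeLoad is the allow-list gate: code whose hashcode is not registered
// is refused before it runs. On success it returns the registering manufacturer.
func (r Registry) CheckBeforeLoad(artifact []byte) (string, error) {
	h := Hashcode(artifact)
	m, ok := r[h]
	if !ok {
		return "", fmt.Errorf("hashcode %s... not registered: refusing to load", h[:12])
	}
	return m, nil
}

// KeyVault holds public keys indexed by their hashcode. Callers refer to a key
// by hashcode only; Lookup re-hashes the stored bytes so a key that has been
// swapped in place is detected rather than silently used.
type KeyVault map[string][]byte

// Store registers a key and returns the hashcode by which it is referred to.
func (v KeyVault) Store(key []byte) string {
	h := Hashcode(key)
	v[h] = key
	return h
}

// Lookup resolves a hashcode reference to key bytes, verifying integrity first.
func (v KeyVault) Lookup(ref string) ([]byte, error) {
	key, ok := v[ref]
	if !ok {
		return nil, errors.New("no key registered under that hashcode")
	}
	if Hashcode(key) != ref {
		return nil, errors.New("stored key does not match its hashcode: tampering suspected")
	}
	return key, nil
}

func main() {
	reg := Registry{}
	firmware := []byte("constructed firmware image v1") // stands in for a real binary
	reg.Register("ACME Devices", firmware)
	if m, err := reg.CheckBeforeLoad(firmware); err == nil {
		fmt.Println("load allowed, registered by", m)
	}
	altered := append([]byte{}, firmware...)
	altered[0] ^= 0x01 // a single flipped bit changes the hashcode
	if _, err := reg.CheckBeforeLoad(altered); err != nil {
		fmt.Println("blocked:", err)
	}

	vault := KeyVault{}
	ref := vault.Store([]byte("constructed-public-key-bytes"))
	if _, err := vault.Lookup(ref); err == nil {
		fmt.Println("key resolved by hashcode", ref[:12])
	}
	vault[ref] = []byte("swapped-key-bytes") // an attacker overwrites the stored key
	if _, err := vault.Lookup(ref); err != nil {
		fmt.Println("blocked:", err)
	}
}
```

Two design points worth noting: the gate checks the artifact’s bytes, not its filename or path, so renaming or replacing a file gains nothing; and the vault hands out key material only after recomputing the hash, which is what makes the hashcode, rather than the stored copy, the authority on which key is meant.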

I’d argue that these practices make good, common sense; they are practices that make code changes updateable and deployable, so device owners remain in control. Unauthorized access control needs to become next to impossible.

To get there, cybersecurity must become much more proactive and incorporate more fundamental preventative elements. Once we create overkill in our security measures, in a way that goes unnoticed by regular users, we’ll achieve effective countermeasures to global cyber-threats.

About the essayist: Erland Wittkotter is an inventor and technology architect. He is the founder of No-Go-* —  a grassroots developer community focused on the promise to make our digital life much safer.

Consider what might transpire if malicious hackers began to intensively leverage Artificial Intelligence (AI) to discover and exploit software vulnerabilities systematically.

Related: Bio digital twin can eradicate heart failure

Cyber-attacks would become much more dangerous and much harder to detect. Currently, human hackers often discover security holes by chance; AI could make their hacking tools faster and the success of their tactics and techniques much more systematic.

Our cybersecurity tools at present are not prepared to handle AI-infused hacking, should targeted network attacks advance in this way. AI can help attackers make their attack code even stealthier than it is today.

Attackers, for obvious reasons, typically seek system access control. One fundamental way they attain access control is by stealthily stealing crypto-keys. Hackers could increasingly leverage AI to make their attack code even more undetectable on computers, and this will advance their capacity to attain deep, permanent access control of critical systems.

If AI-infused hacking gains traction, breaches will happen ever more quickly and automatically; the attack code will be designed to adapt to any version of an OS, CPU or computing device. And this would be a huge game-changer – tilting the advantage to the adversaries in command of such an AI hacking tool.

This scenario is nearer than we might think or expect. Consider the approach to AI taken by the software firm DeepMind; their system turns technical problems into rules for games — and can deliver extraordinary results even if their developers are non-expert in the underlying problems.

We assume we are okay or safe if responsible humans are in the loop, i.e., able to switch things off or press a button. But every button or switch is linked to software; and advances like those made by DeepMind can be adapted to malicious purposes, such as continually making unauthorized modifications at the access control level.

Cybersecurity must become better prepared to defend against super-hackers, master-thieves of crypto-keys and digital ghosts who are driving in this direction. Here are three fundamental practices that I believe need to become ingrained:

Never commingle security code and regular code. We must make every change or manipulation of anything security-related detectable. Security operations should be separate from the main operating system and CPU. This independence makes attacks on security easier to detect.

Hashcodes need to be registered. Hashcodes are unique values linked to software that can be associated with the manufacturer. Registering, and thus whitelisting, hashcodes will reduce and eventually eliminate unauthorized code from circulating.

Protect crypto-keys. Crypto keys processed in main CPUs, as well as the public keys in PKI, should always be referred to via their registered hashcodes; and they should never be stored in clear text. In short, crypto-keys must be extremely well-guarded and processed on separate, independent security systems.
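The second and third practices above, as an added example that is not the essayist's code: a registry of hashcodes (SHA-256, my choice) acting as an allowlist tied to a manufacturer, and a key store that hands out keys only against their registered hashcode, so an edited artifact or a substituted key is detected rather than silently used. The firmware bytes and key blobs are constructed samples, not real artifacts.

```python
import hashlib

def hashcode(blob: bytes) -> str:
    """Hashcode: hex SHA-256 over the exact bytes that will run or be trusted (my choice of hash)."""
    return hashlib.sha256(blob).hexdigest()

class HashRegistry:
    """Allowlist of registered hashcodes, each tied to the manufacturer that registered it."""
    def __init__(self) -> None:
        self._by_hash: dict[str, str] = {}
    def register(self, blob: bytes, manufacturer: str) -> str:
        h = hashcode(blob)
        self._by_hash[h] = manufacturer
        return h
    def manufacturer_of(self, blob: bytes):
        """Manufacturer registered for these exact bytes, or None if the code is unregistered."""
        return self._by_hash.get(hashcode(blob))

class KeyStore:
    """Keys leave the store only against a registered hashcode, so a swapped or edited key is caught."""
    def __init__(self, registry: HashRegistry) -> None:
        self._registry = registry
        self._keys: dict[str, bytes] = {}
    def add(self, key_bytes: bytes, owner: str) -> str:
        handle = self._registry.register(key_bytes, owner)
        self._keys[handle] = key_bytes
        return handle  # callers keep the handle, never the key bytes
    def is_intact(self, handle: str) -> bool:
        """True only if the stored bytes still hash to the handle and remain registered."""
        key = self._keys.get(handle, b"")
        return hashcode(key) == handle and self._registry.manufacturer_of(key) is not None
    def resolve(self, handle: str) -> bytes:
        if not self.is_intact(handle):
            raise ValueError("key bytes do not match their registered hashcode")
        return self._keys[handle]

# Constructed sample artifacts (not real firmware or keys).
GENUINE = b"firmware-v1.2: verify_update(); apply_update();"
TAMPERED = GENUINE + b" undocumented_change();"
PUBKEY_A = b"-----BEGIN PUBLIC KEY-----\nCONSTRUCTED-KEY-A\n-----END PUBLIC KEY-----\n"
PUBKEY_B = b"-----BEGIN PUBLIC KEY-----\nCONSTRUCTED-KEY-B\n-----END PUBLIC KEY-----\n"

def demo() -> dict:
    reg = HashRegistry()
    reg.register(GENUINE, "Example Devices Inc.")
    store = KeyStore(reg)
    handle = store.add(PUBKEY_A, "Example Devices Inc.")
    before = store.is_intact(handle)
    store._keys[handle] = PUBKEY_B  # simulate an in-place key substitution
    return {"genuine": reg.manufacturer_of(GENUINE), "tampered": reg.manufacturer_of(TAMPERED),
            "key_intact_before": before, "key_intact_after": store.is_intact(handle)}
```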

I’d argue that these practices make good common sense; they are practices that keep code changes updateable and deployable, so device owners remain in control. Unauthorized access control needs to become next to impossible.

To get there, cybersecurity must become much more proactive and incorporate more fundamental preventative elements. Once we create overkill in our security measures, in a way that goes unnoticed by regular users, we’ll achieve effective countermeasures to global cyber-threats.

About the essayist: Erland Wittkotter is an inventor and technology architect. He is the founder of No-Go-*, a grassroots developer community focused on the promise to make our digital life much safer.

Phishing emails continue to plague organizations and their users.

Related: Botnets accelerate business-logic hacking

No matter how many staff training sessions and security tools IT throws at the phishing problem, a certain percentage of users continues to click on their malicious links and attachments or approve their bogus payment requests.

A case in point: With business losses totaling a staggering $2.4 billion, Business Email Compromise (BEC) was the most financially damaging Internet crime for the seventh year in a row, according to the FBI’s 2022 Internet Crime Report.

BEC uses phishing to trick users into approving bogus business payments to attackers’ accounts. BEC succeeds despite years of training users to recognize and address BEC emails properly and next-generation tools that harness AI, machine learning, and natural language processing to block phishing and BEC attempts.

The truth is that neither humans nor machines will ever be 100 percent successful at tackling the phishing and BEC challenge. Even harnessing both side by side has not proven 100 percent effective.

What is the answer? Meld humans and AI tools into a single potent weapon that can beat the clock and catch just about every phishing email and BEC that attackers throw at it. Let’s examine how each of these strategies works and why both working together stands the best chance of solving the problem.

Leveraging AI/ML

Most people have a pretty good idea how phishing emails and BEC use social engineering to trick their unwitting victims. After extensive research and target identification, the attacker sends an innocent looking email to the victim, who is often someone in the finance department.

The email appears to come from the CEO, CFO, or a supplier, who requests with great urgency that the recipient update a supplier, partner, employee, or customer bank account number (to the attacker’s) or pay a phony late invoice. Thanks to careful research, the invoice is likely to look very convincing.

Legacy secure email gateways (SEGs) miss these phishing emails because they lack the malicious attachments and links these tools typically look for. SEGs are also only good at identifying widely known threats and require a lot of time and resources to maintain.

A more recent alternative, next-generation email security tools, uses advanced AI/ML with natural language processing, visual scanning, and behavioral analysis to recognize potential phishing emails.

Machine learning identifies and even predicts advanced attacks simply by analyzing large data sets, including emails, for similarities, correlations, trends, and anomalies. It requires few instructions and little maintenance.

As with many security tools, however, machine learning often fails to identify zero-day attacks (in this case spear phishing emails) if they’re different enough from previous ones.

With new types of phishing emails released by millions of attackers daily, it’s no surprise that a few get past the best designed ML models. ML can catch 99 percent of phishing emails, but you need more help to catch the remaining one percent.

Human-machine melding

Fortunately, it turns out that while some people can be fooled by phishing emails, others are adept at spotting suspicious emails and the phishing attempts that ML often misses. Multiply that human capability by thousands across hundreds of organizations of all sizes and you can create a very valuable threat intelligence system.

Such a system could potentially feed new phishing information right back into the machine learning models in real time, so they can start identifying similar phishing exploits immediately. Obviously, a machine learning system trained on phishing information only seconds or minutes old will spot potential zero-day attacks much more competently and rapidly than a machine with information that is days or weeks old.

The key is to meld the capabilities of human and machine into one, as the two working side by side with no interaction cannot be nearly as effective. This melded process must constitute a constant feedback loop with an army of hundreds of thousands of human eyeballs.

The only way to solve a problem that grows exponentially is with a solution that grows exponentially as well. This is a similar strategy used by Waze, Google Maps, and Uber to keep users out of heavy traffic and allow them to share rides.

No doubt phishing and BEC will continue to grow in both frequency and sophistication. Technology and humans cannot catch all of them alone, but working tightly together they can come very close.

About the essayist: Lomy Ovadia is Senior Vice President of Research and Development at Ironscales, an Atlanta-based email security company.

Cybercriminals are becoming more creative as cybersecurity analysts adapt quickly to new ransomware strategies.

Related: How training can mitigate targeted attacks

Ransomware has evolved from classic attacks to more innovative approaches to navigate reinforced security infrastructure.

Here’s how hackers are crafting new ransomware extortion tactics to keep analysts on their toes:

Data exfiltration is no more. Most ransomware attacks follow a familiar formula — the hacker gets into a network, grabs data and takes it out to hold onto until the company pays. This storyline is flipped on its head if ransomware hackers decide to destroy information when companies don’t pay the ransom.

This tactic, known as data destruction, raises the stakes, particularly for organizations that had no proper backup protocols in place before the attack. It is worse still if hackers remain in the network and, instead of taking any information out, stay and destroy everything from within.

This method means hackers don’t need to create additional infrastructure to combat new security methods. Once they’re in, they can delete everything in the attack’s wake.

However, companies can teach employees proper backup techniques, and IT departments can institute rules for an ideal recovery time objective (RTO). That way, recovery will not exceed the maximum tolerable time before irreversible damage is done.

Double extortion is twice the ransom. Hackers continue to find more ways to make up for the rising costs of cybercriminal activity by making ransoms cost double. They do this by encrypting the stolen data and forcing victims to pay for a decryption key on top of the ransom fee.

There are ways to decrypt the data without paying this portion of the ransom, utilizing programs that perform actions like changing file extensions to manipulate them to a usable format.

There is even triple extortion. A therapy center in southwestern Finland was the first hit by this intense variation of the ransomware attack. The hacker added another layer of extortion by making the center pay, as well as the individual victims whose files the hacker held.

Governments expect ransomware attacks to cost more than $265 billion by 2031, meaning every dollar invested now to prepare will not be wasted paying ransoms.

Physical intimidation for enhanced digital attacks. Imagine if a ransomware attack happened in a business and a physical ransom note appeared out of the printer among a stack of analytics reports.

What could have been contained to management and the IT department is now known to every employee, causing hysteria and potentially leaking the news to local reporters.

This is the aim of physical intimidation attacks with ransomware. It also causes victims to remain distracted, buying the hacker time to solidify their position in the attack. The more time they buy with physical distractions, the less time the victims have to consider how they will or won’t pay the ransom.

During this frenzy, hackers could initiate a ransom distributed denial-of-service (DDoS) attack, adding more stressors to the already intense situation.

Every moment focused on reaching out to authorities or attempting to find freelance analysts when a company should have had a business continuity plan in place gives cybercriminals more opportunities to take advantage of more information.

Diversifying ransomware attacks. Analysts must take the time to educate themselves about new and upcoming risks. When a unique tactic appears, they cannot waste time lingering in surprise when they need to take action to stop the threat.

Investing in solid cybersecurity, crafting a business continuity plan and staying informed about current trends will save companies millions, if not billions, of dollars. Businesses and individuals can work collaboratively, sharing their experiences so that everyone gains a broader understanding of ransomware extortion tactics and can prepare equally.

About the essayist: Zac Amos writes about cybersecurity and the tech industry, and he is the Features Editor at ReHack. Follow him on Twitter or LinkedIn for more articles on emerging cybersecurity trends.