Imagine the scene: you arrive at your desk to find a package, likely from a source. You carefully slice open the envelope to reveal a USB drive. Sensing a story, you go to plug it in. As a journalist, you’re hungry to crack open a corruption case or uncover proof of wrongdoing in the halls of power.
Instead, a flash of light and a crack of sound followed by complete and total confusion.
When news broke last month that unknown actors were mailing exploding USB sticks to newsrooms in Ecuador, I remarked to a colleague and on LinkedIn that it fits a pattern of threat actors returning to their old tricks to attack their targets.
While explosive capabilities may be new, threat actors have been smuggling malicious payloads into USB sticks since at least 2008, a lifetime ago in the security industry. In 2022 and 2023, law enforcement and threat researchers drew the public’s attention to two campaigns using malicious code hidden on USB drives, dubbed BadUSB and PlugX, respectively.
In my experience as the CISO for a hospital group in Singapore, these incidents are part of a trend of cybercriminals continuing to rely on decades-old tactics to compromise their targets.
Attackers going against the grain
In recent years, the prevailing narrative has been that cybersecurity threats are becoming more sophisticated and attackers have become better armed. Take a recent scare in the U.S. over “juice jacking,” or snooping via compromised public USB chargers in places like airports. While this may seem like a slick new maneuver, it has actually been happening since around 2011. Indeed, many of the techniques hackers use today are not new. Instead, they rely on time-tested tricks – and tactics – that have been used to compromise targets for decades.
Malware, including viruses, Trojans, and ransomware, was among the original internet threats, but it is still effective simply because so many people are unaware of the risks associated with downloading and installing unknown software. Some users still don’t use anti-malware software. In November 2022, a hospital was infected with malware that halted its operations for days. Meanwhile, the hackers stole confidential information in what’s known as a double extortion attack. Continuous monitoring of devices and applications for suspicious behaviour could have helped mitigate this incident.
Social engineering is another time-worn tactic where attackers use psychological manipulation to trick people into divulging sensitive information or performing actions that compromise their security. In January 2023, a marketing automation company was compromised by multiple social engineering attacks over 12 months, leading to multiple data breaches.
Phishing is a particularly effective subset of social engineering that has proven difficult to eradicate even with modern defenses. Phishing attacks have been around for decades (online and offline), but they are still effective because they are well crafted and designed to look like legitimate communications, and victims are not vigilant enough to detect them. Users must be well informed on how to spot a phish and distinguish it from a genuine message. The Cyber Security Agency of Singapore has published an easy-to-understand article educating the public on phishing prevention.
Finally, another resurgent subset of phishing is business email compromise (BEC). BEC scams involve hackers impersonating a trusted person within a company and sending emails to trick the victim into revealing sensitive information or transferring money. This technique is increasingly effective as pretext emails become easier to craft and users fail to remain vigilant against them.
None of these techniques is new, yet they are behind the vast majority of breaches, suggesting legacy defenses haven’t been as successful as we would like to think.
Modern solutions for (relatively) ancient problems
Fortunately, we can refine our approach to help mitigate even long-standing threats. One powerful rethink involves a combination of zero trust principles and intensive security awareness training.
Zero trust is a security model that assumes that everything (e.g. every user, device, and application) is untrusted unless proven otherwise. Until then, no resource access is granted. This approach starkly contrasts with traditional security models, which rely on perimeter-based security to keep security incidents out of the network.
Security awareness programs are made up of activities designed to educate individuals about security threats and how to prevent them. They are about establishing a culture of security by providing every employee with the knowledge and skills they need to protect themselves in cyberspace. The goal is to increase awareness of the risks associated with technology use, empowering users to take responsibility for their own security.
A zero-trust security model is one example of how organizations are adapting to meet the changing landscape of cyber threats. It's also important to remember that security awareness programs and education initiatives are critical components of a robust cybersecurity defence. By promoting a culture of security, we can help to prevent social engineering attacks like BEC and minimize the damage from successful attacks.
Even if cyber threats continue to grow in sophistication and frequency, it's crucial to remain vigilant against time-tested techniques. While hackers can continue to rely on what works, cybersecurity leaders don’t have that luxury. We must evolve our approach, or face losing the same battles for the same reasons. By taking a proactive approach and staying informed about the latest threats and trends in cybersecurity, CISOs like myself can better protect ourselves and our organizations from both old and new cyber threats.