FSO PROS

Cybersecurity Awareness Month

10/17/2025

 
Have you ever received a phishing email? If so, you have experienced an attempted cyber-attack.
 
Cyber threats are a very real and persistent risk to us all, both personally and professionally. Cyber-attack attempts happen every single day. They are low-risk and potentially high-reward, and advances in technology have made them easier than ever.
 
No one is immune to a cyber-attack and everyone is a target. Even the most experienced technical professionals can fall victim to a cyber-attack, so vigilance is critical.
 
We must understand what a cyber-attack is, what cyber-criminals hope to gain, how to identify suspicious requests and network activity, and how to implement proper countermeasures to foil their attempts.
 
Understanding Cyber Threats and Attacks
A cyber-criminal is any individual or group that uses technology to commit illegal acts, such as stealing data, conducting fraud, or disrupting services. They can be petty criminals, hackers, terrorists, foreign intelligence agents, or even a compromised insider.
 
Cyber-criminals exploit vulnerabilities to obtain information they can sell or use to exploit people or organizations. They may be lone actors or part of organized, sophisticated teams. They will use anyone, they can attack from anywhere, they can obfuscate their trail, and they may target multiple assets at one time. Worse still, they do this behind a keyboard from a place of total anonymity.
 
A cyber-threat is any malicious act with the intent to steal data, disrupt digital systems, damage information, or gain unauthorized access to a computer network or sensitive data.
 
A cyber-attack is any deliberate attempt to access, damage, or disrupt a computer system, network, or digital device. With technology, the possibilities are endless, and cyber-attacks can be carried out through various methods.
 
Common Types of Cyber-Attacks
  • Phishing/Spear Phishing/Spoofing: Deceptive emails, messages, or websites designed to trick individuals into revealing sensitive information, such as passwords or credit card numbers.
  • Malware: Malicious software like viruses, worms, and spyware that can steal data, disrupt systems, or gain unauthorized access.
  • Ransomware: A type of malware that encrypts a victim's files and demands a ransom for the decryption key.
  • Man-in-the-Middle (MitM) attacks: An attacker secretly intercepts and possibly alters communications between two parties who believe they are communicating directly.
  • Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS): Attacks that overwhelm a server, service, or network with traffic, making it unavailable to its intended users.
  • SQL Injection: A technique where attackers insert malicious SQL code into the queries an application sends to its database in order to execute commands, which can reveal or damage data.
  • Zero-Day Exploit: An attack that targets a vulnerability in software before the developers are aware of it or have had a chance to create a patch.
  • Password Attacks: Attempts to gain access to accounts by guessing passwords or using other methods like "brute force" or keylogging to steal credentials.
 
Cyber-criminals intentionally design their actions to appear harmless and legitimate. They know that humans are a weak link in cybersecurity and count on us being uninformed or simply too busy to pay close attention to their attempts.
 
That email asking you to login and fix your account settings…could be a cyber-attack.
 
That text message from a manager asking you to send them a password they forgot…could be a cyber-attack.
 
That attachment or link you received…could be a cyber-attack.
 
That weird, unexpected phone call asking you to provide or verify information…likely a cyber-attack.
 
That unknown person looking to collaborate on a business opportunity…could be a cyber-attack.
 
 
What is the Goal of a Cyber-Attack?
Ultimately, cyber-criminals want to obtain or steal information that can be sold or used to exploit an individual or organization. They do this for many reasons, such as personal gain, financial gain, espionage, disruption, or to damage reputations. Some go for a simple cash grab. Some want to steal personal, sensitive, or even classified information or technology. Foreign intelligence agents will aggregate unclassified or proprietary data to paint a picture of CUI or classified information.
 
Cyber-criminals will seek personal data, business data, passwords, usernames, bank data, contract data, CUI, classified information, military information, and defense information. Anything that could lead to information they can use is of interest to a cyber-criminal, and even partial data can be helpful.
 
High value targets include, but are not limited to:
  • User login IDs and passwords
  • Personally Identifiable Information (SSN, date of birth, addresses, etc.)
  • Personnel information (Names, contact information, rosters, phone directories, etc.)
  • Financial and Banking information
  • Sensitive organizational documents
  • Proprietary information (Business strategy, financial, human resource, email, and product data)
  • Information regarding U.S. government funded contracts
  • Administrative and user credentials (usernames, passwords, tokens, etc.)
  • Information and Technology (Classified, CUI, Sensitive, Export-Controlled, etc.)
  • Sensitive technological specification documents
  • Classified and unclassified networks (internal and extranets), partner and community portals, websites
  • Military Critical Technology: Any technology that would allow potential adversaries to make significant advances in the development, production, and use of military capabilities
  • Dual Use Technology: Technology that has, or could have, both military and commercial use
 
Spotting a Cyber-Attack
Identifying a potential cyber-attack can be tricky. Cyber-criminals have become increasingly sophisticated in their attempts and will do their best to hide their true intentions. Below are some examples of activities that should raise a red flag.
Phishing/Spear Phishing/Vishing/Smishing/Spoofing/etc.
  • Deceptive emails and messages: Any emails or messages that seem to be from a trusted source but are not. Look for email addresses or phone numbers that do not match with legitimate known info of the trusted source. Be cautious with suspicious links or attachments. Be wary of messages with odd verbiage, significant spelling or grammatical errors, etc.
  • Urgent and suspicious requests: Emails or messages asking you to take immediate action, offering something that seems too good to be true, or pressuring you to provide sensitive or personal information.
 
Unusual System and Performance Issues
  • Slow performance: Your device or network becomes sluggish, freezes, or crashes more often than usual.
  • Disabled security software: Your antivirus, firewall, or endpoint protection suddenly turns off without your input, which indicates an attacker is trying to bypass security measures.
  • Unexpected system behavior: Applications begin crashing, files become inaccessible, or system settings change on their own.
  • Unknown software: New programs, browser toolbars, or applications appear that you did not install.
  • Constant pop-ups: You see frequent pop-up ads or error messages, which can be a sign of malware.
 
Suspicious Network and Internet Activity
  • Abnormal network traffic: You notice unexplained spikes in network activity, or your internet speed is unusually slow. This can indicate a Distributed Denial-of-Service (DDoS) attack or data exfiltration.
  • Redirected searches: Your browser redirects you to unfamiliar search engines or websites.
  • Outgoing spam: Your contacts report receiving strange emails from your account that you did not send.
  • Intelligent pointer movement: Your mouse pointer moves on its own, suggesting remote access by an attacker.
  • Frequent connection to the internet: Your computer or mobile device connects to the internet frequently even when you aren't using it.
  • Unauthorized hardware and software modifications
  • Unauthorized data storage or transmission
  • Unauthorized access to systems or system access attempts
  • Unauthorized disclosure of information
 
Unauthorized Access and Account Changes
  • Locked-out accounts: You find you cannot log in to your accounts, which indicates a password compromise.
  • Unusual account activity: Your credit card, bank statements, or online accounts show unfamiliar transactions or purchases you did not make.
  • Unauthorized payments: You receive requests for payments you did not approve.
  • Credential theft: Multiple failed login attempts occur from unusual locations or at strange times, indicating a brute-force attack.
 
All data is useful to a cyber-criminal in their efforts. They are patient, they are persistent, and they have time. This is why protecting both personal and professional data is imperative.
 
Applying Countermeasures to Protect Against a Cyber-Attack
Countermeasures are critical to safeguarding against cyber-attacks. This is not an exhaustive list, but here are some things that you can do to protect yourself and your organization.
 
All Personnel
  • Remember that everyone is a potential target.
  • Never use default passwords. Make your passwords complex, change them regularly, and don’t reuse them.
  • Never share your passwords with anyone.
  • Never open emails, attachments, or click links from unfamiliar sources, even if they look official.
  • Never install or connect any personal software or hardware to your organization’s network or equipment without permission from your IT department.
  • Report any suspicious or unusual issues with equipment or devices to your IT department immediately.
  • Be extremely cautious when connecting with unknown individuals on social networking sites.
  • Know that Phishing and Spoofing can happen on any account or device, including personal ones.
  • Know what to report and who to report it to within your organization.
 
Management and IT Departments
  • Implement Defense-in-Depth: a layered defense strategy that includes technical, organizational, and operational controls.
  • Apply technical defenses: firewalls, intrusion detection systems, internet content filtering, and a DNS proxy.
  • Update anti-virus software daily and download vendor security patches as soon as they are available.
  • Do not use manufacturer default passwords on software or hardware…change them!
  • Monitor, log, analyze and report attempted and successful intrusions to your systems and networks – even unsuccessful intrusions present a counterintelligence value!
  • Train all personnel on proper cybersecurity procedures, how to spot cyber threats, proper use of social networking, and how to report concerns.
  • Maintain open communication within your organization and encourage reporting of suspicious activity.
  • Be proactive and offensive in your security posture. Defense only is not a comprehensive strategy!
  • Comply with the measures in your company’s technical manuals and Technology Control Plan (TCP).
  • Conduct frequent computer audits. Ideally: Daily / At minimum: Weekly
  • Do not rely on firewalls to protect against all attacks.
  • Avoid responding to any unknown request and report these requests.
  • Disconnect the computer system temporarily in the event of an attack.
  • Report any cyber intrusion attempts appropriately.
 
In many situations, attackers will attempt to disguise themselves as a trustworthy entity and contact their target via email, social media, phone calls (“vishing” / voice-phishing), and text messages (“smishing” / SMS-phishing). Don’t fall for it! Do not click on links in emails or text messages unless you know they are legitimate and safe. If it seems off in any way, verify with the individual through a known and confirmed email address or phone number!
 
Care what you share! Publicly available information helps cyber-criminals and foreign intelligence agents identify people who may potentially have access to information they want. Whether you have access, or not, every one of us is a potential steppingstone. Information on public facing sites can help them identify people of interest, and any information they can obtain from a person of interest is useful to them in putting together a bigger picture.
 
Why Reporting is Critical & How to Report Concerns
Personnel should report any suspected cyber-attack to the company’s IT department and their FSO immediately. A good rule of thumb is: If anything seems off, or you suspect you have been the target of a cyber threat, report it.
 
Organizations that do business with the U.S. Government must report any cyber intrusion or attempted intrusion through proper USG channels. Cyber intrusions must be reported within 24 hours of occurrence!
 
Report all Cyber threat concerns to your organization's IT Dept and FSO!
  
Want to learn more?
Resources and Additional Learning:
  • Cyber Awareness Challenge
  • CDSE Cybersecurity Shorts
  • The Triple Threat: Counterintelligence, Cybersecurity, and Insider Threat
  • Cybersecurity Toolkit
  • Suspicious Emails
  • DCSA Reporting the Threat Slick
  • CISA Cyber Incident Reporting Act
  • DCSA Cyber Threats
  • DFARS 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting
  • DoD Cyber Crime Center – Report a Cyber Incident
  • Case Study Library
  • 32 CFR Part 117 (NISPOM Rule)
  • 32 CFR Part 147 (Adjudicative Guidelines)
 
As always, if you have any questions about whether or not a situation requires reporting, ask your FSO! Your company’s FSO is the best person to help you navigate any questions you have about security compliance, briefing, and reporting requirements. As security professionals, we are here to help you navigate things to ensure you fulfill all requirements.
