The Lingering Threat: The Resurgence of Old-School Attacks in a Digital Age

The Persistence of Non-Sophisticated Cyber Attacks and the Role of Human Behavior

Introduction

The world of cybersecurity is often focused on new and emerging technologies, such as ChatGPT, and the increasing sophistication of cyber attacks. However, it is important to note that many cybercriminals still rely on non-sophisticated attacks because they are effective. These attacks target human behavior and exploit vulnerabilities through tactics like phishing and credential harvesting. In this report, we will examine the prevalence of these attacks, the role of automation in facilitating them, and offer advice on how individuals and organizations can defend against them.

The Prevalence of Non-Sophisticated Attacks

According to a recent report by the Cybersecurity and Infrastructure Security Agency (CISA), valid account credentials are the root cause of most successful intrusions into critical infrastructure networks and state and local agencies. The compromise of valid credentials, often combined with spear-phishing attacks, accounted for nearly 90% of infiltrations last year. In fact, valid accounts were responsible for 54% of all attacks studied in the agency’s annual risk and vulnerability assessment.

One reason why these attacks continue to be successful is social engineering, which exploits human error. Threat actors are skilled at manipulating individuals into revealing their credentials through tactics like impersonating trusted entities or creating a sense of urgency. As long as human error persists, these attacks will remain a potent threat.

The Role of Automation in Non-Sophisticated Attacks

Automation plays a significant role in enabling non-sophisticated attacks. Cybercriminals are leveraging automation to carry out attacks more quickly and easily. For example, money launderers are automating recruitment campaigns to find their money mules. This level of automation is particularly effective because it relies on user credentials and social engineering, which are easy to automate.

Another example is credential stuffing, a common and effective cyberattack. With automation, cybercriminals can enter stolen usernames and passwords into multiple login fields, gaining unauthorized access to accounts. This attack works because many people reuse the same usernames and passwords across multiple systems. While the success rate may be low, the sheer volume of attempts makes it a viable attack strategy.

In addition, bad actors are increasingly using artificial intelligence (AI) to facilitate various nefarious actions. AI can be used to fool algorithms that identify abnormal network activity or to create convincing deepfake content. The advent of generative AI has also enabled criminals to quickly generate malicious code. These advancements in AI provide an additional layer of sophistication to non-sophisticated attacks.

Defending Against Non-Sophisticated Attacks

Given the continued efficacy of non-sophisticated attacks, organizations and individuals must prioritize bolstering their defenses. One crucial aspect is cyber awareness and hygiene training. Regular training sessions can educate employees on the latest threats, tactics, and best practices. This not only helps protect organizations but also empowers individuals to safeguard themselves in their personal digital lives, particularly with the rise of remote work.

Training programs should emphasize the importance of creating unique usernames and passwords for each application used. This basic practice may seem obvious, but it is essential to reinforce security measures. Additionally, organizations can consider incorporating phishing simulation services to help employees recognize and counter phishing attempts effectively. These services provide real-world simulations that assess users’ knowledge and attention to phishing risks and reinforce corporate processes.

To further strengthen defenses against non-sophisticated attacks, employees should be trained to:

– Watch for typos and grammar mistakes in emails, as these are often signs of phishing attempts.
– Verify the validity of domain names in the sender’s email address to avoid falling for spoofed emails.
– Exercise skepticism and caution with unfamiliar or unexpected phone calls and emails.
– Use a virtual private network (VPN) when connecting to public Wi-Fi to prevent criminals from intercepting sensitive information.
– Refrain from sharing sensitive information like Social Security numbers or credit card details over email or phone calls.

Conclusion

While the cybersecurity landscape is evolving with advanced techniques and technologies, non-sophisticated attacks continue to thrive due to their effectiveness in exploiting human vulnerabilities. Social engineering, phishing, and credential harvesting remain significant threats, as they target human behavior and rely on human error. Automation has further elevated the success rates of these attacks.

To counter these pedestrian threats, organizations must prioritize ongoing cybersecurity awareness training to empower employees with the knowledge and skills needed to identify, counter, and report attacks. Safeguarding both professional and personal digital lives is paramount, particularly with the rise of remote work. While sophisticated attacks may capture headlines, investing in the basics of cybersecurity can provide a strong defense against tried-and-true attack types aided by automation and AI.