Cybersecurity threats are on the rise globally, with ransomware continuing to be the top cyber threat in 2023, according to Ashraf Koheil, Group-IB Regional Sales Director, META. In an interview with CIO Africa, Koheil discussed the increasing sophistication of cyber-attacks and the steps organizations can take to improve their cybersecurity posture.
Koheil emphasized the need for organizations to focus on two pillars, awareness building (including education) and innovation (technology stack), to maximize ROI. Koheil also talked about the emergence of Managed Extended Detection & Response (MXDR) solutions, the growing role of initial access brokers in ransomware attacks, and the widening cybersecurity maturity gap. He also highlighted the importance of the human factor in cybersecurity, including employee education and upskilling.
1: What are the biggest cyber security threats that organizations should be aware of in 2023?
Group-IB believes that ransomware will continue to be the top cyber threat to organizations and businesses across the globe in 2023. In the latest edition of our annual Hi-Tech Crime Trends Report, Group-IB researchers discovered that 2,886 companies were the victims of ransomware-related data leaks – when their data is published on the dedicated leak sites of ransomware groups – between H2 2021 and H1 2022, a 22 per cent increase year-on-year.
The actual number of companies and organizations that are the victims of ransomware attacks and do not have their files published online is much higher. Ransomware attacks are so dangerous because of the severe financial and reputational damage that the threat actors utilizing this malware can leave in their wake, along with any potential regulatory action. We are seeing ransom demands issued to companies or organizations that have been affected by ransomware now reach tens of millions of dollars.
Another major threat that organizations face is the lack of user education among their employees. No matter what investment an organization makes in their cybersecurity posture, all it takes is for one employee to open a phishing link to cause a major breach. To that end, our goal is to make sure that cybersecurity is viewed as more than just deploying the latest technologies. To maximize ROI, corporate cybersecurity policy should rest on two pillars: awareness building (including education) and innovation (technology stack). Cybersecurity policy and investment should be at the forefront of an organization’s core aims in 2023. The risks are simply too great.
2: How has the cyber security landscape changed in the last year, and what new trends and technologies have emerged?
We are seeing Managed Extended Detection & Response (MXDR) solutions take centre stage and become a core technology that companies and organizations are looking to implement. MXDR works to complement or cover gaps in an organization’s security operations centre (SOC) by identifying threats in real-time and providing coverage for email, network traffic, and endpoints. As we go forward, we are also seeing a convergence of information technology and operational technology security.
When it comes to malware, we’ve observed a significant trend towards the greater use of information stealers. An info stealer is a type of malware that collects credentials stored in browsers, such as logins, passwords, cookies, and in some cases, bank card details and crypto wallet credentials. All this data is sent to the operator of the malware, and, once a successful attack is launched, the scammers either obtain money themselves using the stolen data, or they sell the stolen information on to other cybercriminals. These are simple but effective pieces of malware that can be bought for an extremely low price, which is exactly why they are becoming an increasingly popular tool in a cybercriminal’s toolbox. During H2 2021 – H1 2022, more than 96 million stealer logs were offered for sale on the cybercriminal underground.
Another trend that Group-IB researchers have observed over the past year is the growing role initial access brokers are playing in ransomware attacks. Initial access brokers play the role of oil producers for the whole underground economy. They fuel and facilitate the operations of other criminals, such as ransomware gangs and nation-state adversaries, as they sell access to compromised accounts in major companies and organizations. In H2 2021 – H1 2022, Group-IB specialists discovered 2,348 instances of corporate access put up for sale on the underground market, more than double the amount offered in the preceding period.
3: How do you see the future of cyber security evolving over the next few years, and what impact will this have on organizations?
In the Middle East and Africa, we have seen governments make significant progress in their digital transformation journeys, and leading companies are devoting ever-greater financial and human resources to information security and risk management. At this stage, we are seeing a greater emphasis on industry-driven innovation rather than vendor-driven innovation.
Cybersecurity vendors are beginning to re-adjust their offerings to serve core industries such as digital government, BFSI, telecommunications, and oil and gas. Market leaders in these sectors know what they require from a cybersecurity perspective, and they are informing vendors of their demands.
Over the next few years, we are also likely to see a widening of the cybersecurity maturity gap. In all markets, buyers of cybersecurity solutions fall into three tiers. Tier one includes highly proactive enterprises that prioritize cybersecurity. Tier two features enterprises that adopt cybersecurity solutions as a box-ticking exercise to ensure compliance. Finally, tier three organizations are still trying to secure the resources and budget necessary to keep up with compliance requirements. The gap between these tiers is widening, putting greater numbers of organizations in the lower two tiers at risk, especially as the global attack surface grows amid the continued digitalization of services.
4: What steps can organizations take to improve their cyber security posture in light of the increasing sophistication of cyber-attacks?
The procurement of high-quality vendor solutions helps an organization’s security team stay up to date with current and emerging threats, and gives them a toolset to make their operations more time-effective. Such tools include monitoring of the Darknet for the sale of their employees’ credentials, access to their networks, compromised payment records in the case of financial organizations, etc.
However, the human factor is no less important. Regardless of how much an organization invests in cybersecurity, the actions of a single employee who mistakenly opens a link in a phishing email can cause millions of dollars of financial damage and invaluable reputational loss. Enterprises must take ownership of their security and educate their employees on cyber hygiene practices, invest in executive education, upskill their IT and security teams, run incident response training and readiness exercises, and perhaps most importantly, treat cybersecurity as a key performance indicator.
5: What role do artificial intelligence and machine learning play in cyber security, and how are these technologies being used to improve security?
Artificial intelligence and machine learning are already playing a major role in cybersecurity, and we recognized this from an early stage at Group-IB. They make up an integral part of many of our technologies, and our innovative machine-learning algorithms, behavioural monitoring, and neural-based detectors allow us to be constantly aware of any new or emerging threats.
Over the next year, more and more companies will likely adopt cybersecurity solutions that integrate AI and ML. However, as AI continues to mature, policy covering standards and governance needs to be agreed upon, tightened, and well communicated, in order for us to be able to safely leverage this technology to enhance the predictive capabilities of cybersecurity solutions.
6: Can you discuss a recent cyber security breach that had a significant impact, and what lessons can be learned from it?
In late 2022, together with the Orange CERT Coordination Center, Group-IB published its research into a financially-motivated threat actor named OPERA1ER, a French-speaking hacker group that successfully breached at least 35 banks and telecommunications companies between 2018 and 2022. The bulk of the victims were in West Africa, but the group successfully hit targets in Latin America and Asia as well.
OPERA1ER is confirmed to have stolen at least $11 million from affected companies, although it is crucial to underscore that the damage done to the affected enterprises is not just measured in dollars. While we can calculate the approximate value of the money stolen from these companies, the reputational damage caused is major, albeit unquantifiable. Attacks such as these can lead to a significant drop in consumer confidence in a brand, setting them back two or three years.
Another key takeaway from this attack was that OPERA1ER started all of their attacks with high-quality spear phishing emails targeting specific teams within an organization. The emails were written in French and were highly convincing. The pace of development across Africa is ramping up, and the continued investment in the region makes it an increasingly attractive target for cybercriminals. Organizations and companies in Africa, as is the case across the globe, need to take the growing threat of cyberattacks seriously, and look to invest in robust threat detection and response solutions.
7: What advice would you give to companies to help them better prepare for and respond to a cyber security incident?
Education is vital. As the OPERA1ER campaign shows, employees are often the weakest link in the digital security of an organization. Enterprises should strive to create a culture of cybersecurity, empower and motivate their employees to take cybersecurity seriously, and upskill them to identify and respond to the threats that they encounter during their everyday work. We call for a culture transformation, whereby cybersecurity becomes everyone’s problem in an organization to ensure cyber vigilance.
Companies should also plan correctly. Part of this planning includes crafting a comprehensive cybersecurity plan that is not just written on paper, but also tested and updated to ensure its effectiveness. Compromise assessments and penetration testing exercises are two examples of how an organization can gain visibility of their cybersecurity posture, understand where their weaknesses and vulnerabilities lie, and rectify them accordingly.
In order to recover from a cybersecurity incident, it is critical for the affected company, first of all, to understand how its network was compromised and what assets were accessed and stolen. To answer this question, victims should seek the services of a Digital Forensics and Incident Response team that has high-quality expertise and ‘battlefield’ experience. Doing this quickly is vital, because when attackers hit your company, every second counts. Perhaps the most vital part of incident response is the post-incident period. Many companies think that once their networks have been cleared of malware and passwords have been changed, the attack is over, but security teams need to implement all the necessary changes to ensure that malicious actors cannot exploit the same vulnerabilities down the line.
Do you want to gain insights into best practices for securing your organization’s data? Join dx5 (formerly CIO Africa) at the Africa Cloud and Security Summit on March 16 and 17 at the Mercure Hotel (formerly Crowne Plaza) in Nairobi! Come learn from industry experts about the latest trends in cloud computing and security, and network with other professionals.