Spying is the new hacking: Here's how to fight back

How can businesses defend themselves from hackers using traditional espionage techniques?
Written by Danny Palmer, Senior Writer

Education goes a long way to protect yourself from the wide variety of cyberthreats out there.

Image: Thea Savi, Getty Images/iStockphoto

Once upon a time it was much easier to stay safe online; as long as you used an up-to-date antivirus package and were careful how you acted on the internet, you could expect to stay safe.

But now things have changed: new forms of malware and viruses appear every single day. Meanwhile the rise of social media means everything from your pet's name to what you did at the weekend is online and could be exploited by cybercriminals to hack your devices and services.

Increasingly, cybercriminals are using spying techniques more commonly associated with intelligence agencies to identify relevant information about you and your life and turn that around to attack you.

"There are no hackers, they're all gone -- there are only spies," says Eric O'Neill, national security strategist for Carbon Black and a former FBI counter-intelligence operative.

"The new hackers are using traditional espionage techniques and they're blending it with advanced cyber penetrations in order to steal information," he says, adding "just ask the DNC".

Antivirus software was previously able to react to malicious activity, but according to O'Neill, the rise of phishing and other social engineering techniques means companies are becoming more vulnerable to hackers than ever.

Ultimately, he argues, if a person can't tell whether an email is bogus -- and in many cases they can't -- then antivirus has no chance.

"Antivirus can't stop spear phishing if I'm going to leverage spy tradecraft, if I'm going to learn about you and learn everything I can from your social media accounts. And when I send a spear phishing email to you, it's going to look like it's from one of your pals. Once [cybercriminals] get in [to your devices], they get a foothold and antivirus isn't going to touch that," he says.

So how can you stay safe from these threats? For a start, don't uninstall that antivirus yet because it still has a role to play.

"Many attacks can be ruled out by antivirus clients," says Dr. Siraj Ahmed Shaikh, reader in cybersecurity at Coventry University.

At the most fundamental level, some sort of protection software is still required for any computer connected to the internet, especially when you consider the sheer number of systems shipped and the amount of patching required to ensure they're up to date.

"The role of a traditional antivirus is still useful because when you buy a computer, it's already out of date because there have been so many patches since the software was released. Antivirus at least does a good job of raising the threshold, raising the minimum bar of our security systems," says Dr. Shaikh.

But if protective software can't be relied on to detect sophisticated attempts at coercion, how do we begin to take on the threat posed by cybercriminals attempting to trick people with espionage? The answer lies in education -- training people to recognise what might be suspicious and to report it.

"It's about raising awareness that these emails are coming in and how sophisticated they can be. It's about using examples, showing these emails, and breaking them down to show where the red flags are," says cybersecurity consultant Dr Jessica Barker.

It's also important to teach people that in the vast majority of cases, only those with malicious intent will ask for credentials and passwords to be sent over email. Even within an organisation, it's unlikely that another department is going to ask for your login credentials over email.

"It's about encouraging people that no company will ask you for your login details -- but if they do, you should find another way of contacting them," she says, detailing a simple way people can avoid falling victim to a phishing attempt. Within an organisation, that's as simple as talking to the department where the email is said to be from.

It's also important to make sure employees are aware they can come forward if they think they've fallen victim to phishing, because no matter what training is provided, it just takes one person clicking on a malicious link or accidentally providing corporate credentials to a criminal to breach a whole corporation's network.

"What you need to do is build a culture when someone can immediately report that they've clicked a link they're worried they shouldn't have, and people feel safe to question and not be punished," says Dr Barker. An organisation taking this approach can then move to minimise damage sooner rather than later.

"If you have an incident like that, where you get a phishing email and someone clicks the link, you can respond quickly and minimise the damage, whereas if someone doesn't speak up, it's harder to mitigate any damage."

For O'Neill, however, there's only one way that the enterprise and cybersecurity providers will ensure that they remain secure -- and that's by using a similar level of intelligence to defend organisations.

"We need to think about spies, leverage human intelligence, not just machines. We need to start with human intelligence and use software to augment that," he says.
