Part of a ZDNet Special Feature: A Winning Strategy for Cybersecurity

The hacking strategies that will dominate in 2019

If you thought sophisticated cyber criminal gangs were the only threat to your organisation, think again. Now almost anyone can access the tools to conduct hacking campaigns.

If an organisation is connected to the internet and holds any type of data, it's almost inevitable that it's going to end up in the sights of hackers.

Pretty much any data from personal information and bank details to email addresses and passwords can be attractive to cyber attackers. They could take this information and sell it to others on the dark web, they could use it as a jumping-off point for larger campaigns — they could even dump it in public view, just to cause chaos.

The types of potential attacker are also broader than ever. Some large organisations will need to have the ability to fight off skilled cyber criminal gangs and nation-state backed hacking campaigns. But, for the most part, it's likely that those attempting to breach an organisation won't be the most advanced attackers in the world, especially now that many cyber criminal marketplaces sell do-it-yourself kits. All of this is visible in the two very different hacking trends that will likely dominate this year: first, the mass adoption of sophisticated attacks by much less skilled attackers, and second, hyper-targeted attacks going after particular companies or even individuals.

Strategies and hacking techniques that may have once required specialist expertise are now sold in easy-to-use bundles, complete with tutorials for the non-tech savvy.

"There's an entire as-a-service ecosystem and it's really everywhere. It started as malware as-a-service, but now there's also phishing as-a-service, exploit kits as-a-service, botnets as-a-service. Anyone can mix-and-match their own attacks, almost without knowing anything," says Maya Horowitz, director of threat intelligence and research at security company Check Point Software.

There are various examples of ransomware, malware and other malicious as-a-service campaigns that haven't been conducted by criminal masterminds, but have still caused plenty of damage.

"These tools are available on the open web, not even the dark web — you can really easily get your hands on them," says Horowitz.

When it comes to the entry point for cyber attacks, phishing emails are still the most common means of forcing a way into the network.

Even simple phishing attacks can be surprisingly effective — lures like fake invoices or phoney requests from colleagues or customers are tried-and-tested techniques used by hackers to dupe victims into letting them in.

But with social media profiles and the wider internet providing attackers with vast and free resources to gather operational intelligence about victims, it's entirely possible to scope out individual targets and tailor phishing attacks directly towards them.

Dubbed 'rose phishing', this could potentially supercharge phishing attacks by making it almost impossible for the victim to ignore the bait.

"With rose phishing, people are utilising social media to do that reconnaissance and really digging into it. The reconnaissance provides a much higher return on investment — you have a much higher probability of that person clicking on something of a personal nature about them," says Amanda Fennell, chief security officer at Relativity.

For example, if someone publicly posts that they're on a business trip to a specific city, perhaps even staying at a specific hotel, attackers could take that information and use it to craft a highly specific lure.

"If you travel and post you're at company headquarters in Chicago, next thing you know you could get a targeted email stating you left a document at O'Hare airport. You'd get really worried, it could be very compelling to click on," Fennell explains.

"Or if you post about checking into a hotel in Chicago and then you get an invoice phishing attack [that] references that hotel. That's enough for somebody who is savvy enough to use it to their advantage," she adds.

As with any phishing attack, targeting the right person or people could give attackers the keys to the kingdom, allowing them to slowly but surely make their way across the network for whatever malicious goals they intend to carry out.

But it won't end here: hackers are always looking for new and ingenious ways to conduct campaigns. While organisations may not be able to predict every type of attack vector hackers could use, they can develop a cybersecurity strategy that does the utmost to prevent attacks from being successful, no matter how they're delivered.
