
Mary K. Pratt
Contributing writer

6 things hackers know that they don’t want security pros to know that they know

Feature
04 Sep 2024 | 10 mins
CSO and CISO | Hacking | Security Practices

Hackers bring key knowledge about their targets to their nefarious trade and CISOs should consider that reality when building their own defensive strategies.

[Image: hacker in a room. Credit: DC Studio / Shutterstock]

Security professionals have good insights into the technical tactics, techniques, and procedures (TTPs) that threat actors use to launch cyberattacks. They are likewise well-versed in key defensive strategies, such as prioritizing patching based on risk and implementing a zero-trust approach.

But the world of enterprise security collectively seems to remain one step behind the hackers, who continue to successfully launch a growing number of attacks year over year.

Here’s one reason why: many CISOs underappreciate, overlook, and sometimes underestimate all the knowledge that hackers are bringing to the table — the nontechnical insights that they’re using to gain the upper hand.

“Hackers know that the average CISO has a lot on their plates and they don’t have enough [resources] to get everything done. So CISOs really have to pay attention to what hackers are doing and what they know so they can best defend against them,” says Stephanie “Snow” Carruthers, chief people hacker at IBM.

What, then, do hackers know that may not get enough credence? According to security researchers, here are six strategies that hackers employ to craft their attacks that may not be on a CISO’s radar.

Organizations don’t train aggressively enough for the way hackers actually attack

When COVID hit, executives focused on shepherding their organizations and employees safely through the crisis. Hackers, on the other hand, saw an opportunity to exploit.

In fact, hackers willingly seize on any vulnerability they can — no matter how low, says Erik J. Huffman, founder of cybersecurity services firm Handshake Leadership. They’re willing to take down the CEO, embarrass the CFO, ruin careers, and cripple critical services to get what they want.

“Criminals are stooping to levels we didn’t expect them to stoop to,” Huffman says.

Most CISOs haven’t internalized that fact, even if they’re aware of it, Huffman says. Instead, they generally craft anti-phishing campaigns, security awareness training programs, and security drills that don’t incorporate below-the-belt punches. For example, they generally don’t devise highly personalized emails that mimic targeted phishing campaigns because it might be perceived as an overly aggressive move.

That’s a mistake, and it’s one that hackers exploit because “they’re willing to attack in ways that CISOs don’t. That means we don’t quite train how the fight is happening,” Huffman says. He advises security executives to devise anti-phishing campaigns, simulations, and drills that more closely mimic the down-and-dirty strategies that hackers use. “Take the gloves off; really challenge your team.”

Hackers know the best times to attack based on your schedule

It’s not a coincidence that many attacks happen at the most challenging of times. Hackers really do increase their attacks on weekends and holidays when security teams are lean. And they’re more likely to strike right before lunchtime and end-of-day, when workers are rushing and consequently less attentive to red flags indicating a phishing attack or fraudulent activity.

“Hackers typically deploy their attacks during those times because they’re less likely to be noticed,” says Melissa DeOrio, global threat intelligence lead at S-RM, a global intelligence and cybersecurity consultancy.

DeOrio acknowledges that many hackers are located in countries whose daytime work hours neatly coincide with the nonworking hours in the Americas and Western Europe. But she says evidence shows hackers do indeed take advantage of that difference by calculating the timing of their attacks.

Additionally, threat actors look for periods of organizational change (i.e., mergers, acquisitions, layoffs, etc.) to exploit, says Tomer Bar, vice president of security research at SafeBreach. “Threat actors will try to launch an attack at the most difficult time for the CISO and the blue team.”

Although CISOs generally know that hackers time their attacks, experts say some may be unaware of just how strategic hackers are when it comes to researching and plotting opportune times. Moreover, Bar says CISOs may not be as attentive as they should be to this issue.

To counter this hacker strategy, longtime security leaders advise CISOs to account for it in their own defense strategies. They should leverage third-party services during off-business hours to complement the security team’s work schedule, add more automation to boost staff efficiency at all hours, add extra layers of security such as more monitoring or tighter filters at times of heightened risk, ensure priority security work happens before busy times such as holidays, and educate all staffers about the heightened risks that exist during such times.

DeOrio also recommends running an incident response drill as if the incident was happening at a particularly problematic time — perhaps the middle of the night during summer vacation season — so that the security team can identify and close any gaps in its response.
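One concrete way to act on the advice above (tighter filters and more monitoring at times of heightened risk) is to weight alerts by when they occur, so that the same event scores higher on a weekend, a holiday, overnight, or in the rushed windows before lunch and at end of day that the article describes. The following is an added example, not code from the article or from any of the firms quoted in it; the log format, the holiday calendar, the business hours, the rush windows and the severity weights are all constructed assumptions that a real deployment would replace with its own.

```python
"""Time-aware alert weighting: score security events higher when they land
in the windows the article says attackers favour (weekends, holidays,
overnight, just before lunch, end of day).

Added example. The log format, holiday list, business hours and weights
below are constructed assumptions, not values from the article."""
from datetime import date, datetime, time

# Constructed assumptions: local business hours and "rushed" windows.
BUSINESS_START, BUSINESS_END = time(9, 0), time(17, 0)
RUSH_WINDOWS = [(time(11, 30), time(13, 0)), (time(16, 0), time(17, 30))]
# Constructed holiday calendar (placeholder dates, not a real calendar).
HOLIDAYS = {date(2024, 12, 25), date(2024, 1, 1)}
# Constructed base severity per event type.
BASE_SEVERITY = {"login_failed": 2, "login_success": 1,
                 "mfa_reset": 5, "wire_request": 6}

# Constructed sample log lines: "<ISO timestamp> key=value ...".
SAMPLE_LOG = [
    "2024-09-07T03:12:00 user=alice action=login_failed src=203.0.113.5",   # Saturday, 03:12
    "2024-09-04T12:05:00 user=bob action=wire_request src=198.51.100.7",    # weekday, pre-lunch
    "2024-09-04T10:00:00 user=carol action=login_success src=198.51.100.8", # weekday, mid-morning
    "2024-12-25T16:30:00 user=dave action=mfa_reset src=203.0.113.9",       # holiday, end of day
]


def risk_multiplier(ts: datetime) -> float:
    """Return >1.0 when the timestamp falls in a lean-staffing or rushed window."""
    mult = 1.0
    if ts.date() in HOLIDAYS or ts.weekday() >= 5:        # weekend or holiday
        mult *= 2.0
    elif not (BUSINESS_START <= ts.time() < BUSINESS_END):  # overnight on a workday
        mult *= 1.5
    for start, end in RUSH_WINDOWS:                       # lunchtime / end-of-day rush
        if start <= ts.time() < end:
            mult *= 1.25
            break
    return mult


def parse_line(line: str) -> dict:
    """Parse one constructed log line into a dict with a datetime under 'ts'."""
    ts_text, *fields = line.split()
    event = {"ts": datetime.fromisoformat(ts_text)}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def score_event(line: str) -> float:
    """Base severity of the event type times the timing multiplier."""
    event = parse_line(line)
    return BASE_SEVERITY.get(event.get("action"), 1) * risk_multiplier(event["ts"])


def triage(lines, threshold: float = 4.0):
    """Return the lines whose weighted score meets the threshold, highest first."""
    scored = [(score_event(line), line) for line in lines]
    return [line for score, line in sorted(scored, reverse=True) if score >= threshold]


if __name__ == "__main__":
    for line in triage(SAMPLE_LOG):
        print(f"{score_event(line):5.2f}  {line}")
```

The multipliers are deliberately coarse: the point is that the same failed login or wire request is reviewed sooner when it arrives at 03:12 on a Saturday than at 10:00 on a Wednesday, which is the "tighter filters at times of heightened risk" the section recommends, expressed as a rule the SOC can tune.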

Hackers gather lots of intelligence on your organization

Threat actors actively engage in open-source intelligence (OSINT) gathering, looking for information they can use to devise attacks, Carruthers says. It’s not surprising that hackers look for news about transformative events such as big layoffs, mergers and the like, she says. But CISOs, their teams and other executives may be surprised to learn that hackers also look for news about seemingly innocuous events such as technology implementations, new partnerships, hiring sprees, and executive schedules that could reveal when they’re out of the office.

Granted, such low-level activities don’t produce the same worker anxiety or organizational confusion that downsizing and M&As do — and, thus, don’t present the same opportunities for hackers. However, Carruthers says they still create changes that hackers can use to their advantage. “They all breed opportunities for attackers.”

Carruthers knows firsthand how effective such hacker strategies are. Her team of ethical hackers runs exercises that start by gathering information from six months’ worth of announcements, blogs, social media posts, and online forums where employees share their own thoughts. Then her team determines where and how to strike based on that information-gathering, just as hackers would. She says her team might use something positive against the company by crafting a phishing campaign that says a popular employee perk is ending. Or the team might seize on a migration to a new technology to more easily get employees to share login or credential information.

Although CISOs can’t shut off the flow of news, they can counter hackers’ ability to successfully use it against their organizations, Carruthers says. They can monitor OSINT about their organizations, work with other executives on announcements and the timing of those announcements, and run simulations on how such announcements play out from a business perspective. All that helps CISOs and their teams see what hackers see, better understand their thinking and prepare for possible targeted attacks.

Today’s corporate culture works in the hackers’ favor

Security awareness training typically instructs individuals to take time to review emails or think through requests to help determine whether a request is legitimate or suspicious. Yet workplace culture today generally works against that approach, Huffman says. “We praise ourselves for putting ourselves in an emotional hot state,” he says, pointing to job postings that use phrases such as “fast-paced,” “dynamic” and “high-intensity” to describe the workplace culture as evidence.

Employees in such environments don’t have — nor are they encouraged to take — extra time to evaluate incoming messages (whether they’re via email, phone, video, text, etc.), Huffman says. “And that’s why hackers are successful: they catch us in constant emotional hot states when you’re clicking through 1,000 emails.”

CISOs and their executive colleagues could create a more secure organization by lowering the temperature.

“Most companies I consult with don’t understand how hard their teams are working and how much pressure their teams are under. They think they have great cultures but little do they know their teams are working overtime. But if they encourage them to slow down, if they can [identify] what can wait for tomorrow, if they could allow people to relax, they’d do better securing [their organization],” Huffman says.

Deepfakes really work

Deepfakes are absolutely good enough to trick employees, as evidenced by reports earlier this year that an employee at British engineering firm Arup was duped by scammers who used a deepfake of the company’s CFO to request a $25-million transfer.

“Deep fakes have been around for almost 10 years but the technology has gotten much better,” says Kev Breen, who as senior director of cyber threat research at Immersive Labs researches new and emerging cyber threats. He notes that deepfake audios are particularly mature today. “A deepfake video is still hard to do, but it doesn’t take much audio to create convincing clips.”

He says most CISOs are aware that audio and video deepfakes are now good enough to be convincing but many other executives and employees aren’t as aware of this emerging threat. And while these deepfake attacks are highly targeted, hackers are counting on that widespread lack of awareness to help boost their success rates.

Although security tools to detect and block deepfakes don’t exist, CISOs can blunt the threat by educating workers on the threat and on how to detect possible deepfake audio and video, as well as by updating protocols around business processes such as money transfers to ensure those requesting such actions are legitimate.

Companies forget to make controls independent

Defense-in-depth can boost an organization’s security posture, yet many organizations aren’t getting that benefit because their controls aren’t independent, says Lou Steinberg, founder and managing partner of CTM Insights, a cybersecurity research lab and incubator, as well as a member of MITRE’s Science & Technology Advisory Committee and former TD Ameritrade CTO.

“I’ve seen cases where what should be independent controls are all run on the same box. And hackers know when they compromise that one server, they can compromise multiple controls all at once,” Steinberg says.

He also worked with one company in the past where a penetration test revealed that a network control and a non-network control were both running on the same on-premises server.

“Both controls could get bypassed together, which isn’t good,” he says.

He also has heard of similar scenarios in the cloud, where the credentials for a security control, such as a cloud access security broker (CASB) or a web application firewall, were the same as the credentials for the organization’s cloud administrator.

Steinberg says closing this security gap is relatively easy: make sure controls are independent, so that a compromise of one doesn’t compromise any others and the organization truly has defense in depth — and not just the illusion of it.
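The two failure modes this section describes, controls co-located on one server and controls sharing the cloud administrator’s credentials, are both visible in a plain inventory of controls once you look for shared dependencies. The following is an added example, not code from the article or from CTM Insights; the `Control` schema, the sample inventory, and the set of admin identities are constructed assumptions standing in for whatever asset and identity inventory an organization actually keeps.

```python
"""Check whether security controls are actually independent: flag controls
that share a host, share a credential, or run under an admin identity, and
compute the blast radius of losing any one host or credential.

Added example. The Control schema, INVENTORY and ADMIN_CREDENTIALS below are
constructed assumptions, not data from the article."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    name: str
    host: str        # server, VM or tenant the control runs on
    credential: str  # identity the control authenticates with
    layer: str       # e.g. "network", "endpoint", "cloud"


# Constructed sample inventory echoing the scenarios in the section above.
INVENTORY = [
    Control("firewall-policy-engine", "srv-01", "svc-fw", "network"),
    Control("file-integrity-monitor", "srv-01", "svc-fim", "endpoint"),  # same box as the firewall
    Control("casb", "casb-saas", "cloud-admin", "cloud"),                 # reuses the admin identity
    Control("waf", "cloud-edge", "cloud-admin", "cloud"),                 # and so does the WAF
    Control("edr", "srv-02", "svc-edr", "endpoint"),
]
ADMIN_CREDENTIALS = {"cloud-admin"}  # constructed: identities that must never run a control


def shared_by(controls, attr):
    """Map each value of `attr` to the names of controls sharing it (2+ only)."""
    groups = defaultdict(list)
    for control in controls:
        groups[getattr(control, attr)].append(control.name)
    return {key: sorted(names) for key, names in groups.items() if len(names) > 1}


def blast_radius(controls, attr, value):
    """Names of every control lost if the given host or credential is compromised."""
    return sorted(c.name for c in controls if getattr(c, attr) == value)


def independence_findings(controls, admin_creds=ADMIN_CREDENTIALS):
    """Human-readable findings; an empty list means the controls are independent."""
    findings = []
    for host, names in sorted(shared_by(controls, "host").items()):
        findings.append(f"shared host {host}: {', '.join(names)}")
    for cred, names in sorted(shared_by(controls, "credential").items()):
        findings.append(f"shared credential {cred}: {', '.join(names)}")
    for control in controls:
        if control.credential in admin_creds:
            findings.append(f"control {control.name} runs under admin identity {control.credential}")
    return findings


def is_independent(controls, admin_creds=ADMIN_CREDENTIALS) -> bool:
    return not independence_findings(controls, admin_creds)


if __name__ == "__main__":
    for finding in independence_findings(INVENTORY):
        print("FINDING:", finding)
    print("losing srv-01 takes down:", blast_radius(INVENTORY, "host", "srv-01"))
```

Run against the constructed inventory, the check reports the two controls on `srv-01`, the credential shared by the CASB and the WAF, and the two controls running as `cloud-admin`; fixing the inventory so that every control has its own host and its own least-privilege identity makes `is_independent` return true, which is the "defense in depth, not the illusion of it" test the section ends on.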