With COVID-19 keeping some families and friends apart, and supply chain issues limiting what’s available on store shelves, this might not feel like the normal holiday season to many Americans. But there is one thing that makes this holiday season much like every other holiday season in recent memory – there will be an uptick in cyberattacks and malicious activity.
For the CrowdStrike Incident Response team, the holiday season isn’t a time of rest, relaxation, and peace on Earth. The months of November and December are among the most active for our incident response teams.
That’s not a coincidence. The holidays have long been a time when adversaries, whether nation-state, eCrime, or other malicious groups, ramp up their activities for their own personal or financial gain. But why?
It’s a Holly, Jolly, Horrible Time for a Cyberattack
The answer to that question has actually shifted and changed as the security threats that face organizations have changed over time.
Back when stealing credit card data and information was one of the most lucrative ways for malicious actors to make a living, the holidays provided a fertile hunting ground of financial opportunity for hackers. If they could get malware or malicious code into a retailer’s point of sale or payment processing systems in advance of the holiday shopping season, the amount of credit card data that they could steal and then sell would increase exponentially.
Today, the financial incentive from credit card data has decreased significantly. Instead, malicious actors have moved on to other types of attacks that can generate significantly higher financial payouts for them – attacks like ransomware.
But despite this shift, the holidays are still a hotspot for cyberattacks. That’s because retailers, manufacturers, and other organizations that do the bulk of their business around the holiday season are desperate to keep their operations moving at this critical time for their business.
Let’s say you’re a manufacturing company, a retailer, a shipping company, or any other company that finds itself staffing up to meet holiday demand. Chances are that this time of the year can make or break your balance sheet. A malicious actor taking down your networks, applications, systems, or even infrastructure equipment could put your most profitable period into jeopardy.
If that were your organization, you would be pretty desperate to get the assembly lines, the checkout lines, and the shipping lines moving again. You may consider paying a ransom – any amount less than what you’re losing in revenue – to get things back up and working. Malicious actors know this, and they exploit it for their own financial gain.
Ransomware is extortion. The more valuable the asset that hackers can take control of and deny to their target, the more they can ask for in return, and the more likely it is that their target simply capitulates and pays the demanded ransom. The holiday season provides an opportunity to hit some organizations at the worst possible time – crippling their operations at their most profitable time of the year, and then demanding an exorbitant ransom to return them to normal.
We can see evidence of adversaries exploiting popular holidays in recent cyberattacks. Ferrara, which makes some of America’s most popular and iconic candies, was hit with a ransomware attack right before Halloween. Another American company, JBS Foods, which processes and distributes meat products, was subjected to a very well-publicized ransomware attack right before Memorial Day, which is the unofficial start of the summer BBQ and cook-out season. In both instances, malicious actors leveraged holidays to execute targeted ransomware attacks against companies at the most inopportune time.
But the holidays aren’t just high-risk times for retailers, manufacturers, and similar organizations. Every organization, from healthcare organizations to schools to state, local, and federal government agencies, is at an increased risk of cyberattack during the holidays, but for a slightly different reason.
Exploiting an organization’s weakest link
While nobody likes to hear it, the humans that make up an organization are often that organization’s weakest link when it comes to cyberattacks. Cyberattacks are – at their core – humans taking advantage of the mistakes of other humans, and many organizations fail to appropriately train and prepare their humans to avoid common cyberattacks.
Unfortunately for many state, local, and federal government agencies, the people working there are seemingly most susceptible to cyberattacks during the holiday season. And for good reason. There is a lot going on, and employees simply don’t have cyberattacks top-of-mind.
During the holiday season, people are working to wrap up deliverables and finish projects by year-end. They’re planning holiday travel. They’re writing up and crossing off to-do lists in advance of the holidays. They’re also splitting their attention between work priorities and holiday sales on popular retail websites in an attempt to finish their holiday shopping.
When an employee’s attention is divided among so many different things, they’re less focused on identifying and avoiding cyberattacks, such as phishing and spear phishing attacks. They’re more likely to click on malicious links or open suspicious emails from untrusted sources.
Malicious actors know this as well, and they actively work to exploit it for their personal and financial gain. Hackers will leverage Black Friday, Cyber Monday, and other holiday sales and promotions in their phishing campaigns to great effect.
This is akin to something that we widely saw in the early days of the COVID-19 pandemic, when hackers would leverage pandemic news and announcements to get people to open emails and follow links to malicious sites and malware. It is the same tactic, just wrapped in festive holiday paper and a bow.
With a distracted workforce and malicious actors leveraging the holidays to increase the effectiveness of their attacks, the holiday season isn’t just a time for retailers to worry about cyberattacks. Any organization – including state, local, and federal agencies – can fall victim. So, what can and should they do to protect themselves?
All I want for Christmas is basic cyber hygiene
Much like cybersecurity in every other month and season of the year, cybersecurity during the holiday season is all about getting back to the basics. Part of that involves having a plan, testing that plan, and training everyone to ensure that they know how to identify and avoid cyberattacks.
All organizations – public and private sector, alike – should be working to harden that “weakest link” by providing cybersecurity training for all employees. Not just cybersecurity and IT professionals, but everyone. This can put them in a better position to spot phishing attempts and other malicious activity, and ensure that they don’t take the bait – even when their attention is split during the holiday season.
Next, organizations should be preparing for the cyberattacks that we all know are coming. In some of the incident response investigations that the CrowdStrike team handles, it becomes obvious that the security team was not set up for success. Often, they were set up to fail. This is because a plan was not put on paper for how to respond to a cyberattack. Or, a plan was put on paper, but wasn’t practiced in tabletop exercises to ensure that it was effective or could be implemented effectively.
That need for a plan only increases around the holiday season. With people taking vacation, traveling, and working remotely, there is a good chance that organizations that don’t plan and schedule accordingly can find themselves short-staffed to respond to a cyber incident. Organizations have to take this into account, and create schedules and game plans for their security professionals should a cyberattack happen over the holidays.
Finally, organizations should be implementing the tools and solutions necessary to help keep them safe over the holiday season – and all year round. This means embracing multifactor authentication to ensure that only those authorized to access endpoints and systems gain access to them. This also means implementing the platforms necessary to gain the insight, transparency, and protections security professionals need to properly defend their networks. Things like an effective Endpoint Detection & Response (EDR) or Extended Detection & Response (XDR) solution, identity management for Active Directory visibility and control, or a completely managed visibility and response solution for the endpoints will help bolster your organization’s defenses, and lessen the risk and severity of an attack.
That process begins with a conversation. Bring together cybersecurity personnel for a frank and honest discussion about what is needed, what is working and what isn’t. Talk about the information, insights, and tools that they need to effectively do their job. Then, work with trusted industry partners to implement the solutions that can give them insights into their vulnerabilities and gaps, and the power to mitigate them.
By doing these things, all organizations – in both the public and private sector – can keep themselves from becoming a victim this holiday season.