Welcome back to my in-depth discussions of my eight predictions for 2021! I hope you found the dive into my first prediction on ransomware helpful. Today, we’re going to tackle prediction #2: Forget headline-making data breaches and DoS attacks; the battle for your organization’s reputation is going to be waged in a whisper campaign.
Suffering a data breach or DoS attack is bad, but something even worse is coming.
A big data breach or denial of service (DoS) attack in the headlines is bad for any organization. However — and maybe it’s sad to say this — data breaches are getting more common and people tend to forgive, and often even forget. Do you even remember exactly which hotel chains have had the personal information of their guests stolen, and actively seek out ones that haven’t? It reminds me of Raymond from “Rain Man” insisting that he would fly only on Qantas because it was the only airline that had “never crashed.” Most of us simply don’t have as good a memory as Raymond, and we’re usually far more pragmatic.
Don’t get me wrong; data breaches are bad in multiple ways, including all the expensive forensics, restoration work, credit monitoring for customers, regulatory fines, and so on. But the damage to the organization’s reputation and ability to do business tends to be short-lived. The same is pretty much true of denial of service (DoS) attacks.
Your organization has a digital reputation, which is different from its online reputation.
In the coming year, however, I expect to see far more of a new type of attack that can have more profound effects on your organization’s ability to conduct business and gain market share: dynamic denial of reputation attacks.
What exactly do I mean by “reputation” here? To be clear, I’m not talking about online reputation, which is how your organization is regarded by people on the internet in general. Attacks on online reputation are nothing new; they include bitter complaints on social media, scathing reviews on various sites, negative media coverage, fake or mocking websites, and parody accounts on Twitter. Dealing with these sorts of things is hugely important, of course, but they’ve been around a long time — so long, in fact, that there’s an established market for getting help with them, aptly called online reputation management services.
But these days, it’s not just your organization’s online reputation you have to worry about. You also have to pay close attention to its digital reputation as well. A digital reputation is kind of like a consumer’s credit score, which is based on multiple factors, such as the number of accounts you have and their types, your used credit versus your available credit, the length of your credit history, and your payment history. Your credit score is calculated by the credit reporting agencies without your knowledge or consent, and potential lenders, employers and others often use it when deciding whether to establish or continue a relationship with you.
Each organization has a digital reputation, too, whether they know it or not. You’re probably already taking advantage of this fact: Your various spam and threat prevention tools rely heavily on the digital reputations of other organizations to determine which emails to let through, which sites to block and so on. In particular, Microsoft Exchange Online Protection, which is part of Microsoft Defender for Office 365 (the new name for Office 365 Advanced Threat Protection), relies on the digital reputation of an email sender when determining what email to reject outright or filter to the recipient’s Spam folder.
Damage to an organization’s digital reputation can be devastating.
Many of us have never thought about what it would mean if our own organization’s digital reputation were slapped with a proverbial scarlet letter and those same threat prevention tools flagged our web pages and emails as untrustworthy. But it’s worth pondering.
If you know anyone who’s had to try to restore their credit history after, say, having a big default being put on their record by mistake, you have some idea of the scope of the problem. But at least your credit score matters only when you’re trying to get a credit card, a loan or a new job. When an organization’s digital reputation is trashed, the effects are immediate and far-reaching. Your emails to customers, partners, vendors — everyone — will be blocked, so you won’t be able to communicate. Anyone trying to access your website will likely be presented with a big fat warning to proceed at their own risk, so your traffic will vanish. In short, your business will be dead in the water.
Why and how do reputation attacks happen?
In 2021, savvy attackers will increasingly exploit this avenue to harm organizations. Their reasons can include anything from misguided activism (maybe you make a product they object to on moral grounds) to shady business practices (clearly competitors have a lot to gain by using this attack path) to dirty politics (attacking you might serve some local or national agenda).
How would such an attack work? Well, an organization’s digital reputation is based on factors like sender reputation, IP reputation and domain reputation. If, for example, tons of emails are sent from your company domain at once, the activity might be seen as spamming, and your domain reputation will be damaged. Similarly, if one particular user in your environment exhibits behavior that is seen as spam, the associated IP reputation will take a hit.
So, to damage your digital reputation, all an attacker might have to do is to compromise one user’s account and generate spam using it. If attackers gain access to more accounts or systems, your domain could become a spamming platform or part of a botnet, or used in part of a distributed denial of service attack, or for corporate espionage.
In fact, it can actually be a lot simpler for an attacker to shatter your digital reputation than to pull off a headline-making breach. That’s why I predict such attacks will be increasingly common in the coming year.
Reduce your AD attack surface.
How to defend your organization’s digital reputation
So, what can you do to thwart attacks on your company’s digital reputation? Well, as I noted, attackers can plant malware to do their dirty work for them, so all of the advice from my earlier blog post about combatting ransomware is useful here as well. These best practices include:
- Enforcing least privilege
- Educating all your users about phishing and other threat vectors
- Filtering incoming mail
- Restricting code execution
- Keeping all your software up to date
But that’s not all you should do. It’s also imperative to have comprehensive auditing and alerting in place. For example, if an account starts firing off email after email, you want to know about that immediately, so you can intervene before the IP address, or your entire domain, gets a black eye.
More broadly, you need to be able to quickly spot and investigate any improper or unusual activity in your IT environment, including — but by no means limited to — email activity. Remember, although dwell time has dropped dramatically over the past decade, attackers still lurk in networks for nearly two months on average. The quicker you can spot them, the less chance they have to damage your digital reputation.
Stay tuned…
Watch for my next blog post, when I’ll dive into my third prediction and explore why Zerologon, a critical Microsoft vulnerability, will continue to haunt us into 2021. See you then!
