How to defend against zero-click attacks

By Vimal Raj Sampathkumar, technical head, UK and Ireland, ManageEngine

Cyberthreats never stay the same. Just as fast as cybersecurity providers shut down an attack vector or develop a fix for a particular form of attack, cybercriminals develop new exploits and tactics to burrow their way in. One major newer attack type is the zero-click attack, which can create a devastating impact from the smallest user action. Businesses need to ensure they’re aware of how these attacks work – and what they can do to protect themselves.

Zero-click attacks can rapidly compromise social media accounts or other systems through innocuous-looking messages. These insidious malware attacks are transmitted through DMs within social media apps and don’t require a download, click, response, or any other act from users beyond opening a message. Anyone could fall victim to them, and the business impacts could be huge.

Indeed, the official TikTok accounts of CNN and possibly Sony have recently been compromised as a result of zero-click attacks. These attacks were in turn capitalising on a zero-day weakness – a flaw in TikTok’s software that hadn’t yet been patched. When the users opened the messages, the malware launched itself and rapidly (and quietly) took control of the account.

This is the hallmark of a zero-click attack: code is surreptitiously delivered to the target’s account or device through a call, message, or text, and that code then exploits vulnerabilities to begin extracting data or granting access. It’s not just brands at risk of petty cybercrime, either – in 2018, Jeff Bezos’s phone was compromised in a zero-click attack apparently launched via a WhatsApp message sent from the personal account of Mohammed bin Salman, the crown prince of Saudi Arabia. The bottom line? No-one is safe – not even the richest man in the world.

So how can businesses protect themselves quickly and effectively? Here are some of the key steps businesses and individuals can take to stay ahead of zero-click attack methodologies, as well as potential other new attacks used by fraudsters.

First, it’s essential to have powerful data protection systems in place to ensure your security teams are alerted as soon as sensitive data is in danger. Hackers do not immediately obtain access to sensitive information the moment a website is compromised; there is a brief window of opportunity in which attacks can be curtailed and data can be made safe. A robust, intelligent data protection system can be the difference between a zero-click attack being mitigated, and one turning into a major data breach.

Likewise, it’s important to invest in cybersecurity tools to avoid network breaches. For example, advanced threat intelligence systems and behaviour-based analytics can proactively detect and mitigate the risks posed by highly sophisticated scammers. These forms of cybersecurity rely on the increasing availability of next-gen analytics and AI to identify suspicious behaviour and potential threats on a much more nuanced level than older systems. Threat intelligence also enables businesses to benefit from insights gathered across a wide user base, so that when a zero-click attack is detected and mitigated in one organisation, the intel gained is fed back into the industry, enabling other users to more quickly identify and stop the same type of attack.

As well as technological defences, training staff and raising awareness remain critical parts of a strong defence. Although zero-click attacks are, by definition, harder to stop through good user practice – even a perfectly vigilant employee can’t know whether a message contains malicious code before they’ve opened it – there’s still a great deal that can be done to mitigate the impact if a breach does take place.

Good user education is the cornerstone of a good defence strategy, so businesses need to train staff on cybersecurity best practices, including by conducting security skills assessments and developing standard operating procedures to follow in the event of a suspected breach. For example, staff can be trained to pay attention to unusual difficulties logging into a social media account or to recognise tell-tale signs in messages that can point to potentially suspicious behaviour.

Finally, utilising basic security hygiene procedures can make a significant difference to the quality of your defence against emerging attack types. That might mean incorporating MFA controls as standard for all users, enforcing password changes on a regular basis, or implementing frequent vulnerability scanning and patching on devices, apps, and cloud-based systems. Covering the basics is key; for example, even if a hacker gains access to an account through a zero-click attack, MFA places limitations on the actions they can take. Likewise, regular patching ensures the number of possible vulnerabilities for zero-click attacks to exploit is kept to a minimum.

Businesses need to remain vigilant in the face of an ever-changing cybersecurity landscape. Zero-click attacks are just one example of an emergent threat that has the potential to damage companies’ reputation and finances. But with the right technologies, training, and processes in place, they can stay one step ahead of hackers.
