Getting started with a cyber security for NPOs: attack types & the attack cycle

Nonprofit Organizations play a vital role in making a difference in our local communities and across the world. Like any other business, charities are increasingly reliant on IT and technology – to stay in touch, to collaborate, and to track projects, programs, and critical information.

Losing access to this technology, having funds stolen or suffering a data breach through a cyber-attack can be devastating, both financially and reputationally. It’s not a rare occurrence for our industry. NGO’s and thinktanks are the second most targeted sector for cybercrime.

Everybody involved with charities - donors, volunteers, employees, and trustees have a role to play in protecting the sector from cyber-related harm. Knowing what these threats are and how they happen is key in understanding how to defend against them.

So, what are attacks and what do they look like?

Common attack types

Attacks vary in how and where they happen, but most commonly fall into two main categories:

Both types of attacks also have elements involved in scanning for vulnerabilities or weaknesses in the software and services you use too.

Whilst it is what we are most used to, “messages” doesn’t just include email. These messages can come in the form of WhatsApp Messages, SMS, or even on your twitter feed.

Social Media is often used to exploit nativity, good will, or even recent events – “you have a parcel that you need to pay for”, “someone you’ve been in contact with has COVID”. This is a very simple aspect of threats that evolve – we have been coached over and over in how to spot suspicious emails or URLs, or mass mails. But it’s much harder to spot one-off texts or Direct Messages – and it’s much more difficult for IT to protect against.

What happens after the first “bite” depends on the outcomes of the attackers. Un-targeted attacks often lead to targeted attacks once the opportunity is understood.

The attack cycle

That first bite is what typically leads to the targeted attack cycle. It’s a way in – a thread to pull on. But the Survey stage isn’t just about sending out mass mails and hoping for the best.

Attackers will find means to exploit any gaps in your security; The types of servers or operating systems you are using; what processes you follow for a password reset or a payment request; what encryption or passcodes you have for your laptops or mobile phones.

The aim of this stage is to best understand the most lucrative or destructive method in anticipation. Once a key weakness is identified, or one that might exist, this then moves to the Delivery stage.

This might mean targeting a high-profile person within your organization (such as your trustees, or the person that looks after your IT), or gaining access to your website or services. The goal is to pick the best method of delivery for access, malware, or commands to further exploit and ultimately lead to the next stage: Breach.

Once “in”, the plan can take time to fully execute. Attackers will look for further vulnerabilities, higher profile targets, or try to gain elevated access to systems and services. Once things are in place, this then moves to the final stage, Affect.

This is the point that the attacker is utilizing all the previous steps that lead to payoff.

Data is often captured such as IP or sensitive information, changes may be made to finance or payment systems to route money to an attackers account or entire systems may be encrypted, freezing your data and operations.

This type of firsthand access is the aim for the attacker to achieve and exploit; and it can happen across a prolonged period, taking advantage of both people and systems – indirectly, and directly. In many cases attackers remain within an environment; harvesting data and information, disrupting business processes and ways of working, utilizing your trusted accounts to trick other users or organizations. Some attackers will then sell on access to others to exploit or will cover their tracks to avoid detection. Or, what we see most of on the news, is when ransomware is then deployed to cause as much damage as possible – and try to coerce the organization to paying more to “restore” business as usual.

This is the “how” of the attack. What about the “how” of prevention and mitigation?

A change of scenery

Evolution in cyber security is rapid – medieval times were only 5 years ago!

We often used the “Castle Model” to describe IT security – you have a gate, a moat, and walls, all designed to keep people in, or people out. It was hard to work with people outside of our castle, so we shared all of our files via email. We couldn’t do our work outside of the castle, so we used memory sticks to carry information backwards and forwards. And because the keys to the castle were so complicated, we wrote them on post-it notes and attached them to our monitors.

Today, our colleagues might be outside our “castle” – working from home or overseas. They might need access to critical information from multiple devices, or access to different services that are also outside of your secure enclave.

The reason the castle model is outdated is because it focuses only on the physical protection, and not all the other essential parts that technology, process and, critically, people must play in preventing and mitigating attacks. We all have a responsibility to protect our industry from cyber-crime.

No matter how we model cyber-security – one fact remains. Regardless of the protections, training, walls, gates, awareness, blog posts… You need to win every time – every message reported to IT, every “click” to a website mitigated, every file you revoke access to…

An attacker only needs to win once.

We aren’t on guard 24/7, and as the threats are persistent and continue to evolve, a genuine mistake, or a simple lapse in judgement can lead to much greater consequences for our nonprofits and charities.