When hackers send a friendly note

Many small and medium-sized businesses are ill-prepared when it comes to cyber security. Researchers of the "ELITE" project therefore want to help raise awareness among decision-makers and employees by providing an interactive simulation, which demonstrates the disastrous consequences that may lurk behind a single click.


By Nico Damm. 05.07.2022

Anyone would be alarmed at a message stating that "Personal and sensitive information pertaining to your company has been added to your LinkedIn profile", sent along with a request for the user to check the data they've provided to the professional networking platform. The message then prompts the user to click on a link that takes them to an unencrypted website. Users who decide to ignore their browser's subsequent warning will end up on a perfectly legitimate-looking site featuring a loading screen. Once the bar reaches 100 percent, the damage is done: all files on the computer are now encrypted and a window pops up, demanding that the user pay a hefty ransom to get their files back.

At h_da, however, this nightmare scenario is luckily just a drill: Its IT experts involved in the "ELITE" project have developed an interactive simulation of real-life cyber-attacks, aiming to provide users with a genuine experience of digital hazards. ELITE stands for "ErLebbare IT-SichErheit durch mobile IT-Sec.PopUp-Labs" (Experiencing and Learning about IT sEcurity through mobile IT-Sec.pop-up labs). Just like its title implies, the project involves a roadshow across Germany in November, featuring a "demonstrator" lab with four custom-configured PC workstations where visitors can experience the simulation. The project is a joint initiative of h_da, the Fraunhofer IAO and FOKUS Institutes, and the University of Hamburg. It receives funding from the German Federal Ministry for Economic Affairs and Climate Action as part of the "IT Security in Business" initiative. While the participating universities focus on developing the simulation and related learning resources, Fraunhofer is mainly responsible for setting up the demonstration booth.

"Our primary target group is small and medium-sized enterprises," says Professor Andreas Heinemann, who leads h_da's share of the project. "They account for a large percentage of our economic output, but in the past, it's been difficult to get them to understand that investing in IT security is a necessity." Heinemann refers to businesses such as small landscaping or skilled-trade companies that don't have an in-house IT department. To reach this target group, the project team also plans to appear at events such as those organised by local Chambers of Commerce and Industry. In addition, the pop-up lab can be set up at companies' premises upon interest and request. The project is uncharted territory for all stakeholders, as it's the first interactive simulation for SMEs in Germany that covers such a wide range of attacks.

However, the initiative, which was launched in April 2021, successfully passed its first trial by fire this past May at the Hanover Trade Fair, where the project partners presented a functioning simulation prototype. Visitors to the booth were greeted by far more than just a few lacklustre computers: the exhibition stand was designed as a smartly lit, hip office space that featured four fully equipped workstations and a server cabinet with a plethora of flashing lights to set the scene. The idea behind the mock office was to give visitors a real-life impression of what it's like to be hit by a cyber-attack – and to motivate them to adopt at least a minimum of protective measures, such as using secure passwords or malware blockers in their browsers. The project team aims to provide an immersive experience instead of fear-driven messages.

Patrick Renkel is in charge of the didactic portion of the project. Renkel has been working as a research assistant for the project since completing his master's in "Leadership in the Creative Industries" at h_da's Dieburg media campus. "We received a lot of positive feedback at the Hanover Trade Fair, but there were also suggestions for improvement. We are now implementing a part of that", says Renkel. He is assisted by computer science student Ugurcan Albayrak, who developed the platform architecture and design for his master's thesis. At present, users can choose between four ransomware or phishing attacks: in some scenarios, the threat lurks in an e-mail attachment; in others, the attack is triggered by clicking on a link. In all scenarios, the interface looks entirely unsuspicious, just like a standard Windows environment. The simulation shows various Excel or PowerPoint files stored on the desktop, and users even get e-mail messages from pretend co-workers popping up in their inbox. All that's required to get caught in the trap is a mouse and a keyboard.

To help users recover from the simulated hacking strike, ELITE offers an interactive Cyber Security for Users 101 course: Students are taught how to create a secure password and how to use the two-factor authentication method, which many people know from their bank's online portal. This method supplements a knowledge factor – the password – with a possession factor, such as a smartphone, that is used for receiving a confirmation code.

"We're not striving for perfection here. We try to promote a basic level of protection and hope to raise awareness around the issue", says Heinemann. He adds that attacks aimed at a specific target are much harder to fend off, but also much rarer than standard attacks. According to Heinemann, most cybercrime is simply about extorting money: "Hackers scan systems for loopholes in order to sell them to people looking to hijack these targets, sometimes for five-figure sums." Most cybercriminals will target users as the initial vector for their attacks. They may trick users into clicking on a malicious link or opening a genuine-looking e-mail attachment, or lure them to a seemingly legitimate website that prompts them to enter their login credentials. Some hackers will steal their victims' contacts and e-mails, sending scam replies to existing e-mails that look like perfectly legitimate messages from a co-worker. Once the perpetrators have their foot in the door, they can start working their way through the system bit by bit, intercepting data or hijacking entire company networks to extort a ransom. The recent attack on Darmstadt-based utility provider Entega highlighted just how much harm this can cause. In 2021, the German Federal Office for Information Security (BSI) identified 144 million new malware variants, which corresponds to a 22 percent increase over the previous year. According to the BSI, users continue to be a popular vector for attacks as time pressure, pandemic-induced overwhelm, and a lack of risk awareness make them easy to target.

Nevertheless, "Users are not the enemy – they are the first line of defence", explains Heinemann. Companies should therefore be encouraged to introduce security mechanisms that are effective and easy to manage at the same time. "It's like ATMs. People used to take their cash and then forget their cards – until, at some point, ATMs started to dispense the money only once the card had been removed."

ELITE does not use pressure in order to encourage businesses and users to change their cybersecurity practices, but instead relies on low-threshold services that feature playful and interactive elements to illustrate threats and risks – hoping that users will remember what to look out for whenever they spot a suspicious message in their inbox.

Contact Details

Nico Damm
Science Editor
Press department
Tel.: +49.6151.16-37783
E-Mail: nico.damm@h-da.de