Mark Your Calendar! Hack Timing Patterns

Companies and governments know they are targets for people looking to cause harm or profit by attacking their networks. Those threat actors are constantly evaluating networks and looking for ways to gain access. Most public and private organizations take this as a given and prepare appropriately. Those who aren’t already actively thinking about security should begin to do so immediately, and everyone should recognize that, yes, there are times when threat actors are particularly active.

When a malicious actor decides to attack an organization, they consider a few things. First, they decide what they are trying to achieve with the attack. The list of typical goals includes:

  • Proving their reputation in the community
  • Driving some social change or awareness of a cause
  • Deriving financial gain from attacking the target

Then, depending upon their goal, attackers develop a plan that best fits their strategy. They ask themselves a few key questions:

  • What time of the day, week, or year will maximize their probability of success?
  • Based on the rhythm of the business, is there a specific, opportune time to strike?

First, let’s take a look at the events with generic timing. Then, I’ll cover the specific dates you need to have on your radar as the most popular hack times.

Generic Attack Timing

At a very basic level, the probability of a successful attack is a function of the skill of the attacker and the amount of time they have to penetrate the network without detection. In the long run, an attacker has control of their own skill level and can work on the first variable in the function. However, specific attacks generally happen in the short run. The time to detect a threat depends on the target’s ability to detect attacks, and an attacker has some control over that because there are times when organizations unintentionally let their guards down.

Average weekends are one clear option. Corporate and government security teams may not run at full capacity on weekends, so their ability to detect and respond to an attack will be diminished, especially for smaller companies and governments. In this case, attackers may even look to start early on a Friday afternoon. Some security personnel may take off early or simply let their guard down a bit on a Friday. Attackers will try to take advantage of that. An even more likely time for an attack is just before a long weekend, when more members of the security team may leave early or be gone and there is an extra day before the full team is back at work.

Another low-staffing opportunity arises over holidays like Christmas or Thanksgiving. Employees want to be with their families, and the already smaller staff may be distracted from the business at hand. Even if it is rare to catch someone paying no attention at all at work, attackers must play the odds, and a slight increase in the probability of success is valuable.
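For defenders, the windows described above can be turned into a triage rule. The following is an added example, not part of the original article: it labels alert timestamps that fall on a weekend, a holiday, a long weekend, or the afternoon before one. The holiday calendar, the 15:00 cutoff, the label names and the sample alerts are all assumptions constructed for illustration.

```python
from datetime import date, datetime, timedelta

# Assumed calendar (constructed for this example); use your own staffing calendar.
HOLIDAYS = {date(2024, 5, 27), date(2024, 7, 4), date(2024, 11, 28), date(2024, 12, 25)}
EARLY_EXIT_HOUR = 15  # assumption: coverage starts thinning at 15:00 local time
ONE_DAY = timedelta(days=1)

def is_off_day(d):
    return d.weekday() >= 5 or d in HOLIDAYS

def off_run_length(d):
    """Length of the run of consecutive off days containing d (0 for a workday)."""
    if not is_off_day(d):
        return 0
    start = end = d
    while is_off_day(start - ONE_DAY):
        start -= ONE_DAY
    while is_off_day(end + ONE_DAY):
        end += ONE_DAY
    return (end - start).days + 1

def coverage_window(ts):
    """Label a local-time timestamp with its reduced-coverage window, or None."""
    d = ts.date()
    if d in HOLIDAYS:
        return "holiday"
    run = off_run_length(d)
    if run:
        return "long-weekend" if run >= 3 else "weekend"
    # Workday: only the afternoon before a break counts as reduced coverage.
    next_run = off_run_length(d + ONE_DAY)
    if next_run and ts.hour >= EARLY_EXIT_HOUR:
        return "pre-long-break" if next_run >= 3 else "pre-break"
    return None

# Constructed sample alerts: "<ISO local timestamp> <message>"
SAMPLE_ALERTS = [
    "2024-05-24T16:42:10 new admin account created on fileserver",
    "2024-05-26T02:13:55 large outbound transfer from finance subnet",
    "2024-06-05T11:00:00 password reset requested by helpdesk",
]

def tag_alerts(lines):
    """Return (window, line) for every alert raised in a reduced-coverage window."""
    tagged = []
    for line in lines:
        stamp = line.partition(" ")[0]
        window = coverage_window(datetime.fromisoformat(stamp))
        if window:
            tagged.append((window, line))
    return tagged

if __name__ == "__main__":
    for window, line in tag_alerts(SAMPLE_ALERTS):
        print(f"[{window}] {line}")
```

Tagged alerts can be routed to on-call staff or given higher review priority, since they arrive when fewer analysts are watching.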

Specific Events

Black Friday: Probably the most well-known shopping day of the year is Black Friday, and it is an attacker’s dream. Many companies rely on Black Friday to sell enough of their product to get them through the rest of the year, so it is a meaningful opportunity for hackers to hold either online or physical stores hostage.

Originally, hackers may have run a coordinated DDoS attack and then ransomed the company for money to shut the attack down. These attacks have become so successful and well known that attackers may even send companies ransom notes well in advance of Black Friday threatening an attack, and then back off when they receive payment. Hackers may also use ransomware to attack companies. They could attack well in advance and then deploy shortly before the holiday. Cyber Monday would be another opportunity for hackers to do the same.

Tax Season: Tax season is an active time for criminals looking to steal identities because, if they have all the information they need, they are able to file your taxes before you do and claim your refund. In the months leading up to tax time, corporate security teams and all individuals should have their guards up to avoid turning over sensitive data to those looking to defraud innocent people. As phishing becomes more and more sophisticated, tax season has become a bigger target that should be carefully monitored by self-filing individuals, companies, tax consultants, and security pros alike.

4th of July (or other Patriotic Holidays): As mentioned, holidays are a common target because of the increased time available, but specific patriotic holidays are great opportunities for attackers looking to prove a point against the U.S. or about the U.S. In that case, they might choose the 4th of July or another patriotic day like Memorial Day to hit popular or strategically meaningful U.S. institutions or monuments.

Company Announcements: Companies are almost always targets for attacks. However, when your organization is in the news due to a funding round, merger or acquisition event, IPO, large round of hiring, or any other news that indicates there may be confusion, churn, or new roles involved, you can expect the number of attacks to increase. Watch out for an increase in phishing, fake invoices, CEO impersonation, and other attempts to leverage that confusion. This is especially true for those organizations that have financial or accounts payable responsibilities.

Geopolitical Events: Currently, this is highly predictable. When discussions between countries have become acrimonious, sanctions are levied, or accusations made regarding behavior on the world stage, you may expect the level of activity to rise. Depending on the nation in question, tactics may range from primitive techniques such as website defacement and distributed denial of service all the way to sophisticated methods of disrupting operational continuity.

Unpopular Positions or Actions: In the public sector, you can be assured that taking a position on a socially sensitive matter will offend a hacktivist with skills. Coal trains, LNG terminals, and law enforcement behavior are all well-known triggers for hacktivism. The private sector should also be on the lookout. For example, in 2013, Anonymous attacked Bank of America because they thought they had caught Bank of America hiring security professionals to spy on them.