What does an adversary know about your company before they initiate an attack? Better yet, WHO have they contacted within your company before they initiated the attack? The answer may surprise you. Reconnaissance has always been one of the keys to an adversary's success, but the volume of information, and the number of points of contact, now available online through multiple channels has made their job much easier. Simple social engineering techniques, honed over time, can give a cyber-criminal a foothold in almost any corporate enterprise. The weakness in your enterprise security may not be an undiscovered vulnerability or a blind spot in your security monitoring, but an individual employee.
An employee only needs to click a malicious link, open a weaponized attachment, hand an adversary one key piece of information, or willingly perform what appears to be a harmless task to create a point of entry into your corporate network. Executives have to understand that every employee will make dozens of security decisions each day as they interact with unknown individuals by telephone, on social media and over company email. Employees need to make good decisions in each of these exchanges to keep the organization secure. This is why information security should always be treated as a corporate-wide requirement, not an IT department function.
Below are common strategies used by adversaries every day to target employees and executives.
- Company Website
The website is a company's gateway to the world. Adversaries use open-source intelligence gathering as a first step in evaluating a company's potential as a target, and a corporate website contains a wealth of material for that reconnaissance: company leadership, board of directors, key staff and teams, strategic partners, and all public information about the company's mission, products and services. Corporate websites are considered "soft targets" for information gathering, and the information collected feeds very successful social engineering attacks. As an example, even if business email addresses are not published on the website, an attacker can usually obtain a single address from a sales person, work out the address convention it follows (first.last, first initial plus last name, and so on), and then address a spear phishing campaign to the executives and other employees named on the site.
If the spear phishing campaign succeeds against an executive, the attacker's next step may be Business Email Compromise (BEC). In a BEC attack the adversary takes control of an executive's email account credentials, or convincingly spoofs the executive's address, and uses that account to instruct finance staff, partners or customers to send money to accounts the attacker controls. The FBI's Internet Crime Complaint Center (IC3) reports that BEC and email account compromise (EAC) attacks caused $5.3 billion in exposed dollar loss for domestic and international companies between October 2013 and December 2016.
Antidote: Companies should review their website on a regular basis to determine exactly what information they are handing to cyber criminals, and whether each item needs to be public. Having internal information security personnel perform this review, using the same open-source techniques an attacker would, and act on their recommendations can go a long way toward reducing a corporation's attack surface.
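The review recommended above can be run as a script. The following added example (not code from the original article or from Nehemiah Security) walks a constructed sample of a corporate "Leadership" page, pulls out the published names and addresses, and then does what the paragraph describes the attacker doing: takes one known address, infers the address convention it follows, and applies that convention to every name on the page. Run against your own site, the output is the list of addresses an attacker can derive from a single sales contact. The page markup, the names and the example.test domain are all constructed for the example; a real site would need the name extractor adjusted to its own HTML.

```python
import re
from html.parser import HTMLParser

# Constructed sample page standing in for a corporate "Leadership" page.
# All names, titles and the example.test domain are fictional.
SAMPLE_PAGE = """
<html><body>
<h2>Leadership</h2>
<ul class="team">
  <li><span class="name">Jane Q. Doe</span> <span class="title">Chief Executive Officer</span></li>
  <li><span class="name">Carlos Rivera</span> <span class="title">Chief Financial Officer</span></li>
  <li><span class="name">Priya Natarajan</span> <span class="title">VP, Engineering</span></li>
</ul>
<p>Sales inquiries: <a href="mailto:bsmith@example.test">Bob Smith</a></p>
</body></html>
"""

# Address conventions an attacker would try, most specific first.
PATTERNS = {
    "first.last": "{first}.{last}",
    "first_last": "{first}_{last}",
    "firstlast": "{first}{last}",
    "flast": "{f}{last}",
    "first.l": "{first}.{l}",
    "lastf": "{last}{f}",
    "last.first": "{last}.{first}",
    "first": "{first}",
}

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


class _NameExtractor(HTMLParser):
    """Collects the text of every <span class="name"> element (assumed page layout)."""

    def __init__(self):
        super().__init__()
        self.names = []
        self._buf = None  # text buffer while inside a name span

    def handle_starttag(self, tag, attrs):
        if tag == "span" and dict(attrs).get("class") == "name":
            self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "span" and self._buf is not None:
            self.names.append(" ".join("".join(self._buf).split()))
            self._buf = None


def extract_names(html):
    parser = _NameExtractor()
    parser.feed(html)
    return parser.names


def extract_emails(html):
    """Every address visible in the page (mailto: links or plain text), deduplicated."""
    return list(dict.fromkeys(m.lower() for m in EMAIL_RE.findall(html)))


def _name_parts(name):
    tokens = [t for t in (re.sub(r"[^a-z]", "", w.lower()) for w in name.split()) if t]
    if not tokens:
        raise ValueError(f"no usable name tokens in {name!r}")
    first, last = tokens[0], tokens[-1]  # middle names and initials are ignored
    return {"first": first, "last": last, "f": first[0], "l": last[0]}


def infer_pattern(known_name, known_email):
    """Return (pattern_key, domain); pattern_key is None if no known convention matches."""
    local, _, domain = known_email.lower().partition("@")
    parts = _name_parts(known_name)
    for key, template in PATTERNS.items():
        if template.format(**parts) == local:
            return key, domain
    return None, domain


def generate_candidates(names, pattern_key, domain):
    """Apply the inferred convention to every published name."""
    template = PATTERNS[pattern_key]
    return {n: f"{template.format(**_name_parts(n))}@{domain}" for n in names}


def recon_report(html, known_name, known_email):
    """One known address plus the public team page -> probable addresses for leadership."""
    pattern, domain = infer_pattern(known_name, known_email)
    if pattern is None:
        return {}
    return generate_candidates(extract_names(html), pattern, domain)


if __name__ == "__main__":
    print("published addresses:", extract_emails(SAMPLE_PAGE))
    for name, addr in recon_report(SAMPLE_PAGE, "Bob Smith", "bsmith@example.test").items():
        print(f"{name:20} -> {addr}")
```

Note that a role address such as sales@ does not reveal a convention, which is one reason to publish only role addresses, not individual ones, on public pages; the script returns an empty report in that case.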
- Social Networking
Social networks are designed to share personal information, and that design exposes employees and corporations to information security threats. Adversaries use social networking sites such as Facebook, LinkedIn and Twitter to harvest large data sets about companies and their employees for analysis. Social media is a double-edged sword: as employees work to expand their personal brand and network, they grow their attack surface, because they are often unaware of who they are actually connecting with. As an example, every time an employee accepts an invitation to connect on LinkedIn, they may be giving an unknown person access to their employment history and a description of their current job responsibilities. They are also exposing that same unknown individual to their professional network and lending credibility to a persona that may be entirely fabricated. Employees in Sales, Marketing, Public Relations and Recruiting rely heavily on building network connections to do their jobs. Attackers send direct messages that appear legitimate to lure a target into what seems to be a closer business relationship, while in fact looking for a weakness to exploit.
Antidote: As a security leader, I have advised employees to avoid social media altogether. Realizing this is not a reasonable request, though, I do encourage people to be particularly careful on two fronts: 1) Sharing personally identifiable information. Pet names, addresses, even colleges and favorite teams can be used to gain access to information. 2) Connections. Only connect to people with whom you have a personal relationship and whom you know to be trustworthy.
- Malvertising
The Multi-State Information Sharing & Analysis Center (MS-ISAC) has recently observed an increase in malware disseminated through "malvertising." Malvertising, or malicious advertising, is the use of malicious online advertisements to spread malware and compromise systems. Generally this occurs through the injection of unwanted or malicious code into ads. Adversaries then pay legitimate online advertising networks to display the malicious ads on various websites, exposing every user who visits those sites to the risk of infection. The advertising networks and the websites are generally not aware they are serving malicious content.
After detailed intelligence gathering, attackers have used malvertising in a targeted manner to infect employee endpoints by placing malicious ads on sites employees are known to visit. These could be local restaurants, event websites or business partner sites with minimal security.
Antidote: The best defenses against these attacks are a strong endpoint security solution that includes next-generation anti-virus, behavioral analysis and anomaly detection. Reducing the attack surface through proper patch management (browsers and browser plug-ins in particular, since those are what a malicious ad exploits), endpoint configuration benchmarking and other cyber hygiene practices is also recommended; blocking advertising networks at the web proxy or DNS resolver removes the delivery channel outright where the business can tolerate it. Lastly, the ability to continuously test the exploitability of endpoints against real-world threats and remediate any gaps can be instrumental in preventing a successful breach.
- Kindness
Employees are conditioned to be professional, helpful and kind in every interaction involving sales, customer service, partner relationships and vendor management. Attackers know this and use it to their advantage. As an example, an adversary could call the CEO's administrative assistant claiming to be a reporter with a prestigious news agency. They need a quote for a time-sensitive, positive article about your company, and "any assistance would be greatly appreciated." The assistant is happy to help, and the supposed reporter sends an email with an attachment that should contain the article for comment. Instead the attachment is a weaponized document, which is opened or forwarded to the CEO without a second thought.
Antidote: Proper training, policies and guidelines are critical to combatting these approaches. Giving employees a scripted way to explain why they need to verify the caller through an independent channel (a published newsroom number, not one the caller supplies) and why they cannot open email attachments until they do will help them comply without seeming rude.
- Stress
Stress is the flipside of kindness. Employees placed in stressful situations can make bad decisions, including giving out sensitive information without verifying the recipient's identity. Attackers have fabricated elaborate stories to induce stress over the phone, such as posing as a respected law firm suing the organization or a government agency investigating criminal activity. The employee feels the pressure of the circumstances the attacker presents and is willing to assist in any way possible to avoid being implicated.
Antidote: Sensitizing employees to this tactic can go a long way. And again, training, policies and guidelines should be established so people have the tools and questions prepared in advance and can react properly; an employee who knows that the correct response to a threatening caller is to take a call-back number and escalate to Legal or Security has nothing to decide under pressure.
As a CISO, I have considered employees a possible weak link in the past, but over time my opinion has changed. At Nehemiah Security I view the staff as a component of security monitoring that is hard to duplicate. A comprehensive security awareness training program once every two quarters, open communication and threat intelligence sharing have enabled each employee to monitor the sources identified above and alert Security Operations to potential threats. The central guidance is that when confronted with a decision, employees should take a minimum of five seconds and think before they act. This simple action alone can help prevent an employee from performing an action that may lead to a security incident or even a security breach.