Month: August 2016
By bagging a privileged user early on, attackers can move from entry point to mission accomplished in no time at all.
In the world of cybersecurity, there are two wildly different approaches to phishing.
The first, which we subscribe to, recognizes the threat posed to organizations by phishing attacks, and seeks to defend against it by both educating employees and tightening internal controls. In those cases where a phishing attack is successful, our camp aims to eliminate the threat as quickly as possible, and then learn from it.
The second approach is quite different.
There are those within the cybersecurity world who believe that since it is impossible to completely prevent employees from being suckered by phishing emails, there’s no point in even trying to educate them. The theory goes that defending against any form of cyber attack (including phishing) is the responsibility of your information security team. Employees are simply too busy, and too ignorant, to be involved in the process.
I believe this is a mistake, and I’ll explain why.
Understanding your attacker
Whatever your approach to cyber security, it makes sense to start with an understanding of the people you’re trying to protect.
Image Source: PhishLabs
The Verizon 2016 Data Breach Investigation Report is a tremendous resource for this sort of research; it immediately informs us that external attackers cause the majority of breaches. The insider threat is certainly a concern, but statistically you’re far, far more likely to be breached by an external actor.
The report also explains that although you’ll need to defend against many different cyber weapons (malware, social engineering, hacking, etc.), most attacks fall into two categories: point of sale (PoS) and phishing. Unsurprisingly, our main focus is on the various threats posed by phishing attacks. But perhaps most important of all, the report provides an insight directly into the mind of your attacker. Over the past 12 months there has been tremendous speculation as to the motives behind cyber attacks, with much being made of a few high-profile instances of state-sponsored cyber espionage.
But are governments and competitors really lining up to steal your secrets? Well… no.
In an overwhelming majority of cases, the motivation behind cyber attacks is financial reward. There is a huge black market, accessible through the Dark Web, where hackers can sell proprietary and payment data to the highest bidder. Typically this is a collection of large organized crime syndicates, many of which are based in countries with no extradition treaties.
Rest assured that there is big money in play here, and successful hackers get paid extremely well for their “work.”
So what does all this tell us? In short, it lets you know where to concentrate your cybersecurity efforts for maximum effect. If your organization does fall prey to an attack, it’s most likely to come in the form of a phishing email designed to grant access that can ultimately be used to steal saleable information.
The anatomy of a (successful) phishing attack
Now that we understand the methods and motivations of most attackers, it’s much easier to comprehend the format of a typical attack. Initially, the attacker needs an entry point. In most cases, this will be a phishing email that baits one of your employees into installing malicious software (malware) or giving away their login credentials (social engineering).
Once the attacker has gained access to your network, they’ll try to make lateral movements to expand their access and level of control. This could include stealing proprietary data to inform further targeted phishing attacks (spear phishing), identifying vulnerabilities, and/or stealing higher value credentials.
Finally, once they have the required level of access, your attacker can enact their primary mission: to steal and sell your data.
Going after the big phish
As you’ve no doubt gathered, your attackers’ job will be much easier if they can successfully phish someone with a high level of access. Rather than spending time gradually increasing their permissions and control, by bagging a privileged user early on they can move from entry point to mission accomplished in no time at all. This tactic is known as whale phishing, or “whaling,” and it can spell disaster for your organization. Clearly, this is not what you want to happen.
Every phishing attack relies, at some point, on being able to sucker employees into clicking on something they shouldn’t. Now, while it’s true that the information security team can play a huge part in preventing this, many phishing emails can be kept out of employees’ inboxes by well-maintained filters, and more can be foiled by tight security controls.
But what about your privileged users: directors, executives and system admins who all usually have a high level of access? What if they’re targeted by spearphishing or whaling attacks?
Access controls on your whales
I know it’s tempting to overestimate access requirements, but it’s important to consider how much access these people really need. Nobody wants the finance director to fly off the handle because he can’t run a report, but in reality he probably doesn’t need read/write access to every area of the network.
Regardless of your approach to dealing with the threat of phishing attacks, tightening internal controls such as user access levels is hugely important, and can spell the difference between a narrow escape and a crushing data breach. Most users do not need to be able to install programs or access sensitive data, and if for some reason they do, they can always be granted specific access on a case-by-case basis.
Controls aren’t enough
It’s true that you can’t rely 100% on your employees to report and delete phishing emails, but you also can’t rely 100% on your security controls. Like it or not, some phishing emails are going to end up in the inboxes of privileged users, and it’s going to come down to them to determine whether that attack is successful. If you can engage and train your employees to recognize and report phishing emails, you’re adding a vital last line of defense that otherwise wouldn’t be there.
At the end of the day, it’s a choice between a reported phishing email and a successfully installed malware package. I know which side I’m standing on.
Brian Krebs, JUL 16, 2016
Most organizations only grow in security maturity the hard way — that is, from the intense learning that takes place in the wake of a costly data breach. That may be because so few company leaders really grasp the centrality of computer and network security to the organization’s overall goals and productivity, and fewer still have taken an honest inventory of what may be at stake in the event that these assets are compromised.
If you’re unsure how much of your organization’s strategic assets may be intimately tied up with all this technology stuff, ask yourself what would be of special worth to a network intruder. Here’s a look at some of the key corporate assets that may be of interest and value to modern bad guys.
This isn’t meant to be an exhaustive list; I’m sure we can all think of other examples, and perhaps if I receive enough suggestions from readers I’ll update this graphic. But the point is that whatever paltry monetary value the cybercrime underground may assign to these stolen assets individually, they’re each likely worth far more to the victimized company — if indeed a price can be placed on them at all.
In years past, most traditional, financially-oriented cybercrime was opportunistic: That is, the bad guys tended to focus on getting in quickly, grabbing all the data that they knew how to easily monetize, and then perhaps leaving behind malware on the hacked systems that abused them for spam distribution.
These days, an opportunistic, mass-mailed malware infection can quickly and easily morph into a much more serious and sustained problem for the victim organization (just ask Target). This is partly because many of the criminals who run large spam crime machines responsible for pumping out the latest malware threats have grown more adept at mining and harvesting stolen data.
That data mining process involves harvesting and stealthily testing interesting and potentially useful usernames and passwords stolen from victim systems. Today’s more clueful cybercrooks understand that if they can identify compromised systems inside organizations that may be sought-after targets of organized cybercrime groups, those groups might be willing to pay handsomely for such ready-made access.
It’s also never been easier for disgruntled employees to sell access to their employer’s systems or data, thanks to the proliferation of open and anonymous cybercrime forums on the Dark Web that serve as a bustling marketplace for such commerce. In addition, the past few years have seen the emergence of several very secretive crime forums wherein members routinely solicited bids regarding names of people at targeted corporations that could serve as insiders, as well as lists of people who might be susceptible to being recruited or extorted.
The sad truth is that far too many organizations spend only what they have to on security, which is often to meet some kind of compliance obligation such as HIPAA to protect healthcare records, or PCI certification to be able to handle credit card data, for example. However, real and effective security is about going beyond compliance — by focusing on rapidly detecting and responding to intrusions, and constantly doing that gap analysis to identify and shore up your organization’s weak spots before the bad guys can exploit them.
Those weak spots very well may be your users, by the way. A number of security professionals I know and respect claim that security awareness training for employees doesn’t move the needle much. These naysayers note that there will always be employees who will click on suspicious links and open email attachments no matter how much training they receive. While this is generally true, at least such security training and evaluation offers the employer a better sense of which employees may need more heavy monitoring on the job and perhaps even additional computer and network restrictions.
If you help run an organization, consider whether the leadership is investing enough to secure everything that’s riding on top of all that technology powering your mission: Chances are there’s a great deal more at stake than you realize.
Organizational leaders in search of a clue about how to increase both their security maturity and the resiliency of all their precious technology stuff could do far worse than to start with the Cybersecurity Framework developed by the National Institute of Standards and Technology (NIST), the federal agency that works with industry to develop and apply technology, measurements, and standards. This primer (PDF) from PWC does a good job of explaining why the NIST Framework may be worth a closer look.