By: David Benas, Senior Software Security Consultant at Synopsys Software Integrity Group
Rilispedia.com – High-profile security breaches have prompted many hardware and software providers to implement stringent protections and secure defaults. As a direct result, finding typical “low-hanging fruit” vulnerabilities to breach an organisation is becoming much more difficult and expensive, and a noisier attack vector. Instead, attackers are turning to a different organisational attack vector: its people.
Let’s consider how an organisation can put security controls in place around its people, without violating their privacy and productivity.
Training your employees
When it comes to planning an exploit, employees are the path of least resistance to attackers. All it takes is one vulnerable user for a breach to occur. An unaware user is an easy target, and easy targets are ripe for a wide dragnet phishing attack (that is, a phishing attack that covers a large part of the organisation, often with the simple goal of harvesting credentials and valid identities or compromising users’ laptops with malware).
The solution: regular training to establish a baseline of user phishing awareness, along with intermittent employee reminders reinforcing what they’ve learned in training sessions. Training should provide users with examples of phishing attacks, context on how to spot such attacks, and steps to take if they feel they might be the target of a campaign.
Another good practice is to frequently conduct red team engagements to challenge the organisation’s security effectiveness. At Synopsys, we’ve discovered that this training can guard against even advanced dragnet campaigns. Organisations that have a phishing awareness program will often spot the campaign due to user reports and blacklist the source within a matter of hours.
Employees are also likely to broadcast their involvement in phishing awareness programs on their resumes and professional social media network profiles (such as LinkedIn). This is likely to deter an attacker harvesting user information from publicly available resumes and social media pages.
Engaging in active defence
Even the best employee training can only go so far in preventing phishing attacks. Humans are fallible, and socially engineered phishing attacks target kindness, generosity, helpfulness, and other qualities most people want to encourage in themselves.
The solution (though it may seem obvious, we hardly ever see it in real-world scenarios): active defence, or a SOC (security operations center) that proactively monitors, or uses tools that monitor, the email perimeter. Employees cannot click on a phishing email if the SOC learns of a dragnet attack, blacklists the associated domain, and removes the email from all targets’ inboxes.
Another approach is to use a domain typosquatting notification service. One successful typosquatting method is to take a URL that an employee would expect to see in an email, change a character, and register it as an attack domain. Employees that often visit my.example.com may not notice that they have clicked on my.exampIe.com (using a capital eye instead of a lowercase ell) or my-example.com. A typosquatting detection system would notify the SOC or other point of contact that someone, somewhere, has registered such a domain—allowing you to take pre-emptive action.
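The lookalike check that such a typosquatting notification service performs, written out as an added example (not the author's code or any particular service's): it folds visually confusable characters, hyphens and dots, then flags any candidate domain within one edit of an organisation domain. The organisation domains and the candidate list are constructed sample values.

```python
# Added example, not from the article: a minimal lookalike-domain check of the kind a
# typosquatting notification service performs. All domains below are constructed.
LEGIT_DOMAINS = ["example.com", "my.example.com"]  # assumed organisation domains

# Single characters that read as another letter in many fonts (capital I, digit 1 and
# pipe for lowercase l, digit 0 for o); applied before lowercasing so capital I survives.
CONFUSABLES = str.maketrans({"I": "l", "1": "l", "0": "o", "|": "l"})
CONFUSABLE_PAIRS = [("rn", "m"), ("vv", "w"), ("cl", "d")]  # pairs that read as one letter

def canonical(domain: str) -> str:
    """Reduce a domain to what a reader sees: fold confusables, case, dots and hyphens."""
    s = domain.translate(CONFUSABLES).lower()
    for pair, single in CONFUSABLE_PAIRS:
        s = s.replace(pair, single)
    return s.replace("-", "").replace(".", "")

def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def find_lookalikes(candidates, legit=LEGIT_DOMAINS, max_distance=1):
    """Return (candidate, imitated_domain, distance) for every candidate within
    max_distance edits of a legitimate domain once confusables are folded."""
    legit_lower = {d.lower() for d in legit}
    legit_canon = {d: canonical(d) for d in legit}
    hits = []
    for cand in candidates:
        if cand.lower() in legit_lower:
            continue  # the organisation's own domain, not a squat
        c = canonical(cand)
        best = min(legit, key=lambda d: levenshtein(c, legit_canon[d]))
        dist = levenshtein(c, legit_canon[best])
        if dist <= max_distance:
            hits.append((cand, best, dist))
    return hits

# Constructed sample: domains from a new-registration feed or mail sender headers.
SAMPLE_CANDIDATES = ["example.com", "my.exampIe.com", "my-example.com", "examp1e.com",
                     "exarnple.com", "example.co", "unrelated.org"]

if __name__ == "__main__":
    for cand, target, dist in find_lookalikes(SAMPLE_CANDIDATES):
        print(f"ALERT {cand} looks like {target} (edit distance {dist})")
```

In a SOC workflow the hits would feed an alert or a pre-emptive block on the mail gateway; note that folding dots and hyphens means the check also catches registrations that collapse or split a subdomain, at the cost of some false positives on genuinely similar names.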
Cut off attacks with network segmentation
There’s no such thing as a perfect defence. What happens if a phishing email makes it through your active defence and an employee clicks on it? Even the most technical, phishing-aware employee can fall for a tailored attack and the most careful, rule-following team lead can make a simple mistake. And how many people are in your organisation? Eventually, someone is going to get phished. Social engineering susceptibility is a question of when, not if.
The risk of an employee being phished extends far beyond the borders of the office. This is doubly true in the age of social media. Organisations simply cannot regulate what their employees do outside the office and during off-hours. An employee whose personal accounts get phished poses a unique risk, as it opens even further avenues for an attacker: from blackmail- or ransomware-style attacks to compromising corporate information the employee inadvertently passed to themselves over their personal email.
In a not-so-unlikely example, a clever attacker may try to log into the victim’s place of work, which they found on LinkedIn, with the employee’s Instagram password, which they stole by pretending to be a relative on Facebook. As an organisation, there is no way of detecting whether the employee’s corporate account uses the same credentials as their Google, Facebook, or other social media accounts. A particularly malicious attacker could also coerce an employee into handing over corporate credentials by holding the employee’s stolen personal identity over them.
The solution: adding a layer of defence below users’ phishing awareness and a well-trained SOC armed with the right tools. Though it’s a lot simpler to talk about it than to practice it, architecting your network to be resistant to compromise is the best way of avoiding a massive breach instigated by a single user.
If you have a flat network, weak endpoint protection, and a weak credential policy, one employee’s mistake could put you in the evening news. But if you have solid endpoint protection, a segmented network with stringent permission requirements and mandated two-factor authentication, and active defence, you might detect the intrusion immediately and contain it so that it affects only that one user.
Test your phishing defences regularly
The best defence against phishing and social engineering is to take a multi-pronged approach with a combination of knowledgeable users, an internal security structure that can stay one step ahead of an attacker, and the expectation that an attack will succeed one day, with a plan to mitigate damage.
Knowing the answers to “How easy is it to socially engineer my employees?” and “What’s the potential impact if an employee’s workstation is compromised?” is of paramount importance. The only way to know the extent of the potential damage of a phishing or social engineering attack on your organisation is to test your employees. Perform regular testing throughout the organisation to determine your baseline security level.
As more and more of everyone’s lives become internet-connected, more and more attack surfaces become available against employees everywhere. Targeting employees through their social media accounts, for instance, is a much simpler route for malicious actors, as they do not have to deal with corporate IT policies. Educating employees on the dangers of social engineering attacks becomes more important, even as organisational risk is mitigated.
The first step in measuring your employee’s phishing resistance is to perform a mock phishing exercise to see where gaps in knowledge may exist. But testing your active defence, which is slightly more difficult, calls for a more advanced version of a mock phishing exercise. Something akin to a red team engagement would be best suited to test your organisation’s ability to respond to threats in a realistic manner. And the best way to test your organisation’s capacity to resist compromise is to perform internal and external network penetration tests, or red team assessments.