The old adage that the weakest part of any machine is the part that sits between the chair and the keyboard bears itself out again and again, as attackers continue to find profit in savvy social engineering. But while the classic human target is the average consumer with no security training, in 2014 criminals decided to head to the office.
Kevin Epstein, vice president of advanced security and governance at Proofpoint, told Infosecurity during RSA 2015 that there has been a radical increase in targeting toward office workers, particularly middle management.
Last year, the company’s Human Factor Threat Report, which takes an annual look at the “uncontrolled portion” of the kill chain, i.e., us, found that the top three phishing lures were: social networking-based; financial warnings about banking problems; and order confirmations. And, they were mostly delivered on Thursdays and Fridays in the “pre-coffee” hours of 5 a.m. to 6 a.m.
Now, there’s been a staggering 90% reduction in that traffic. Instead, phishes tell the victim that he or she has a voicemail; that he or she has an e-fax; or that there’s been an issue with a wire transfer. Messages are typically delivered on Tuesdays and Thursdays, with 10 a.m. being the sweet spot for timing. And the number of middle managers being targeted has doubled. Clearly, it’s an office play.
“This is the year that attackers put on a suit and tie and went to work,” Epstein said. “The ROI is different—if you’re a criminal, you want the biggest haul that you can get. If you compromise a private individual, you may might gain access to their bank account. But if you can compromise middle management, they have access to a lot of critical systems, including wire transfer, patient databases, or even purchase and procurement mechanisms. Consider that credit card information is worth 10 times less than personal information about customers or patients.”
He also pointed out that consumers have been much more aware in the wake of data breaches, which means that social engineering has gotten more difficult in that demographic. “Training works in that it increases people’s awareness of dangers, but attackers merely go to where training may not be as effective,” Epstein said.
It’s not just the targets that are business-oriented. Gone are the days of the stereotypical teenager sitting in a darkened garage, acting alone; today’s attackers sit in office cubes, sign in every day, go home at night, and have weekends and vacations. As such, the attackers tend to be highly sophisticated operations that involve a multilayer kill chain with different supply levels.
“There are people that specialize in being botnet herders, or malware developers that are the heavy codewriters,” explained Epstein. “The operation will have financial transfer folks to handle the money flows, and filter owners who make sure you’re a target via a series of redirect sites. This is a multi-tier, extremely sophisticated, very complex ecosystem—because crime is big business and extremely profitable. Suddenly, defense looks cheap.”
He also said that the company has seen operations based “pretty much everywhere,” with the possible exception of Antarctica. “They’ll use compromised infrastructure everywhere, because computing power has value, and can be used to help a cyber-attacker crack other targets. Even in Antarctica. If its online, it’s useful.”
The key to mitigating the threat is to expect that humans will be, well, human, and fall prey to a phish. At some point, perhaps after not enough coffee and a busy morning answering 1,400 messages, it will probably happen.
The key is to have predictive defense, according to Epstein.
“Most of the defenses we see are reactive, and can tell you the equivalent of, ‘someone threw a brick through the window.’ You may know what kind of brick it is, but do you know if it was thrown by a vandal, or if it’s the work of a gang trying to distract you in order to steal the keys and come back later to rob you blind? You have to be able to correlate data.”
Gateway security may check inbound URLs, but its possible now for malicious links to be customized. They may be programmed to remain harmless for three hours after delivery in the mail, or unless clicked on from an Android device.
“So there needs to be layers of security in place,” he said. “You need to follow up on suspicious mails, and know that they’re suspicious by using automated, large-scale, cloud-based correlation engines like ours. And in the hopefully fractional situation that something gets through and is clicked, you want to be able to respond quickly to quarantine the user. If you see a workstation start exchanging traffic with a C&C server located outside of the country at odd times of day, you need to seal the routers immediately and get the forensics team on the case.”
As for the users themselves? They should do what they can to be vigilant. “Don’t be paranoid, but recognize that you’re living in a big city when it comes to cybersecurity,” he said. “You may be able to leave your doors unlocked, but why tempt fate. There’s a reason we have strong doors with a peephole and a couple of good locks. Use it.”