In a recent survey of CISOs’ concerns about remote work environments, cyber risk analytics firm Arceo.ai uncovered illuminating data. When asked to rank their concerns, the CISOs responded:
- 49%: cloud usage vulnerabilities
- 45%: vulnerabilities stemming from personal device
- 41%: new risks with unvetted apps/platforms
- 39%: new vulnerabilities in existing apps or platforms.
CISOs are right to be worried. The remote work threat surface introduces a variety of new challenges. One of the subtlest, most dangerous, and fastest-evolving new threats is the so-called “soft attack.”
What is a Soft Attack?
Typically, cyber-attacks are delivered by files or links that deliver malicious payloads. Bad actors can automate these attacks en masse, with fairly crude campaigns running over short timeframes. Soft attacks – or “soft hacks,” as the The Wall Street Journal has recently called them – are far more targeted.
Typically, they contain an element of social engineering. This means that bad actors are researching potential victims on channels such as LinkedIn and Twitter, and then crafting a message based on a target’s interests, predilections, etc. The attacker might pose as a colleague, or a conference organizer with a keynote invitation, and dupe the end user into sharing confidential information.
This sort of attack starts and progresses in the text and language of messages, and therefore easily evades traditional threat detection techniques. There is nothing obviously dangerous that might sound the alarm of legacy technologies.
Brian Honan, CEO of BH Consulting in Ireland, explained how easy it is for bad actors to conduct soft attacks on social media during an episode of the Zero Hour podcast. “Once you’ve made connections to people on a social media account’s private messaging feature,” he explained, “you can send people links to all kinds of attacks.” Companies might possess robust email security, “but an employee might access a link via instant messaging, and that may not be covered by any of your security tools. It’s a nice easy way into the core of your systems.”
Labryinth Chollima: Using LinkedIn & WhatsApp
Despite the subtlety and patience of these soft attacks, though, the consequences are serious: data loss, payroll fraud, account takeover, vendor invoice fraud, blackmail, credential theft, and more.
Even the world’s richest and most powerful people aren’t safe, as proven by Jeff Bezos suffering a soft attack on WhatsApp in January of 2020. Bezos received a video containing NSO Group spyware through a WhatsApp group conversation. The attack managed to exfiltrate a large amount of data from Bezos’ phone.
A more recent example of the soft attack comes from the Labyrinth Chollima threat actor, attributed to North Korea. Labyrinth Chollima leverages digital channels to deliver malware payloads to its victims. It profiles enterprise employees through LinkedIn, connects with them, and lures them to WhatsApp. Here, it hits employees with malicious messages and payloads.
The remote working surge has seen many staff, executives included, operating outside the traditional security perimeter. Home offices are far less secure than traditional offices; Q1 of 2020 saw spear phishers launch over 100,000 attacks against remote workers.
Safeguarding Against Soft Attacks
To guard against soft attacks, CISOs need to protect their enterprises in three key areas.
People - Key stakeholders and line of business owners must be communicating about the risks of their evolving tech stacks. For example, if sales now relies more on LinkedIn (or even WhatsApp) in the remote work environment, then security teams need to know this.
These channels are prime vectors for soft attackers, where communications are invisible to security teams. Security needs to know what channels are being used by their colleagues, so that they can calculate risk and put controls in place.
Process - All lines of business need to inventory their tech stacks on a quarterly basis, and establish roles and responsibilities for different risks. If IT procures collaboration software like Microsoft Teams or Slack, do they also own the monitoring of employee conduct, or is that HR’s responsibility? What about data leakage risks; is that the responsibility of the legal team? If so, do they have the oversight tools they need?
These questions have broad implications for how security is applied, and whether teams need to share budgets on these solutions. These discussions need to be had in order to secure the cloud infrastructure that is critical to remote work against soft attacks on employees and executive leaders. Ninety percent of companies in a recent Wall Street Journal survey said remote work brought by the pandemic has created new risks or exacerbated existing ones.
Technology - The cloud channels that drive modern business generate hundreds of thousands of messages per day. CISOs need controls that can keep pace with the volume and velocity of digital communications.
These new risks and channels are in the cloud, and as such you need cloud-native defense. You need to detect soft attacks at the app layer, in the DMs, and catch them before opened links or files can release malware that transits through VPNs to corporate systems. Enterprises need a platform that leverages machine learning to monitor 100% of cloud communications. If necessary, the platform should offer rapid deployment for multi-regional teams.