Give a man a zero day and he will have access for a day; teach him to phish and he'll have access for life
Phishing, in particular a well-crafted spear phishing campaign, is one of the scarier attacks that someone could take aim at your company with.
When tech companies like Facebook and Google are getting caught out for over $100 million each (link), where does that leave the small-to-medium sized companies that don't have a fraction of the expertise or resources of these giants?
The truth is you can have whatever solutions you fancy: endpoint protection, SIEMs, firewalls, hardened servers, strict GPOs to lock down your users and workstations, and so on. But then it all gets undermined by a user who unwittingly wires funds directly into the attacker's bank account because they fell foul of a phishing email.
And to combat phishing we trot out some droll in-house user training every other year.
Gone are the days of having to run into a shop with your trusty shotgun and balaclava to rob whatever pocket money is in the till. With a well-executed phishing attack you can pull funds straight from a company’s bank account.
To infiltrate a company’s infrastructure with pure tech skills alone is not easy. Phishing on the other hand?
Your aunt Maisy could be trained up in a weekend. She doesn’t need to have years of experience and training. There are plenty of dedicated frameworks that make it easy to create, deploy and manage phishing campaigns.
Obviously Maisy is not going to pick up phishing any time soon. But what about that 16-year-old just discovering the world of hacktivism? Maybe he doesn't agree with some of your business practices. Or what about the 18-year-old hustler with nothing to lose and everything to gain?
You could argue that the 16-year-old hacktivist might not have the first clue where to even begin with a set of O365 credentials. It doesn't matter though: at the end of the day, if he managed to get those credentials, that was a breach of security that you failed to stop.
Of course, attackers who mass mail thousands of phishing emails aren't hugely problematic. (I'm not writing them off either; they still have a good hit rate.) It's the ones that delve into spear phishing where things get really interesting.
Some of these attacks are brilliantly sophisticated. We are looking at months of planning out and staging the attack: profiling the company, learning how the company operates, finding out who's who, sometimes even building a working relationship with the company. All the while just waiting for the right moment.
The best advice to combat phishing is usually around policy and procedures for how tasks can be carried out securely. (Of course, we do have a few technical tricks up our sleeve to help.) But well thought out policy and procedure will help you most.
Here's your biggest problem though. People bend and break rules from time to time. The attacker either has to wait for the right opportunity to come about naturally, or get creative and force a person's hand.
Forget company policies for a minute. Think about your own golden rules that you’ve picked up from years of experience. Have you ever broken any of those rules over the last year or two?
Maybe that new machine that's just been sent to site without AV? You really should arrange to have it sent back. We all know golden rule #3 says you can't put a machine on a production network without AV... EVER.
But then that means having to leave that new user, Joe, on his first day without a laptop. It might even be two days before he gets it back. That’s a headache you don’t need. It’s OK, you’ll just give him a call first thing on Monday morning and get remote access to the machine and install the AV. Be grand.
This situation is not ideal, and is probably sitting somewhere in the top 3 tickets you want to get sorted on Monday. You’re probably not expecting that anything will come out of it and most likely you will get the AV installed without incident.
But these are exactly the kind of scenarios an attacker will try to manoeuvre you into: awkward situations where a quick bending of a rule would save you so much time and hassle.
I'm not suggesting for a moment that AV would stop a phishing attack, but let's just stick with this same scenario with new user Joe for a minute. What if an attacker had been profiling your company for the last 4 months?
He's waiting for an opportunity to find a way in. Maybe Joe posted on social media last week about how excited he is to start his new finance position with your company. The attacker gets alerts any time your company is mentioned publicly on social media, so of course he sees Joe's post. That's low hanging fruit in any man's language.
Do you think Joe is going to question or second guess anyone who calls him during his first day or two claiming to be from IT? Maybe a techie wants to confirm Joe's read/write permissions are set up properly? We could test by actioning one of these change requests. Update a customer's banking details, maybe?
Do you think for a second that other people throughout your company aren't bending or breaking rules from time to time? Jenny from finance has been posting on social media about her sun holiday; she's so excited, today's her last day in the office and there's no way she's staying a minute past 5pm. What happens if someone sends her an awkward request at 4:20pm?