The recent embarrassing hack of Twitter that led to the compromise of some very famous accounts (Bill Gates, Elon Musk, Barack Obama, et al.) for use in a bitcoin-stealing scam grabbed global headlines for a few days. The story started winding down with the arrests of three young men in the UK and Florida. The attack showed some sophistication, combining surveillance of Twitter-internal Slack channels, SIM-swapping, the creation of a fake Okta authorization-server landing page, and social engineering of Twitter IT techs via voice calls, but did not rise to the level of state-actor or professional-cybercriminal attacks. Twitter should feel lucky today that the thieves only set their sights on a small payday (netting less than $120K before they got caught) rather than broadcasting false headlines that might have shaken global financial markets.
It’s a useful reminder that phishing remains among the most popular and successful attack vectors for a variety of cybercrimes, accounting for some 30% of all breaches, according to Verizon’s most recent Data Breach Investigations Report. That statistic kicked off today’s panel discussion hosted by the Massachusetts Technology Leadership Council (MassTLC) entitled “A Multi-Layered Approach to Combat Social Engineering”. The one-hour session was moderated by Deb Brigs, CISO of NETSCOUT, and included Katie Ledoux, Senior Manager of Trust and Security Governance at Rapid7, Rob Mitchell, Customer Success Lead and Threat Intel Manager at GreatHorn, and myself in my role as Director of Cyber Protection at Acronis.
In addition to the recent Twitter breach, the panel recalled other phishing war stories drawn from their personal experience as well as the press. Examples ranged from the scarily commonplace (“employee clicks on trustworthy-looking but malicious email and lets in a ransomware attack on their entire company”) to the stupidly embarrassing (“Pathé executives pay out over $21M to a fraudulent recipient before realizing the source of their email instructions was not actually their CEO”) to the futuristic (“criminals impersonate a CEO’s voice using AI-enabled deepfake audio technology to direct fraudulent wire transfers of $250K”). This last one is a new type of attack, and it may be worth talking to your finance teams about deepfakes.
Panelists discussed social-engineering attacks of both the technical variety (e.g., malware delivered from poisoned email attachments or websites) and the non-technical sort (e.g., sweet-talking an employee over the phone into giving away sensitive, high-privilege credentials). We ascribed their prevalence and success to several factors:
- The boom in credential theft and resale. An estimated 8 billion sensitive credentials were exposed by breaches in May 2020 alone, per ITgovernance.co.uk. By using them in credential-stuffing attacks (exploiting the too-common practice of password reuse across applications and websites), cybercriminals can often take their first successful steps inside an organization, and from there employ social-engineering attacks to further escalate their privileges and access to sensitive systems and data.
- The sheer volume of messages (SMS, chat, email, voice, collaboration app, etc.) that typical workers must process every day. The law of averages, fatigue, and deadline pressures practically guarantee that somebody, somewhere is going to make a mistake and click on a link or open an attachment they shouldn’t.
- The difficulty that many organizations, particularly SMBs, face in trying to keep up with the cost and complexity of a complete cyber protection regime, including backup, behavioral anti-malware, vulnerability scanning, patch management, URL filtering, security configuration management, and other planks of a solid defense-in-depth strategy.
- The industrial scale and ingenuity with which modern cybercriminals prosecute their attacks, from cheap, effective ransomware-as-a-service operations to the clever introduction of malware into companies via giveaways of malware-delivering USB sticks and cables.
The panelists concluded the session with a recap of white-hat cybersecurity professional wisdom in the form of key recommendations to fight social engineering attacks:
- Reduce access to privileged accounts, and add multi-factor authentication to them first if not throughout the organization
- Monitor users, applications and networks for anomalous behavior, including suspicious failed logon attempts and uncommon network traffic patterns
- Conduct regular security awareness training, including exercises that test users’ ability to spot phishing emails and voice attacks, and don’t forget to include prize targets like your C-suite executives
- Assume that eventually a social-engineering attack will get through, develop a cybersecurity incident response plan, and rehearse its execution regularly
- Make sure that any employee authorized to transfer major sums of money is regularly briefed on tactics like whale phishing, voice impersonation, etc., and equip them with additional measures for out-of-band verification of payment instructions
- Consider shrinking the social-media footprint of privileged executives like your CFO to limit intelligence-gathering opportunities for black-hat social engineers
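As an added illustration of the “monitor for suspicious failed logon attempts” recommendation above, applied to the credential-stuffing pattern described earlier, the script below (my own example, not the panel’s or any vendor’s code, run over constructed log lines in an assumed format) flags a source address that fails against many distinct accounts and lists any account it nonetheless got into:

```python
import re
from collections import defaultdict

# Constructed sample auth log lines (not from any real system); failures
# from 203.0.113.7 hit many different accounts, the classic stuffing pattern.
SAMPLE_LOG = """\
2020-07-20T09:00:01Z auth FAIL user=alice src=203.0.113.7
2020-07-20T09:00:02Z auth FAIL user=bob src=203.0.113.7
2020-07-20T09:00:02Z auth FAIL user=carol src=203.0.113.7
2020-07-20T09:00:03Z auth OK   user=dave src=203.0.113.7
2020-07-20T09:00:04Z auth FAIL user=erin src=203.0.113.7
2020-07-20T09:00:05Z auth FAIL user=frank src=203.0.113.7
2020-07-20T09:05:00Z auth FAIL user=alice src=198.51.100.3
2020-07-20T09:05:01Z auth FAIL user=alice src=198.51.100.3
2020-07-20T09:05:09Z auth OK   user=alice src=198.51.100.3
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) auth (?P<result>OK|FAIL)\s+user=(?P<user>\S+) src=(?P<src>\S+)$")

def parse_log(text):
    """Parse the constructed log format into dicts; lines that don't match are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def find_credential_stuffing(events, min_accounts=4, min_fail_ratio=0.6):
    """Flag source addresses whose failures span many distinct accounts.
    A user mistyping a password fails against one account from one address;
    a credential-stuffing run fails against many accounts from one address."""
    by_src = defaultdict(lambda: {"fail_users": set(), "ok_users": set(), "fail": 0, "total": 0})
    for e in events:
        s = by_src[e["src"]]
        s["total"] += 1
        if e["result"] == "FAIL":
            s["fail"] += 1
            s["fail_users"].add(e["user"])
        else:
            s["ok_users"].add(e["user"])
    alerts = {}
    for src, s in by_src.items():
        ratio = s["fail"] / s["total"]
        if len(s["fail_users"]) >= min_accounts and ratio >= min_fail_ratio:
            # Any account that logged in successfully mid-spray is the one to triage first.
            alerts[src] = {"accounts_tried": len(s["fail_users"]),
                           "fail_ratio": round(ratio, 2),
                           "succeeded_as": sorted(s["ok_users"])}
    return alerts

if __name__ == "__main__":
    for src, info in find_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"possible credential stuffing from {src}: {info}")
```

The second address in the sample (one user, three attempts, then success) is left alone, which is the behavior you want so that ordinary typos do not drown the real alert.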
As with any cyberattack, no single solution will ever be enough to fend off the phishers or overcome the susceptibility of humans to the wiles of modern social engineering. Businesses must deploy defense-in-depth solutions that reinforce the weakest link in the attack chain (i.e., people) and buttress them with AI-enabled countermeasures and automation to detect, contain, and recover from phishing-based incursions. As one example, Acronis and GreatHorn are currently partnering to integrate Acronis cyber protection solutions with GreatHorn email security products to protect sensitive data before, during and after social-engineering-based attacks. For more information, visit us here: https://www.acronis.com/en-us/cloud/cyber-protect/
My thanks to my fellow panelists, moderator, and to the MassTLC and host Sara Fraim for including us in this timely and lively cybersecurity discussion.