Cybercriminals are always looking for ways to exploit the exposed personal data of high-value targets to breach companies. High-value targets (HVTs) are those individuals within an organization who have access to sensitive information or assets and have the potential to significantly impact an organization’s operations or reputation, making them attractive and valuable targets for cybercriminals. These individuals include executives, board members, high-profile employees, individuals with privileged access, and those who support them. Because threat actors always begin their attacks by conducting reconnaissance on high-value targets via publicly available data (especially info found on LinkedIn, data broker sites, and breach data repositories), taking preemptive steps to address this data is crucial for protecting HVTs.
In this blog post, we will explore the different ways cybercriminals exploit the exposed personal data of high-value targets and the proactive remediation steps security teams should take to safeguard their VIPs.
Ways Cybercriminals Exploit Exposed Personal Data of High-Value Targets
Threat actors can leverage exposed HVT personal information in a number of different ways in order to compromise the HVT, other employees, and the organization with which they are associated. Below are three of the top ways that this can happen.
1. Social Engineering
Social engineering is a tactic used by cybercriminals to manipulate HVTs into performing an action that gives the attacker access to sensitive data, assets, or networks. High-value targets often have public profiles that provide cybercriminals with a wealth of information about their personal and professional lives. LinkedIn accounts are the typical starting point for threat actors conducting reconnaissance and gathering information on high-value targets. Cybercriminals use the information they have gathered from the public digital footprint of HVTs to craft messages that look appealing or legitimate based on the target’s interests, associations, or role. These messages, whether in the form of phishing emails, LinkedIn chats, text messages, or phone calls, are designed to trick high-value targets into unwittingly giving up sensitive information, such as passwords or login credentials, or performing another action that benefits the attacker. The more personal data a social engineer has on an HVT, the more convincing, and ultimately the more successful, the attack can become. Now that threat actors can feed the personal data of HVTs into AI tools, the effectiveness and scale of social engineering attacks are increasing to unprecedented levels.
2. Impersonation
Cybercriminals may use the personal data of high-value targets to impersonate them and trick other employees into transferring funds or executing another task that is harmful to the company. Using the publicly available information of a high-value target and spoofing their email, phone number, or LinkedIn account, cybercriminals can craft convincing messages that appear to come from the executive, making it more likely that an employee will follow the attacker’s instructions. The practice of impersonating a LinkedIn account also extends beyond the HVT and can include spoofing the accounts of mid-level managers or other relevant individuals for the purpose of conducting reconnaissance and/or building trust with an HVT in preparation for an attack. If there are publicly available video or audio recordings of the HVT, AI now makes it easy for attackers to leverage these in order to create deepfakes of the HVT that can fool employees into doing the attackers’ bidding.
3. Credential Stuffing
Credential stuffing is a type of attack in which cybercriminals use exposed or stolen login credentials to gain access to an organization’s systems or applications. The credentials of high-value targets are especially valuable to attackers because of the privileged access they provide. Attackers obtain HVT credentials through breach repositories, social engineering, or stealer malware. These credentials can then be used to take over HVT accounts, breach their organizations, and cause devastating financial and reputational damage. In terms of the volume of exposed HVT passwords available to attackers, the number of cleartext credentials associated with personal identities is around 9x larger than the number associated with work identities. Accordingly, attackers are increasingly focusing on cleartext credentials from HVTs’ personal accounts, which makes this data source highly relevant for organizations that want to block the reuse of those credentials or force password resets when appropriate. Once an HVT’s personal account is compromised, an attacker can use it to gain access to the HVT’s corporate account, either through password reuse or through social engineering tactics such as an MFA fatigue attack.
Proactive Remediation Steps for Safeguarding VIPs
While HVTs are attractive and often vulnerable targets for threat actors, security teams can preemptively reduce the risk of their HVTs being successfully targeted by taking the actions outlined below.
1. Identify your High-Value Targets
Security teams should identify who in the organization is a high-value target based on their role, level of access, and public digital footprint. Who your HVTs are will vary across industries but generally these are going to be your C-Suite and Board, those who support them directly, those with access to your ‘crown jewels’ and those who work directly with them, and any remaining employees who have access to your security controls or who work directly with those who do. Look at your company from the perspective of an adversary and ask the following questions.
- If a threat actor were to target you, what systems would they want to get access to?
- What security controls do you have in place that, if bypassed through social engineering or credential stuffing, would lead to catastrophic damage?
- Which of your people have access to either those systems or those controls?
- Whom do you think an attacker would most likely target in a social engineering scam in order to gain access and why?
Once you have a list of these individuals, answer the following questions for each person’s LinkedIn profile.
- Do they list their location?
- Do they list anything in their profile that would suggest they are an attractive target? (When answering this question, use a list of words or phrases related to the technologies and processes your company uses, along with attractive job titles such as ‘administrator’, since these will stand out to an attacker.)
- Do any of these employees provide their contact information on their LinkedIn page?
Run the HVTs’ work and personal email addresses through any breach repositories you have access to and note the number of cleartext credentials available for each person. Individuals with attractive roles who also have more exposed data should be at the top of your list of HVTs. Security teams need to identify these HVTs and know the channels through which an attacker can find information on their work and personal life, what that information is, and how it can be leveraged in an attack. For instance, what information is revealed through a Google search? What additional information is available through LinkedIn and social media, or data broker sites? Does the HVT have a personal website? Are there publicly available conference videos featuring the HVT which could be fed through AI for use in an impersonation attack?
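The prioritization described in this step (role keywords, public profile attributes, and the count of cleartext credentials per email address) can be turned into a simple ranked list. The following is an added example, not Picnic’s code; the keyword list, weights and candidate records are constructed and assumed, and in practice the credential counts would come from your own breach-repository lookups.

```python
"""Rank candidate high-value targets by role attractiveness and exposure."""
from dataclasses import dataclass

# Constructed watch-list of terms an attacker would key on, with weights.
# Replace with the technologies, processes and titles used at your company.
ATTRACTIVE_TERMS = {
    "administrator": 3, "chief financial officer": 3, "executive assistant": 2,
    "active directory": 2, "okta": 2, "wire transfer": 2,
}

@dataclass
class Candidate:
    name: str
    profile_text: str               # public headline/about text
    lists_location: bool
    lists_contact_info: bool
    exposed_cleartext_work: int     # cleartext creds found for the work email
    exposed_cleartext_personal: int # ... and for the personal email

def score_candidate(c: Candidate) -> tuple[int, list[str]]:
    """Return (score, reasons); a higher score means review this person first."""
    text = c.profile_text.lower()
    score, reasons = 0, []
    for term, weight in ATTRACTIVE_TERMS.items():
        if term in text:
            score += weight
            reasons.append(f"profile mentions '{term}'")
    if c.lists_location:
        score += 1
        reasons.append("location is public")
    if c.lists_contact_info:
        score += 2
        reasons.append("contact info is public")
    # Exposed credentials dominate the score; personal ones count too, because
    # of password reuse and the personal-to-corporate pivot described above.
    score += 3 * c.exposed_cleartext_work + 2 * c.exposed_cleartext_personal
    if c.exposed_cleartext_work or c.exposed_cleartext_personal:
        reasons.append("cleartext credentials present in breach data")
    return score, reasons

def rank(candidates: list[Candidate]) -> list[tuple[str, int, list[str]]]:
    """Return (name, score, reasons) sorted so the riskiest person is first."""
    scored = [(c.name, *score_candidate(c)) for c in candidates]
    return sorted(scored, key=lambda row: row[1], reverse=True)

# Constructed sample records; replace with the output of your own review.
SAMPLE = [
    Candidate("A. Admin", "Systems Administrator, Active Directory and Okta", True, True, 0, 2),
    Candidate("B. Exec", "Chief Financial Officer", False, False, 1, 0),
    Candidate("C. Eng", "Software engineer", True, False, 0, 0),
]
```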
2. Identify the Vulnerabilities Presented by your High-Value Targets’ Public Data Footprints
What vulnerabilities does the HVT’s exposed information present? Embrace the attacker mindset and ask the following questions:
- How would an attacker use this data for social engineering?
- What personal details are likely to be exploited and through what means?
- Is the HVT highly active and accessible through LinkedIn? Is the HVT connected with any suspicious LinkedIn accounts?
- Are there exposed email addresses, either work or personal, which could be spoofed or used to target the HVT?
- Does the HVT have exposed credentials, either work or personal, that are still in use and could be used to take over their accounts or launch credential stuffing attacks on your company?
- Are there exposed phone numbers that could be spoofed or leveraged in a smishing attack?
- Are there support staff or family members of the HVT whose data could be leveraged in an impersonation attack against the HVT?
- Are there publicly available recordings of the HVT which could be leveraged in a vishing attack?
3. Remove or Neutralize Personal Data and Attacker Infrastructure
Once data vulnerabilities are identified, security teams should remove or neutralize as much of the personal data as possible that could be leveraged against the high-value targets and the company. This process includes such steps as initiating data broker takedowns, removing sensitive personal data from social media platforms and maximizing privacy settings, switching to alternative channels of communication to neutralize exposed contact information, and ensuring any exposed credentials found across breach repositories, either work or personal, are not being used by the HVT.
In addition to reducing your HVTs’ exposure, you will also want to proactively neutralize any attacker infrastructure that can be leveraged against them. To do this, identify and block any newly registered or suspicious domains that resemble your company’s. Attackers set these up to host pages that harvest HVT credentials, which are then replayed against your legitimate login pages to compromise your organization. Expand this practice to cover trusted third parties as well. Also identify and block any suspicious social media accounts that could be used to conduct reconnaissance and build trust with your HVTs, or to impersonate them. These can be detected by their profile creation date, the connection requests they send to employees, and their claims to be associated with your company.
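To triage a feed of newly registered domains for lookalikes of your company’s domain, as this step recommends, a defender can normalize common digit-for-letter substitutions and compare the registrable label against the brand. This is an added example, not Picnic’s code; the company domain examplecorp.com, the candidate feed and the registration dates are constructed, and in practice the feed would come from a certificate-transparency or new-domain data source.

```python
"""Flag newly registered domains that resemble a company's own domain."""
from datetime import date

# Common digit-for-letter substitutions seen in lookalike labels.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})

def normalize(label: str) -> str:
    """Lower-case, undo digit substitutions and drop hyphens."""
    return label.lower().translate(HOMOGLYPHS).replace("-", "")

def levenshtein(a: str, b: str) -> int:
    """Standard edit distance (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_reason(domain: str, brand: str, max_distance: int = 2):
    """Return why the domain's first label resembles the brand, or None."""
    label, brand_n = normalize(domain.split(".")[0]), normalize(brand)
    if label == brand_n:
        return "matches brand after normalization (homoglyph or other TLD)"
    if brand_n in label:
        return "contains brand label plus extra tokens"
    dist = levenshtein(label, brand_n)
    return f"edit distance {dist}" if dist <= max_distance else None

def triage(feed, company_domain: str, today: date, new_days: int = 30):
    """Return (domain, reason, registered_recently) for each lookalike in feed."""
    brand = company_domain.split(".")[0]
    hits = []
    for domain, registered in feed:
        if domain == company_domain:       # skip our own domain
            continue
        reason = lookalike_reason(domain, brand)
        if reason is not None:
            hits.append((domain, reason, (today - registered).days <= new_days))
    return hits

# Constructed feed of (domain, registration date) entries.
FEED = [
    ("examplecorp.com", date(2010, 1, 1)),
    ("examp1ecorp.com", date(2024, 5, 1)),
    ("examplecorp-login.net", date(2023, 1, 15)),
    ("exampelcorp.com", date(2024, 4, 20)),
    ("weather-news.org", date(2024, 5, 2)),
]
```

A hit that is both a lookalike and recently registered is the strongest candidate for blocking at the mail gateway and web proxy.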
4. Educate your High-Value Targets about their Specific Risk
Because not all public information can be removed, it is important that security teams inform VIPs of how their exposed personal data could be used in an attack. This process should involve regularly emulating attacker reconnaissance on the HVT’s digital footprint and providing detailed, personalized reports on the HVT’s specific risks and any mitigation actions that should be taken. Since LinkedIn provides fertile ground for impersonation attacks, HVTs need to be informed about the various ways these attacks could occur and the best practices for protecting against them. While HVTs may be reluctant to tighten their privacy settings on a professional network like LinkedIn, they can reduce their risk of falling victim to impersonation by taking some basic precautionary steps. For instance, when they receive a connection request or a message, they should first look at the ‘About this profile’ section of the sender’s profile to see whether it was created or updated very recently, as that can be an indicator of impersonation. Another good practice is to confirm that the contact is legitimate through a second channel, whether text, email, or chat, so long as it is outside of LinkedIn.
5. Secure the Devices of HVTs and their Inner Circle
Ensure all of the devices your HVTs use are secure, along with those of their families and support staff. Security teams should implement anti-phishing measures, such as spam filters and email authentication protocols, to protect against social engineering attacks. Securely configure MFA on all accounts, using FIDO2-compliant hardware security keys as an authentication factor where possible. Ensure a DMARC record with an enforcing policy is published in DNS to mitigate against impersonation attacks. Have your HVTs and their inner circle use a virtual private network (VPN) such as Google One or ExpressVPN to encrypt their traffic, hide their physical location, and make it harder for attackers to observe their internet activity or reach their personal devices.
6. Monitor and Detect
Security teams should continuously monitor the digital footprint of your HVTs, including the footprints associated with personal identities, as digital footprints are constantly changing, and new risks will inevitably present themselves. Any new risky data, as well as any new suspicious domains or accounts, should promptly be addressed before they can be exploited.
Cybercriminals are constantly looking for ways to exploit the exposed personal data of high-value targets to breach companies. By taking the steps outlined above, however, organizations can significantly reduce the risk of their HVTs being successfully targeted.
How Picnic Protects HVTs
Proactively and continuously protecting your HVTs can be a time-consuming and resource-intensive process, particularly for large organizations with complex systems and multiple access points. And when security teams lack the visibility into exposed HVT personal data and support-staff OSINT vulnerabilities that is necessary to prevent credential stuffing, impersonation, and other types of social engineering attacks, it becomes challenging to predict pathways to compromise and to implement reasonable preventative measures successfully.
For those looking to automate and scale the process of high-value target protection, Picnic includes automated HVT protection as part of our human attack surface protection solution.
Picnic protects against attacks that leverage HVT and support staff public information by proactively addressing and reducing the human attack surface data that fuels them. Through a combination of Picnic’s technology and services, Picnic maps threat actor TTPs to HVT risk, identifies the most likely digital pathways to compromise against your company’s HVTs, and preempts them by breaking up the attack chain through sensitive data removal and neutralization, identifying and blocking suspicious domains and accounts, and delivering other customized remediations informed by your HVTs’ unique digital footprints.
Picnic’s first-of-its-kind technology automatically emulates attacker reconnaissance on your HVTs’ exposed data across the open, deep, and dark web, and provides the data-driven threat modeling and mitigations necessary to prevent the exploitation of this data in an attack. Picnic delivers unprecedented, continuous visibility of the social engineering and compromise risk of HVTs across their personal and work identities and targeted remedial actions that reduce their attack surface.
In addition to the automated reconnaissance, analysis, and remediations provided by Picnic, our Global Intelligence team conducts advanced Red Team reconnaissance on your HVTs to identify additional vulnerabilities. The results of this analysis include detailed insights from both work and personal identities about the types of risk an HVT is exposed to based on their online footprint along with mitigations. Picnic also offers on-demand private consultations that give HVTs a guided tour of their online footprint with the opportunity to problem-solve in real-time and benefit from direct access to Picnic’s leading social engineering experts.
As a necessary part of Picnic’s reduction of the human attack surface, Picnic provides continuous digital footprint cleansing for HVTs such as the removal of exposed personal and corporate PII from data brokers, neutralization of exposed clear-text passwords across data breach repositories, and exposure from surface websites. Because threat actors often target those close to HVTs, including their families and support staff, Picnic’s coverage extends to the HVT’s inner circle for holistic protection.
For more on how Picnic protects your HVTs, their dependents, and support staff, see here: https://getpicnic.com/high-value-target-protection/
While attackers will undoubtedly continue to try and exploit the personal data of HVTs to compromise them and their organizations, Picnic is here to help you protect your high-value targets by providing an enterprise-wide layer of prediction and prevention against attacks that leverage the personally identifiable information of HVTs. Through automated and continuous reconnaissance, personalized threat modeling, and digital footprint cleansing covering both work and personal identities, you can rest assured that you are getting the most advanced and comprehensive level of HVT digital protection possible today with Picnic.