Think Like a Hacker to Stop Attacks Before They Strike

By Matt Polak, CEO of Picnic

Cyber threat intelligence indicates that there is a high probability of digital retaliation against Western companies and governments that have supported Ukraine or distanced themselves from Russia. Russia has validated this intelligence, and its cyberwar strategy is evident: harvest personally identifiable information (PII) about individuals, use it to power social engineering schemes, and run attack and compromise campaigns that cause damage, collect intelligence, and generate income.

Organizations that have cut (or iced) ties with Russia, or those supporting Ukraine, are most likely to be the direct targets of Russian cyber aggression and retaliation. There are three things you should know about how threat actors like Russia operate: 

  1. Their #1 attack vector is social engineering.
  2. Their #1 target is high-value employees.
  3. Every attack begins with reconnaissance of public data footprints (i.e., OSINT data).

Unfortunately, existing controls are not likely to stop sophisticated social engineering attacks: training doesn’t work (people can’t be trained to spot these well-crafted attacks), and technical controls like mail gateways and endpoint protection can be defeated by staged operations that first identify such controls in order to evade them.

In addition to the #shieldsup activities that are ongoing, below are some simple steps companies concerned about retaliation should take immediately.

What Should You Do

  1. Embrace the attacker’s mindset
  2. Identify your targets
  3. Remediate
  4. Repeat

1. Embrace the Attacker’s Mindset

Start by approaching this problem as the attacker. Ask yourself some key questions:

  • What systems would I want to gain access to?
  • What security controls, if exploited, would lead to catastrophic damage?
  • Who has access—either to the systems themselves or to the controls?
  • Who do you think would make the best target if you were the attacker? Why?

This last question is key and leads into the next activity: identify your targets.

2. Identify Your Targets

Make a list of your people as follows:

  • Group 1: People (probably your C-Suite and Board) whose personal brands and reputations are intertwined with your company’s brand and reputation.
  • Group 2: People who work directly with and support Group 1.
  • Group 3: People with privileged access to your “crown jewels”.
  • Group 4: People who work directly with and support Group 3.
  • Group 5: If not already considered, the people who have privileged access to your organization’s security controls.
  • Group 6: People who work directly with and support Group 5.

I recommend putting these people into a spreadsheet for simple management, since you’ll want to capture some additional information on each one.

First, for each person in each group:

  1. Add their LinkedIn profile (assuming they have one) to your spreadsheet
  2. Add their work and personal (if available) emails to the spreadsheet

Create a few columns on which you can track some basic data about each person with a simple Yes or No.

For their LinkedIn profile:

  • Does the person list a specific geography where they are located?
  • Does the person list anything in their profile that would suggest they would be an attractive target? Words like “administrator” or listing technologies or processes they are responsible for are dead giveaways.
  • Does the person list any contact information on the page?

For their work and personal emails:

  • Run through whatever breach repos (sites on the public, deep, and dark web where people’s usernames, passwords, and other personal information are stored and sold) you have access to and record the number of cleartext credentials found for each person.

When you are done, your spreadsheet should look something like this, sorted by seniority:

You can use some basic approaches to analyze this kind of data that leverage your knowledge of your company and its security practices, as well as the questions you asked yourself upfront when you thought like the attacker.

For example, as seen above, you might decide that the people with the most breaches of their work emails should be triaged first. In this view, the EA to the CEO is most likely to be targeted, so you might increase sandboxing for their account, hold a direct 1:1 security coaching session with them, and make some reasonable requests to modify personal data to neutralize oversharing on social media. At a minimum, make sure that none of the cleartext credentials you found are in use in your company’s infrastructure, and ideally not in the employee’s personal life either. After all, attackers want the easiest path in, and it’s usually smooth sailing into unmonitored personal email and interconnected social media.

If you want to apply more analysis, you could assign 1 point to every “Y” and weight everything equally. Doing so yields a target list that looks quite different and makes your RDP Admin (yikes!) the #1 target for attack:

What’s equally valuable about this exercise is knowing who is not the most likely to be attacked. Maybe your gut instinct told you that your Security Tools Admin was your top target, but the quick analysis shows this person would be difficult to target, which de-prioritizes them in the eyes of an attacker.

Organizations have limited human analyst resources capable of solving problems that computers can’t solve, so knowing where to invest valuable staff resources is critically important in our current elevated threat environment.

There are many approaches that can yield valuable insight into how to secure your organization based on the view of the attacker. Remember, the way the attacker prioritizes their targets is based on reconnaissance of public data. Seniority is a useful metric, but it’s only one consideration. Oftentimes it is those people who are accessible rather than valuable who are the first line of attack for hackers who seek to leverage credential escalation and lateral movement. For example, the executive assistant to the CTO could be easily overlooked by an internal security organization, but someone in this role likely has shared access to certain systems that are sensitive, and therefore would likely be a prime target for an attacker.
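As an added example (not from the original post), the two rankings described above run over a constructed version of that spreadsheet, loaded with Python’s csv module: first by breached work credentials, then by the equal-weight point score. The column names and sample rows are assumptions, a breach count is treated as a “Y” when it is above zero, and the optional weights argument goes one step beyond the post so a column can count for more than one point.

```python
import csv
import io

# Constructed sample of the spreadsheet described above (rows are roles, not real people).
# Y/N columns come from the LinkedIn review; the breach columns are counts of cleartext
# credentials found in breach repositories for that address.
SAMPLE_SHEET = """\
name,group,seniority_rank,linkedin_geography,linkedin_role_keywords,linkedin_contact_info,work_email_breaches,personal_email_breaches
CEO,1,1,Y,N,N,2,1
CTO,1,2,Y,Y,N,1,0
EA to CEO,2,3,Y,N,Y,6,2
Security Tools Admin,5,4,N,N,N,0,0
RDP Admin,3,5,Y,Y,Y,3,4
"""

YN_COLUMNS = ("linkedin_geography", "linkedin_role_keywords", "linkedin_contact_info")
COUNT_COLUMNS = ("work_email_breaches", "personal_email_breaches")


def load_people(sheet_text):
    """Read the spreadsheet export into a list of dicts with numeric columns converted."""
    people = []
    for row in csv.DictReader(io.StringIO(sheet_text)):
        row["seniority_rank"] = int(row["seniority_rank"])
        for col in COUNT_COLUMNS:
            row[col] = int(row[col])
        people.append(row)
    return people


def exposure_score(person, weights=None):
    """One point per 'Y'. A breach count counts as 'Y' when it is above zero (an assumption
    of this example). weights lets a column be worth more than one point; the post uses 1."""
    weights = weights or {}
    score = 0
    for col in YN_COLUMNS:
        if person[col].strip().upper() == "Y":
            score += weights.get(col, 1)
    for col in COUNT_COLUMNS:
        if person[col] > 0:
            score += weights.get(col, 1)
    return score


def rank_by_work_breaches(people):
    """First view from the post: triage whoever has the most breached work credentials."""
    ordered = sorted(people, key=lambda p: (-p["work_email_breaches"], p["seniority_rank"]))
    return [p["name"] for p in ordered]


def rank_by_score(people, weights=None):
    """Second view: exposure score, most exposed first; seniority breaks ties."""
    ordered = sorted(people, key=lambda p: (-exposure_score(p, weights), p["seniority_rank"]))
    return [p["name"] for p in ordered]


if __name__ == "__main__":
    people = load_people(SAMPLE_SHEET)
    print("by work-email breaches:", rank_by_work_breaches(people))
    print("by exposure score:     ", rank_by_score(people))
```

On the sample rows the EA to the CEO tops the breach view while the RDP Admin tops the score view and the Security Tools Admin comes last in both, mirroring the post's two figures.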

3. Remediate

Now that you know who is most likely at risk, we recommend a quick scrub of OSINT data to make your team harder to target. In order of priority:

  1. Passwords. Confirm that none of the cleartext credentials you found are in use, ideally ban them from your systems, and ask employees to confirm they are not using these credentials elsewhere either.
  2. LinkedIn. Go back to the list of words or phrases that powered your evaluation of LinkedIn. Send a quick email to your team asking them to change or remove these words, with an explanation as to why (see “Resources” below for a sample communication).
  3. Data Brokers. Find data brokers and remove your people from them; brokers are an easy source for threat actors looking for PII on your employees. To do this, run a series of Google searches for the people in your list such as: “Full Name” + “work email”; “Full Name” + “personal email”; and “Full Name” + “home address”. Results will commonly include data brokers such as Whitepages, Spokeo, MyLife, and ZoomInfo. These data broker sites support removal requests, though the process can take time and is not uniform. If you want help with this, please contact me or comment.

4. Repeat

This type of exercise should be run continuously, in good times and in bad. Digital footprints and employee populations are in constant flux, and so are attacker motives and methods. Building this kind of capability will help build a security culture and create the good operational security practices that should be the backbone of any security strategy.

Remember, hackers scout your organization to find an easy way in so they can compromise your people, your company, and your brand (in that order).

Picnic solves this problem at scale, so if you want to learn more about how to come upstream of the attack to stop hackers, please get in touch with us to schedule a demo.

Resources

After reducing the attack surface of the human, the next step would be to consider something like what has been proposed by Krebs Stamos Group, who provided helpful advice for those exiting the Russian market or icing ties with Russian-connected organizations.

Sample Communication

[EMPLOYEE],

In light of [COMPANY’s] position in the global market and recent actions with respect to Russia, we conducted a threat assessment to identify ways to protect our highly valued employees like you from hackers who might retaliate against [COMPANY].

Hackers are targeting the personal lives of employees to gain access to company systems, so it’s important we take this threat seriously for both the company and you.

Based on the threat assessment we conducted, we are asking employees with the following information in their LinkedIn profiles to change or remove it.

Please remove the following references:

  • System Name 1
  • System Name 2
  • System Name 3

We believe that by removing these references it will make you less likely to be the target of malicious activity, which will make you safer online both at work and home.

This small change will make a big difference for you and your colleagues.

Thank you for your help,
[NAME]

How to sharpen your corporate social media policy for today’s threats

Using social media is, without a doubt, one of the most popular online activities that internet users engage in. Businesses have also discovered how to leverage social media to create opportunities for their brands. However, the use of these platforms has also created many risks. Not only can a bad social media post spiral into a full-blown PR crisis, but social media has become a data channel that cybercriminals exploit regularly to steal sensitive corporate information or cause huge reputation damage. Many businesses create a social media policy for their organization but often don’t understand how to fully protect themselves.

The Social Media Policy

It is said that 3.96 billion people and 88% (and rising) of companies currently use social media platforms worldwide. Despite its high usage, social media culture is still relatively new territory for both employers and employees. Businesses have recognized that unwise social media use can create detrimental outcomes, but the social media policies these companies develop show a level of naivete when it comes to understanding risk.

The corporate social media policy is often a document that sits on a company’s intranet, rarely changed since the day it was written. It is standard practice to include the social media policy at employee onboarding as part of the contractual process between employee and employer. Typically, the policy centres on the do’s and don’ts of employee usage and on regulatory or compliance obligations, and it explains expectations for employee conduct online. For example, Dell Global’s Social Media Policy is reported to be as follows:

  1. Protect Information
  2. Be Transparent and Disclose
  3. Follow the Law, Follow the Code of Conduct
  4. Be Responsible
  5. Be Nice, Have Fun and Connect
  6. Social Media Account Ownership

The overall goal is to set expectations for appropriate behaviour and ensure that an employee’s usage will not expose the company to legal problems or public embarrassment.

The example policy is also remarkably vague. There are probably a couple of reasons for this. Today’s HR departments are very sensitive to employee privacy concerns. There may be a reluctance to lay down specific rules for behaviour that may seem subjective and intrusive.

However, there is a difference between something that is embarrassing and something that is dangerous. Many companies like this are clearly not concerned about network security implications and how employee actions online may compromise both personal and corporate security. The reality is that there is a real need for specific rules (or at least “tips”) regarding how employees present personal data about themselves on social media.

Social media content is highly susceptible to cybercriminals

Social media usage exposes company networks to hacks, viruses and privacy breaches. How? Social media encourages people to share personal information or Personally Identifiable Information (PII). Even the most cautious and well-meaning employee can give away information they should not or accidentally disclose sensitive company information. With this data, cyber criminals who use social engineering techniques can more effectively exploit the gullibility and misplaced trust of many social media users – having serious consequences for those users and their employers’ networks.

All it takes is one mistake. According to the latest EY Global Information Security Survey 59% of organizations had a “material or significant incident” in the past 12 months. Research also found that 21% of organizations have been infiltrated by malware via Facebook and 13% report that their organization has been infiltrated by malware via YouTube. So, what can be done to reduce the risk and ensure your employees and your brand are protected?

The Social Media Policy: What you can do to safeguard against potential attacks

The first step should be to implement a detailed and effective social media policy. While 80% of businesses report having a social media policy in place, the reality is the majority of policies (58%) could be described as general in nature – only 28% have a detailed and thorough policy. So, what additional guidance should your social media policy include? Be focused on data exposure as much as reputation. Here are just a few examples of some rules to publish to get started:

  1. Don’t accidentally describe your tech stack: If you are a technical person, like an engineer, you may want to post your technical proficiencies online. Combined with your job title, however, you could end up describing your company’s technical infrastructure, which may give a hacker or social engineer exactly the information they need to attack the company. What seems like a clear description of your current employment and career path is, in today’s world, information that won’t actually help you but might harm you if it falls into the wrong hands.
  2. Don’t post your resume online: Yes, your LinkedIn page is a resume…but it isn’t. Resumes typically contain personal contact information that LinkedIn’s UI structure can protect. Remember that resumes are artifacts of old one-to-one communications between job seeker and employer. In today’s world, you are only revealing information that won’t necessarily help you but might actually harm you if it falls into the wrong hands.
  3. Pay attention when providing personal information online: In general, we should all be wary of giving out information that makes us personally identifiable: for example, middle name, birthplace, marital status, check-ins, and current location. Each of these bits of information is innocent in itself, but combined with other information they equip social engineers with more tools to attack you or to leverage your personal data to get into sensitive parts of your company.
  4. Help employees spot suspicious activity: While employees can be your weakest link when it comes to potential cybersecurity risks, they can also be your greatest asset in protecting your company. Educating and teaching employees on how to spot and identify suspicious activity such as dubious links or downloads will also go a long way in reducing potential attacks and malware intrusion in your computer systems.

For any business, social media platforms can be a gateway to reaching larger audiences. However, they have also gained the attention of cyber-criminals who are more than willing to use them against you. Considering that the average data breach costs companies in the U.S. $7.91 million, the importance of protecting company, customer, partner, and employee data cannot be overstated. Businesses with a holistic social media policy in place will be in a better position to protect both their employees and their organization against potential attacks.

How to spot a phishing email

Would a Company Send Me That?

We’ve all heard of a phishing email. If you haven’t heard of a phishing email, now is the time to familiarize yourself with this must-know threat lurking online. In this article, we’ll show you how to spot a phishing email and examples of common phishing emails.

What is Phishing?

Phishing is modern-day fraudsters attempting to obtain sensitive information from a person or organization by posing as another person or a company online. They might be after your user information, such as passwords or usernames, or your credit card and banking information. Employers should also be concerned, as fraudsters have been known to steal sensitive or damaging information from employees or to gain control of an entire company’s software.

According to a report by Symantec, 96% of phishing scammers are focused on intelligence gathering.

Scammers are known to use the information gained through phishing for:

  • Identity theft
  • Intellectual property theft
  • Industrial or Government Espionage
  • Corporate Sabotage – ex. stealing patent secrets
  • A total takeover of a website or online controls
  • Stealing money

How Does Phishing Work?

We frequently receive emails from our banks, our work IT administrators, or a trusted social media site. The email might ask for details, to log in with a username and password, or simply to click a link. Phishing is when a scammer sends you one of these emails in an effort to steal your information or gain access to your network. The perpetrator is setting a trap for users by pretending to be an authority figure, a legal entity or a company you recognize.  

It’s a lot like fishing, where an angler casts bait on the hook in the river. Eventually, a fish falls for the trap and bites on the bait. Fraudsters lure you to what seems like a legit request from a trustworthy source and wait for you to click on it. 

Instead of ending up at the end of a fishing pole, phishing victims may find themselves in a damaging situation. The consequences of a phishing attack could be the installation of malware on your computer or mobile phone or your phone or computer being frozen due to ransomware. One of the worst outcomes is your personal and sensitive information being exposed to the fraudulent entity. 

The results of phishing can be very devastating, whether you are an individual or a company. It may enable the fraudulent party to steal your bank account credentials, credit card details, and other sensitive information such as your driver’s license and social security numbers. This could lead to unauthorized purchases, identity theft, and money stolen from your bank account. 

According to the Data Breach Investigation from Verizon, 70% of online espionage was due to Phishing.

All of this might seem scary and treacherous but once you know the signs of a phishing email, you will be able to protect yourself and your employees.

Types of Phishing Emails

There are various ways impersonators and fraudsters attempt to make phishing look like a request from a company or person you trust. There are three major types of phishing. 

Email Phishing

Like fishermen casting a wide net hoping to catch the most fish possible, email phishing is all about numbers.  

An attacker sends out a fraudulent email or a message to thousands of people. Even if a small percentage of people end up clicking a link or providing their user information, an online imposter could end up with a significant amount of money and information. 

Scammers go to extreme lengths to make their emails and messages look legit. It can be difficult to tell the difference between a real email and a phishing attempt unless you look closely. Fraudsters will use the same taglines, same logos, and even signatures to mimic the authentic organization. Even the links within the email appear to be from the company they are impersonating.

Did you know that over 7,700 companies get attacked by an email scam every month? According to research, approximately 56% of all the emails you receive are spam, which includes phishing and other email scams. 

Spear Phishing

Spear phishing is a more focused attack aimed towards a specific organization or a person.

It is probably the most sophisticated form of phishing, where the impersonator does a great deal of research on the company or the individual.

To target individuals, they may look at your online habits, shopping history, websites you visit frequently, and your social media. 

For a company phishing email, they may look into your websites, social media, employees, financial commitments, and even the company structure for useful information. The perpetrator will send out an email to the most relevant employee for a project. An example phishing email might look like an email sent to the project supervisor of a specific campaign.  

The email will appear as if it was sent from the organization; it will feature the company’s logo, images, the same font, and might even have a signature from a higher-up at the company. The email will ask the project supervisor to click on the enclosed invoice, which is password-protected and can only be opened if the accounts manager enters his credentials. The attacker then uses those credentials to gain full access to the company’s network for more sensitive information and financial gain. 

According to the Symantec Internet Security Report, 71.4% of targeted attacks used spear-phishing techniques. 

Whaling

Whaling is a phishing technique that takes it up a notch. In these cases, attackers target senior management or people in power.

The subject and content of these phishing emails will be more in line with something only a senior member of a company’s hierarchy has the authority to deal with, for example, a legal notice threatening a penalty, or a customer’s complaint. 

Other forms of Phishing

There are other known forms of phishing, such as website forgery, where impersonators go through the hassle of actually creating a duplicate website. The cloned website looks exactly like the original, except that if you look closely, the website link will be slightly different from the original. For example, a cloned website may have an address such as www.ebay.shopping.com.

Similarly, Covert Redirect is another method, where the phishing email may have a link that looks legit. However, once you click on it, it will take you to the attacker’s website.

Voice phishing moves the attack to the phone. For example, you may receive an email or a message that appears to be from your bank asking you to call to resolve an urgent matter. Once you dial the number, they will ask you to enter your name and account number and use that information for nefarious purposes.

How do I Spot a Phishing Email?

It is of utmost importance that you know how to recognize the signs of a phishing email. This will prevent you from falling for a company phishing email or one targeting individuals.

Are you sure that the email you received from your bank is actually from your bank? Or is it just one of the myriads of phishing emails floating in the sea of the World Wide Web? It is time you learn some techniques on how to spot a phishing email. 

A Legit Email will Never Request Your Personal Information

Always remember no matter how professional or authentic an email may look, no legitimate organization will ask you to offer up your bank account number, credit card details, or social security number. If you receive an email that requests your account information, consider it a phishing email. This email will ask you to enter your credentials by either clicking on an attachment or a link. This alone is a big indicator that it is a phishing attempt. 

It is All in the Name

Legitimate business partners and companies such as your bank, eBay, PayPal, etc. will always address you by your name in an email such as Dear Mr. /Ms. (your name). Whereas, a phishing email is sent out to thousands, so it will use a generic salutation such as “Dear User” or “Dear Valued Customer,” etc. Some perpetrators might leave the salutation out altogether, hoping that you would not notice. Take a second to look closer and spot this common sign of a phishing email.

Domain Emails Should Match the Address

You may notice the familiar name of your bank account manager, or of a company colleague and you might do what the email asks you to. Remember to hover your mouse over the “from” address in your email. This will reveal the email address it is sent from. If it looks dodgy, then it actually is. 

A legitimate company will have the domain address that matches their website. For example, an email from PayPal will have [email protected], not [email protected]. Get in the habit of checking the e-mail address.  

Watch for Spelling Mistakes

It might be easy to laugh at or overlook silly spelling or grammar mistakes, but these errors are the easiest way to weed out the phishing attempt sitting in your inbox. Reputable companies make the effort to appear professional and have pride in the content sent to their clientele. Therefore, legitimate communication from companies won’t feature spelling errors.

Be wary of emails featuring frequent mistakes. Hackers are hoping that you don’t take the time to read an email carefully and will miss a spelling error or two and follow a link or provide your information.

Clicks versus a Call

Phishing emails will often ask you to click a website link. A reputable company will provide many avenues for you to contact them or access your information. Hackers will force you to visit their fraudulent website. Visiting fraudulent websites or following links in phishing emails can lead to installing a virus or malware on your system.

If a company really wants to speak with you, they will request you call a secure phone number or provide the information in an email. 

Beware Unsolicited Attachments

Why would your bank or any other company send you a Word file or a photo as an e-mail attachment? They wouldn’t, and this is probably one of the most effective and harmful tools in a hacker’s arsenal. If you get an unsolicited email with an attachment, just report it or delete it without clicking on anything.

Confirm Legitimate URLs

Appearances can be deceiving, and phishing emails are no exception. If you get a phishing email with a seemingly legitimate link, chances are it will direct you somewhere fraudulent. Always question the legitimacy of the link in question. Don’t click the link. Hover your mouse over the link to reveal where the link intends to take you.  

If the link appearing in the URL seems fishy or does not match the website you’re expecting, it is a phishing attempt. A secure and authentic link will begin with https://.
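Added example, not from the original article: the “from” domain, salutation and link checks described above, written as a small Python checker and run over a constructed phishing message (domains under .example are reserved names, not real sites). The brand-to-domain allowlist and the two-label domain rule are assumptions of the example; production code would use the Public Suffix List.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist: brands the reader expects mail from and the domain each really sends from.
EXPECTED_DOMAINS = {"paypal": "paypal.com", "ebay": "ebay.com"}
GENERIC_SALUTATIONS = ("dear user", "dear valued customer", "dear customer")

# Constructed sample message. Domains under .example are reserved names, not real sites.
SAMPLE_EMAIL = """\
From: PayPal Support <service@paypal-secure.example>
To: victim@example.com
Subject: Urgent: verify your account
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear Valued Customer,</p>
<p>Please confirm your details at
<a href="http://paypal.com.account-verify.example/login">https://www.paypal.com/myaccount</a>
within 24 hours.</p>
</body></html>
"""


def registrable_domain(host):
    """Last two labels of a hostname: enough for .com/.example; real code uses the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> in an HTML body, i.e. what hovering reveals."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_email(raw):
    """Return (code, detail) findings for the signs described in the article."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # Sign 1: the display name claims a brand but the address's domain is not that brand's.
    name, addr = parseaddr(str(msg["From"] or ""))
    from_domain = registrable_domain(addr.rpartition("@")[2]) if "@" in addr else ""
    for brand, real in EXPECTED_DOMAINS.items():
        if brand in name.lower() and from_domain != real:
            findings.append(("from-domain-mismatch", f"'{name}' sends from {from_domain}, expected {real}"))

    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body else ""

    # Sign 2: a generic salutation instead of the recipient's name.
    if any(s in content.lower() for s in GENERIC_SALUTATIONS):
        findings.append(("generic-salutation", "greeting does not use the recipient's name"))

    # Sign 3: where each link really goes versus what it shows, and whether it uses https.
    collector = LinkCollector()
    collector.feed(content)
    for href, shown in collector.links:
        host = urlparse(href).hostname or ""
        if urlparse(href).scheme != "https":
            findings.append(("non-https-link", href))
        shown_host = urlparse(shown).hostname if shown.startswith(("http://", "https://")) else None
        if shown_host and registrable_domain(shown_host) != registrable_domain(host):
            findings.append(("link-text-mismatch", f"shows {shown_host}, goes to {host}"))
        for brand, real in EXPECTED_DOMAINS.items():
            if brand in host and registrable_domain(host) != real:
                findings.append(("lookalike-host", host))
    return findings
```

Running check_email(SAMPLE_EMAIL) flags all five signs at once (from-domain mismatch, generic salutation, non-https link, link text that differs from its destination, and a lookalike host), while a genuine message addressed by name and linking to its own domain produces no findings.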

According to APWG, over a quarter of a million phishing websites were reported in the 3rd Quarter of 2019 alone.

Ways to Protect Yourself

After seeing some example phishing emails and the tactics scammers use, you should feel prepared to spot a phishing email. It is essential to know how to safeguard yourself or your business against phishing. It’s important to be vigilant and to pay attention to the details.

If you get an email with a suspicious attachment or asking you to provide some personal information, think before you react. Use common sense and logic to identify a phishing email.

In addition to the knowledge and skills you have, you can increase your security with reliable internet tools and features. It’s important to choose what you use for your security wisely and use multiple tools if possible.  

2FA or Two-Factor Authentication

Two-factor authentication (2FA) is the most effective way to counter phishing scams. Many service providers are asking users to upgrade to 2FA. Apple and Google users may have already been prompted to upgrade to two-factor authentication.

Two-factor authentication is based on two separate pieces of information to verify the legitimacy of the user. The first piece of information will be your username and password, and the second can be a security question or a code sent to you separately.

Many banks apply this to avoid any unauthorized purchase or money theft. Once you log in to the account using your login credentials, your bank will send a one-time passcode by text message or email. This passcode needs to be entered into the webpage or app to authenticate that it is really you making a transaction. 

Even though this sounds like a hassle, it can protect you or your company in the face of a phishing attack.

If you or one of your employees ends up falling for the phishing attack and gives out login credentials, those credentials alone will not get the attacker past the second security barrier, because the additional log-in information is sent to your email or phone, not the hacker’s. 

Make sure to opt for 2FA, or if you are a company, it is in your best interest to implement this security feature in your current IT infrastructure. 
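Added example (not from the original article): a constructed Python login flow that models the password-plus-passcode scheme described above and plays out the phished-password scenario from the previous paragraphs, where the stolen password passes the first factor but the code only ever reaches the real user’s phone. The five-minute code lifetime, the five-guess cap, the PBKDF2 password storage and the fixed demo passcode are assumptions of the example.

```python
import hashlib
import hmac
import secrets
import time


class TwoFactorLogin:
    """Constructed password-plus-passcode login for the example (not any vendor's implementation)."""

    def __init__(self, send_code, code_ttl=300, max_attempts=5, now=time.time,
                 code_source=lambda: f"{secrets.randbelow(10**6):06d}"):
        self._users = {}              # username -> (salt, PBKDF2 hash of the password)
        self._pending = {}            # username -> {"code", "expires", "attempts"}
        self._send_code = send_code   # delivers the code out of band (SMS/email) to the real user
        self._ttl = code_ttl          # seconds a passcode stays valid
        self._max_attempts = max_attempts
        self._now = now
        self._code_source = code_source

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, username, password):
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, self._hash(password, salt))

    def start_login(self, username, password):
        """Factor 1: check the password; on success send a fresh passcode to the user's own device."""
        record = self._users.get(username)
        if record is None:
            return False
        salt, stored = record
        if not hmac.compare_digest(stored, self._hash(password, salt)):
            return False
        code = self._code_source()
        self._pending[username] = {"code": code, "expires": self._now() + self._ttl, "attempts": 0}
        self._send_code(username, code)
        return True

    def finish_login(self, username, code):
        """Factor 2: the code must match, be unexpired and unused; wrong guesses are capped."""
        pending = self._pending.get(username)
        if pending is None:
            return False
        if self._now() > pending["expires"]:
            del self._pending[username]
            return False
        pending["attempts"] += 1
        if not hmac.compare_digest(pending["code"].encode(), code.encode()):
            if pending["attempts"] >= self._max_attempts:
                del self._pending[username]   # challenge void after too many guesses; start over
            return False
        del self._pending[username]           # single use: the same code cannot be replayed
        return True


def phished_password_scenario():
    """Constructed scenario: the attacker holds alice's phished password; only alice holds her phone."""
    phone = {}   # stands in for alice's SMS inbox
    auth = TwoFactorLogin(send_code=lambda user, code: phone.__setitem__(user, code),
                          code_source=lambda: "482913")   # fixed constructed code so the demo repeats
    password = "correct horse battery staple"             # what the phishing page captured
    auth.register("alice", password)

    attacker_f1 = auth.start_login("alice", password)     # factor 1 passes with the stolen password...
    attacker_f2 = auth.finish_login("alice", "000000")    # ...but the code went to alice, so a guess fails

    auth.start_login("alice", password)                   # alice logs in herself
    alice_f2 = auth.finish_login("alice", phone["alice"]) # and reads the code off her phone
    replay = auth.finish_login("alice", phone["alice"])   # the consumed code does not work twice
    return {"attacker_f1": attacker_f1, "attacker_f2": attacker_f2,
            "alice_f2": alice_f2, "replay": replay}


if __name__ == "__main__":
    print(phished_password_scenario())
```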

Password Management 

It’s in your organization’s interest to use a strict password management policy. Create a policy that passwords must contain a combination of letters, numbers, and special characters and that passwords must be changed frequently. Old passwords should not be reused.

As an individual, you should practice the same strategy. Change your password with regular intervals and do not use older passwords. 

Security Software

Install security software on your computer and smartphone. Security software notifies you about potentially harmful emails and attachments that may contain malware, ransomware, or a virus. 

Controlled Access

In environments like schools and colleges, a policy that states “Do Not Click on External Links” must be enforced. Not only does it save children from phishing scams but also from their exposure to other harmful material. 

What If I Have Already Clicked On a Phishing Link?

You may have been busy or distracted. You may have been in a hurry and clicked a malicious link by mistake. Do not panic; follow these steps to prevent further damage. 

  • Disconnect your device
  • Back up Your Files
  • Scan your laptop or mobile phone device for malware
  • Change your Passwords
  • Report the attempted phishing attack to your local law enforcement agency’s cybercrime division
  • And most importantly, be careful in the future. 

Phishing Projection: 2021 and Beyond

The level of sophistication in phishing attacks will increase in the future. As technology changes and evolves, human error will always be something for hackers to exploit as they create more sophisticated phishing attacks.

The more technologically advanced society becomes, the more connected society becomes. Phishing and other malicious attempts by hackers are not to be taken lightly. Stay vigilant and pay attention to what you get in your inbox to spot a phishing email.