Think Like a Hacker to Stop Attacks Before They Strike

By Matt Polak, CEO of Picnic

Cyber threat intelligence indicates that there is a high probability of digital retaliation against Western companies and governments that have supported Ukraine or distanced from Russia. Russia has validated this intelligence and their cyberwar strategy is evident: they harvest personally identifiable information (PII) about individuals and use it to power social engineering schemes to conduct attack and compromise campaigns that cause damage, collect intelligence, and generate income.

Organizations that have cut (or iced) ties with Russia, or those supporting Ukraine, are most likely to be the direct targets of Russian cyber aggression and retaliation. There are three things you should know about how threat actors like Russia operate: 

  1. Their #1 attack vector is social engineering.
  2. Their #1 target is high-value employees.
  3. Every attack begins with reconnaissance of public data footprints (i.e., OSINT data).

Unfortunately, existing controls are not likely to stop sophisticated social engineering attacks: training doesn’t work (people can’t be trained to spot these well crafted attacks), and technical controls like mail gateways and endpoint protection can be defeated with staged operations that identify (to evade) such technical controls.

In addition to the #shieldsup activities that are ongoing, below are some simple steps companies concerned about retaliation should take immediately.

What Should You Do

  1. Embrace the attacker’s mindset
  2. Identify your targets
  3. Remediate
  4. Repeat

1. Embrace the Attacker’s Mindset

Start by approaching this problem as the attacker. Ask yourself some key questions:

  • What systems would I want to gain access to?
  • What security controls, if exploited, would lead to catastrophic damage?
  • Who has access—either to the systems themselves or to the controls?
  • Who do you think would make the best target if you were the attacker? Why?

This last question is key and leads into the next activity: identify your targets.

2. Identify Your Targets

Make a list of your people as follows:

  • Group 1: People (probably your C-Suite and Board) whose personal brands and reputations are intertwined with your company’s brand and reputation.
  • Group 2: People who work directly with and support “Group #1”
  • Group 3: People with privileged access to your “crown jewels”
  • Group 4: People who work directly with and support “Group 3”
  • Group 5: If not already considered, the people who have privileged access to your organization’s security controls
  • Group 6: People who work directly with and support “Group 5”

I recommend putting these people into a spreadsheet for simple management, since you’ll want to capture some additional information on each one.

First, for person in each group:

  1. Add their LinkedIn profile (assuming they have one) to your spreadsheet
  2. Add their work and personal (if available) emails to the spreadsheet

Create a few columns on which you can track some basic data about each person with a simple Yes or No.

For their LinkedIn profile:

  • Does the person list a specific geography where they are located?
  • Does the person list anything in their profile that would suggest they would be an attractive target? Words like “administrator” or listing technologies or processes they are responsible for are dead giveaways.
  • Does the person list any contact information on the page?

For their work and personal emails:

  • Run through whatever breach repos (sites on the public, deep, and dark web where people’s usernames, passwords, and other personal information are stored and sold) you have access to and denote the quantity (as a count) of cleartext credentials available for each person.

When you are done, your spreadsheet should look something like this, sorted by seniority:

You can use some basic approaches to analyze this kind of data that leverages your knowledge of your company and its security practices, as well as the questions you asked yourself upfront when you thought like the attacker.

For example, as seen above, you might decide that people with the most amount of breaches in their work emails are important to triage first. In this view, the EA to the CEO is most likely to be targeted, so you might increase sandboxing for their account, have a direct 1:1 security coaching session with them, and make some reasonable requests to modify personal data to neutralize oversharing in social media. At a minimum, you should make sure that none of the cleartext credentials you found are being used in your company’s infrastructure, and ideally not used in an employee’s personal life. After all, attackers want to find the easiest path in, and it’s usually smooth sailing into unmonitored personal email and interconnected social media.

If you want to apply more analysis, you could associate a score of 1 point with any “Y” and weight everything equally. Doing so would yield a target list that looks quite different and makes your RDP Admin (yikes!) the #1 target for attack:

What’s equally valuable about this exercise is knowing who is not the most likely to attack. Maybe your gut instinct told you that your Security Tools Admin was likely your top target, but your quick analysis shows this person would be difficult to target, which would de-prioritize them in the eyes of an attacker.

Organizations have limited human analyst resources capable of solving problems that computers can’t solve, so knowing where to invest valuable staff resources is critically important in our current elevated threat environment.

There are many approaches that can yield valuable insight into how to secure your organization based on the view of the attacker. Remember, the way the attacker prioritizes their targets is based on reconnaissance of public data. Seniority is a useful metric, but it’s only one consideration. Oftentimes it is those people who are accessible rather than valuable who are the first line of attack for hackers who seek to leverage credential escalation and lateral movement. For example, the executive assistant to the CTO could be easily overlooked by an internal security organization, but someone in this role likely has shared access to certain systems that are sensitive, and therefore would likely be a prime target for an attacker.

3. Remediate

Now that you know who is most likely at risk, we recommend a quick scrub of OSINT data to make your team harder to target. In order of priority:

  1. Passwords. Confirm that all cleartext credentials are not in use and ideally banned from your systems and also ask employees to confirm they are not using these credentials either.
  2. LinkedIn. Go back to the list of words or phrases that powered your evaluation of LinkedIn. Send a quick email to your team asking them to change or remove these words with an explanation as to why. (see “resources” below for a sample communication)
  3. Data Brokers. Find and remove data brokers, which are an easy source for threat actors looking for PII on your employees. To do this, run a series of Google searches for the people in your list such as: “Full Name” + “work email”; “Full Name” + “personal email”; and “Full Name” + “home address”. Results will commonly include data brokers such as Whitepages, Spokeo, MyLife, and ZoomInfo. These data broker sites support removal requests, though the process can take time and is not uniform. If you want help with this, please contact me or comment.

4. Repeat

This type of exercise should be run continuously in good times and in bad. Digital footprints and employee populations are in constant flux, and so are attacker motives and methods. Building capacity for this type of capability will help build a security culture and create good operational security practices that should be the backbone of any security strategy.

Remember, hackers scout your organization to find an easy way in so they can compromise your people, your company, and your brand (in that order).

Picnic solves this problem at scale, so if you want to learn more about how to come upstream of the attack to stop hackers, please get in touch with us to schedule a demo.

Resources

After reducing the attack surface of the human, the next step would be to consider something like what has been proposed by Krebs Stamos Group, who provided helpful advice for those exiting the Russian market (or icing) ties with Russian connected organizations.

Sample Communication

[EMPLOYEE],

In light of [COMPANY’s] position in the global market and recent actions with respect to Russia, we conducted a threat assessment to identify ways to protect our highly valued employees like you from hackers who might retaliate against [COMPANY].

Hackers are targeting the personal lives of employees to gain access to company systems, so it’s important we take this threat seriously for both the company and you.

Based on the threat assessment we conducted, we are asking employees with the following information in their LinkedIn profiles to change or remove it.

Please remove the following references:

  • System Name 1
  • System Name 2
  • System Name 3

We believe that by removing these references it will make you less likely to be the target of malicious activity, which will make you safer online both at work and home.

This small change will make a big difference for you and your colleagues.

Thank you for your help,
[NAME]

Psychology is the social engineer’s best friend

Social engineering cyber-attacks have rocketed to the forefront of cyber-security risk and have wreaked havoc on large and small companies alike. Just like a Renaissance actor drawn to Shakespeare’s genius work, the modern social engineer is attracted to the ever-growing pool of information fueled by data brokers. These criminals ply their trade by exploiting the vulnerabilities of an individual and their tactics are known as phishing, baiting, scareware, and tailgating, just to name a few. What is so unique about the social engineer is that their methods are designed to take advantage of the common traits of human psychology.

Social engineers may simply send phishing emails to the target of their choice, or they could work to build a relationship with the target in person, through conversation, or even through spying. Most victims are only guilty of trust. For example, take the case of Barbara Corcoran, famous Shark Tank judge. She fell victim to a phishing scam in 2020 resulting in a loss of roughly 400,000 USD. The social engineer simply posed as her assistant and sent emails to her bookkeeper requesting renewal payment on real estate investments.

In order to combat social engineering, we must first understand the nuances of the interaction between social engineer and target. First and foremost, we must recognize that social engineering attacks are a kind of psychological scheme to exploit an individual through manipulation and persuasion. While many firms have tried to create technical barriers to social engineering attacks, they have not had much success. Why? Social engineering is more than a series of emails or impersonations. It includes intimate relationship building – the purposeful research and reconnaissance into a person’s life, feelings, thoughts, and culture. The doorway to social engineering success is not a firewall – it is the human response to stimuli. As such, we should analyze these attacks through a psychological lens.

In Human Cognition Through the Lens of Social Engineering Cyber Attacks, Rosana Montañez, evaluates the four basic components of human cognition in psychology centered around information processing: perception, working memory, decision making, and action. Together, these pillars of cognitive processing influence each other and work together to drive and generate behavior. To illustrate by way of example: when driving on a highway, you must first evaluate your surroundings. Where are the cars around you? Is there traffic ahead? What is the speed limit? Next, you must use your working memory to pull information from past experiences. The brain sends out a code; last time there were no cars around you, and you were below the speed limit, you were able to change lanes to go faster. With this new information, you now have a decision to make. As the driver, you use this information, and perform the action of changing lanes.

In the context of cyber-attacks, social engineering is a form of behavioral manipulation. But how is the attacker able to access the complex system of cognition to change the action and behavior of the target? To further dissect cognition, Montañez considers how “these basic cognitive processes can be influenced, for better or worse, by a few important factors that are demonstrably relevant to cybersecurity.” These factors are defined as short and long factors and may be the opening that attackers can leverage to strengthen the success of their attack. Short term factors include concepts of workload and stress. Long term factors evaluate age, culture, or job experience.

In a recent study, researchers evaluated phishing behavior and the likelihood an employee would click a phishing link. It was found that those who perceived their workload to be excessive were more likely to click the phishing email. Cognitive workload causes individuals to filter out elements that are not associated with the primary tasks. More often than not, cyber security is not actively thought about and therefore results in the greater likelihood of being overlooked. This effect is known as inattentional blindness and restricts a person from being able to recognize unanticipated events not associated with the task at hand.

Stress also may be responsible for weakening the ability of an employee from recognizing the deceptive indicators that are present in cyber messages or phishing emails. Other factors such as age or culture, domain knowledge, and experience have anticipatory principles that can determine the likelihood for being deceived. As most would expect, having more cyber-security knowledge and experience in a given job reduces the risk of cyber-attacks victimhood. Similarly, as age increases there is a decrease in risk for cyber-attacks because of job experience and accumulated cyber-security knowledge. However, eventually the impact of age and experience reaches a plateau and inverts when seniors (with less experience in modern technology) become exposed. Interestingly, gender or personality were inconclusive when evaluating their impact on cyber-attack susceptibility.

So how do we go about defending against cyber-attacks and improving the untrustworthy mind? The short answer is we don’t. As the age-old security acronym PICNIC suggests, the Problem exists “in the chair” and “not in the computer.” Across many different studies and the experiences of companies themselves, training methods that ask people to make conscious efforts to defend against social engineering cyber-attacks have been unsuccessful. If technological barriers don’t work and cognitive responses can’t be changed, then what is the answer? The solution requires addressing the condition that attracts the social engineer in the first place – data exposure. Companies that manage data exposure will reduce the attack surface, and thus, take the psychological advantage away from the social engineer.

Ethan Saia