Proofpoint keynote: Why do cybercriminals know more about your employees than you do?
Cyber security depends on the people in the company more than anything else. Employee data must be protected by anticipating the logic used by cybercriminals. Ryan Kalember, executive vice-president at Proofpoint, presented this conference at Les Assises de la Sécurité 2019.
An example of a data leak
For many years, Spaso House was the residence of American ambassadors in Moscow. While Averell Harriman lived there, it was one of the places in which the Soviets were particularly interested in knowing what was being said. Certain that the Ambassador himself would be the best way to achieve this goal, they had a group of schoolchildren give him a wooden reproduction of the Great Seal of the United States.
Harriman had it examined in depth and, since nothing suspicious was detected, he hung it in his office, where it remained for years. "The Thing", as it was called, had in fact been designed by Leon Theremin and contained a passive radio transmission system through which the Soviets were able to listen to the conversations from across the street. The British discovered this seven years later.
Cybercrime is based on people: An open door to risks
Many attacks in France follow the same logic. Ryan Kalember explains: "They depend on people opening the door to them. They don’t exploit technical weaknesses".
No Trojan Horse or ransomware works alone. In cyber security, attacks are generally launched by small groups, among them Emotet (542), which has distributed the largest volume of malware worldwide. Its most recent campaign affected almost all of Proofpoint’s clients.
Using a compromised Office 365 account belonging to a real person, the group replied to every message in that user’s inbox with the malware attached. Because the recipients were expecting a reply, they were not suspicious and almost always opened the attachment, which made the attack very effective. Cyber security therefore has to adapt.
The most telling data on these attacks recall Ambassador Harriman’s case, because they exploit the same vulnerability: CVE-2017-11882. This represents only a very small proportion of the global cyber security problem, which relies almost exclusively on "people who do all the work for the attacker," Kalember recalls.
In 1999, the I Love You attack, the first malware based on macros, already exploited this vulnerability, which is still the most commonly used 20 years later. It is very hard to find a security flaw in modern systems; by contrast, it is always possible to find someone who suspects nothing and will spread the threat.
Recently, a group identified as Cobalt 537 (also known as Empire Monkey) stole €13 million from the Bank of Valletta in Malta. The attackers used very intelligent bait: an email from the European Central Bank using quite legitimate email addresses. They knew that the bankers would be sure to click on an email from this authority.
This macro technique relies on the work the target does for the attacker. The reason the attack succeeded is that the European Central Bank does not enforce authentication of its emails: it publishes a p=none (monitor-only) policy for sender verification, so it could have detected Cobalt using its domains but would not have blocked it.
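To make the p=none point concrete, here is a small evaluator, added here and not part of the talk, that parses a DMARC TXT record and reports what a receiving mail server does with a message that fails authentication under it. The record strings are constructed for the example.

```python
"""Parse a DMARC record and report how a receiver treats mail that fails
SPF/DKIM alignment under it. Added example; the records below are constructed."""


def parse_dmarc(txt):
    """Split 'v=DMARC1; p=none; rua=...' into a {tag: value} dict."""
    tags = {}
    for part in txt.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record: %r" % txt)
    return tags


def disposition(record, subdomain=False):
    """Policy a receiver applies to a failing message: 'none' (deliver and
    only send a report), 'quarantine' or 'reject'. 'sp' overrides 'p' for
    subdomains; a missing record or an unknown value behaves like monitor-only.
    The 'pct' tag (sampling) is parsed but not modelled here."""
    if record is None:
        return "none"
    tags = parse_dmarc(record)
    policy = tags.get("p", "none").lower()
    if subdomain and "sp" in tags:
        policy = tags["sp"].lower()
    return policy if policy in ("quarantine", "reject") else "none"


def would_block_spoof(record, subdomain=False):
    """True only when a spoofed message is quarantined or rejected, i.e. the
    domain owner gets more than a line in the aggregate (rua) report."""
    return disposition(record, subdomain) != "none"


# Constructed records: the monitor-only setting described in the talk, and a hardened one.
MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.org"
ENFORCED = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc-reports@example.org"

if __name__ == "__main__":
    for rec in (MONITOR_ONLY, ENFORCED):
        print(disposition(rec).ljust(10), "<-", rec)
```

With p=none the spoof in the Cobalt story is visible in the aggregate reports but still lands in the banker's inbox; only p=quarantine or p=reject changes delivery.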
A poorly adapted response
In the cyber security industry, however, most actions do not use this type of attack. In fact, 90% of data breaches start with a person who lets the threat in.
Cybercriminals are well aware of this imbalance: we protect the infrastructure, so they attack individuals. "Amateurs target systems, but professionals target people," explains Kalember. Why attack complicated cyber security when you can find all the information you need on LinkedIn?
How to respond to these threats
The targets reveal more about the cyber security situation than about the attackers. That’s why it is interesting to study them from the attackers’ point of view and to identify the human attack surface. In most firms, only a small percentage of employees are attacked. In fact, the Cobalt attack targeted no more than three people in each bank.
In cyber security, Proofpoint chooses to apply a classification system to identify the type of computer attack and the individuals at risk based on the following data:
- How many organisations does the attack concern?
- Does it involve a large number of people in the same organisation?
- Is the attack a concern for these organisations’ cyber security departments (RAT, keylogger)?
- Is it sophisticated?
By considering these data from a human angle, it is possible to identify a small group of people most likely to receive attacks that can undermine the company’s cyber security by examining:
- Who they are
- How they are attacked
- Their title (CEO, finance director, marketing manager, or sometimes people in charge of a branch)
Sometimes the criteria are even less obvious, which is why we say that cybercriminals know more about your employees than you do. They often understand an organisation better than its own cyber security team.
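The classification above, turned into a scoring routine so that the handful of most-attacked people falls out of the raw attack records. This is an added illustration, not Proofpoint's own algorithm; the weights, the threat categories and the sample records are assumptions constructed for the demonstration.

```python
"""Rank employees by the attacks they receive, using the four criteria from the
talk (spread across organisations, spread inside the organisation, security
relevance of the threat, sophistication). Added example with constructed data."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Attack:
    campaign: str
    target: str          # employee e-mail address
    orgs_targeted: int   # how many organisations the campaign hit
    people_in_org: int   # how many people in this organisation it hit
    threat_type: str     # e.g. "rat", "keylogger", "spam"
    sophistication: int  # 1 (commodity kit) .. 5 (bespoke tooling)


# Assumed set of threat types that a security team cares about most.
HIGH_CONCERN = {"rat", "keylogger", "credential_phish", "banking_trojan"}


def attack_weight(a):
    """Narrow, focused, security-relevant and sophisticated attacks score highest.
    Thresholds are illustrative assumptions."""
    spread = 3 if a.orgs_targeted <= 3 else 1 if a.orgs_targeted <= 50 else 0
    focus = 3 if a.people_in_org <= 3 else 1 if a.people_in_org <= 20 else 0
    concern = 2 if a.threat_type in HIGH_CONCERN else 0
    return spread + focus + concern + a.sophistication


def attack_index(attacks):
    """Sum the weights of every attack seen per person."""
    index = defaultdict(int)
    for a in attacks:
        index[a.target] += attack_weight(a)
    return dict(index)


def very_attacked_people(attacks, top=3):
    """Return the most-attacked addresses, highest score first (ties by name)."""
    ranked = sorted(attack_index(attacks).items(), key=lambda kv: (-kv[1], kv[0]))
    return [target for target, _ in ranked[:top]]


# Constructed records: one narrow RAT lure against two finance people, one
# credential-phishing run against the CEO, and mass campaigns hitting support.
SAMPLE = [
    Attack("ecb-lure", "cfo@example.org", 2, 3, "rat", 4),
    Attack("ecb-lure", "treasury@example.org", 2, 3, "rat", 4),
    Attack("o365-phish", "ceo@example.org", 40, 2, "credential_phish", 3),
    Attack("mass-spam", "support@example.org", 5000, 400, "spam", 1),
    Attack("mass-trojan", "support@example.org", 3000, 200, "banking_trojan", 2),
]

if __name__ == "__main__":
    print(very_attacked_people(SAMPLE))
```

Support receives the most messages but ranks last; the two people hit by the narrow, sophisticated lure come out on top, which is the "no more than three people per bank" pattern the talk describes.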
The attacker’s point of view as a starting point
External email is one channel an attacker can use for spoofing, phishing, malware and so on, to compromise users and then use their address, as Emotet did, to target other important people. Most organisations don’t even monitor their internal messages.
Finally, in Office 365 the most common attack is password guessing: a password that was identified after it had already been changed serves as the basis for guessing the new one (someone who changes a password each year by appending the current year is not protected). The attackers then use legacy protocols that predate two-factor authentication and compromise these accounts.
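A password-change check that rejects exactly the rotation pattern described above (the old password with the year or a trailing number bumped). This is an added example, not from the talk; the sample passwords are constructed.

```python
"""Reject a password change when the new password is the old one with the
trailing number changed, or is otherwise a near copy. Added example; the
sample passwords are constructed."""
import re
from difflib import SequenceMatcher

TRAILING_DIGITS = re.compile(r"\d+$")


def normalise(pw):
    """Lower-case and strip trailing digits so 'Winter2018' and 'Winter2019' collide."""
    return TRAILING_DIGITS.sub("", pw.lower())


def only_number_changed(old, new):
    """True when new differs from old only in a trailing number (2018->2019, 1->2)
    or in letter case, the yearly-rotation habit that gives an attacker the next guess."""
    if old.lower() == new.lower():
        return True
    same_base = normalise(old) == normalise(new)
    both_numbered = TRAILING_DIGITS.search(old) and TRAILING_DIGITS.search(new)
    return same_base and bool(both_numbered)


def too_similar(old, new, threshold=0.7):
    """Catch other minor edits (one extra character, a swapped symbol)."""
    return SequenceMatcher(None, old.lower(), new.lower()).ratio() >= threshold


def accept_change(old, new):
    """Return (accepted, reason) for a proposed password change."""
    if only_number_changed(old, new):
        return False, "new password is the old one with the number changed"
    if too_similar(old, new):
        return False, "new password is too similar to the old one"
    return True, "ok"


if __name__ == "__main__":
    # Constructed samples: the rotation habit from the talk versus a real change.
    for old, new in [("Winter2018", "Winter2019"), ("Winter2018", "correct-horse-battery-staple")]:
        print(old, "->", new, accept_change(old, new))
```

This covers only the guessable-rotation half of the problem; the legacy protocols that bypass two-factor authentication have to be disabled on the tenant itself.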
The solution: to understand how the attack works
Once we understand how employees are attacked, we need to think about how to protect them. Only some people are likely to be attacked, and of those an even smaller number have access to sensitive data, so stricter monitoring has to be applied to them.
These people’s access (administrator rights, use of the cloud without two-factor authentication, etc.) has to be taken into account. By reducing the number of people to be protected, they can be protected more effectively.
Last, if attackers cannot compromise the target directly, they can perhaps impersonate them, as Cobalt did.
So the supply chain – consumers, clients, etc. – also has to be managed. All this is part of a set of simple objectives:
- To protect anyone likely to be attacked based on the methods that might be employed
- To minimise damage when cyber security is compromised
- To stop these attacks in a broader ecosystem
How to protect individuals against cyber criminals
We do this in the same way that the attackers do: by identifying the people at risk by establishing their profiles (titles, access, number of addresses with which they communicate, financial role, computer support with major access, etc.).
A CEO, for example, will not necessarily click on a phishing email because he or she is very busy. In reality, CEOs don’t even read their own e-mail, having an assistant do it. But they use a number of networks, sometimes with two-factor authentication.
CEOs are very often attacked because of the third element: the CEO’s great privilege in terms of access to important data. To protect the CEO, a CASB solution is used requiring two-factor authentication, tighter e-mail controls, and possibly training.
The same can be applied for a person with a very different profile. Customer service managers, for example, must often click on everything sent to them. This makes them very vulnerable. They may not be attacked directly, but are part of an immense group of e-mail addresses.
Their privileges are not as great as a CEO’s, but they may have access to customer information. So it can be useful to secure their login and to isolate their browsing, so that when they click on a link it does not open in their own browser but in a dedicated browser in the cloud that prevents malware from being downloaded directly.
These complex solutions are not necessary for everyone, but if individuals at risk are identified, they can be applied.
VAP: Proofpoint’s main cybersecurity objective
Proofpoint always begins by identifying the people likely to be attacked: VAP (Very Attacked People).
The first investigation on a "Nigerian fraud" originating in France was conducted in 1949. It is a classic example of a 419 fraud: "Send me a little money and you will receive a lot".
It is interesting to consider the historical context of cybercrime that can be traced to the period between Windows 95 and the end of Adobe Flash. This period is an exception to the rule, because for the first time in the history of humanity it was easier to find a computer vulnerability than a human vulnerability.
None of this – ransoms, extortion or 419 fraud – is new. Throughout most of our history, people have always tried to dupe other people; the Trojan Horse is well named, since it shares its name with the famous siege of Troy, when the Trojans themselves voluntarily brought the gift inside their walls.
It is crucial to identify the human attack surface, and to understand the people and the departments attacked, because all this translates directly into cyber security risks.
Speaker: Ryan Kalember, Proofpoint