In response to numerous high-profile breaches and brand-name vulnerabilities, many hardware and software providers have opted to implement stringent protections and secure defaults. As a direct result of their actions, finding typical “low-hanging fruit” vulnerabilities to breach organizations is becoming much more difficult.
Today, the weakest link in an organization’s security has moved away from its infrastructure and on to its people. Knowing this, let’s consider how an organization can implement security controls around its people, without violating their privacy and productivity.
Defense through knowledge
Because both attackers and security penetration testers often take the path of least resistance to exploit their targets, this shifts the focus of attacks to employees—and all it takes is one vulnerable user for a breach to occur. An unaware user is an easy target, and easy targets are ripe for being swept up in a wide dragnet phishing attack (that is, a phishing attack that covers a large portion of the organization, often with the simple goal of harvesting credentials and valid identities, or compromising users’ laptops with malware).
The most straightforward way to establish a baseline of user phishing awareness is through regular, annual training, along with intermittent employee reminders reinforcing what they’ve learned in training sessions. Training should provide users with examples of phishing attacks, context on how to spot such attacks, and it also should address steps to take if they believe that they might be the target of a campaign.
During many red team engagements conducted by Synopsys to challenge an organization’s security effectiveness, we’ve discovered that this training is quite effective in guarding against even some of the more advanced dragnet campaigns. Organizations that have a phishing awareness program will often spot the campaign because of user reports and blacklist the source within a matter of hours.
Additionally, employees often advertise the certification that comes with phishing awareness programs on their resumes and LinkedIn profiles. An attacker harvesting user information from publicly available resumes and social media pages would likely take note of which users advertise such training, avoiding them as to not burn their campaign.
Of course, the only way to measure your organization’s phishing resistance is to perform a mock phishing exercise to see where gaps in knowledge may exist.
Defense through defense
It may seem like an obvious approach to avoiding being breached through social engineering, but it’s one that is rarely seen . Active defense, or a SOC (security operations center) that proactively monitors or uses tools that monitor the email perimeter, is a highly effective control. Employees cannot click on a phishing email if the SOC is notified of a dragnet attack, blacklists the associated domain and removes the email from all targets’ inboxes.
Additionally, having some level of domain typosquatting notification service could prove extremely helpful. One successful method is to take a URL that an employee would expect to see in an email, modify a character, and register it as an attack domain. Employees that are used to visiting my.example.com may have difficulty detecting the fact that they are being directed to my.exampIe.com (using a capital I instead of an L) or my-example.com. A typosquatting detection system would notify the SOC or appropriate point of contacts that someone, somewhere, has registered such a domain—enabling preemptive action to be taken.
These capabilities are slightly more difficult to test and require a more advanced version of a mock phishing exercise. Something akin to a red team engagement would be best suited to test an organization’s capability for responding to threats in a realistic manner.
Defense through segmentation
In the end, no organization is going to be perfect. Even the most technical, phishing-aware employee can be tricked by tailored attacks and the most careful, rule-following team lead can be coerced into making a simple mistake. Multiply those users by the number of people within an organization, and the realization is not far off—eventually, someone is going to get phished. Social engineering susceptibility is ultimately a question of when, not if.
Knowing this, adding a layer below phishing awareness training and a well-trained SOC armed with the right tools becomes necessary. It’s a lot simpler in writing than in practice—architecting a network to be resistant to compromise is the best way of avoiding a massive breach instigated by a single user.
That is, an organization with a flat network, weak endpoint protection and a weak credential policy could end up in the news the day after a single employee’s mistake. However, an organization with solid endpoint protection, a network that is segmented with stringent permission requirements across mandated two-factor authentication and active defense would likely detect the intrusion almost immediately and contain it to only that one user.
The best way to test an organization’s capabilities to resist compromise is by performing internal and external network penetration tests or red team assessments.
Ultimately, the best defense is having a combination of knowledgeable users, an internal security structure that is prepared to be one step ahead of the attacker and an active mindset that expects the attack to succeed one day, with a plan to mitigate damage.
The only way to know the extent of the damage potential involving a phishing or social engineering-based attack on an organization is to test employees.
Perform regular testing throughout the organization to determine a baseline security level. The importance of knowing the answer to “How easy is it to social engineer my employees?” and “If an employee’s workstation is compromised, how big of a deal is it?” should not be understated.
David Benas
David Benas is a data security consultant at Synopsys.