Developing a Security Mindset
We've all sat through them or, if you are in my profession, given them – the endless phishing security trainings of "don't click on this until you look at the link, make sure the sender looks right, blah, blah, blah". There's no doubt that these instructions protect against some attacks, but I think two things are increasingly becoming true:
As tools get better at preventing users from clicking on bad links or falling for malicious emails, the above training becomes less effective. Many systems now identify bogus domains, block fake links, or sandbox and check each link before letting people open it.
Because of this, threat actors (what we in the security profession like to call the bad guys) are moving towards more organic attacks that aren't as simple as clicking on a bad link or attachment. Some of the most effective attacks that I have worked on have had no malicious payload (bad links or attachments) or have come from completely legitimate senders. These attacks have resulted in millions lost. Although I can't go into specifics about cases I work on for my clients, here is a great example of one that happened to me:
No one is above being compromised; it doesn't matter if you are the 80-year-old kindly grandmother playing a puzzle who gets the suspicious email from her grandkid who is trapped in Mexico, or the security professional in the prime of their career who is always watching out for the next threat. It was just a regular day at work when I received an email from my daughter. Nothing suspicious about that, right? She was a junior in college and we often communicated by email. The previous weekend she had let me know she was giving a presentation on Monday morning. The email I received was identical to many I had received in the past - she was letting me know that the presentation went really well, plus there was a OneDrive link to let me watch it if I wanted to – no pressure. What dad doesn't want to watch their kid shine? As I was about to click on the link, I paused for a moment and realized, wait a minute - I'm supposed to be paranoid about this sort of thing. Instead of clicking on the link, I grabbed a copy of it and ran it through a couple of security testing tools to see if it was malicious. Sure enough, the video file contained a zero-day variant of a virus called Emotet (zero-day means that the traditional antivirus companies have not seen it yet and are not equipped to deal with it). If I had clicked on that link, the results could have been devastating for our company. It's always possible that our endpoint protection (the proper term for what used to be called antivirus) would have caught it, but we can't just rely on one layer of security. Eventually something will get through.
So, let’s summarize this attack:
I was expecting this e-mail and had verbal and written communications about it prior to receiving it.
It came from a known trusted sender.
The writing was stylistically identical to how my daughter communicates.
The link to the file was to her OneDrive account and she had used this exact method to share in the past.
This is a simple example, but a highly effective one. So, how do you protect yourself from this kind of attack? I believe it is less about learning the mechanics of what to look for that may make an email suspicious and more about developing a security mindset. Train yourself to see every e-mail as possibly suspicious and ask the right questions every time:
What are the consequences if I reply to this email?
What are the consequences if I give out protected information?
What are the consequences if I call the phone number in the email?
What are the consequences if I complete the requested wire transfer?
And yes, what are the consequences if I click on this link or open this attachment?
With this mindset you will be far better equipped to identify and handle future attacks that we haven't even thought of yet.
Another way to think about this is to equate cybercrime to physical crime. If I use words like carjacking, bank robbery, or murder, odds are everyone reading this knows exactly what I'm talking about. There is a visceral and emotional response. I don't think anyone would have difficulty identifying the potential ramifications of these crimes or recognizing them if they were happening. Unfortunately, cybercrime is much more common and happens to many more people, but the emotional response and recognition aren't there. Train yourself to have that understanding, recognition, and even emotional response, and I believe you will be much more secure for it. Please let me know your thoughts in the comments below and thank you so much for reading. Be safe out there!
Craig Sixta, CISSP is the Chief Technology Officer at Element Technologies. As an industry-leading expert in networking, communications, and security, Craig has been living out his passion to help organizations develop best-in-class technology solutions for over twenty years. On behalf of his clients, he has been consistently successful in mitigating attacks, determining root cause, and collaborating with local and federal law enforcement in apprehending offenders and recovering stolen funds.