Phishing Attacks are sexier than APT Campaigns
The humble phishing email is more likely to target you and your organisation than the big bad Fuzzy Duck APT
CyBeer Suggestion: Brewdog Jack Hammer
Metal Artist of the Week: Lamb of God
Welcome to my first blog of Justin Timberlake’s favourite month. This week I’ve decided to talk about one of the biggest bugbears I have with the cybersecurity industry and what I’d like to see change. With this in mind, I’ve elected to give Brewdog’s Jack Hammer the (now) coveted (and newly coined) CyBeer Suggestion for this post. This face-punching, hoppy IPA is an authentic Rockstar beer that will set the tone just right for all that’s about to come.
Can’t Go Phishing Without Beer & Metal
I recommend pairing Jack Hammer with a slice of Lamb of God and their new single ‘New Colossal Hate’. The perfect match I’m sure you agree, and if you don’t agree, try them together then tell me I’m wrong. I’ll retort about why I’m right, and then we’ll agree with me, understood? Great, let’s crack on.
Let’s go Phishing
I think that the cybersecurity industry as we know it is full of companies that claim to have a silver bullet and hang their hat on how they represent attacks by hostile actors that definitely will hack your organisation and ruin you. This concept is probably useful if you’re a defence contractor or business that has ties to sensitive Government contracts or are large enough that these actors see you as a viable target for their operations and their intelligence requirements.
This, however, is not going to be the case for the vast majority of businesses here in the UK, and I daresay, in most countries around the world.
If you ask most CISO’s or security managers what they really worry about when it comes to their organisation, they’ll usually say some/all of the following:
- A phishing attack that results in Business Email Compromise (BEC) fraud or severe ransomware/wiper attack.
- Critical vulnerabilities that are left unpatched for reasons only known to those responsible for patching them. In 2020 do you really still need to have not patched MS17–010, really?!
- If the coronavirus is going to decimate their stock options much more than it already has?
- Risk of a disgruntled employee doing something nefarious or highly detrimental to the company.
- Where to place an already tight budget on a growing list of responsibilities and concerns.
- All the other usual concerns with high-pressured roles, particularly in the wake of COVID-19 and everyone working from home, and the associated challenges and risks that brings with it.
APT (Advanced Persistent Threat) groups don’t usually keep up a regular CISO at night, a BEC however, can and does have a real-world impact on organisations. If your organisation has limited cash flow for some reason, and you inadvertently pay an invoice/expenses to a fraudulent actor, you might suddenly find yourself in a very sticky situation. This might not concern you if you’re a large enterprise with billions in revenue, but for the regular small business, this could be fatal.
APT groups are not going to target the significant majority of small and medium enterprises (SMEs), as there is no tangible benefit to them for doing so. If you happen to work for an SME and are familiar with vendors telling you how good they map the APT Cuddly Snail to Mitre ATT&CK and they visualise it through interpretive dance, then I’m sure you can understand where I’m coming from.
APT Go Brrrrrr
For most SMEs, the most substantial threats they face will originate from cybercriminal groups looking to harvest credentials or personal data for sale on underground forums. It might not be quite as sexy as Vladimir Putin himself hacking you with Kim-Jong Un by his side, but it’s still pretty hot. It’s for this reason that for most businesses, the simple phishing campaign is a ‘sexier’ threat than those from far-flung lands of the omnipotent cyber warrior.
We all dream of the cyber trenches, firing our binary bullets and our python grenades over to the adversary, but that’s not the reality for most of us. The simple truth, fortunately, is that a lot of attacks can be stopped in their tracks by employing some basic cyber hygiene.
A lot of precautions organisations should take would stop a lot of APT attacks, as well as the opportunistic villain looking to steal your data or drop some ransomware to extort you. Ensuring systems get updated, especially when critical CVE’s are announced should be paramount. Encouraging staff to use services like Have I Been Pwned to check if their details have already been stolen elsewhere make for significant first steps.
Following the NCSC’s 10 Steps to Cybersecurity or encouraging staff to follow their tips for staying secure online for individuals, would also put any small business light years ahead of most of their peers. It’s staggering that in 2020 we as an industry must still bang the drum for patching and being aware of your own compromised data. However, the majority outside of our bubble don’t think about these things, and it shows in the growing number of successful cyber attacks year-on-year.
Phishing by Sales?
With this lack of hygiene, combined with pushy salespeople who see you ripe for the picking for their Cyber X-Dragon APT Catcher Blockchain Platform™; a lot of organisations spend lots of money on tooling and protection they either can’t use or don’t need. Now I’m not saying that the products sold in the industry are all snake oil, far from it (although there is a fair amount that might fit into this category). A lot of platforms and tools will help most organisations to be more secure, but when you look at the cost vs benefit for most SMEs, it doesn’t make sense.
If you spend hundreds of thousands on software that focuses on APT actors, but you run a middle-sized business unlikely to be targeted by a Russian APT — what’s the point? You might get lucky and catch some sophisticated cybercrime from this sort of solution, but surely, you want to put that money to use elsewhere where you can get more value?
In CTI, I speak to vendors and look at different products regularly. I see crossover and similarities in a range of products and a vast difference in cost. Sometimes this is justified (you might be comparing an automated service to something that’s human-led, so there’s a salary cost to consider). Other times not justified at all — but this will only become apparent when you’ve had time to sit down and compare various products over a lengthy period. It is doubly confusing when you start comparing products that claim to be the same thing more or less, yet all look entirely at their foil in altogether different ways (Threat Intelligence Platforms are a prime example of this).
The downside to my argument here is that the majority of cyberattacks don’t make the news, and thus don’t often become of interest to those who hold the purse strings. Couple this with the fact, that management bods tend to love metrics and numbers of things they can prove success with, and you have a cybersecurity recipe for disaster.
I know of many peers who’ve made recommendations or raised issues with prospective vendors as to why one product is better suited over another, only to be told that the vendor they don’t think is suitable is getting the deal anyway. Often, it’s not the people using the product that gets to make these decisions, but they are left to deal with the aftermath of it. This can lead to burnout, stress and a rapid change in employer. Objectively, the decision wasn’t made in spite, or because of some secret handshake, more likely that the person with the money got a slicker presentation that talked about the sexy side of cyber, that in most cases, doesn’t exist for most of us in our day jobs. It’s this process that needs an actual expert to drive the decision-making process, so everybody gets the real benefit:
- The Company finds a vendor that suits the security teams needs and can provide quick results.
- A chosen vendor doesn’t risk the wrath of having their contract torn up or risk churning an unhappy customer if they feel missold or that the product isn’t fit for purpose.
- Internal security team feels valued and reaps the benefit of having tools they can get use from that make their jobs easier, and thus helps the company to be more secure.
It seems like a simple solution, and maybe for many companies, it is. However, in the Enterprise space, I don’t believe this to be so. Often decisions seem to be made way above the team responsible for implementing and using any tooling. Thus this can affect the viability of the team, their output and risks putting projects back for months, far from ideal.
Real-World Phishing and Chips
To use a real-world example, I was recently privy to a phishing email campaign that was detected and blocked within 3–4 minutes. A potentially severe incident was identified, analysed and removed from all inboxes in the time it takes to make a cup of tea. This demonstrated to me how powerful it is when the technology works in favour of the security team. I can think of cases where it’s been days or even weeks to get the same level of response. Fortunately, my organisation takes security seriously and is on a pretty intense trip to upscale our capabilities. Long may it continue.
If you imagine, however, that this attack wasn’t stopped. If it reached the CEO, who fell for the lure or didn’t recognise the URL was fraudulent, and before you know it has provided his password to criminals. For a large organisation, this can be truly devastating. I use the CEO in this example as an exaggeration, because it’s usually someone lower down the corporate ladder who’s unfortunate enough not to see the email is a fake. Any number of large-scale ransomware campaigns have relied on phishing emails to succeed, with the combination of Trickbot, Emotet and REvil becoming more prominent this year alone. The major attacks of the last six months in most cases are no longer the activities of the highly-sophisticated James Bond types, but probably some young adults in Starbucks (possibly in countries where they don’t have Starbucks). The Travelex ransomware incident in December 2019, while not driven by phishing, was run by a criminal group who probably got paid millions of dollars in ransom. It will only be a matter of time before the next ransomware incident of that scale happens and is delivered by a phishing email.
Are We The Baddies Hans?
Part of the problem here is driven by the cybersecurity industry itself too. As a community, we love to pat ourselves on the back and show how clever we are. I will never understand why someone finds a critical flaw in major software then posts it on GitHub in the name of security. It’s a self-fulfilling prophecy. Every time this happens, the door is opened just a little more for criminals to rampage through with little to no thought for the consequences. It’s great that these flaws are identified and mitigated, really it is. However, I believe that posting the code on open-source defeats the purpose. Yes, it helps penetration testers ensure their clients are safe but is this truly the best way? It might not make you cool with the Twitter kids, but it also doesn’t mean your code will potentially be responsible for bringing a small business to its knees. I stand by this thought, and I’m more than willing to be challenged on it, but as it stands, I don’t see why this such an acceptable practice.
I’d love to hear more thoughts on this topic from the community. Please do comment or reach out on Twitter or LinkedIn. It’s a fairly emotive topic, and I’m sure there are many interesting views on it. I hope I haven’t burnt too many bridges here, and if I have, well I can buy you a beer after coronavirus, and we can settle our differences. Until you agree I’m right, of course.
P.S. I am definitely available to help you name your threat actor groups, for a fee of course. Hit me up.
P.P.S. Also happy to read your phishing emails if they’re funny.