It was a busy summer for healthcare IT staff. The Minnesota Department of Human Services potentially breached 21,000 patients’ personal data. Gold Coast Health Plan emailed 37,000 patients to warn them their data had been exposed. And UnityPoint Health had to notify 1.4 million patients about a data breach—only months after the organization’s last data breach. The cause of all these data breaches? Employees falling for phishing attacks.
High-profile breaches have prompted many hardware and software providers to implement stringent protections and secure defaults. As a direct result, exploiting typical “low-hanging fruit” vulnerabilities to breach organizations has become a much more difficult, expensive, and noisy attack vector. Instead, attackers are turning to the new weakest link in an organization’s security: its people. Since October is National Cybersecurity Awareness Month, let’s consider how an organization can put security controls in place around its people without violating their privacy or productivity.
When it comes to planning an exploit, employees are the path of least resistance to attackers. All it takes is one vulnerable user for a breach to occur. An unaware user is an easy target, and easy targets are ripe for a wide dragnet phishing attack (that is, a phishing attack that covers a large part of the organization, often with the simple goal of harvesting credentials and valid identities or compromising users’ laptops with malware).
The solution: regular training to establish a baseline of user phishing awareness, along with intermittent employee reminders reinforcing what they’ve learned in training sessions. Training should provide users with examples of phishing attacks, context on how to spot such attacks, and steps to take if they feel they might be the target of a campaign.
Synopsys frequently conducts red team engagements to challenge an organization’s security effectiveness, and we’ve discovered that this training can guard against even advanced dragnet campaigns. Organizations that have a phishing awareness program will often spot the campaign due to user reports and blacklist the source within a matter of hours.
Employees are also likely to broadcast their involvement in phishing awareness programs on their resumes and LinkedIn profiles. This is likely to deter an attacker harvesting user information from publicly available resumes and social media pages.
Even the best employee training can only go so far in preventing phishing attacks. Humans are fallible, and socially engineered phishing attacks target kindness, generosity, helpfulness, and other qualities most people want to encourage in themselves.
The solution (though it may seem obvious, we hardly ever see it in customer engagements): active defense, meaning a SOC (security operations center) that proactively monitors the email perimeter, either directly or through tooling. Employees cannot click on a phishing email if the SOC learns of a dragnet attack, blacklists the associated domain, and removes the email from all targets’ inboxes.
Another approach is to use a domain typosquatting notification service. One successful typosquatting method is to take a URL that an employee would expect to see in an email, change a character, and register it as an attack domain. Employees who often visit my.example.com may not notice that they have clicked on my.exampIe.com (using a capital eye instead of a lowercase ell) or my-example.com. A typosquatting detection system notifies the SOC or another point of contact that someone, somewhere, has registered such a domain, allowing you to take pre-emptive action.
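A minimal version of such a watcher, as an added example that is not part of the original post: it derives lookalike registrable domains for a hostname employees expect to see and matches them against a feed of newly registered domains. It assumes the registrable domain is the last two labels (a simplification) and uses a constructed sample feed.

```python
from __future__ import annotations

# Confusable substitutions. DNS labels are case-insensitive, so the capital-eye
# trick (exampIe.com) is registered as exampie.com; everything is compared lowercase.
HOMOGLYPHS = {"l": ["i", "1"], "i": ["l", "1"], "o": ["0"],
              "rn": ["m"], "m": ["rn"], "vv": ["w"], "w": ["vv"]}


def lookalike_domains(hostname: str) -> set[str]:
    """Registrable-domain lookalikes of hostname (e.g. my.example.com).
    Assumption: the registrable domain is the last two labels."""
    labels = hostname.lower().split(".")
    name, tld, subs = labels[-2], labels[-1], labels[:-2]
    names: set[str] = set()
    # 1. homoglyph substitution, one occurrence at a time
    for src, repls in HOMOGLYPHS.items():
        start = 0
        while (i := name.find(src, start)) != -1:
            names.update(name[:i] + r + name[i + len(src):] for r in repls)
            start = i + 1
    # 2. single-character deletion and adjacent transposition
    for i in range(len(name)):
        names.add(name[:i] + name[i + 1:])
        if i + 1 < len(name):
            names.add(name[:i] + name[i + 1] + name[i] + name[i + 2:])
    # 3. subdomain folded into the registrable name (my.example.com -> my-example.com)
    if subs:
        names.add("-".join(subs + [name]))
    names.discard(name)  # the legitimate domain is not a lookalike
    return {n + "." + tld for n in names if n}


def match_feed(hostname: str, newly_registered: list[str]) -> list[str]:
    """Entries of a registration feed that look like hostname's domain."""
    watch = lookalike_domains(hostname)
    return sorted({d.strip().lower() for d in newly_registered
                   if d.strip().lower() in watch})


# Constructed sample feed; none of these are real registrations.
SAMPLE_FEED = ["exampie.com", "shop-news.example", "my-example.com",
               "unrelated.org", "examp1e.com", "exarnple.com", "example.com"]

if __name__ == "__main__":
    for hit in match_feed("my.example.com", SAMPLE_FEED):
        print("ALERT: lookalike domain registered:", hit)
```

A real deployment would feed this from a zone-file or certificate-transparency source and route hits to the SOC's ticketing queue.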
There’s no such thing as a perfect defense. What happens if a phishing email makes it through your active defense and an employee clicks on it? Even the most technical, phishing-aware employee can fall for a tailored attack and the most careful, rule-following team lead can make a simple mistake. And how many people are in your organization? Eventually, someone is going to get phished. Social engineering susceptibility is a question of when, not if.
The solution: adding a layer of defense below users’ phishing awareness and a well-trained SOC armed with the right tools. Though it’s a lot simpler to talk about than to practice, architecting your network to be resistant to compromise is the best way of avoiding a massive breach instigated by a single user. If you have a flat network, weak endpoint protection, and a weak credential policy, one employee’s mistake could put you in the evening news. But if you have solid endpoint protection, a segmented network with stringent permission requirements and mandated two-factor authentication, and active defense, you might detect the intrusion immediately and contain it so that it affects only that one user.
The best defense against phishing and social engineering is to take a multipronged approach with a combination of knowledgeable users, an internal security structure that can stay one step ahead of an attacker, and the expectation that an attack will succeed one day, with a plan to mitigate damage. Knowing the answers to “How easy is it to socially engineer my employees?” and “What’s the potential impact if an employee’s workstation is compromised?” is of paramount importance. The only way to know the extent of the potential damage of a phishing or social engineering attack on your organization is to test your employees. Perform regular testing throughout the organization to determine your baseline security level.
The first step in measuring your organization’s phishing resistance is to perform a mock phishing exercise to see where gaps in knowledge may exist. But testing your active defense, which is slightly more difficult, calls for a more advanced version of a mock phishing exercise. Something akin to a red team engagement would be best suited to test your organization’s ability to respond to threats in a realistic manner. And the best way to test your organization’s capacity to resist compromise is to perform internal and external network penetration tests, or red team assessments.
David Benas is an Atlanta-based security consultant at Synopsys. He specializes in web application vulnerability assessments, architecture risk analysis, code review, enterprise static analysis tools, red teaming, network pen testing, and threat modeling.