Dan is a 20-year veteran of the ICT industry, working for global and local vendors in bringing new and innovative technologies to market in the ANZ region. During his career, Dan has been passionate about bringing a local voice and insights to global technology challenges. As the Editor of GetCyberResilient.com, Dan casts a keen eye across the hot topics, trends and pulse of local security practitioners to curate stories from near and far that are most impactful in addressing our evolving risks.
Hackers are a crafty lot. They know that brute-forcing an attack or relying on high-tech tools can only get them so far.
The real opportunity lies in tricking the people who work in the organisations they are targeting. But tricking people requires a skillful blend of con artistry, technological wizardry and a lot of patience. That’s why adversaries who are going for the big heists play the long game, carefully orchestrating and carrying out a multi-dimensional cyber deception strategy to con their victims.
Mimecast’s CEO Peter Bauer notes: “These are sentient attackers playing a chess game against you. And it’s a game you cannot ever win, but certainly a game you cannot afford to lose, and you have no choice but to play it.”
Malicious actors use both psychology and technology to achieve cyber deception
Adversaries have evolved blended attacks that exploit advanced digital tools as well as human psychology to increase their chances of success. Modern attacks and spear phishing campaigns combine techniques like impersonation via look-alike domains and websites with non-email communication channels.
The good old days of just filtering out suspicious email attachments and calling it cybersecurity are long gone. Today, hackers use everything from messages on LinkedIn and fake login pages to using web-hosted content repositories like Dropbox or OneDrive to host malware.
Perhaps even more concerning is the fact that hackers are moving from short spray-and-pray campaigns to well-targeted, persistent cyber stalking approaches, often letting their campaigns play out for weeks or even months before making a move.
The unfortunate reality is that attackers can be ferociously successful with these plans after just a little thought and planning. People are susceptible, the technology is imperfect and adversaries are becoming more skilled, organised and persistent.
Defending against cyber deception
A comprehensive cyberdefence must focus on preventing adversaries from achieving their desired outcome, rather than simply relying on a point solution that blocks bad emails from getting in. That means understanding how cyber deception campaigns work as a whole.
Cyber deception campaigns are typically carried out in three stages:
The attacker meticulously researches their target organisation, identifying the key people to target, their decision-making structure and their tech stack. The sheer wealth of information available from public sources like Google and LinkedIn makes it straightforward for hackers to find what they need.
In this stage, the hacker compromises the credentials of employees to send internal emails. Emails, especially from senior management, are still implicitly trusted in most organisations. Hackers usually test the waters by sending out a few fake emails to see if they’re detected. If no one picks up on them, they can manoeuvre themselves into a position to glean sensitive corporate info. But email isn’t the only channel attackers use. Some even set up fake profiles on LinkedIn, impersonating company executives to scam people in their network. Their goal is to either hijack a fund transfer, sneak malware into their target organisation’s network, or harvest credentials from the organisation’s employees and partners.
This is the money-maker. Adversaries exploit their target’s hard-earned brand, reputation or identity and imitate them to infiltrate and compromise others in the company’s network. At this point, they redirect a fund transfer, get employees to download malware, or set up a fake domain or site that impersonates the business. Unsuspecting customers and clients, seeing an email or LinkedIn message that looks like it's from a trusted business partner, can easily fall victim to the scam.
Building a multi-dimensional cybersecurity architecture
The key to building an effective cyber defence is understanding an attacker’s motivations. By and large, making money is the biggest motivator for cybercriminals. That means they’re out to get data or info that can help them do that. Our cyber defence strategy should focus on disrupting all three stages of a hacker’s cyber deception plan.
First, we need to look inward and assess our internal security. Email gateways are still a crucial pillar in a cyberdefence strategy, since email is still the default communication channel in most organisations. That same ubiquity gives hackers a direct pathway to the machines and minds of all of a company’s employees.
Phishing detection and awareness training are some of the most effective ways to strengthen email security. The time has come for companies to take a zero-trust approach for internal emails to maximise their defences.
This also means watching out for signs of compromise, which is where awareness training comes in. Awareness training strengthens your human firewall and greatly boosts your chances of thwarting an attack in the ‘execution’ stage, before any real damage is done.
Remember, hackers are very good at tricking people into downloading malware-ridden attachments, which can be disguised as anything from resumes to leave applications to fake invoices. Alert and aware employees are your greatest defence.
Next, we need to see how we can secure our company’s assets beyond our perimeter. Setting up DMARC correctly can protect against abuse of your actual domain. Companies must also proactively hunt for fake domains and web content that impersonates their organisation and take immediate steps to have them removed. Speed is key: the faster you can detect and respond to fake content, the better.
Cybersecurity needs to be holistic
An effective cyber defence needs to consider the attacker’s journey, covering both the technology side and the human side of your digital environment. Viewing cyber deception as a holistic strategy means we don’t get caught up in specific tactics, and can make a better defence architecture that thwarts the attacker at every step. What’s more, your cyber defence strategy needs to evolve with time and incorporate new knowledge, tools and practices to keep your security up-to-date and well-rounded.