Posted May 26, 2011
As the CTO of a leading cyber-intelligence company, I’m often asked about the biggest game-changer in IT security today: What’s the latest technique that hackers are deploying to compromise networks with advanced persistent threats (APTs)?
I tell them that it’s not really about some highly advanced but ill-intended technological strategy. It actually boils down to a simple concept: building and exploiting trust.
That’s right. Yesterday’s hacker spent all of his time looking for holes in the network to exploit, to penetrate and trigger a malware attack. These hackers cultivated legendary status as whiz kids of the tech underground who routinely outsmarted corporate IT security pros at their own game.
Today, these would-be intruders still command a high level of technological aptitude (not to mention unsavory attitude). But they are cultivating another highly useful skillset: the ability to manipulate human behavior.
That’s because social media has changed everything.
Individuals and organizations are now embracing the use of Facebook, LinkedIn, Twitter and other outlets. As well they should. These sites are remarkably effective when it comes to peer networking and connecting with customers to get product feedback, test marketing strategies and build brand loyalty. However, not surprisingly, cyber crooks are flocking to social-media sites to plot their next attack. Why wouldn’t they? That’s where they can pinpoint executives and employees who hold key positions within the organizations that they seek to compromise. Because the very concept of social media encourages these professionals to display their business associations publicly, their corporate background is highly valued data that’s easy for the bad guys to find.
Once they zero in on which employees to target, they then work on the “trust” factor.
For certain, taking advantage of the human capacity for trust is nothing new. The term for the computer virus, Trojan, refers to the legendary deception of the city of Troy on the part of the Greeks, with that “gift” of a large, wooden horse. During Pontiac’s Rebellion, European soldiers were said to have given Indian natives blankets outside Fort Pitt, blankets that were intentionally infected with smallpox. And Bernie Madoff is far from the first Ponzi artist to destroy personal fortunes by promoting a financial house of cards built upon the concept of trust.
Today’s cyber attacker – at least from a psychological standpoint – operates in very similar fashion. He’s a phisher who finds individuals who can lead him to where he wants to go within the network and emails them with some kind of message that, on the surface, brings something of value to the intended victim and raises sufficient curiosity to take some action. If that intended victim is a high-level finance executive, for example, the email could contain a URL to click on to find out about a new accounting regulation that’s in the works. A sales staffer could get an online invitation to download online coupons for discounts at a local golf club.
Only the URLs are simply disguised links to malware. Since anti-virus technology is typically based upon blocking signatures, it’s useless against this kind of tactic. That’s because the chance that the hacker’s signature hasn’t been seen before is greater than 99 percent. And if you haven’t seen it before, your anti-virus technology won’t block it. Web proxies are generally ineffective as well. They’re intended to serve as gatekeepers to distinguish “good” URLs from “bad” ones. But they’re too often outdated, and it doesn’t take much effort for a phisher to come up with newer “bad” URLs that won’t get tripped up by the proxy solution.
Once inside the network, these hackers execute their intrusion in a manner unique to the modern era. In the recent past, such intrusions were all about disruption. Today, they’re about stealth. The hacker doesn’t want to announce his presence. He’ll lie low for days, weeks and even months at a time, quietly looking for backdoor channels to gain credentials, so he can access more and further secure entry points within.
To fight this, education/training of enterprise users is necessary if not sufficient. They need to know how to spot suspicious messages, and to resist the natural inclination to click on a link that looks benign but really is a hidden front for malware. In addition to training, IT security staff must remain on top of phishing trends and proactively monitor their traffic for high-risk behaviors. And above all, next-generation security systems must examine the content and context of the email along with the methods and behavior of embedded web page links to judge the trustworthiness of the emails.
Ultimately, organizations need to realize that their weakest link is a curious employee who also happens to be a trusting one.
Manoj Srivastava, Chief Technical Officer, Cyveillance
Question to consider: How much training/education does your organization conduct with internal users on detecting and avoiding intrusion attempts?