Think Like the Enemy: Leveraging OPSEC to Stop Social Engineering Exploits

Globally, organizations spend billions of dollars trying to protect their networks from hackers, terrorists and even nation states. They’ve built fortresses of technologies designed to keep the bad actors out. And yet, there’s not a CISO in this world who isn’t worried that their network was compromised last night. (By the way, I’m sure there was a network that was totally compromised last night, so one of the aforementioned CISOs is having a bad day.)

Why is that? Well, it comes down to you. Yes, you, and your colleagues, your team, and heck, even your boss. Cyber attackers know that these fortresses exist, and so, they look for an easier way to get in – a weak link. Most often that weak link is people.

Every day, cyber attackers comb through publicly accessible personal information on Facebook, LinkedIn and any other public social media site or database. They know about you. Public information and social media accounts are the easiest way for attackers to gain access to your passwords and security questions. Where did you go to high school, and what’s the mascot? What’s your mother’s maiden name? What’s your daughter’s birthday? (Nice picture of her eating birthday cake, by the way!) It’s all there, waiting on a silver platter for an attacker to leverage for their own gains.

As an Army officer, one of the simple principles we learn very early on is Operations Security. In practice, OPSEC is about identifying information that could be pieced together for enemy exploitation and then reducing exposure of that information. Each piece may not mean much when disconnected from the current situation or larger operation, but when pieced together by enemies, it makes for a bad day. When an enemy can gather information from all sorts of places and piece together when that supply convoy or the next operation will occur, it makes all other efforts useless.

Strip away the military jargon and this is the same way cyber attackers are compromising passwords every day. Seemingly disconnected information is pieced together until there is enough of a picture to act on.

Maintaining OPSEC in the business world is a hard problem to solve. Even in the security business, companies want to highlight the great talent they have fighting cybercrime. This talent now has a huge target on its back.

The key is this: targets must understand they are targets. From the basic system administrator to the CFO, attackers will continually engineer ways to get critical information from people they consider high value. Training targets in the organization, from the top down, to identify and stop social engineering attacks is the best defense.

CISOs need to think like the enemy:

  • Perform your own recon to find out what attackers “see” and how they target high value people.
  • Build information assurance policies, cyber defenses and countermeasures that prevent exploitation of that information.
  • Drive this from the top down. Everyone in the organization is partly responsible for its security. Know the weak links and hunt for activity aimed at them.
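As an added example of the first bullet (not code from this post or from Kudelski Security), here is a small self-recon check: the kinds of security-question answers the post calls out as exposed (school mascot, mother’s maiden name, a child’s birthday) are compared against constructed, fictional public-profile posts, so that an enrollment flow can reject an answer an attacker could simply read off social media. The posts, names and dates are all made up.

```python
from __future__ import annotations
import re
from datetime import datetime

# Constructed public-profile snippets about fictional people, standing in for
# what "perform your own recon" turns up on social media.
PUBLIC_POSTS = [
    "Go Tigers! Springfield High class of '01, never forget.",
    "Happy 7th birthday to my daughter Emma - cake everywhere! #Aug12",
    "Proud of my mom, Linda Kowalski, for finishing her first 5k.",
]


def normalize(text: str) -> str:
    """Lowercase and drop everything that is not a letter or digit."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def date_variants(answer: str) -> set[str]:
    """If the answer parses as a date, return the normalized spellings an
    attacker would try (Aug12, August12, 12Aug, 0812, ...); else an empty set."""
    for fmt in ("%m/%d/%Y", "%Y-%m-%d", "%d.%m.%Y"):
        try:
            d = datetime.strptime(answer.strip(), fmt)
        except ValueError:
            continue
        abbr, full, day = d.strftime("%b"), d.strftime("%B"), d.day
        forms = {f"{abbr}{day}", f"{full}{day}", f"{day}{abbr}", f"{day}{full}",
                 f"{d.month:02d}{day:02d}", f"{day:02d}{d.month:02d}", f"{d.month}{day}"}
        return {normalize(f) for f in forms}
    return set()


def exposed_answers(answers: dict[str, str], posts: list[str]) -> dict[str, str]:
    """Return the question -> answer pairs whose answer already appears in public text.
    The match is a substring test on a normalized corpus, so it is deliberately
    conservative: a false positive only costs the user a different answer."""
    corpus = normalize(" ".join(posts))
    hits: dict[str, str] = {}
    for question, answer in answers.items():
        candidates = {normalize(answer)} | date_variants(answer)
        candidates = {c for c in candidates if len(c) >= 3}  # skip tokens that match anything
        if any(c in corpus for c in candidates):
            hits[question] = answer
    return hits


if __name__ == "__main__":
    proposed = {"School mascot": "Tigers", "Mother's maiden name": "Kowalski",
                "Daughter's birthday": "08/12/2010", "First pet": "Rex"}
    for q, a in exposed_answers(proposed, PUBLIC_POSTS).items():
        print(f"REJECT {q!r}: {a!r} is already public")
```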

The team at Kudelski Security is here to help you get started or complement an already mature program. Get in touch with us for a discussion more tailored to your specific needs.

The Cyber Pressure Model

Nearly every organization and government entity around the world has a media arm to promote its activities. Today’s terrorist organizations are no exception. Top targets such as Al-Qaeda, ISIS and Al-Shabaab all have elaborate media mechanisms to promote and recruit for their organizations.

In my role as an Army Officer at US Central Command, I was privileged to support the fight against radical terror and particularly the effort to stop ISIS from creating and publishing videos of their gruesome acts. We also fought to put a stop to magazines that promoted radicalism and the spread of information on how to create IEDs and counter coalition tactics.

Our efforts centered on identifying the Islamic terrorist media apparatus, from producers and disseminators to leaders, and putting ‘pressure’ on all the places that would impact their operations.

This same pressure model can be used to fight cyber terrorists and criminals. By adopting an end-to-end look across the kill chain or lifecycle of a cyber attack, actions can be taken at specific stages to have the greatest impact in degrading the attacker’s ability to achieve their objectives or get to the next phase of the kill chain. Organizations must build a ‘pressure’ model based on their infrastructure, their tools, their goals and business requirements.

To build this pressure model, you have to look at what can be done to identify attacker recon efforts and degrade or deter the attackers’ recon operations, as well as what can be done to keep them from moving further along the kill chain. If the ‘pressure’ placed during recon is not enough, the organization must move on to put pressure on the attacker’s ability to build tools against its specific infrastructure.

This may require purpose-placed defenses, active hunting, active intelligence collection, identifying and stopping delivery of tools or malware, and so on for every step of the attacker’s kill chain, from reconnaissance, design and build, delivery, installation, exploitation and command and control, all the way to combatting their final intended actions of theft, denial of service or ransom. Place enough “pressure” along each step, and attackers will lose interest or at least move on to weaker and less resource-intensive targets.

Kudelski Security built its Cyber Fusion Center around the concept of putting pressure at each stage of the kill chain. We take a nonlinear approach to the traditional phases of the kill chain which enables us to identify patterns and disrupt adversary movements throughout the stages of an attack. This results in reduced time to detection, contextualization of the threat and minimizing of the overall impact when an attacker does penetrate border defense.

It starts with information gathering. We collect, enrich and analyze threat data within the context of the environment. This gives our analysts insight on threats and the tactics, techniques, and procedures of adversaries.

Armed with this intelligence, we can help configure and manage defenses to thwart attackers’ advances throughout the kill chain. Should an attacker reach their intended target, virtual tripwires and decoys can stop them from achieving their objectives.

You can read more about the services provided by our Cyber Fusion Center here.

The Might of a (Cyber) Nation!

Recently, Andrew Howard, Kudelski Security CTO was asked to comment in CSOonline on the need for a Cyber National Guard. A US congressman recently proposed the idea, citing digital security as a component of national security amidst headlines of other nations meddling in government business. The cyber national guard would be a team of cybersecurity reservists that could “occasionally be called on to protect the country against cyber threats, and strengthen national security on the digital level.”

My colleague’s response touched on the gap between IT and the military. Military requirements and obligations are often less appealing to tech workers than pursuing a career in the private sector. “Our government, similar to corporate America, is struggling to find qualified cyber security experts. The concept of a national guard cyber security capability is a good idea, but only to help grow the number of qualified military experts, not to actively defend US interests.” That begs the legal question of whether the military should be involved with enforcing domestic policies at all. The Posse Comitatus Act says no.

If the military and the National Guard can’t, then the active defense of US interests in cyberspace will be driven by the “might of the nation.” When we talk about “might,” we’re talking about “the power, authority, or resources wielded (as by an individual or group)” (at least according to Merriam-Webster). National might is the power of the people, the businesses that create economic wealth, and the organizations that support our way of life, not just the military.

Every day in America, and across the globe, good, patriotic people are defending the world’s way of life in cyberspace. These people are the “might” that must defeat cyber attacks. Whether it’s a government organization or a company that provides valuable services and economic power, there are cyber “forces” fighting to ensure our way of life continues.

Having spent 22 years in the US Army, helping operate and defend the Army’s networks, and at times, the entire Department of Defense’s networks, I see former Department of Defense military and civilian cyber professionals serve this nation every day as part of the cyber ‘might’ in the civilian sector. Although they moved outside the military, their commitment to serve by fighting cyber attackers has not wavered. To all of them, thank you for your service and your continued service!

To CEOs, COOs, and CISOs, look for the Might. The nation needs your help, and it needs your employees’ help. Many companies want the world to be safe from cyber attacks, but it’s your team that has to accept the challenge. Ask yourself these two questions:

  • Does your team understand their purpose – within the organization and their impact to the Nation?
  • Are they prepared to fight? Do they have the attitude and the drive to do what they’ve been called to do?

It’s up to all of us to be part of the “Might” that will defend our nation against cyber attacks, cyber crime and cyber terrorism. The nation depends on it!