By now you've heard that a joint investigation by the Federal Bureau of Investigation (FBI) and the US Department of Homeland Security has led to a report that Russian operatives had hacked into companies that are part of the power grid in the US. The attacks are outlined in detail in a report from the US Computer Emergency Readiness Team (US-CERT) that describes how the attackers were able to penetrate the energy facilities and what they did with the information they stole.
What wasn't in the media reports was a fact that should cause concern to an IT professional, whether they work for a small to midsize business (SMB) or a larger organization. That fact: The path that the attackers exploited went through smaller partners of the ultimate target. They started their attack by penetrating the defenses of those smaller partners because they were likely to have weaker defenses, and then they used information and resources gleaned from there to attack the next facility up the line.
Anatomy of a Smart Phishing Attack
A primary means of getting access to the smaller partner was to find public information, which, when put together with other information, would provide the level of detail needed for the next step. For example, an attacker might examine the website of a company that does business with the ultimate target and there he might find the email address of a senior executive at either the partner's company or the ultimate target. Then the attacker might examine other information from both company's websites to see what the relationship is, what services are being provided by whom, and something about each company's structure.Armed with that information, the attacker can start sending highly convincing phishing emails from what appears to be a legitimate email address; ones with enough crafted detail that might well defeat any phishing filters put in place at the firewall or managed endpoint protection level. The phishing emails would be designed to harvest login credentials for the person being targeted, and if any of them is successful, the attackers would instantly bypass any identity management measures that might have in place and be inside the target network.
With the revelations about harvesting user information from Facebook, the nature of the threat expands. In a breach conducted under the guise of academic research starting in 2014, a Russian researcher gained access to about 50 million user profiles of American Facebook members. Those profiles were turned over to Cambridge Analytica. Subsequent investigations have revealed that this data was taken without the permission of those Facebook users and then misused.
Auditing External Communications
This brings up the question of just what information cautious businesses should make available via their websites. Worse, that query likely needs to extend to the organization's social media presences, third-party marketing channels like Youtube, and even high profile employee social media profiles.
"I think they have to be circumspect about what's on their company websites," said Leo Taddeo, Chief Information Security Officer (CISO) for Cyxtera and former Special Agent in charge of the Cyber Division of the FBI's New York City field office. "There's a great potential for disclosing information inadvertently."
Taddeo said that one good example is in job postings where you can reveal what tools you're using for development or even what security specialties you're looking for. "There are a lot of ways that companies can expose themselves. There's a large surface area. Not just the website and not just deliberate communications," he said.
"Social media is a risk," Taddeo explained, pointing out that an employee posting on social media can reveal a great deal inadvertently. He pointed out that employees saying that they're not happy with their job could reveal a target for exploitation. "Employees who talk in detail about their work or their accomplishments are a risk. Social media mining is very productive for adversaries."Taddeo warned that professional media websites, such as LinkedIn, are also a risk for those who aren't careful. He said that adversaries create fake accounts on such websites that disguise who they really are and then use information from their contacts. "Whatever they post on social media sites may compromise their employer," he said.
Given the fact that the bad actors who are targeting you may be after your data, or may be after an organization with which you work, the question is not just how do you protect yourself but how do you also protect your business partner? This is complicated by the fact that you may not know whether the attackers might be after your data or just see you as a stepping stone and perhaps a staging location for the next attack.
How to Protect Yourself
Either way, there are some steps you can take. The best way to approach this is in the form of an information audit. Enumerate all the channels your company is using for external communications, certainly marketing, but also HR, PR, and supply chain among others. Then build an audit team that contains stakeholders from all affected channels and start analyzing what's out there systematically and with an eye towards information that might be useful to data thieves. First, start with your company website:
- Examine your company website for anything that might provide details about the work you do or the tools you use. For example, a computer screen appearing in a photo might contain important information. Check for photos of production equipment or network infrastructure, which can provide clues useful to attackers.
- Look at the staff listing. Do you have email addresses for your senior staff listed? Those addresses not only provide an attacker with a potential login address, but also a way to spoof emails sent to other employees. Consider replacing those with a link to a form or use a different email address for public consumption versus internal use.
- Does your website say who your customers or partners are? This can provide an attacker another way to attack your organization if they're having trouble getting past your security.
- Check your job postings. How much do they reveal about the tools, languages, or other aspects of your company? Consider working through a recruitment firm to separate yourself from that information.
- Look at your social media presence, keeping in mind that your adversaries will definitely be trying to mine information via this channel. Also see how much information about your company is revealed in the postings by your senior staff. You can't control everything about your employees' activities on social media, but you can keep an eye on it.
- Consider your network architecture. Taddeo recommends an as-needed approach in which administrator access is granted only when it's needed and only for the system needing attention. He suggests using a software defined perimeter (SDP), which was originally developed by the US Department of Defense. "Ultimately, each user's access entitlements are dynamically altered based on identity, device, network, and application sensitivity," he said. "These are driven by easily configured policies. By aligning network access with application access, users remain fully productive while the attack surface area is dramatically reduced."
- Now consider your cloud services the same way. It's often a default configuration to make senior company executives administrators on third-party corporate cloud services, like your company's Google Analytics or Salesforce accounts for example. If they don't need that level of access, consider dropping them to user status and leaving administrative access levels to IT personnel whose email logins would be harder to find.
Finally, Taddeo said to look for vulnerabilities created by shadow IT. Unless you look for it, you could have your hard security work bypassed because someone installed a wireless router in their office so they could make easier use of their personal iPad at work. Unknown third-party cloud services also fall into this category. In large organizations, it's not uncommon for department heads to simply sign up their departments for convenient cloud services to bypass what they see as IT "red tape."
This can include core IT services, like using Dropbox Business as network storage or using a different marketing automation service because signing up for the official corporate-backed tool is too slow and requires filling out too many forms. Software services like these can expose gobs of sensitive data without IT even being aware of them. Make sure you know what apps are being used in your organization, by whom, and that you're firmly in control of who has access.
Audit work like this is tedious and sometimes time consuming, but it can pay big dividends in the long run. Until your adversaries come after you, you don't know what you have that might be worth stealing. So you need to approach security in a manner that's flexible while still keeping an eye on what matters; and the only way to do that is to be thoroughly informed about what's running on your network.