Endpoint | Commentary
6/21/2016 11:45 AM
Joseph Opacki

Phishing, Whaling & The Surprising Importance Of Privileged Users

By bagging a privileged user early on, attackers can move from entry point to mission accomplished in no time at all.

In the world of cybersecurity, there are two wildly different approaches to phishing.

The first, which we subscribe to, recognizes the threat posed to organizations by phishing attacks, and seeks to defend against it by both educating employees and tightening internal controls. In those cases where a phishing attack is successful, our camp aims to eliminate the threat as quickly as possible, and then learn from it.

The second approach is quite different.

There are those within the cybersecurity world who believe that since it is impossible to completely prevent employees from being suckered by phishing emails, there’s no point in even trying to educate them. The theory goes that defending against any form of cyber attack (including phishing) is the responsibility of your information security team. Employees are simply too busy, and too ignorant, to be involved in the process.

I believe this is a mistake, and I’ll explain why.

Understanding your attacker

Whatever your approach to cybersecurity, it makes sense to start with an understanding of the people you're trying to protect yourself against.

Image Source: PhishLabs

The Verizon 2016 Data Breach Investigations Report is a tremendous resource for this sort of research; it immediately informs us that external attackers cause the majority of breaches. The insider threat is certainly a concern, but statistically you're far, far more likely to be breached by an external actor.

The report also explains that although you’ll need to defend against many different cyber weapons (malware, social engineering, hacking, etc.), most attacks fall into two categories: point of sale (PoS) and phishing. Unsurprisingly, our main focus is on the various threats posed by phishing attacks. But perhaps most important of all, the report provides an insight directly into the mind of your attacker. Over the past 12 months there has been tremendous speculation as to the motives behind cyber attacks, with much being made of a few high-profile instances of state-sponsored cyber espionage.

But are governments and competitors really lining up to steal your secrets? Well… no.

In an overwhelming majority of cases, the motivation behind cyber attacks is financial reward. There is a huge black market, accessible through the Dark Web, where hackers can sell proprietary and payment data to the highest bidder. Typically this is a collection of large organized crime syndicates, many of which are based in countries with no extradition treaties.

Rest assured that there is big money in play here, and successful hackers get paid extremely well for their "work."

So what does all this tell us? In short, it lets you know where to concentrate your cybersecurity efforts for maximum effect. If your organization does fall prey to an attack, it’s most likely to come in the form of a phishing email designed to grant access that can ultimately be used to steal saleable information.

The anatomy of a (successful) phishing attack

Now that we understand the methods and motivations of most attackers, it’s much easier to comprehend the format of a typical attack. Initially, the attacker needs an entry point. In most cases, this will be a phishing email that baits one of your employees into installing malicious software (malware) or giving away their login credentials (social engineering).

Once the attacker has gained access to your network, they’ll try to make lateral movements to expand their access and level of control. This could include stealing proprietary data to inform further targeted phishing attacks (spear phishing), identifying vulnerabilities, and/or stealing higher value credentials.

Finally, once they have the required level of access, your attacker can enact their primary mission: to steal and sell your data.

Going after the big phish

As you’ve no doubt gathered, your attackers’ job will be much easier if they can successfully phish someone with a high level of access. Rather than spending time gradually increasing their permissions and control, by bagging a privileged user early on they can move from entry point to mission accomplished in no time at all. This tactic is known as whale phishing, or "whaling," and it can spell disaster for your organization. Clearly, this is not what you want to happen.

Every phishing attack relies, at some point, on being able to sucker employees into clicking on something they shouldn't. Now, it's true that the information security team can play a huge part in preventing this: many phishing emails can be kept out of employees' inboxes by well-maintained filters, and more can be foiled by tight security controls.

But what about your privileged users: directors, executives and system admins who all usually have a high level of access? What if they're targeted by spear phishing or whaling attacks?

Access controls on your whales

I know it’s tempting to overestimate access requirements, but it’s important to consider how much access these people really need. Nobody wants the finance director to fly off the handle because he can’t run a report, but in reality he probably doesn’t need read/write access to every area of the network.

Regardless of your approach to dealing with the threat of phishing attacks, tightening internal controls such as user access levels is hugely important, and can spell the difference between a narrow escape and a crushing data breach. Most users do not need to be able to install programs or access sensitive data, and if for some reason they do, they can always be granted specific access on a case-by-case basis.
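As an added illustration of the point above (example code, not from the article or from PhishLabs), here is a small Python model that compares the blast radius of the same phished finance-director account under a standing read/write-everywhere policy and under a least-privilege policy with a time-boxed case-by-case grant. The resource names, the two policies and the four-hour grant window are assumptions made for the example.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample data stores (not from the article).
SENSITIVE = {"hr_records", "customer_payments", "source_code", "finance_reports"}

@dataclass
class Grant:
    resource: str
    mode: str                        # "read" or "write"
    expires: datetime | None = None  # None means a standing (permanent) grant

@dataclass
class Account:
    name: str
    grants: list[Grant] = field(default_factory=list)
    can_install: bool = False        # right to install software on the endpoint

def blast_radius(acct: Account, now: datetime) -> dict:
    """What a phished account reaches at `now`; expired case-by-case grants drop out."""
    access: dict[str, set[str]] = {}
    for g in acct.grants:
        if g.expires is None or g.expires > now:
            access.setdefault(g.resource, set()).add(g.mode)
    return {
        "writable": sorted(r for r, modes in access.items() if "write" in modes),
        "sensitive_exposed": sorted(SENSITIVE & set(access)),
        "can_install_malware": acct.can_install,
    }

def overprivileged_director() -> Account:
    """Hypothetical policy A: standing read/write everywhere plus install rights."""
    grants = [Grant(r, m) for r in sorted(SENSITIVE) for m in ("read", "write")]
    return Account("finance_director", grants, can_install=True)

def least_privilege_director(granted_at: datetime) -> Account:
    """Hypothetical policy B: standing read on reports; payments via a 4-hour grant."""
    return Account("finance_director", [
        Grant("finance_reports", "read"),
        Grant("customer_payments", "read", expires=granted_at + timedelta(hours=4)),
    ])

def compare_policies(now: datetime = datetime(2016, 6, 21, 11, 45)) -> dict[str, dict]:
    """Same phished account under each policy, and policy B once the grant expires."""
    return {
        "overprivileged": blast_radius(overprivileged_director(), now),
        "least_privilege": blast_radius(least_privilege_director(now), now),
        "after_expiry": blast_radius(least_privilege_director(now), now + timedelta(hours=5)),
    }
```

Under policy A the stolen credentials expose every store with write access and let the attacker install software; under policy B they expose two read-only stores, and only one once the case-by-case grant lapses.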

Controls aren’t enough

It’s true that you can’t rely 100% on your employees to report and delete phishing emails, but you also can’t rely 100% on your security controls. Like it or not, some phishing emails are going to end up in the inboxes of privileged users, and it’s going to come down to them to determine whether that attack is successful. If you can engage and train your employees to recognize and report phishing emails, you’re adding a vital last line of defense that otherwise wouldn’t be there.

At the end of the day, it’s a choice between a reported phishing email and a successfully installed malware package. I know which side I’m standing on.


Joseph Opacki is vice president, threat research, at PhishLabs, responsible for threat research, analysis and intelligence. Prior to joining PhishLabs, Mr. Opacki was the senior director of global research at iSIGHT Partners. Before his career in the private sector, Mr. ...
Comments
RyanSepe, User Rank: Ninja
6/30/2016 | 3:05:40 PM
Re: BYOD
I agree with you. Plus the employee is the perfect compromise point. With their level of access you have the ability to circumvent many security safeguards.
Whoopty, User Rank: Ninja
6/22/2016 | 7:26:42 AM
BYOD
Some great points here. It's amazing how often major corporations are cracked open when just one employee lets the hackers in.

However, it also continues to raise concerns for me around BYOD policies. It becomes a hell of a lot easier to hack into a network if it is full of devices people take home, leave around and potentially don't secure anywhere near as well as their hardware and software at work.