Operations
3/2/2015
10:30 AM
Saryu Nayyar
Saryu Nayyar
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
67%
33%

Why Security Awareness Alone Wont Stop Hackers

End-user training is a noble pursuit but it's no defense against "low and slow" attacks that take months and years to carry out.

We’re all familiar with the infamous quote: Insanity is doing the same thing over and over again and expecting different results.
 
News headlines from around the globe recently told the story of how hackers were able to steal hundreds of millions of dollars from banks using malware. The story was based on a report released by Kaspersky Labs.
 
The singular most important element of this breach is that it was done in a “low and slow” fashion over several months. The threat actors used extended term, flat and insidious attack and exfiltration methods that went virtually undetected via all defense-in-depth security solutions in place.

Think about that for a second. Banks are the most invested, mature, and aware institutions when it comes to stopping the bad guys. They put millions of dollars toward security infrastructure to guard against this type of loss (cash!).  But still, the hack and loss cycle continues. 
 
Hackers are getting really good at exploiting the most boring, repeatable, and accepted activities of normal employees behind the firewalls and advanced perimeter defenses they sit behind today. A simple phishing exploit is all it takes to break through the castle door or jump the moat. The holy grail of any breach is to get full access to an identity and its credentials to traverse the network, plant malware and call home.  
 
Why not just stop the phishing attacks by training end users not to click on email that seems out of band or odd. Don't click on attachments or links to subscribe, login or answer any questions on web-based forms. While training is a noble pursuit and necessary, the phishing attacks just have to be right one time. When a threat actor launches an attack that is planned to take months or years to carry out, all they have to do is spam and wait. One new employee, one new contractor, one new business associate. That’s all it takes to p0wn a target.  Keystroke loggers and botnet malware will do the rest. So what is the alternative to training and awareness?  
 
The first, most critical aspect of recognizing these destructive attack patterns is to build a baseline around users and the applications, data and machines (networks) they access on a regular basis. But that alone isn't enough. For example, if Betty was phished on her second day on the job, looking at all her activity over a year may be meaningless from an anomaly perspective. She's been hacked all along and nothing would look out of the ordinary. 
 
Instead, we can put Betty in a peer group to contrast her activity against others with her similar job function and role in the company. This way, peer group analytics can zero in on suspicious or outlier patterns that don't just rely on huge shifts in behavior (like massive downloads or unusual geo-location login activities). The low and slow activities of moving money around and using Betty's ID to go to unusual places it does not normally require to perform her job suddenly become threat indicators that are 'High' not 'Low' or 'Normal.'
 
The problem with the type of attack exposed in the Kaspersky report is that it blurs the line between cyber and insider threats. Hackers are focusing on and exploiting human factors as they know full well that most security tools aren't smart enough to put patterns of human behavior in context. That's why low and slow is so effective. 

One way to detect these attacks is using a concept called “self-audit.” Imagine if Betty routinely received a credit card-like statement of her activity. It could highlight anomalous behaviors and enable her to automatically alert the security team if she noticed any transactions not made by her. This and other techniques can help transform humans from being a weak link to weapons in the fight against threats.

We can’t keep doing the same thing over and over again and expecting different results. We know attackers are exploiting human factors to cover their tracks. Once an identity is compromised, you can be dead certain that odd or deviant behavior patterns will show up. The type of activity that is out of band, which a typical employee just would never attempt. So let’s gather security intelligence that monitors and measures users’ behavior to identify risky events very early in the kill chain. Ideally, in the reconnaissance phase.

Saryu Nayyar is CEO of Gurucul, a provider of identity-based threat deterrence technology. She is a recognized expert in information security, identity and access management, and security risk management. Prior to founding Gurucul, Saryu was a founding member of Vaau, an ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
SSERGIO123
50%
50%
SSERGIO123,
User Rank: Apprentice
3/6/2015 | 10:16:04 AM
Re: Weak link
But that´s exactly my point, it is NOT easy. It´s hard work. That´s why almost nobody does it.
xmarksthespot
100%
0%
xmarksthespot,
User Rank: Strategist
3/6/2015 | 9:00:33 AM
Re: Security culture
The article brings up important details about the basics of information security. 

Unpatched Microsoft Office was necessary for this ploy to work.  The attack highlights the importance of applying all security patches in a timely manner.  Most banks were not susceptible to the attack due to proper patching.

The Open Web Application Security Project (OWASP), non-profit organization focusing on improving software security, places Security Misconfiguration as number 5 in it's top ten list of security concerns.

Exploitability is specified as Easy, but detectability of misconfiguration is specified as Easy.  Prevalance is specified as Common but I would assume that the banking industry as a whole is well protected compared to all other industries.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
3/5/2015 | 11:51:40 PM
Re: Security culture
@Preeti: I had the pleasure to attend a cybersecurity conference some time ago where a representative from the Israeli consulate spoke, and he told the audience that in Israel, cybersecurity is indeed something that is focused on at an early age -- and that students are given the opportunity to focus their studies on cybersecurity as early as high school.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
3/5/2015 | 11:49:56 PM
Re: Weak link
@SSERGIO123: Good point.  But then, if it was easy, everyone would do it.  ;)
jefawcet
50%
50%
jefawcet,
User Rank: Apprentice
3/3/2015 | 6:44:12 PM
Reduce the attack surface by taking out the user (somewhat)
Even with the best end user training you are doing well to get 50% effectiveness.  Supplement the end user training with removing the chance that they user will click on the spam link with a secure email gateway.   Remove the chance that a user is going to a compromised site (poison well) using a secure web gateway, secure cloud gateway.   I find doing the above is quite effective.
PreetiS347
50%
50%
PreetiS347,
User Rank: Apprentice
3/3/2015 | 11:28:15 AM
Re: Security culture
 I believe the concept of security should start right from the elementary school. The kids in school use computers. They should be given security classes as well. This process in the long run will inculcate the security culture. Just like we teach our kids to be aware of strangers, not be over friendly with people you don't know well and to let your parents know of everything that's happening with you, We can teach them how to be safe in the cyberworld. What are the signs that you are being hacked, not to release your PII to random forms and surveys etc. All this will develop the approach of being alert and logging all important security rules in the back of your  mind just like a well developed IDS.

 For the corporate world, the periodic emails showing the unusual activity is a good option but I guess there should be a team that re-screens these emails and then give  the employees an alert when an action is required. Like it is mentioned that people from bank have so many emails in a day that it is quite possible for them to miss out on the important one from security. Training I guess has no substitute. The more you know , the more you do.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
3/3/2015 | 10:09:08 AM
Re: Security culture > self audit
I think a  self audit could work for me, if the emails/reports were concise and showed me my activity in a manner that was easy to scan and spot anomalies. I get a spam filter report every day. And while I don't religiously open it, I do read it often enough so that I can tag emails that are mistakenly quaranteened. 
SSERGIO123
50%
50%
SSERGIO123,
User Rank: Apprentice
3/3/2015 | 7:46:49 AM
Weak link
The weak link is the hacker´s command and control server. If we analize all outbound IPs, we will detect those which are not kosher and will be able to block them. Hard work? Yes. So?
Joe Stanganelli
100%
0%
Joe Stanganelli,
User Rank: Ninja
3/3/2015 | 5:40:15 AM
Security culture
This is the difference between security awareness in certain offices (the C-suite, the compliance/audit department, the general counsel's office, etc.) and security culture.  It comes down to convincing everyone, from the top down, that security is important.

Of course, in the particular example given, I'm not convinced a "self-audit" would be particularly helpful.  People in banking deal with thousands of emails a day; in numerous organizations they are even routinely encouraged -- if they do not take the initiative themselves -- to fudge the seeming "minutiae" a bit simply to satisfy the audit department because they feel they wouldn't ever get anything done otherwise.

So it's nice to have the policy in place...but you have to convince your staff that the policy is worth following.  That can often be easier said than done.
Register for Dark Reading Newsletters
Dark Reading Live EVENTS
INsecurity - For the Defenders of Enterprise Security
A Dark Reading Conference
While red team conferences focus primarily on new vulnerabilities and security researchers, INsecurity puts security execution, protection, and operations center stage. The primary speakers will be CISOs and leaders in security defense; the blue team will be the focus.
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Security Vulnerabilities: The Next Wave
Just when you thought it was safe, researchers have unveiled a new round of IT security flaws. Is your enterprise ready?
Flash Poll
[Strategic Security Report] Assessing Cybersecurity Risk
[Strategic Security Report] Assessing Cybersecurity Risk
As cyber attackers become more sophisticated and enterprise defenses become more complex, many enterprises are faced with a complicated question: what is the risk of an IT security breach? This report delivers insight on how today's enterprises evaluate the risks they face. This report also offers a look at security professionals' concerns about a wide variety of threats, including cloud security, mobile security, and the Internet of Things.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.