One of your employees is sitting quietly on the porch of a summer rental over Memorial Day weekend when the annoyingly familiar bloop of a text message interrupts the quiet.
"So sorry to disrupt your well-deserved weekend, but we just became aware of an issue that could significantly delay processing your pay," reads the text message from the head of the HR department. "To address this, log into the new HR portal using the following link utilizing your credentials."
The problem is, the head of HR didn't send this. Your employee is being lured by a "smishing" — SMS phishing — message, which is an attempt to access the organization's most sensitive information via a malicious link sent through a text message.
This is just one example of "human hacking," said Peter Warmka, a former CIA operative of more than 20 years and founder of the Counterintelligence Institute, at Mandiant's Cyber Defense Summit 2021 last week. Attackers are targeting employees using personal information to get them to do things that could result in a security incident.
While Warmka has retired from his job, which involved "downright manipulation of people to facilitate the security breach," he told attendees, he was angry about how his former tools of trade have been used in multiple recent breaches. Warmka broke down how threat actors rely on soft targets, such as the organization’s own employees or third-party partners, to help infiltrate hard targets — organizations with systems containing valuable customer or employee data and proprietary information that may have better defenses.
Who Is an Insider?
Different attack groups have varying motivations for their activities. Criminal enterprises use the information for resale or financial gain. Intelligence agencies and competitors may be after proprietary data. Activist groups could be seeking embarrassing information to support their causes. Lone wolves may simply be seeking an interesting challenge.
Depending on the threat actor's objectives, everyone is in danger of being targeted as an insider, said Warmka, author of the book "Confessions of a CIA Spy: The Art of Human Hacking,"
Insiders have specific information that's sensitive, and attackers target them because they are often easier to manipulate. An insider could refer to anyone on the organizational chart — from the CEO at the top all the way down to an assistant or intern — or anyone working with the organization, such as a contractor servicing the copy machines or an employee at an accounting firm. If the attackers are interested in a hard target — a Fortune 500 company — they often go after the vendors that list that company as a client.
"[Threat actors] collect as much information as they can so that they can maximize success and minimize failure or compromise," Warmka said.
The Web: A Cornucopia of Compromising Information
Information gleaned from the gold mine that is the Internet can be dangerous. From job review sites like Glassdoor, potential hackers are able to get detailed information on the mindset of soft targets. Employees who feel like they're overworked, underpaid, and underappreciated are potential insider targets.
Sometimes the company is the one revealing specific details that can be used against it. For instance, a job posting for an IT person can detail all of the systems and databases that a company uses that can be targeted for infiltration. A press release can show how an organization is growing and changing and name potential targets and their job titles or even hobbies and interests.
Simply typing in the name of the company along the phrases "employee manual" and "PDF" in a search engine can turn up a lot of pertinent information, Warmka said. Employee manuals can reveal benefit packages, rules, and other confidential information.
Organizations should take note of what kind of company information — even if it seems completely benign — is accessible by outsiders and move it to a location limited only to employees, such as an intranet site.
Social Media Is Another Gold Mine
Social media has a bit of everything: work history, certifications, volunteer work, political leanings, relationship statuses, and favorite books and movies. Photographs can be used to ascertain socioeconomic status.
Warmka said human hackers use this valuable information to develop a personality assessment profile on targets "to identify both the motivations as well as vulnerabilities" of individuals, like education, family, and career.
"Even though we don't want to admit it, we all have vulnerabilities," Warmka said. "We all have motivations and vulnerabilities, and these change over the course of our lives."
The dark sides of our lives can be taken advantage of, such as our addictions and vices, he said, adding that ego, hate, and revenge are the most accessible human emotions to manipulate.
"Everybody is a unique human being," he said. "And if we understand what buttons we can push, this is what a human hacker is going to leverage."
Verify, Then Trust
Social engineering tactics can be used in combination with implied trust to deceive workers into thinking their payroll information is compromised without questioning it. Warmka said humans are susceptible to human hacking because we believe in developing trust.
"Trust is not a bad thing," he said. "Trust is what binds individuals together into functioning societies by something in the written word or something that's spoken. Blind trust is what can really be fatal. This is the trust that the human hacker is going to utilize. They're going to exploit that trust for the grand deception."
Organizations can’t tell employees what they can or cannot post on their personal social media profiles, but they can show employees how the information they share publicly can be used against them. Helping employees use privacy controls and restricted settings is good for their personal safety and can help the organization, as well. Security training should also include what kind of work details should not be posted online in order to minimize the amount of information available for the attackers to mine.
The best way to combat these deceptions that can lead to security breaches — besides controlling the information that's released to the public on websites and social media — is to train employees to verify information before trusting it. Training has to be bigger than short compliance videos and three-question quizzes. Employees must see the value in how keeping information secure is more than just an annual chore to keep their jobs.
"The approach needs to be that [employees] understand that if they are the target, they could be at risk personally," Warmka said. Their personal and financial security is at stake as well as the security of their family members.
"They need to be considering that protecting themselves will automatically carry over to the organization as well," he added.