Post-mortem reviews of data breaches show that many of today's cyber-attacks begin with a phishing campaign. The recent Twitter hack, in which hijacked accounts promoted a CryptoForHealth scam, is only one of several examples. This is not surprising, since the simplest way for a threat actor to reach sensitive data is to compromise the identity and credentials of an end user. Things get even worse when the compromised identity belongs to a privileged user with much wider access, which hands the attacker "the keys to the kingdom". Paying careful attention to attackers' existing tactics, techniques and procedures (TTPs) improves an enterprise's ability to adopt effective defensive strategies, but companies also need to stay attuned to emerging TTPs. Vishing, a modern take on an old telephone scam, is a prominent example.
Security professionals are by now painfully aware of phishing, which uses social engineering tactics to request personal information from unsuspecting users. Threat actors typically craft phishing emails to look as though they were sent by a reputable organisation or a recognised person. These emails try to entice users to click a link that takes them to a legitimate-looking but fraudulent website, where the user may be asked to provide personal information such as account usernames and passwords, exposing them to further compromise. These fraudulent websites can also host malicious code.
Threat actors have adapted their TTPs to exploit the widespread use of smartphones and now also deliver their attacks through SMS or direct phone calls. The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) released a joint security advisory on 20 August 2020, warning of a growing wave of vishing attacks targeting the US private sector.
Vishing is a form of criminal phone fraud that combines custom phishing sites with one-on-one phone calls. The threat actor's aim is to convince the victim either to reveal their credentials over the phone or to enter them manually into a website set up by the adversary that impersonates the login gateway of the company's corporate email or virtual private network (VPN).
According to the advisory, the increased use of this TTP is driven by the COVID-19 pandemic, which caused a mass shift to working from home, greater reliance on corporate VPNs, and the loss of in-person verification.
How to defend against vishing
IT security practitioners can take the following practical steps to protect their organisations:
• Security awareness training: Integrate vishing and other emerging TTPs into the overall security awareness training programme. This is a good reminder that training material needs to be updated periodically to account for changes in TTPs. In addition, supplement the training with phishing exercises to gauge how susceptible employees are and to correct their behaviour.
• Restrict VPN connections: Restrict VPN access to devices that can prove what they are, using mechanisms such as hardware checks or installed client certificates, so that user input alone (a username, password or one-time code) is not sufficient to connect. Where practical, limit VPN access hours to reduce the window for access outside permitted times.
• Employ domain monitoring: Track the registration of new domains that imitate the company's brand names, and changes to existing ones, so that look-alike sites can be detected, blocked and taken down before they are used in a campaign.
• Harden the use of MFA: If it is not already enforced, introduce multi-factor authentication (MFA), which combines verification methods from different categories (something you know, something you have and something you are) and is one of the most effective ways to prevent unauthorised users from accessing confidential data and moving laterally within the network. If MFA is already in place, harden it by deploying authenticators that meet NIST SP 800-63-3 Authenticator Assurance Level 3 (AAL3). These hardware-based devices (e.g., YubiKey, Titan Security Key) are a reliable deterrent. Note that one-time codes delivered by SMS, generated by an app or approved by push notification do not meet AAL3 and offer little protection against vishing, because the caller can simply ask the victim for the code, or talk them into approving the prompt, and use it immediately; AAL3 authenticators bind the login to the genuine site, so an assertion captured through a look-alike page is useless to the attacker.
• Apply least privilege: Configure access controls, including permissions for file, directory and network shares, with least privilege in mind. If a user only needs to read specific files, they should not have write access to those files, directories or shares. Over the past two years, Gartner has listed Privileged Access Management as one of the top 10 information security initiatives, because it is an area where organisations can get the greatest return on their security investments.
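As an added illustration of the domain-monitoring step (example code written for this page, not a tool from the advisory or from any vendor), the following Python script classifies a feed of newly observed domains against a company brand. The brand name `examplecorp`, the owned-domain set, the lure-word list and the homoglyph table are all assumptions made for the example, and the sample feed is constructed rather than real registration data.

```python
import re

# Hypothetical brand and the domains the company actually owns (assumed for this example).
BRAND = "examplecorp"
OWNED_DOMAINS = {"examplecorp.com"}

# Words that vishing lures typically pair with a brand so the site looks like IT or
# helpdesk infrastructure. This list is an assumption of the example, not from the advisory.
LURE_WORDS = {"support", "help", "helpdesk", "ticket", "vpn", "sso", "login",
              "portal", "employee", "account", "it", "hr"}

# Character sequences that look alike in common fonts and get swapped in
# homoglyph squats (partial list, also an assumption of the example).
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l"),
              ("3", "e"), ("5", "s"), ("7", "t")]


def fold_homoglyphs(label):
    """Collapse look-alike sequences so 'exarnplec0rp' folds to 'examplecorp'."""
    for src, dst in HOMOGLYPHS:
        label = label.replace(src, dst)
    return label


def levenshtein(a, b):
    """Plain edit distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain):
    """Second-level label, e.g. 'examplecorp-vpn' for 'sso.examplecorp-vpn.com'.
    Deliberately naive: production code should consult the public-suffix list
    so that '.co.uk' style suffixes are handled correctly."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def is_owned(domain):
    d = domain.lower().strip(".")
    return any(d == o or d.endswith("." + o) for o in OWNED_DOMAINS)


def classify(domain, brand=BRAND):
    """Return a reason string if the domain looks like a brand impersonation, else None."""
    if is_owned(domain):
        return None
    label = registrable_label(domain)
    folded = fold_homoglyphs(label)
    tokens = [t for t in re.split(r"[-_]", folded) if t]
    if label == brand:
        return "brand name on a TLD we do not own"
    if folded == brand:
        return "homoglyph look-alike"
    if brand in tokens and any(t in LURE_WORDS for t in tokens):
        return "brand combined with a lure word"
    if levenshtein(folded, brand) <= 2:
        return "typosquat (edit distance <= 2)"
    if brand in folded:
        return "brand embedded in label"
    return None


def monitor_feed(new_domains):
    """Run classify() over a feed of newly observed domains (CT logs, zone-file diffs,
    registrar alerts) and return {domain: reason} for the ones worth acting on."""
    hits = {}
    for d in new_domains:
        reason = classify(d)
        if reason:
            hits[d] = reason
    return hits


# Constructed sample feed standing in for one day's new registrations (not real data).
SAMPLE_FEED = [
    "examplecorp.com",              # our own, ignored
    "vpn.examplecorp.com",          # our own, ignored
    "examplecorp-support.com",
    "support-examplecorp.net",
    "sso.examplecorp-helpdesk.com",
    "exarnplecorp.com",
    "examplec0rp-login.com",
    "examplecrop.com",
    "examplecorp.net",
    "myexamplecorpbenefits.com",
    "weather-forecast.org",
]

if __name__ == "__main__":
    for domain, reason in monitor_feed(SAMPLE_FEED).items():
        print(f"{domain:32} {reason}")
```

In practice the feed would come from Certificate Transparency logs, zone-file diffs or a registrar alerting service, and every hit should trigger both a takedown request and a block on the web proxy and mail gateway, since the vishing caller will only read the look-alike URL to the victim once the site is live. The heuristics are tuned for recall rather than precision; a short brand name would need a tighter edit-distance threshold than the one used here.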
Phishing campaigns are the precursor to credential-based attacks, which are the leading cause of today's data breaches. Organisations will improve their cyber resilience by aligning their defensive strategy with the TTPs of threat actors. However, as the rise of vishing demonstrates, organisations must remain alert and adapt their strategies as their adversaries' TTPs shift.
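To make concrete why the phone-relay attack described in the advisory defeats one-time codes but not the AAL3 authenticators recommended above, here is an added Python model (not code from the advisory or from any vendor) of the two verification paths at a VPN gateway. The TOTP part follows RFC 6238 with the standard library; the WebAuthn part reproduces the relying-party checks on ceremony type, challenge, origin, RP ID hash and signed data, but substitutes an HMAC with a per-credential key for the authenticator's asymmetric signature so that it runs without third-party packages. The names `vpn.example.com`, the look-alike `vpn-example-support.com`, and the secret and key values are assumptions of the example.

```python
import hashlib
import hmac
import json
import struct

# --- One-time codes (TOTP, RFC 6238) -------------------------------------------

def totp(secret, unix_time, step=30, digits=6):
    """TOTP code for the given time. RFC 6238 vector: secret b'12345678901234567890',
    time 59, 8 digits -> '94287082'."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def server_verify_totp(secret, code, unix_time):
    """The gateway accepts the current or previous 30 s window. Nothing here records
    where the user obtained or typed the code, so a code read out over the phone is
    as good as one typed into the real portal."""
    return any(hmac.compare_digest(totp(secret, unix_time - 30 * d), code) for d in (0, 1))


def vishing_relay_totp(secret, unix_time):
    """Model of the attack: the caller asks the victim for the code on their phone
    and types it into the real VPN gateway within the same window."""
    code_read_out_by_victim = totp(secret, unix_time)
    return server_verify_totp(secret, code_read_out_by_victim, unix_time)


# --- Origin-bound authenticator (WebAuthn/FIDO2-style assertion) ----------------
# The assertion signature covers authenticatorData (which starts with a hash of the
# RP ID the browser derived from the page's own domain) and a hash of clientDataJSON
# (which the browser fills with the page's real origin). An HMAC keyed with a
# per-credential key stands in for the authenticator's asymmetric signature here.

RP_ID = "vpn.example.com"                        # assumed relying party
RP_ORIGIN = "https://vpn.example.com"
PHISH_ORIGIN = "https://vpn-example-support.com"  # assumed look-alike site


def authenticator_assert(cred_key, page_origin, challenge):
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}, sort_keys=True).encode()
    rp_id = page_origin.split("://", 1)[1]  # browser derives RP ID from the page, not the attacker
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + b"\x00\x00\x00\x01"
    signature = hmac.new(cred_key, auth_data + hashlib.sha256(client_data).digest(),
                         hashlib.sha256).digest()
    return client_data, auth_data, signature


def server_verify_assertion(cred_key, challenge, client_data, auth_data, signature):
    """Subset of the relying-party verification steps, in the order they run."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != challenge:
        return False, "challenge mismatch"
    if cd.get("origin") != RP_ORIGIN:
        return False, "origin mismatch: " + str(cd.get("origin"))
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    expected = hmac.new(cred_key, auth_data + hashlib.sha256(client_data).digest(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"
    return True, "ok"


def vishing_relay_webauthn(cred_key, challenge):
    """Same attack against an origin-bound authenticator: the look-alike site relays the
    real challenge to the victim, collects the assertion and replays it to the gateway."""
    return server_verify_assertion(cred_key, challenge,
                                   *authenticator_assert(cred_key, PHISH_ORIGIN, challenge))


def tampered_relay_webauthn(cred_key, challenge):
    """If the attacker rewrites the origin and RP ID hash to the real values, the
    signature, which covers both, no longer verifies."""
    client_data, auth_data, sig = authenticator_assert(cred_key, PHISH_ORIGIN, challenge)
    forged_cd = client_data.replace(PHISH_ORIGIN.encode(), RP_ORIGIN.encode())
    forged_ad = hashlib.sha256(RP_ID.encode()).digest() + auth_data[32:]
    return server_verify_assertion(cred_key, challenge, forged_cd, forged_ad, sig)


if __name__ == "__main__":
    secret, key, now = b"12345678901234567890", b"per-credential-key", 1_600_000_000
    print("TOTP relayed over the phone accepted:", vishing_relay_totp(secret, now))
    print("Genuine WebAuthn login:", server_verify_assertion(key, "c1", *authenticator_assert(key, RP_ORIGIN, "c1")))
    print("Relayed WebAuthn assertion:", vishing_relay_webauthn(key, "c1"))
    print("Relayed and tampered assertion:", tampered_relay_webauthn(key, "c1"))
```

The relayed one-time code is accepted because the gateway has no way of knowing where the user obtained it, which is exactly the gap a phone call exploits. The relayed assertion fails the origin check before the signature is even examined, and rewriting the origin and RP ID hash breaks the signature instead. In a real browser the attack fails even earlier, since a credential registered for `vpn.example.com` cannot be exercised from a page on another domain.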