Author: Reginald Wilkerson II

Categories
Social Engineering

Unmasking the Manipulators: Identifying and Avoiding Social Engineering Tactics

Social engineering, a technique involving manipulation to gain confidential information, has seen a significant rise in recent years. As of Q3 2023, it emerged as a preferred method of “human hacking” by threat actors. This escalation, covering various tactics like phishing, smishing (SMS phishing), voice phishing (vishing), along with others, highlights the urgent need for robust mitigation strategies. 

Some Recent Trends in Social Engineering Attacks include:

Malicious QR Codes:

What are Malicious QR Codes?

  • A cyberattack where an initially innocent QR code leads to a harmful website or even downloads malware onto your device. Threat actors tend to post these heinous QR codes in various places such as public advertisements, emails, and even physical objects such as public transportation benches, etc.

How do you mitigate against them?

  • Be Paranoid: Avoid scanning QR codes from unknown sources.
  • Verify the URL: If possible, hover over the QR code with your scanner without clicking the link. Once you see the URL, manually type in that URL using a tool like urlscan in your browser to ensure its legitimacy. 
  • Keep Software Updated: Always keep your device’s operating system and security software up to date to assist in protecting against the latest threats posed towards said software.
  • Enable MFA: Utilizing multi-factor authentication will add additional layers of security to your online accounts making it less attractive for threat actors to obtain your information.
    • Monitoring your MFA logs and performing quarterly simulated phishing campaigns are some best practices to utilize in your environment.
    • As a SecurIT360 SOC MDR client, we can add this particular log source type in our SIEM solution to best accommodate your environment’s real-time monitoring.

Deepfake Recordings:

What are Deepfake Recordings?

  • As the hype of Artificial Intelligence continues to rise, Threat Actors are rapidly finding ways to manipulate this technology for malicious gain as well. Deepfake recordings are artificially generated audio or video files that convincingly mimic the voice or video recordings of a specific person saying or doing things that they never actually have. This technological advancement has made it increasingly difficult to distinguish real from fake.
  • Deepfakes are generated from collecting large datasets from the targeted individual. The audio data is then fed into a machine learning model to train it into recognizing the speech patterns along with other vocal characteristics of the target.
  • As a Security professional, you can see the dangers of deep fakes and how a Threat Actor can utilize them to social engineer their way into breaching a company’s data.

How do you mitigate against them?

  • User Education: Staying up to date on the latest TTPs (Tactics, Techniques, and Procedures) especially as technology is forever changing will assist in keeping your data safe. As we all know, Companies are only as strong as their weakest link. Keeping your company’s employees educated can be the difference between a Data Breach and Data Security.
  • Stay Vigilant & Verify Sources:  Be skeptical of audio messages that seem out of character for the speaker. “When in doubt, shout it out” meaning if you get an unexpected message from someone always verify it came from the source before acting on the message.
  • Critical Analysis of Media: Pay attention to the context of the video or image. Often, deepfakes are used in implausible scenarios.
  • Use Technology to your advantage: There are plenty of deepfake detection tools available that one can use to assist in distinguishing manipulated content. Additionally, regularly updating your cybersecurity software can defend against malware that could be used to produce deepfakes.
  • Legal and Policy Awareness: Stay informed about deepfake regulations in your jurisdiction. Support laws and policies aimed at preventing the misuse of deepfake technology.
  • Use of Code Words: Create a unique, private code phrase with your family and close contacts. This phrase should be used as a verification method during unexpected calls to prevent falling victim to scams. 

Typesquatting:

What is Typosquatting?

  • A cybercrime where attackers register domain names that are very similar to legitimate websites (often with just a single letter or character difference).
    • Example: “Gooogle.com” instead of “Google.com”
  • The goal is to deceive users who make typos when entering a website address. The fake website is often designed for credential phishing, where the user connects to the fake website and then inputs their username and password.

How do you mitigate against it?

  • Utilize URL registration tools: As mentioned earlier in this article, tools such as URLVOID.com or urlscan.io can be used to verify if a URL was recently registered (a clear indicator of malicious activity). See the reference list at the bottom of this post for links to the suggested tools.
  • Double-check URLs: Always verify the website address before entering sensitive information. A tool you can use to verify the legitimacy of a URL is ANY RUN Sandbox. This a tool where you can type in the suspect URL into a virtual environment and see where it leads to without risking harm to your physical device.
  • Use Bookmarks: Save your frequently visited websites as bookmarks or favorites to avoid typing the incorrect URL.
  • Educate Yourself and Your Organization: Stay informed about the latest cyber threats and how to properly protect yourself. Perform regular phishing simulations in your environment to ensure your users are always prepared.
    • As a company, your best line of defense is your employees. Making sure they are aware of the latest TTPs will make your defense strategies unquestionably better.
    • The SecurIT360 SOC Team can assist with this through our KnowBe4 managed services. Through this service, we can set up Phishing Simulations along with Awareness Training.

Targeted Industries: Professional services, particularly legal firms, manufacturing, and construction, have been prime targets of these type of attacks. These sectors often face Business Email Compromise (BEC) and Ransomware threats that all stem from Social Engineering. 

Notable Attack Groups: Groups like LOCKBIT, BLACKCAT, and newer entities like CACTUS and RHYSIDA have been active recently. RHYSIDA has been known to target the healthcare sector specifically. 

The continuous evolution of social engineering tactics demands a multi-faceted approach to security. By combining policy enforcement, employee education, technological safeguards, and robust response plans, organizations can significantly reduce the risk and impact of these types of attacks. As these threats become more sophisticated, staying vigilant and proactive instead of reactive is the key to safeguarding valuable data and resources. 

Tools Referenced:

Categories
General Cyber and IT Security

Decoding Digital Dangers: Common Cybersecurity Threats Explained – Part 2

Security should be a lifestyle and not just a “To-Do” list. As a Cybersecurity Professional myself, I cannot preach enough about the importance of Layered Security. No matter how big or small your environment, remember that even David took down a GIANT with a slingshot and pebble. Threats in our industry are diverse and dangerous. Staying ahead of the curve is no walk in the park and that is why a series of this magnitude is important for proactive reasoning.

In the first installment, we briefly covered threats such as Phishing (BEC Attacks), Malware Attacks, and Insider Threats. In this second installment, we will dive into Ransomware Attacks, Distributed Denial of Service attacks, and Zero-Day Exploits.

4. Ransomware Attacks:

Ransomware involves the encryption of a victim’s data by an attacker, who then demands a ransom in exchange for the decryption key. The impact of ransomware attacks ranges from financial loss to severe disruption of operations. This form of attack is huge in critical sectors such as healthcare, finance, and government.

Motions to Mitigate:

Mitigation against Ransomware attacks can consist of:

· Endpoint Security: Install and regularly update endpoint security software to detect and prevent malicious software from running on a user’s device.

o Some popular Endpoint Detection and Response solutions include Microsoft Defender for Endpoint, VMware’s Carbon Black, and CrowdStrike Falcon Platform.

o If Endpoint Security is something your company is interested in implementing, SecurIT360 would love to assist you on this journey through our SOC services.

· User Behavior Analytics: Using user behavior analytics tools to identify deviations from normal user behavior can help detect compromised accounts more efficiently.

o This can be achieved through SecurIT360’s 24/7/365 security operations center, which provides real-time monitoring through utilization of MDR and EDR solutions.

· Disable Unnecessary Services: Disabling or restricting services and features that are not essential for business operations can prevent Ransomware from exploiting these services.

· Network Segmentation: Segmenting your network to isolate critical systems and data from the rest of the network can help contain the spreading of ransomware.

· Backup and Disaster Recovery: Regularly backing up critical data and systems to offline or secure locations is another helpful tip. Ensuring backups are not accessible from the network and testing data recovery procedures can go a long way when ensuring you can restore your systems in case of an attack.

· Patch and Update Software: Keeping operating systems, software, and applications up to date with the latest security patches will combat and address vulnerabilities that ransomware may exploit.

5. Denial of Service (DoS) and Distributed Denial of Service (DDoS) Attacks:

DoS and DDoS attacks aim to make a network, service, or system unavailable to its intended users. This type of attack is aimed to hinder the “A”, availability, within the CIA (Confidentiality, Integrity, and Availability) triad. This is achieved by overwhelming the target with a flood of internet traffic that the target was not built to withstand. In a DDoS attack, the attacker uses multiple compromised computers (Botnets) as sources of traffic, making these attacks particularly challenging to mitigate.

Motions to Mitigate:

A few ways to mitigate this are by implementing Distributed Traffic Filtering, Content Delivery Networks, and Geographic Blocking in your environment. Other forms of DOS/DDOS mitigation consist of:

· IP Reputation Lists: Utilize IP reputation lists and databases to block known malicious IP addresses and networks. This should be updated quarterly due to the frequency of IPs switching hands or ISPs (Internet Service Providers).

o We know that this can become quite a task but our Security Operations Center can help relieve this pressure through our managed firewall services.

· Network and Server Redundancy: Build redundancy into your network and server infrastructure to ensure that a failure in one component does not result in a complete service outage.

· Intrusion Prevention Systems (IPS)/Intrusion Detection Systems (IDS): Deploy IPS solutions to detect and block malicious traffic and behavior at the network level.

o The SecurIT360 SOC Team can assist with detecting malicious activity through our MDR solutions and blocking known malicious with some of our other managed services (EDR, Managed Firewalls, etc).

· Black Hole Routing (BGP Sink holing): Configure your network to use black hole routing to discard malicious traffic. BGP sink-holing can redirect DDoS traffic to a “black hole” where it is discarded.

6. Zero-Day Exploits:

A zero-day exploit targets a software vulnerability that is unknown to the software’s developer. The term “zero-day” refers to the fact that the developer has zero days to fix the vulnerability once it becomes known. This method is one of the most dangerous to defend which is why organizations need to have a more proactive approach rather than reactive when regarding this subject.

Motions to Mitigate:

· Advanced Threat Detection Solutions: Deploy advanced threat detection solutions that can identify zero-day attacks based on abnormal behavior and anomaly detection.

· Application Security Testing: Conduct regular security assessments, including penetration testing, to identify and address potential weaknesses in your applications and systems.

o If a Pentest is something your organization is interested in having conducted, contact SecurIT360’s Offsec Department to set up an engagement.

· Behavior-Based Analysis: Employ behavior-based analysis tools that can detect unusual or malicious behavior on endpoints and networks. Zero-day exploits often exhibit abnormal patterns.

o This can fall under the umbrella of EDR services. Detecting User/Behavior-Based Analytics to determine your environment’s baseline behaviors in comparison to anomalies is something SecurIT360’s SOC works with daily.

· Threat Intelligence Sharing: Participate in threat intelligence sharing communities and organizations to stay informed about the latest threats, including zero-day vulnerabilities.

· Sandboxing: Use sandboxing techniques to run potentially risky or untrusted code in an isolated environment, preventing it from affecting the rest of the system.

· Vulnerability Management: Proactively discover and mitigate weaknesses in your systems before attackers can exploit them. This includes software, hardware, and even human behaviors.

o SecurIT360’s ISSO department specializes in internal scan assessments.

o SecurIT360’s Security Operations Center services include External Scan Assessments monthly or per request.

As you can see, there are many threats in our industry and the need for persistent protection is constant. My goal for this second installment was to provide easily digestible information on some common threats Cybersecurity Professionals like myself witness on a day to day.

If you have enjoyed this second installment of the Decoding Digital Dangers: Common Cybersecurity Threats Explained series, be sure to go back and check out Part 1 as well.

Additionally, If your company needs expert cyber security and IT services for ongoing risk management and operational excellence, such as SOC services, please contact us here at SecurIT360 to be of assistance: Contact – SecurIT360.

Categories
General Cyber and IT Security

Decoding Digital Dangers: Common Cybersecurity Threats Explained – Part 1

Have you heard the phrase “Don’t bring a knife to a gunfight”? Well, this phrase holds the same truth within the realms of modern cybersecurity. There are a wide range of dangers in our industry and one must know what they are, to properly prepare for the battle against these. The sheer volume of these risks alone should emphasize how critical it is to comprehend them while also developing mitigation solutions.

One might ask, well what are a few common threats that we as cybersecurity professionals should look out for in this constantly changing digital environment? This series was created to highlight just that. In this first installment, we will cover Phishing (BEC Attacks), Malware Attacks, and Insider Threats.

  1. Phishing Attacks:

Phishing attacks are the most common form of cybersecurity threats. This is where an attacker masquerades as a legitimate entity to “reel” victims into revealing sensitive data such as usernames, passwords, and credit card information. Phishing attacks often take the form of emails, website pop-ups, or text messages. Which stresses the importance of always verifying that you are communicating with whom the entity states they are.

Once a successful Phishing Attack has occurred this can lead to a Business Email Compromise or BEC for short. As Cybersecurity professionals we must empower ourselves against BECs. Implementing the following recommended strategies can assist in strengthening your cybersecurity posture:

Motions to Mitigate:

A few ways to stay proactive against Phishing attempts are:

  • User Education and Training: Provide regular cybersecurity training and awareness programs to educate users about the risks of phishing.
    • The SecurIT360 SOC Team can assist with this through our KnowBe4 managed services. Through this service, we can set up Phishing Simulations along with Awareness Training.
  • Email Filtering and Authentication: Implement email filtering solutions to block or flag potential phishing emails before they reach users. Configure email authentication protocols like DMARC (Domain-based Message Authentication, Reporting, and Conformance) to verify the authenticity of incoming emails.
  • Multi-Factor Authentication (MFA): Enforce MFA for email and other critical accounts. Even if a phishing attack results in stolen credentials, MFA can provide an additional layer of security.
    • SIEM and MDR services can even help to identify and respond to suspicious MFA activity. These services can collect and analyze logs from a variety of sources, including MFA devices, applications, and servers. This data can be used to identify patterns of behavior that may indicate an attack, such as MFA Bombing, logins sourced from known malicious IPs, and logins originating from non-approved countries.
    •  As a SecurIT360 SOC MDR client, we can add this particular log source type in our SIEM solution to best accommodate your environment’s real-time monitoring.
  • Phishing Simulations: Conduct phishing simulations and tests within your organization to assess user awareness and response. Use the results to tailor training and awareness efforts.

Additional helpful articles for improving awareness of BEC attacks/Phishing:

  1. Malware Attacks: 

Malware, short for malicious software, refers to any software designed to damage or disrupt a computer system. Types of malware include viruses, worms, Trojans, spyware, and adware. Malware attacks typically involve the installation of this malicious software onto a victim’s device without their knowledge, leading to data loss or theft. Another way Malware can be downloaded unknowingly is by clicking unfamiliar links such as from a Phishing email. This illustrates how some of these attacks can be combined to get what the Threat Actor is after.

Motions to Mitigate:

Malware can be a pest but implementing the following can assist in reducing the appearance in your environment:

  • Application Whitelisting: Implement application whitelisting, which allows only authorized and known applications to run on endpoints. This can prevent unapproved applications, including malware, from executing.
  • Network Monitoring and Alerting: Implementing network monitoring tools to detect unusual network traffic and behaviors that may indicate a malware infection can be helpful.
    • The SecurIT360 SOC Team can assist with this through our 24/7/365 operations of real-time monitoring and utilization of MDR and EDR solutions.
      • Through our EDR services, we can detect User Behavior Analytics to assist with determining baseline behaviors in comparison to anomalies.
  1. Insider Threats: 

Insider threats involve cybersecurity threats that originate from within an organization. These can be intentional – for instance, a disgruntled employee causing harm – or unintentional, such as an employee unknowingly clicking on a phishing link or accidentally uploading sensitive login credentials of your company’s own infrastructure on a site like GitHub (In reference to: https://www.vice.com/en/article/m7gb43/microsoft-employees-exposed-login-credentials-azure-github

Motions to Mitigate:

  • Least Privilege Access: Limit user and system access to only the resources and data required for their tasks. This principle minimizes the potential impact of a ransomware infection.
    • A great way to test your current Access Controls is by performing a Pentest. It is recommended to get a Penetration Test done once to twice a year at a minimum. If a Pentest is something your organization is interested in having conducted, contact SecurIT360’s Offsec Department to set up an engagement.
  • Data Loss Prevention (DLP): Use DLP solutions to monitor and prevent the unauthorized transfer or leakage of sensitive data. This can help prevent both accidental and intentional data breaches.
  • Secure Offboarding: Ensure that when employees leave the organization, their access is immediately revoked. This includes disabling accounts, collecting company-owned devices, and updating access control lists.
  • Data Access Auditing: Implement auditing and logging for data access to track who accessed sensitive data and when.
  • Secure Mobile Device Management (MDM): Manage and secure mobile devices that employees use for work, including the ability to remotely wipe devices in case of loss or theft.

All mitigation strategies require a comprehensive approach that includes a combination of technology, user education, and proactive security measures. By implementing these practices, your organization can significantly reduce its vulnerabilities and minimize potential damage.

One takeaway is the mantra of the “12 P’s”:

“Positive Proper Preparation Prevents Piss Poor Performance; Piss Poor Performance Promotes Pain” and we don’t want your organization to experience the pain of improper preparation.

Understanding the common cybersecurity threats listed in this first installment is the initial step toward strengthening your cybersecurity defenses. Your organization’s defenses should mimic that of an Onion. An onion has many layers to it and your defense should follow this same blueprint. We recommend investing in regular staff training and maintaining a culture of cybersecurity awareness to protect against these threats along with utilizing robust cybersecurity solutions. For instance, utilizing a Cybersecurity Framework could be essential to your business long term.

To get more information on implementing the best Cybersecurity Framework for your environment, check out: The Building Blocks of Cyber Defense: Why Your Business Needs a Cybersecurity Framework – SecurIT360

If your company needs expert cyber security and IT services for ongoing risk management and operational excellence, such as SOC services, please contact us here at SecurIT360 to be of assistance: Contact – SecurIT360.

Additionally, be sure to be on the lookout for the second installment of this Decoding Digital Dangers: Common Cybersecurity Threats Explained series releasing in the coming weeks.