CyberSecurity through the eyes of a hacker
Hackers are targeting what companies value most: their intellectual property, their customer data, and their reputation. Attacks are growing more sophisticated and more damaging. What these attacks reveal is that current cyber-security efforts are not keeping pace, and fixing this will require security officers, IT teams and company boards to act together.
Companies need to address this issue, but with a new approach. They can do that by looking at themselves through the eyes of their attackers. In the military this is called turning the map around. The point is to see the situation as an attacker would, in order to anticipate the likely attacks and prepare a contingency plan for them.
Changes in enterprise IT over the past decade mean that every company is now a technology company. By the end of the decade, there will be 50 billion devices connected to the Internet, complicating networks and generating petabytes of data. To add to that, the cloud revolution has finally dissolved perimeters – companies enjoying the benefits of infrastructure as a service must depend upon the security of networks and systems beyond their direct control. (https://hbr.org/2015/03/see-your-company-through-the-eyes-of-a-hacker)
As mobility, the Internet of Things, and the cloud change enterprises, adversaries are also becoming more sophisticated. States and state-sponsored entities spy on and attack private companies, often using military-grade tactics and capabilities. They do this within a system where offense enjoys a structural advantage over defense because attribution is difficult, deterrence is uncertain, and attackers need to succeed only once, but defenders must succeed always. (https://hbr.org/2015/03/see-your-company-through-the-eyes-of-a-hacker)
Just like any real attacker, Red-Teamers invest significant time and energy into learning the target's daily routine, so that a phishing message blends naturally into the target's working day. Attackers also prefer employees who are two to five months into the job: such a person is still in the awkward transition phase, not yet fully settled into the corporate process, and therefore finds it harder to tell what is normal from what is suspicious. This increases the attacker's chance of success substantially.
Social media is another easy reconnaissance source on the way into an employee's computer. With just a few mouse clicks, attackers can find out almost anything about a person: their dog's name, their last vacation spot, and even details about their work life such as their title and how long they have been with a given company. Harvesting this publicly available information is the critical first step in any successful phishing campaign. (http://www.informationsecuritybuzz.com/articles/getting-know-phishing-story-eyes-hacker/)
Based on information gained from a former employee of the target company, attackers can deduce which application is used to verify official documents, which gives them valuable insight into the company's specific procedures. To generate convincing emails, all the attackers need to do is copy the general layout and workflow of a genuine email using View Source. The next step is to pick the right individual to use as the "sender." Someone in upper management, human resources or accounting usually does the trick. Better yet, they sometimes craft a friendly email from the CEO directly, welcoming the target to the company, with an attached document containing "information" about his or her vision and how to be successful in the company. (https://www.reliaquest.com/?utm_source=hackingblog&utm_medium=blog&utm_campaign=phishingstory)
If attackers do not want the trouble of spoofing the sender address, they can simply buy a domain that closely resembles the real one. For example, if the company owns a domain like "Company XYZ", the attackers register "Company XYZManagement". The lookalike domain can slip past the spam filter because it is newly registered and has no bad reputation yet. Looking closer at the structure of malicious emails, there are usually two main "hooks": a malicious link or a malicious file attachment. The link typically sends the user to a fake login page that harvests credentials. If an attachment is used instead, the malicious file has to be tailored so that it fits the target's daily workflow. (http://www.informationsecuritybuzz.com/articles/getting-know-phishing-story-eyes-hacker/)
Now that the target details have been established, it is time to bait the hook. Most companies use Word documents every day, so what better way to obtain a foothold in an organization than a Word document carrying a malicious link or embedded content? Once the user clicks through the prompt asking to enable that embedded content, the unsuspecting victim's computer opens a reverse connection back to the attacker, who now has full control of it.
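The two hooks described above, a lookalike sender domain and a macro-carrying Office attachment, are both things a mail gateway or SOC analyst can check for mechanically. The following is an added example, not code from the original article or from either cited source. It assumes a hypothetical trusted domain (companyxyz.com), builds a constructed OOXML-style attachment in memory so it runs offline, and uses a naive second-level-label comparison that does not understand multi-part public suffixes such as .co.uk.

```python
import io
import zipfile

# Constructed for this example: the organisation's own mail domain(s).
TRUSTED_DOMAINS = {"companyxyz.com"}

# OOXML stores VBA code in these members; their presence means "macro-enabled".
MACRO_MARKERS = ("word/vbaproject.bin", "xl/vbaproject.bin", "ppt/vbaproject.bin")


def levenshtein(a, b):
    """Edit distance, used to catch typo-squats such as c0mpanyxyz."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain):
    """Naive second-level label ("companyxyz" for companyxyz.com).

    Assumption: single-label public suffix; multi-part suffixes (.co.uk) are
    not handled and would need a public-suffix list.
    """
    parts = domain.lower().strip().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def is_lookalike_domain(sender_domain, trusted_domains, max_distance=2):
    """True when the sender domain imitates, but is not, a trusted domain."""
    sender_domain = sender_domain.lower()
    trusted_lower = {d.lower() for d in trusted_domains}
    if sender_domain in trusted_lower:
        return False
    if any(sender_domain.endswith("." + d) for d in trusted_lower):
        return False  # a genuine subdomain, e.g. mail.companyxyz.com
    label = registrable_label(sender_domain)
    for trusted in trusted_lower:
        tlabel = registrable_label(trusted)
        # "companyxyzmanagement" embeds the real label with extra words appended.
        # Length guard avoids flagging everything for very short brand names.
        if label != tlabel and len(tlabel) >= 4 and tlabel in label:
            return True
        # Same label under another TLD, or a one/two-character typo-squat.
        if levenshtein(label, tlabel) <= max_distance:
            return True
    return False


def attachment_has_macros(blob):
    """True if an OOXML (.docm/.xlsm/.pptm) attachment carries a VBA project."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            names = {n.lower() for n in zf.namelist()}
    except zipfile.BadZipFile:
        return False  # not OOXML; legacy OLE .doc files need a different check
    return any(marker in names for marker in MACRO_MARKERS)


def build_sample_docx(with_macro):
    """Construct a minimal OOXML-shaped zip for the demo (not a valid Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00constructed vba container\x00")
    return buf.getvalue()


def triage_message(sender, attachments, trusted_domains=TRUSTED_DOMAINS):
    """Return findings for one message; attachments is {filename: bytes}."""
    findings = []
    domain = sender.rsplit("@", 1)[-1]
    if is_lookalike_domain(domain, trusted_domains):
        findings.append(f"lookalike sender domain: {domain}")
    for name, blob in attachments.items():
        if attachment_has_macros(blob):
            findings.append(f"macro-enabled attachment: {name}")
    return findings


if __name__ == "__main__":
    # Constructed "welcome from the CEO" message matching the scenario above.
    sender = "ceo@companyxyzmanagement.com"
    attachments = {"welcome.docm": build_sample_docx(with_macro=True)}
    for finding in triage_message(sender, attachments):
        print(finding)
```

The domain check deliberately treats a genuine subdomain of a trusted domain as clean and everything that merely resembles the trusted label as suspicious; tune max_distance and the length guard to the organisation's own domain names, since a short brand name produces many false positives with the containment test. The macro check only inspects the zip member list, so it is cheap enough to run on every inbound attachment, but it says nothing about what the macro does.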
See how easy it was?
The combined forces of executives, software developers, security teams, and investors all turning the map around can equip us to defend against these adversaries.