Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Incident Response

Triangulating Beyond the Hack: Stolen Records Just One Tool in a Comprehensive Kit

Technical Hacks to Compromise Sensitive Systems Are Just One Tool in a Much Larger Toolkit

In simpler times, cybersecurity was a fairly straightforward proposition. You had your firewall, your gateway. You monitored traffic and scanned for viruses. The bad guys weren’t even always that bad, per se. Sometimes they were just there for kicks.

Technical Hacks to Compromise Sensitive Systems Are Just One Tool in a Much Larger Toolkit

In simpler times, cybersecurity was a fairly straightforward proposition. You had your firewall, your gateway. You monitored traffic and scanned for viruses. The bad guys weren’t even always that bad, per se. Sometimes they were just there for kicks.

But these are not simpler times. In today’s world of sophisticated criminals, hacktivism, espionage and cyber warfare, threats can come from anywhere, and for a variety of more malevolent reasons than 10 or 15 years ago. 

One of the most pressing security challenges is the way “hacks” are evolving to include more than just an intrusion to an IT system. Yes, hacking into protected information is still a critical concern. And we’re seeing more efforts to triangulate information from separate hacks to increase its value, as well as an evolution of how stolen information is used. 

But there is also an increasing triangulation of methods that go far beyond compromising IT systems. They include much more sophisticated social engineering and phishing techniques brought about by the availability of rich data from the market-profiling capabilities of today’s social media platforms. They also include the use of stolen information not just for monetary gain, but to deceive and to advance a greater objective. They include actual “boots on the ground,” real actors behind spoofed accounts.  

The motivations for this range from simple theft to information warfare. Take the emerging picture we’re seeing of Russian influence on elections in the United States and elsewhere. There is a clear body of evidence that, despite the progress made by official U.S. investigations into the election meddling on the part of Internet Research Agency that occurred between 2014–2016 and beyond, the activity hasn’t stopped. In fact, it may have intensified. 

What’s interesting about this ongoing attack from a security standpoint is its sheer scale and comprehensiveness. Take a look at some of the tools and tactics involved, as described in the recent indictment of 13 Russian nationals involved in the scheme: 

• The group first conducted careful research into the influence of certain politically affiliated groups on social media platforms like Facebook, Twitter, Instagram and others. 

Advertisement. Scroll to continue reading.

• They obtained travel visas to enter the U.S. and, while here, set up an extensive operation with a monthly budget of more than $1 million, with dozens of employees working in shifts. 

• They developed hundreds of fake email accounts, social media accounts and group pages and managed to build a substantial following — reaching hundreds of thousands, if not millions, of Americans. They also kept deep metrics of the activity, reach and influence of these accounts, continually refining messages and tactics just like any good marketing agency would. 

• They bought social media advertising and used their accounts to drive interest in and attendance at rallies and protests. 

• They stole and used American citizens’ dates of birth and Social Security numbers to obtain driver’s licenses and other identification documents.

• Using those documents, they posed as Americans, not only to promote a political agenda, but also to obtain cloud server space and set up VPNs in the U.S. that were connected directly to the parent organization in St. Petersburg. This use of VPNs kept the direct involvement of the Russian parent organization hidden. 

Ultimately, these efforts were undertaken not to enrich the organization, but to sow mistrust and discord in American democracy — both in elections and in the institutions that support them, such as the free press and the independent judiciary. 

Perhaps most alarming is a theme that anyone in the cybersecurity industry will be familiar with: Despite identifying, outing and filing indictments against this particular group, the overall effort to disrupt the U.S. political process remains. In early August, Director of National Intelligence Dan Coats held a press briefing at the White House during which he pointed out a continued and “pervasive messaging campaign by Russia to try to weaken and divide the United States.” 

What does all of this mean for security pros? Well, as citizens we should take a page from the security trainings we give to users. Be skeptical. Be aware. Question things that are out of the ordinary. And whatever you do, don’t click on that. 

But as an industry, we need to understand that attack vectors are evolving in ways we never would have imagined a few years ago. Now almost any business, whether it’s a property management firm, a cloud provider or a social media platform, needs understand all of the potential ways their services could be used, even as malicious actors continually evolve their tactics. As entire industries go digital, there will be ramifications we haven’t anticipated, simply because we are navigating uncharted territory. 

It goes to show that the industry must diversify and expand its talent base beyond technical skills to include real industry, geopolitical and other expertise. Yes, technical hacks to gain entry into sensitive systems are still an important part of the equation, but today they are just one tool in a much larger toolkit. 

Written By

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...

Incident Response

Microsoft has rolled out a preview version of Security Copilot, a ChatGPT-powered tool to help organizations automate cybersecurity tasks.

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.

Application Security

GitHub this week announced the revocation of three certificates used for the GitHub Desktop and Atom applications.

Incident Response

Meta has developed a ten-phase cyber kill chain model that it believes will be more inclusive and more effective than the existing range of...

Cloud Security

VMware described the bug as an out-of-bounds write issue in its implementation of the DCE/RPC protocol. CVSS severity score of 9.8/10.