It’s no big secret the majority of security incidents companies grapple with are a result of human error. Maybe a user opens the wrong email attachment. Or maybe they visit the wrong website or plug in the wrong USB drive. People are people. They’re going to make mistakes. Cyber criminals know this and actively prey on user error as the path of least resistance inside any network they’re targeting.
In the first post in this two-part series, I offered recommendations to make users more aware of the threats they’re most likely to be exposed to, ways to increase their awareness and lower their risk. In this post, I’d like to cover why awareness alone isn’t enough.
The idea that educated users should be able to identify all attempts to fool them makes the flawed assumption that all attacks have clear tells that they can pick up on. That line of thinking tragically underestimates the creativity and complexity of today’s advanced attacks. Not only are there numerous ways of tricking the most paranoid users into opening malicious attachments or clicking on links, there are also ways of infecting them that require no clicking or interaction at all.
Counterfeit emails and websites have gotten far more personal and convincing
Gone are the days when the only malicious emails in a user’s inbox were poorly constructed spam messages, in marginal English, from fake Nigerian princes. Today’s most advanced phishing attacks leverage information from social media accounts, company websites, and previously compromised inboxes. As a result, well-crafted phishing emails appear to come from a contact you know and may even include a file attachment shared between the two of you sometime in the recent past. In the attack, however, this version of the attachment will result in infection and an additional compromised account to exploit. (For a specific example, read this blog post from Wordfence.)
Getting locked out of critical files and systems is increasingly likely following a successful phishing attack, but as prominent as ransomware has become, there are other types of infections that are equally damaging but far more stealthy.
With ransomware, a user typically knows within minutes that they’ve been infected, because suddenly they have a fullscreen ransom demand or an inoperative system. Other attacks are intended to be more insidious, like banking trojan infections, which can go unnoticed until a victim’s financial accounts have been drained dry.
In those scenarios, the malicious code waits silently on a user’s machine until he or she visits a banking website, at which point one of two credential-stealing attacks unfolds:
1. The trojan redirects the user to a realistic counterfeit version of the banking website to capture their credentials. At the same time, the trojan automatically enters the credentials into the intended, legitimate, website, triggering any SMS or other two-factor authentication code that it also captures via the fake website.
2. The trojan injects malicious code directly into the legitimate banking website as it loads, adding additional fields to existing forms or creating new pop-ups specifically designed to mimic the bank’s design and brand.
In either of these scenarios, it is a mistake to assume the user can recognize something isn’t right. Who could? Users need help from tools that can identify the presence of banking trojans and other malware on their systems, and benefit most from blocking their installation in the first place.
The latest wave of ransomware attacks has not relied on users at all
While phishing and other attacks that rely on tricking users still pose a significant risk, some of the most prominent and widespread recent infection scenarios haven’t involved users at all. Take the WannaCry and NotPetya outbreaks, for example. Following initial infections, both exploited vulnerable, unpatched remote systems to spread the infection, while NotPetya also abused otherwise legitimate system tools like PsExec and WMIC to move laterally across compromised networks.
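The abuse of PsExec and WMIC described above is also a detection opportunity for defenders: one administrator pushing a command to one server is routine, but one source host fanning out remote executions to many machines is the worm-like pattern of that spread. The following is an added example, not code from the original post, that runs such a fan-out check over constructed process-creation events; the event field names and hostnames are assumptions.

```python
import re
from collections import defaultdict

# Constructed process-creation events (not real telemetry). The field names are an
# assumption; in practice they would come from Sysmon Event ID 1 or Windows 4688 records.
EVENTS = [
    {"host": "WS-042", "user": "CORP\\alice", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": r'wmic /node:"FS-01" process call create "C:\Windows\Temp\upd.exe"'},
    {"host": "WS-042", "user": "CORP\\alice", "image": r"C:\Tools\PsExec.exe",
     "cmdline": r'PsExec.exe \\WS-017 -accepteula cmd.exe /c C:\Windows\Temp\upd.exe'},
    {"host": "WS-042", "user": "CORP\\alice", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": r'wmic /node:DC-01 process call create "C:\Windows\Temp\upd.exe"'},
    {"host": "ADMIN-01", "user": "CORP\\itops", "image": r"C:\Tools\PsExec.exe",
     "cmdline": r'PsExec.exe \\FS-01 ipconfig /all'},   # routine one-off admin use
    {"host": "WS-101", "user": "CORP\\bob", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": r'wmic os get caption'},                 # local WMIC query, no remote target
]

# WMIC addresses a remote host with /node:<host>; PsExec with \\<host>.
WMIC_NODE = re.compile(r'/node:\s*"?([^"\s]+)', re.IGNORECASE)
PSEXEC_TARGET = re.compile(r'\\\\([^\s\\]+)')

def remote_target(event):
    """Return the remote host a WMIC/PsExec command is aimed at, or None if it is local."""
    image = event["image"].lower().rsplit("\\", 1)[-1]
    if image == "wmic.exe":
        m = WMIC_NODE.search(event["cmdline"])
    elif image.startswith("psexec"):
        m = PSEXEC_TARGET.search(event["cmdline"])
    else:
        return None
    return m.group(1).upper() if m else None

def detect_lateral_movement(events, fanout=2):
    """Group remote executions by (source host, user) and return only the sources that
    reached at least `fanout` distinct hosts, with the sorted list of those hosts."""
    targets = defaultdict(set)
    for ev in events:
        t = remote_target(ev)
        if t:
            targets[(ev["host"], ev["user"])].add(t)
    return {k: sorted(v) for k, v in targets.items() if len(v) >= fanout}

if __name__ == "__main__":
    for (src, user), hosts in detect_lateral_movement(EVENTS).items():
        print(f"ALERT {src} ({user}) ran remote commands on {len(hosts)} hosts: {', '.join(hosts)}")
```

Against the constructed events, only WS-042 is flagged; the single PsExec use from ADMIN-01 stays below the fan-out threshold and the local WMIC query is ignored entirely.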
These are complex developments in attack vectors, and simply blaming the user for providing an easy access point isn’t credible anymore. Knowing that raising user awareness of security issues and training them to identify and report attempted attacks is one crucial brick in the wall of security, companies also need to dedicate themselves to protecting users and eliminating the blind spots caused by unpatched systems and a lack of strong endpoint protection.