It seems every aspect of our lives is available to be found somewhere on the internet. And the information available isn’t simply embarrassing browsing histories but ranges from our medical histories to the logon credentials we use to access many of our online services. This is certainly a privacy concern, but it’s also increasingly an enterprise cybersecurity hazard. The more information adversaries have about us, the more effectively they can target their attacks.
Consider the news that broke earlier this year regarding 2.2 billion unique usernames and passwords that came to light. These usernames and passwords emerged from the dark web and are being shared more openly throughout online hacker groups. As Wired’s Andy Green accurately put it, the credential troves threw “out the private data of a significant fraction of humanity like last year’s phone book.”
We can be confident that all of these emails and passwords have already been used to a great extent – both en masse against websites to try to break into online accounts and as part of spear-phishing attacks. Many accounts were probably accessed – users do tend to reuse so many passwords and usernames. Also, by industry estimates, phishing attacks are how the vast majority of cyberattacks are initiated.
It’s good news that there’s no new immediate risk from these massive credential dumps – except to those who haven’t checked or changed their passwords – but plenty remains to be concerned about. It’s a near certainty that these emails will be used for targeted attacks. And the dangerous fact remains that attackers can learn just about anything they want about anyone they want online. And now with everyone’s email essentially a matter of public record, we will likely see a lot more spear phishing in the year ahead.
Social engineers find new data, tools to attack
Unfortunately, attackers will use the vast amount of information at their disposal to improve the social-engineering aspects of their spear-phishing attacks, making them even more creative and effective.
Consider how photographs are increasingly becoming weaponized. Attackers are using manipulated photos to attempt to steal bitcoin from cryptocurrency exchanges. Researchers are getting better at fooling facial recognition, whether by using a number of photos to create a photograph that can defeat the device or by using photos to create a mask that is the likeness of their target to fool smartphone facial recognition.
Now consider deep fake videos. Not too long ago, these videos were very kludgy – so kludgy one could be spotted nearly instantly. But they are no longer so obviously fakes. Given the right skills, software and quantity of video and audio material to work with, the end result can be very good. When one considers the average pace of technological improvement, we can only imagine how difficult it will be to detect deep fakes in a year or two. It’ll become relatively trivial to fake video statements from employees, executives, the CEO – virtually anyone. Think of the potential attacks on people that could consist of believable photographs and video, along with convincing faked and forged documents. The truth may prevail (eventually), but what about immediate impact on stocks, or reputations tarnished or destroyed by the initial, fake information that was disseminated? Attacks like this won’t just affect politics; they will also hit business and community leaders.
When considering the vast amount of data that we know has been breached, it’s reasonable to expect that such attacks, along with traditional phishing and spear-phishing attacks, will continue to become more effective. According to the Privacy Rights Clearing House, which has tracked data breaches since 2005, there have been 9,071 data breaches that have collectively exposed 11.5 billion records since they began tracking. That’s financial records, health records, government and criminal records, educational records and more. In fact, there’s so much data available on the dark web that it’s possible for reasonably motivated and funded adversaries to build accurate models of our interests and how we interact with the world. That kind of data is certainly helpful in any social engineering attack.
Bracing for the inevitable
The thing is, so much data about us is available that it is bound to be used as part of phishing, spear-phishing and other targeted attacks. Increasingly, attackers are going to be able to leverage highly accurate and personal information to trick employees, contractors and even executives into clicking on a file or link that places their organization at risk. That’s why enterprises need to be prepared with powerful incident response and investigation technologies as well as employee awareness training.
Phishing and social engineering attacks are no longer just about adversaries having an email address and searching LinkedIn for a current position and work history. They are increasingly about uncovering all of the information about us that has made its way to the dark web and the broader internet. And when one considers all of the information about nearly everyone that is so widely available, it really is just a matter of imagination when it comes to how adversaries can and will use this data to socially engineer and attack enterprises and their staff.
What does this mean for enterprise security and the ability to defend against spear phishing? Straightforward, specific advice would help enterprises better protect themselves against these types of emerging attack techniques, but that information is not yet available. The best advice for now is to make sure good security practices are in place and everyone within the organization – from PR and crisis communication teams, to legal and HR, to security and incident response – who could be called upon by way of such attacks is made aware of the growing possibility.
Of course, good security practices include having the right security defenses in place – from security awareness, antimalware through good backup and recovery through incident-response capabilities. If we’ve learned one thing from the past that will certainly inform the future, it’s that despite all of the best efforts from IT and security teams, some of these attacks will succeed, and adversaries are going to come at enterprises with these new tools and data sets. You have to be ready for it.
(About Rob Juncker, senior vice president of research and development and operations at Code42. His background is in security, cloud, mobile and IT management. Before joining Code42, Juncker was vice president of research and development at Ivanti, a leader in the security and IT management space.)
(Enjoy additional insights from Threatpost’s InfoSec Insider community by visiting past contributions.)