Lessons Learned: Awareness from a Security Researcher POV

 

This week we're excited to learn about awareness from a Security Researcher's point of view, from someone who is also a strong advocate for security awareness: Ohad Zaidenberg.
Ohad is Threat Intelligence Strategic Leader for Anheuser-Busch InBev as well as founder of the non-profit CTI League, the first Open Global Volunteer Emergency Response Center created to make a safer cyber space for hospitals, the medical sector, and life-saving organizations worldwide.

Influencer-based Operations

One interesting perspective Ohad brings from his research is his focus on "influencer-based operations". He looks at how cyber attacks affect not only the organization itself, but also moral motivations and interests, for example making political gain for profit, or even something seemingly 'harmless' such as memes. He looks for the connections between these types of 'influence' and the technological aspects.

 

Who's Keeping Us Safe?

It was observed that even in Israel, a country known as a leader in cybersecurity, attacks against the general populace are still successful. Why? In part, because the everyday citizen attributes the responsibility for protecting the country to the governing cyber authority or other security entities in Israel.

While individual residents (and employees) ascribe the role of 'security' to those in charge, as Ohad puts it, "we are in a different game now". It is a game where everyone is playing whether they want to or not, because society as a whole is interconnected across the digital and physical worlds. As such, it's critical to help the 'everyday digital citizen' understand that their actions don't just affect themselves but can very easily impact their business organization, their family, and their nation.

"People don't understand their role in protecting themselves and the organization. It's not only the organization as a legal entity that protects them and the employees won't be affected. We are in another game now."

"It's a game that focuses on influencing individuals. In many cases, it's the human factor that makes the attack successful. The organization can be very good in security (from a technology perspective) and build many walls to protect the organization. But we need only one [employee who unwittingly] allows the attacker into the organization - and in many cases that is all the attacker needs...people don't understand that a threat actor focuses on them as employees in order to get to the entire organization."

Pawns are such fascinating pieces, too ... So small, almost insignificant, and yet they can depose kings. Don't you find that interesting? — Lavie Tidhar

As an example, he related a relatively recent instance of an attacker using the handle "BlackHat" who stole a large amount of company data about its employees and business partners. The attacker used the employee data as leverage against the company: by publishing it publicly, the attacker urged the employees to pressure the business into paying the ransom.

It's typical to hear the reasoning "so what if my credit card gets compromised, I'll just get the money back". However, what we must communicate to these unsuspecting persons is that they are merely a stepping stone for an attacker towards a larger prize. While a seemingly 'insignificant' attack on an individual appears laughable to them, in many instances these attacks are strategic, working towards a bigger target; the individual is merely a pawn.

 

Making an Impact Without Tools

Ohad is a strong supporter of the impact awareness can have even without a budget for any snazzy security technology. Some of the important points to emphasize according to him include:

  • Why am I a target? 
  • How can I be targeted? 
  • How can I protect myself to defend against different attacks?

(To answer the first and second questions, Wizer has videos on exactly these subjects, short and sweet as always: Why Did We Hack You & Here's How I'll Hack You.)

From the reverse perspective, attackers can likewise make an impact with limited technology. In fact, some of the most successful attacks, and the most difficult to defend against, are social engineering attacks that simply trick the user into handing over their information. From a tech perspective, it's almost like an arms race: whenever an attacker develops 'bigger and better' tech, defenders create bigger and better tech to protect against it. All the while, simply getting one employee to click on or download something from a criminal bypasses all that fancy tech.

 

Sophisticated Job Scam In Action

2021 was the year of prolific job scams in a desperate time. While some fake profiles are so crude they're easy to spot (almost insultingly so), attackers have greatly evolved their tactics to appear as legitimate as possible. For prime targets, criminals will build out a decent profile and connect with all your LinkedIn connections before ever reaching out to you directly, in an attempt to build credibility. Some go even more in-depth, carrying out prolonged interview processes to further legitimize the ruse.

Ohad shared one particular attack that originated from North Korea. Posing as a recruiter for the multinational corporation Boeing, the attacker(s) reached out to individuals in specific positions, complete with a detailed job description, and pushed to continue the conversation off-platform via phone. From there, the scam ran over a period of 7-12 days per 'candidate'. This in-depth back and forth allowed the attackers to build trust while learning the pattern of the target's availability, making their attack more likely to succeed.

When it came time to send documents with more details about the job to the target, the attackers initiated the final stage of their attack. They sent a legitimate-looking document for download, but only one page of the multi-page document was viewable. This prompted the victim to contact the attacker to troubleshoot. At this point the malicious software was sent to 'aid' the victim in viewing the full document; in reality it was an executable file with malicious code.
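The last step of the lure above hinges on a file that claims to be a document or a 'viewer' but is really an executable. As an added example (not code from the interview, Wizer, or the CTI League), here is a small attachment screener of the kind a mail gateway or help-desk script can run before anyone double-clicks: it compares the file's declared extension with what its leading bytes say it is, and flags executables hiding behind document names or double extensions. The file names, byte strings and the `SAMPLES` table are constructed for illustration; the page does not say what the real lure file looked like.

```python
"""
Attachment screener: does the file's content match what its name claims?
Added example with constructed samples; none of the byte strings below is
a real binary, just the well-known leading bytes of each file format.
"""

# Leading-byte ("magic") signatures for a few common file types.
SIGNATURES = {
    b"MZ": "pe-executable",              # Windows .exe / .dll / .scr
    b"\x7fELF": "elf-executable",        # Linux executables
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip",                # also .docx / .xlsx / .pptx containers
    b"\xd0\xcf\x11\xe0": "ole-document", # legacy .doc / .xls
}

DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".txt"}
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".msi"}


def detect_type(data: bytes) -> str:
    """Classify content by its leading bytes; 'unknown' if nothing matches."""
    for magic, kind in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def declared_extensions(filename: str) -> list:
    """Every extension in the name, lowercased: 'report.pdf.exe' -> ['.pdf', '.exe']."""
    parts = filename.lower().split(".")
    return ["." + p for p in parts[1:]] if len(parts) > 1 else []


def screen_attachment(filename: str, data: bytes) -> dict:
    """Return a verdict dict with the reasons (if any) the file looks suspicious."""
    exts = declared_extensions(filename)
    final_ext = exts[-1] if exts else ""
    kind = detect_type(data)
    reasons = []
    # A 'document' whose bytes are an executable: the classic fake viewer/fix.
    if kind.endswith("executable") and final_ext in DOCUMENT_EXTENSIONS:
        reasons.append("executable content with document extension")
    # 'Job_Description.pdf.exe': a document-looking name in front of a real .exe.
    if final_ext in EXECUTABLE_EXTENSIONS and any(e in DOCUMENT_EXTENSIONS for e in exts[:-1]):
        reasons.append("double extension disguising an executable as a document")
    if final_ext in EXECUTABLE_EXTENSIONS:
        reasons.append("executable attachment")
    return {
        "filename": filename,
        "detected": kind,
        "declared": final_ext,
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


# Constructed sample 'attachments' (names and bytes invented for this example).
SAMPLES = {
    "Job_Description.pdf": b"%PDF-1.7\n%constructed sample, not a real document\n",
    "Document_Viewer_Fix.pdf": b"MZ\x90\x00\x03\x00\x00\x00constructed, not a real binary",
    "Full_Job_Description.pdf.exe": b"MZ\x90\x00constructed",
    "Offer_Letter.docx": b"PK\x03\x04constructed zip container",
}


def screen_all(samples: dict) -> list:
    """Screen every sample and return the list of verdicts."""
    return [screen_attachment(name, data) for name, data in samples.items()]


if __name__ == "__main__":
    for verdict in screen_all(SAMPLES):
        flag = "FLAG" if verdict["suspicious"] else "ok  "
        print(f"{flag} {verdict['filename']:30} {verdict['detected']:15} "
              f"{'; '.join(verdict['reasons'])}")
```

The check is deliberately simple: a name-versus-content mismatch is cheap to compute and catches exactly the "here is a fix so you can see the rest of the document" move, while a file whose extension and bytes agree still goes through normal scanning. It is a triage heuristic, not a replacement for the reporting channel and training the rest of the post argues for.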

Hear a dramatized account of a real-life scam via LinkedIn 

 

How to Defend Against These Attacks?

Zaidenberg is quick to point out that the individuals in an organization should not be punished for falling prey to an attack that affects the organization. Yet the business is responsible for ensuring employees are trained to identify common attacks and have regular awareness campaigns beyond generic emails and training no one pays attention to. 

Communicating business impact is an important factor in helping employees understand that attacks can affect a company's ability to make payments, send paychecks, or even keep operating for a period of time.

A good awareness program also includes clear communication of how employees should report any instance of an attack. Having a reporting channel is not effective if it's not promoted and encouraged.

 

CTI League

If we have the information, why don't we share it?

As COVID-19 ramped up back in 2020-21, Ohad noticed a rise in attacks against healthcare organizations, mainly hospitals. Understanding the limited resources healthcare typically has, he was motivated to step up and do something about it. As such he established the CTI League (Cyber Threat Intelligence), making it a collaborative effort of the global security community. Originally it was positioned to address the need during the peak of COVID; now they are working to shift the organization into a long-term support arm for the healthcare community, with a mission to:

  1. Reduce the level of threat by preventing cyber-attacks.
  2. Neutralize cyber threats looking to harm hospitals and public healthcare.
  3. Support law enforcement organizations in their fight against threats that endanger public safety.
  4. Create disinformation resilience for the healthcare sector.

CTI League has enjoyed strong support from institutions such as CISA and well-respected figures within cyber such as Christopher Krebs, and was recognized by SANS as the recipient of the 2020 Difference Maker Award.

 

Tips for NonProfits and Healthcare

  • "In a lot of cases, people think of cybersecurity as a whole strategy that you need to develop for years before you begin. Start somewhere. Expand your capabilities. Put more walls. Invest in cyber threat intelligence - just read blogs online. There are so many blogs out there and see threat actors...keep reading it and look at social engineering attacks...If you invest in learning the tactics, techniques, and procedures, you don't need to be technical."
  • Know what the cyber authority is in your country and utilize their resources: CISA for the United States; Israel has the Israel National Cyber Directorate.
  • For individuals who want to learn more, simply start researching 'social engineering campaign', educate yourself, and begin to see yourself as part of the 'game'. "Understand this is a real threat and anyone can be attacked. Then start to understand who can attack me and how can I protect myself from this."

"When you are more aware, you are more secure."

Connect with Ohad on LinkedIn and while you're there check out our Security Awareness Manager community.

 

Looking for awareness training that is short, relevant and engaging? Check out Wizer’s free security awareness video library.