Humans make the best attack vector
As a Managed IT Service provider looking at the state of affairs in multi-stage chained attacks we can say this: if you want to be an effective hacker, take a persuasive writing course.
That’s also the lesson of a report released last week by US-based Proofpoint, a leading Security-as-a-Service vendor. It shows that automated attacks that exploit zero-day flaws in operating systems and productivity software have declined dramatically in favour of attacks that target the weakest link in any network: the human.
The “new” attacks fall into three categories:
1. They get users to ignore safety warnings and execute dangerous code,
2. They get them to hand over credentials, or
3. They get them to transfer money directly to the attackers.
Each of those attack methods requires social engineering: the art of persuading someone that you deserve their trust and that they should act on your instructions.
Here are the high (or is that low?) points of the report:
The human is the most important link in the chain
99.7% of documents used in attachment-based malware campaigns relied on social engineering and macros rather than automated exploits. In other words, a human had to act on them for them to work, in some cases actively disabling security software on the attachment’s instructions.
That tells you that the ability of threat detection software and firewalls to detect and neutralise automated threats has increased to the point where it’s more effective to target a human than an application. It’s easier to trick a human into infecting themselves than it is to fool software.
Moving day is Tuesday
The most popular day of the week for attacks is Tuesday morning between 9 and 10am. The monitoring conducted by Proofpoint showed that attackers frequently launch campaigns that cascade across the globe to deliver payloads inside the same time window in different geographies.
Apps from trusted app stores aren’t necessarily trustworthy
More than 12,000 apps containing malware that could steal information, create backdoors and more were downloaded a total of more than 2 billion times for Android devices alone from authorised app stores in 2015.
There’s no such thing as a free cloned app
Around 2 in 5 large organisations that Proofpoint inspected had devices carrying malicious apps from DarkSideLoader marketplaces—that is, rogue app stores.
The most common “lure” used in these rogue stores was a free copy of a game or other app that users would normally pay for, like Minecraft. The brand of the game or other app was sufficient to get the user to bypass multiple security warnings and install the software, which was then able to deploy a malicious payload.
If you want to trick people, just act like the real thing
Accounts used to share files and images – like Google Drive, Adobe and Dropbox – are the most effective lures for identity theft.
Google Drive links were the most clicked credential-phishing lures. Phishing emails that use these brands are more likely to succeed at tricking the user into clicking, especially if the victim receives the message from someone in their contacts list. These brand lures are effective because the services are familiar, and the user is used to clicking and signing in to view shared content.
What can you do?
There are numerous ways to protect your company against the human element of malware.
The first is Education. If the user doesn’t click, most of the malware identified in this report can’t do anything. The users in your organisation need to be educated to be more suspicious of links and attachments than they have been in the past.
The second is Group Policy. Deploying good policy over what resources can be accessed by users, their computers, servers, etc. is key to controlling the potential spread of malware.
The third is Application Control. This means locking down the operating environment of your company to a “known good” state so that only authorised applications that have been tested with each other can run. Application Control severely limits the ability of malware to be installed or to run in the AppData space (we’re looking at you, Google Chrome).
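As an added illustration of that “known good” stance (our own example, not from the article or the Proofpoint report), here is a minimal AppLocker executable policy that allows the OS and installed programs and explicitly denies anything launched from a user’s AppData tree; it assumes a Windows client with the Application Identity service (AppIDSvc) running, and the rule IDs are generated on the fly.

```powershell
# Added example, not from the article or the Proofpoint report: a minimal
# AppLocker policy implementing the "known good" stance described above, with
# an explicit Deny on every user's AppData tree. Assumes a Windows client with
# the Application Identity service (AppIDSvc) running; rule IDs are generated here.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <!-- Known good: the OS and installed programs (%PROGRAMFILES% covers both Program Files trees) -->
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow Windows" Description=""
                  UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow Program Files" Description=""
                  UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <!-- BUILTIN\Administrators stay unrestricted so deployment tooling keeps working -->
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow administrators" Description=""
                  UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
    <!-- An explicit Deny wins over any Allow: nothing executes from a profile's AppData,
         which is where per-user installers (Chrome included) and dropped payloads land -->
    <FilePathRule Id="$([guid]::NewGuid())" Name="Deny AppData" Description=""
                  UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%OSDRIVE%\Users\*\AppData\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
$policyPath = Join-Path $env:TEMP 'appdata-lockdown.xml'
Set-Content -Path $policyPath -Value $policyXml

# Dry run: the same binary is allowed from %WINDIR% but denied once it sits in AppData,
# which is exactly how a "known good" path policy stops a user-installed payload.
$testCopy = Join-Path $env:LOCALAPPDATA 'notepad-applocker-test.exe'
Copy-Item "$env:WINDIR\notepad.exe" $testCopy
Test-AppLockerPolicy -XmlPolicy $policyPath -User Everyone `
    -Path "$env:WINDIR\notepad.exe", $testCopy |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
Remove-Item $testCopy

# Apply locally in audit mode first; review the Microsoft-Windows-AppLocker/EXE and DLL
# event log for false positives before switching EnforcementMode to "Enabled".
# Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
```

The dry run should report notepad.exe as Allowed by the Windows rule and its AppData copy as Denied by the AppData rule; a domain-wide rollout uses the same XML with Set-AppLockerPolicy’s -Ldap parameter pointing at the target GPO.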
There are other barriers that can be put into place as well. Just this week we attended a Cisco breakfast that described their Advanced Malware Protection solution where all their products work in sync to identify signature-less attacks that have never been seen before.
Of course, assuming those steps don’t work, you need a quality backup system. Many organisations have detailed backup processes, but surprisingly, only a small percentage of companies regularly test their backups in a scientific manner. This introduces extra, unnecessary risk. When was the last time you performed a complete backup test?
If you’d like to read the Proofpoint report for yourself (and we recommend you do as it is quite well-written and interesting) you can go here.