The Lessons From the MGM Breach
Ok, let's do a quick rundown of what we know so far:
But what does this mean?
Today I had a chat with a wonderful reporter who asked me why social engineering is so hard to fix. It is a good question, but the answer is not so good. We are dealing with humans. I will not be the one to say things like "the human is the biggest risk/flaw" or "the human is our weakness", but the challenge is that we can patch software and we can patch networks, while patching humans is not so easy and is never 100% foolproof.
From what I can gather from the reports, ALPHV found an employee on LinkedIn. They built a profile on that employee, what is called a d0x, and then called MGM posing as that employee to gain access to their account. Once they had that access, they were able to take over the network and plant the ransomware.
In that tiny paragraph there is a lot to unpack. So let's start.
OSINT IS THE LIFE BLOOD
I have said this for over 15 years: OSINT, or Open Source Intelligence, is the lifeblood of all social engineering. This case is no different. ALPHV did heavy OSINT on their target, ensuring that when security questions came up they could answer quickly and naturally.
I never want to give a malicious group kudos, but this is exactly what I would do, and it is the way a true attacker operates: not relying on gut instinct.
DO NOT UNDERESTIMATE VISHING
Personally, I think it is time we start taking vishing more seriously. Vishing is a huge threat, but one that is often overlooked. Phishing is all the rage (as the kids used to say), but now vishing has taken first place.
Yeah, I get it: phishing is still the largest vector due to its ease and ability to compromise, and that won't change anytime soon. But vishing is becoming so deadly that we are seeing the body counts rack up, and I feel like it is being ignored.
But the question is WHY....
Because there is no quick, easy fix. So we tend to look away and say "UNCLEAN... UNCLEAN" (if you get the Monty Python reference you are old like me). This is problematic though.
I will use a medical reference: when the Black Plague hit Europe in the 14th century, one of the cures they thought would work was to pluck the tail of a live chicken and fasten it to the open wounds of the infected. If the chicken died, they assumed it was pulling the infection out of the sick.
In modern science we would laugh at this, if it were not rude to laugh at millions of deaths. But sometimes when I read solutions from infosec folks for vishing, it is akin to strapping a plucked chicken to your wounds.
Vishing is the new "plague" and it is devastating to the tune of $1.2 billion USD per year.
Vishing is easy, cheap and low risk for the attacker, so we can expect to see it used more and more.
Ok But What Can I Do?
So this is the million dollar question, and seriously, I wish I had an answer you could take away and be safe. The reality is there is not ONE thing anyone can do to be 100% safe. So here are a few thoughts:
Here's The Final Reminder
It is easy when we see these breaches to jump on the bandwagon and tout what should'a, could'a, would'a been done. The reality is this is hard, it really is. We are getting attacked in ways that didn't exist in the 1940s.
We have to remember that just because you and I are in security doesn't mean everyone has heard about these attacks.
A modicum of patience, empathy and nonverbals goes a long way. Remember, phrases like "Humans are the weakest link" don't help you.
The bad guys share data, support each other and are not limited to a company - if we can follow the same method we can be more secure.
As far as I am concerned, we are going to see a lot more vishing attacks, and very soon. So let's start talking about how we can help fix the problem and give ourselves a leg up against these attacks.
Till next time, ask your questions and let's discuss.
Chris
Director of Technical Services at ClipTraining
1 year ago
Great write up, Chris. Very insightful!
Human Risk Analyst | Professional Visher | OSINT Investigator at Social-Engineer LLC
1 year ago
Great information! No matter the industry, we're all susceptible to these attacks. It's important to never let our guard down or underestimate just how effective a vishing call can be. A lapse in judgement by even one employee can put an entire organization at risk. Reminders like these help keep us all vigilant!
Fights the bad guys with math and programming
1 year ago
Do you have any resources on best practices for optimizing human + tech security performance? Eric Horvitz has done some excellent work on optimizing the performance of human+AI teams in the medical space.
Another great analysis, Chris - thank you. I agree completely about having a mixture of technical and human strategies to build security defences (and accepting that neither will always work). I am a big fan of 'nudging' behaviour to try and make good security hygiene easier for people - with the ultimate goal of turning good practice into habits, and so also making it easier for people to avoid the panicked 'emotional decision making' that often leads to trouble. And you are right - we need to stop the finger pointing, encourage reporting, demonstrate professionalism and humanity, and treat people with more respect. Keep up the excellent work!
VP, Cybersecurity Compliance; QTE, CMMC CCA and Provisional Instructor; Insider Threat Vulnerability Assessor and Program Manager
1 year ago
Excellent breakdown, Chris. "The bad guys share data, support each other and are not limited to a company - if we can follow the same method we can be more secure" indeed! When I see you at the Innocent Lives Foundation gala, I'm going to get the info on your social engineering boot camp!