Impersonating Your Cybersecurity Provider: Think Twice Before Phoning Your Locksmith
Every organization assembles and deploys technology to protect its assets, whether those assets are physical or virtual. But even the best-designed security fabric is subject to an end-run where an attack occurs outside expected parameters. If a criminal is trying to break into your house full of secrets, one which is protected by a top-grade proprietary lock, that adversary may find it is easier instead to break into your locksmith’s house and steal a master key.
Attacks involving your trusted partners or third parties, where you and your business are the ultimate targets, are a time-tested approach by criminals and nation-states alike. And while there is no shortage of technology that can help protect your infrastructure, there is almost always a way to short-circuit your thoughtfully curated collection of technical controls…which brings us to several attack techniques documented in the news recently.
A close cousin of the classic business email compromise (BEC), the vendor impersonation attack, is making the rounds, and what’s new is that the brands and reputations of cybersecurity vendors are being leveraged as part of these attacks, where the ultimate goal is to deposit malware into your production environment. An urgent email purportedly sent from a security vendor drives victims to make a phone call to initiate “an audit on your workstation.” A billing notice from a security subscription service entices victims to phone in to cancel the (non-existent, exorbitantly priced) subscription. A spoofed email leads to a spoofed website built to resemble that of a security vendor. And in support of all this lucrative criminal activity, is it any surprise that Impersonation-as-a-service (IMPaaS) is a thing today?
Adversaries always chase the low-hanging fruit, the path of least resistance. They want to achieve their goals following the easiest, and/or fastest method possible. One way they can and will do this is by taking advantage of poor visibility into your own internal processes and internal environment. And from the adversary’s perspective, exploiting those poorly defined processes by including carefully crafted content that appears to be part of an existing email thread, combined with a “you need to do this NOW!” urgency, puts even more pressure on the employee-victim. Especially when that employee is trying to be a good corporate citizen and wants to help resolve the situation.
A target’s lack of visibility into the defensive business processes within their organization is almost always a contributing factor to successful attacks. Think about your organization and the information security awareness training you provide to your employees. What exactly should an employee do if an outside vendor directly contacts them? Does the employee’s response change if that unexpected contact is via email, phone, in-person, or some other method? Are there specific steps the employee should take to verify the identity of that external contact before taking any action, or sharing any information?
This type of business process visibility is important. Without it, any technology you have deployed does not stand a chance. But make no mistake, “visibility” is definitely also part of this conversation as a technical construct – and in the context of defending your organization, the umbrella of technologies known as extended detection and response (XDR) is the best way to achieve that comprehensive visibility.
Too many organizations today believe they have sufficient visibility into their environments with their SIEM (security information and event management), decades-old technology designed primarily to collect and aggregate logs. But SIEM by itself is not the answer. It is only one of several lenses you should have at the ready to protect your organization. Aggregating logs, network traffic, endpoint information, and even data sourced from the Internet of Things (IoT) is foundational as part of today’s XDR.
But those data planes or data ingestion methods can be super-charged by marrying up that data with threat intelligence (TI), the fuel that drives the engine of the SOC (security operations center). TI can be both externally sourced and internally sourced. Internal TI is sometimes known as business intelligence, or business context, and it provides essential color to make all the data your XDR solution is collecting even more powerful and actionable. Fully integrating all TI sources, external and internal, directly with the automated workflows leveraged by your incident responders is a key marker of success of any SOC. The ability to effectively manage TI is a critical component to any XDR solution.
So, how can XDR help with an impersonation attack? Done right, XDR can tell you there are probable embedded phishing links within your inbound email, pointing out instances where a hyperlink’s displayed target URL does not match the actual target URL in the link. Leveraging threat intelligence, XDR can show you that a phone number referenced in that email is a known-bad number associated with a criminal or nation-state campaign, and automatically generate an alert. XDR can show you which of your users clicked those links, as well as the corresponding devices which may now be compromised. XDR can help you determine if any witnessed user behavior is expected as part of the normal baseline of your environment, or if that behavior is truly anomalous and worthy of a closer look. And XDR can guide your SOC team members, who are on the front lines responding to the incident, through defined and automated workflows and runbooks designed to compress the time needed to identify and remediate threats.
Let’s close out where we started: the adversary, their target, and their target’s “locksmith” or security vendor. Whether or not your locksmith was attacked in an effort to reach your organization becomes less relevant, when it is so much easier for that adversary to create an email that simply looks like it’s coming from the partner you trust most to protect you: your security vendor.
The best way to combat this scenario is through visibility: visibility into your existing business processes plus visibility into what is happening right now on your network, within your infrastructure, on your endpoints equal to the central tenets of today’s XDR.
Gloss