Way, way back when I was in college I majored in government and international relations. It was a cool time to study that space – the early and mid 80’s were the peak of the cold war – and through my studies and the people I subsequently came to know I learned a decent amount about “tradecraft”. Tradecraft is the means and methods employed by intelligence personnel to do their jobs, such as getting their hands on valuable information. Much of the basics what we call tradecraft hasn’t changed in hundreds of years. So as I sit here today, thirty years after college, I guess I shouldn’t be surprised to see the same tradecraft being adopted to cyberspies and cybercriminals.
This week, iSight Partners released a ThreatScape Intelligence Report titled Newscaster: An Iranian Threat Within Social Networks. This report dug into a “network of fake personas…sending social engineering content to senior military and government officials and the private sector in the US and Israel.” As I read the report I was struck by how many methods employed by the attackers mirrored the tradecraft employed by intelligence services. But also, it was readily apparent how much of the threat could have been mitigated with a little awareness training and a healthy sense of skepticism.
- Personas - The investigators uncovered more than a dozen fake personas being used to create connections with the attackers targets via social media platforms like Facebook, LinkedIn and Twitter. Many of these personas were extremely well developed and their social media activity included active endorsements and social networking connections. To the average person receiving a Facebook friend request or a LinkedIn request from one of these personas, a quick glance at their profiles and their activity would lead you to believe that they were legit.
- Media surrogates – This really harkens back to intelligence tradecraft: using journalism as a cover. Many of the personas established by the attackers claimed to work for NewsOnAir.org (what is now known to be a fictitious news website) – or were somehow related to its founding family. The attackers even went so far as to establish the NewsOnAir.org website and populate it with content from other media sites, crediting their own staff as the authors. But in this case it’s authors were not real people. They were the ficticious personas.
For years many have understood the risks from social media, but this activity really puts those risks into perspective. By establishing fake, yet highly developed, personas who are associated with what appear to be a legitimate media website, the attackers are more easily able to gain access to their targets social networks and thereby increase the effectiveness of their social engineering efforts. If you think about it, it’s one thing to have someone pick up the phone and try to social engineer a password out of you, it’s another thing if someone, with whom you have been connected on social media for several years, uses the collective information they have been able to get from you to get around your, or your organizations, defenses. This is an advanced degree of dedication and sophistication.
This type of “low & slow” attack is nothing new. If you’ve ever heard of APT (advanced persistent threat – I’d be shocked if you haven’t) you know exactly what I mean. But the thoroughness with which there efforts were undertaken is something quite different. It goes right to the weak underbelly of security: the user. Give someone a good story and they inherently want to believe it to be true. It’s basic psychology and everyone is susceptible to it in one way or another. The attackers build a level of trust with their targets and, over time, collect information from those targets while building familiarity and trust. They then use that information to socially engineer the targets to unknowingly give up their login credentials to, not only innocuous sites like Google or Yahoo, but also sensitive accounts. It’s an old methodology but it can work really well.
You have to ask, why aren’t people more skeptical when they get a friend request or a LinkedIn connection request from someone they don’t know? (Now don’t go getting too skeptical on me as I may some day try to connect with you even though we may not personally know each other.) Again, it’s because they are inherently trustful. That seems fine, but what we really need to counteract these types of cybercrimes is employees, customers, partners, etc. with a healthy degree of paranoia and skepticism. People who are aware of the risks and who will ask questions.
If nothing else this should be yet another rallying cry in support of security awareness training. Through our own research at CSO we know that only 59% of businesses have any sort of security awareness training for their employees. This is something I have been personally harping on for years: awareness training is the biggest bang for your security buck – if you’re not doing it today, you damn well should be doing it tomorrow. At CSO we even launched a security awareness newsletter called SecuritySmart several years ago to help businesses in that regard. But for many organizations, it remains an afterthought.
It’s important for us all to realize the risk here. Every business – every business – has information that they should be protecting. Unfortunately there are also people out there that would like to steal that information. The risk is not new and your competitors, and maybe even some intelligence services, would love to get their hands on those secrets. The question is: will businesses learn from reports like this and learn from the past - or will they continue to think they aren't the targets? Remember the George Santayana quote: “Those who cannot remember the past are condemned to repeat it”, because in security this is a maxim that holds true for the ages.