Phishing: The 'sophisticated' Snare
15 March 2017
Recent reporting on the Russian hacking group APT 28 (Advanced Persistent Threat 28) – also known in cyber security circles by a range of other names including “Sofacy,” “Strontium,” and “Fancy Bear” – highlights the fact that while the group’s technical expertise is “top level”, the thing that distinguishes their work from other attackers is their use of intelligence.
Drawing on human and open source intelligence, as well as their knowledge of human behaviour, the group has been able to execute highly successful cyber-attacks by focusing on social-engineering attack vectors such as phishing. Through these campaigns they have acted against a large number of highly sensitive military, political and diplomatic organisations.
Attacks like these highlight the urgent need for organisations to recognise that when it comes to cyber warfare, technical expertise is only half the battle. The sophistication of a phishing attack lies not in its technical execution. It is more subtle than that: it lies in convincing someone inside a target organisation to take the bait. Up-to-date technical security controls can be highly successful in defending against standard, automated cyber-attacks. However, skilled attackers have started to circumvent these defences by directly targeting the person in front of the monitor.
It is also worth stressing that because phishing attacks are not technically difficult to execute, they are becoming much more common, with hacking groups increasingly aware that a little investment in gathering intelligence on a target can make the most of an opportunistic attack. As a result, organisations that feel comfortable with cyber risk because they don’t think they are in anyone’s crosshairs are naïve at best and, at worst, could be considered negligent.
With data breaches becoming more and more frequent and opportunistic hacking on the rise, resilient organisations will be those which recognise that human behaviour – which can be exploited by hackers to your detriment – is also your best defence:
Three tips to defend against a phishing campaign:
Know your weaknesses
Where are you or your organisation vulnerable? Would your employees act without thinking if they thought they might be locked out of your systems? Would an attachment promising bonus figures be too tempting not to click? This is where an antagonist may target a strategic attack. If an unexpected email seems to know too much about your business, your family or even your hobbies and interests, additional caution is advised.
Ensure you are educated
Is your entire workforce educated on phishing attacks and the risks that they pose? Can they identify the signs of a cyber-attack? Are they encouraged to report suspicious behaviour?
Have a rapid response plan in place
If you are the victim of a phishing attack or another data breach, your response time can make all the difference. Don’t just have an idea of how you will respond – know exactly who will provide support, and have concrete measures such as an NDA in place so that you can move quickly and seamlessly to respond to the threat.
If you’re not prepared, you are exposed. With fast-moving, opportunistic threats more present than ever, risks cannot be avoided, but pragmatism and preparation can make all the difference.