Gaining the Advantage Over Attackers: How Very Attacked People Figure into Your Security Equation

August 01, 2019
Tim Choi - VP of Product Marketing at Proofpoint

Do you know who your Very Attacked People (VAPs) are and how they are being attacked? If you don’t, you should. Gaining these insights can go a long way toward reducing your exposure to targeted threats.

Adversaries are taking a finely honed, highly strategic approach to targeting your people. Sophisticated attackers diligently do their research and often have access to org charts and know how a business works better than the security team does. Today’s cyber criminals are much less interested in casting a wide net through scattershot spam or phishing campaigns in hopes of getting someone to download a PDF that contains malware or to click on a malicious URL.

In a recent Risky Business Soap Box podcast, Ryan Kalember, executive vice president of Cybersecurity Strategy at Proofpoint, talked about ways to determine how risky a user is and what measures you can take to do something about it.

Kalember describes the user risk score methodology developed by Proofpoint: “It’s a combination of scoring the attacks themselves by picking out what’s interesting and then adding the human susceptibility angle to it.”

There are two parts to this. On the threat side, Proofpoint looks at every threat and assigns it a score from 1 to 1,000 based on the spread of the attack, the type of payload and whether an actor can be associated with it. User data points are then added into the equation. These include the URLs that users have clicked on over time, which users click frequently, how well users perform on phishing simulations, and checks of API connections to Microsoft Office 365 to see who may be signing in from suspicious networks. Even device health, such as browser patch levels, can provide valuable insights.

When you put it all together, you have a good sense of who is getting targeted and who is going to fall for the tactics and techniques of bad actors. All this number crunching gives you an advantage over attackers. “You can use this intelligence to prioritize your efforts because attackers are prioritizing theirs… It’s amazing how it shrinks the problem,” says Kalember, attesting to the power and value of these metrics.
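To make the two-part model concrete, here is an added worked example (not Proofpoint's code, and not the actual weights or formulas behind their risk score). It scores each observed threat from 1 to 1,000 from the three inputs the article names (spread, payload type, actor attribution), scores each user's susceptibility from the user data points it names (URL clicks, phishing-simulation results, suspicious Office 365 sign-ins, browser patch level), and combines the two to rank users. All weights, the direction of the spread term (narrow spread assumed to mean a more targeted and therefore higher-scoring threat), the class names, and the sample data are assumptions made for this illustration.

```python
from dataclasses import dataclass

# Constructed payload weights: assumed for this example, not Proofpoint's values.
PAYLOAD_WEIGHT = {
    "credential_phish": 0.7,
    "macro_doc": 0.9,
    "malware_link": 0.8,
    "spam": 0.1,
}


@dataclass(frozen=True)
class Threat:
    threat_id: str
    recipients: frozenset      # users who received this threat
    payload: str               # key into PAYLOAD_WEIGHT
    spread: int                # messages seen across all customers (constructed metric)
    actor_attributed: bool     # could the threat be tied to a known actor?


@dataclass(frozen=True)
class UserProfile:
    user: str
    url_clicks: int            # malicious URL clicks in the observation window
    sim_failures: int          # failed phishing simulations
    sims_taken: int            # simulations delivered
    suspicious_logins: int     # Office 365 sign-ins from suspicious networks
    browser_outdated: bool     # device-health signal


def threat_score(t: Threat) -> int:
    """Score a threat on a 1..1000 scale from spread, payload and attribution.

    Assumption for this example: a narrow spread indicates a targeted campaign
    and is scored higher than mass spam; attributed actors score higher.
    """
    targeting = 1.0 / (1.0 + t.spread / 100.0)        # 1.0 for very narrow, -> 0 for mass
    payload = PAYLOAD_WEIGHT.get(t.payload, 0.5)       # unknown payload gets a neutral weight
    actor = 1.0 if t.actor_attributed else 0.5
    raw = 0.4 * targeting + 0.4 * payload + 0.2 * actor
    return max(1, min(1000, round(raw * 1000)))


def susceptibility(u: UserProfile) -> float:
    """Return a 0..1 susceptibility estimate from the user-side signals."""
    click = min(u.url_clicks, 5) / 5                                    # cap so one user cannot dominate
    sim_rate = u.sim_failures / u.sims_taken if u.sims_taken else 0.5   # no simulation data -> neutral
    login = min(u.suspicious_logins, 3) / 3
    device = 1.0 if u.browser_outdated else 0.0
    return round(0.35 * click + 0.35 * sim_rate + 0.15 * login + 0.15 * device, 3)


def rank_vaps(threats, profiles):
    """Combine attack pressure and susceptibility; return [(user, risk)] sorted high to low."""
    attack_index = {}
    for t in threats:
        s = threat_score(t)
        for user in t.recipients:
            attack_index[user] = attack_index.get(user, 0) + s
    by_user = {p.user: p for p in profiles}
    ranked = []
    for user, index in attack_index.items():
        # Users without a profile are treated as average (0.5), an assumption for this example.
        susc = susceptibility(by_user[user]) if user in by_user else 0.5
        ranked.append((user, round(index * (1.0 + susc), 2)))
    return sorted(ranked, key=lambda pair: pair[1], reverse=True)


# Constructed sample data for a three-user organisation.
SAMPLE_THREATS = [
    Threat("T1", frozenset({"alice", "bob"}), "credential_phish", spread=5, actor_attributed=True),
    Threat("T2", frozenset({"alice", "bob", "carol"}), "spam", spread=5000, actor_attributed=False),
    Threat("T3", frozenset({"carol"}), "macro_doc", spread=1, actor_attributed=True),
]
SAMPLE_USERS = [
    UserProfile("alice", url_clicks=3, sim_failures=2, sims_taken=4, suspicious_logins=1, browser_outdated=True),
    UserProfile("bob", url_clicks=0, sim_failures=0, sims_taken=4, suspicious_logins=0, browser_outdated=False),
    UserProfile("carol", url_clicks=1, sim_failures=1, sims_taken=2, suspicious_logins=0, browser_outdated=False),
]

if __name__ == "__main__":
    for t in SAMPLE_THREATS:
        print(t.threat_id, threat_score(t))
    for user, risk in rank_vaps(SAMPLE_THREATS, SAMPLE_USERS):
        print(f"{user:6s} risk={risk}")
```

In the sample data, bob and alice receive exactly the same threats, yet alice ranks first because her click history, simulation failures and unpatched browser raise her susceptibility; carol ranks above bob on the strength of one narrowly targeted, attributed macro document. That is the point of adding the human side: attack volume alone would have tied alice and bob.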

After working with his team to generate reports for more than 750 Proofpoint customers over a 90-day period, he is seeing that adversaries are now targeting a group of people in particular business functions with different techniques over a longer period of time. In any given organization – like a large global bank with tens of thousands of users, for example – Kalember contends that there are typically about 100 people who get targeted.

One example Kalember cites involved a large global retailer. A single actor persistently targeted everyone with the words “China associate” in their LinkedIn job titles. The actor used a variety of techniques during different phases of the attack – malicious Microsoft Word macros, malware or malicious links buried in PDF attachments, credential phishing and others. Because the campaign persisted over time, the security team had plenty of opportunities to engage with the VAPs and let them know they were on the radar. The security team ran phishing simulations for these users with the lures used in the campaign to heighten their awareness and prepare them for future attack attempts. The team also tuned their security information and event management (SIEM) and user and entity behavior analytics (UEBA) tools to monitor the behavior of these users closely and to send alerts when suspicious activity was detected.
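The last step in that story, tuning SIEM and UEBA rules around a known list of VAPs, can be illustrated with a small watch-list evaluator. This is an added example written for this page, not the retailer's or Proofpoint's rules: it reads constructed sign-in and web-gateway events, raises alerts for sign-ins from outside a user's baseline countries and for clicks the gateway marked malicious, and escalates severity when the user is on the VAP watch-list. The log format, the watch-list, the baselines and the field names are all assumptions.

```python
import re
from dataclasses import dataclass

# Constructed watch-list and per-user sign-in baselines (assumed data for this example).
VAP_WATCHLIST = {"alice", "carol"}
LOGIN_BASELINE = {"alice": {"US"}, "bob": {"US"}, "carol": {"US", "GB"}}

# Assumed log line shape: "<timestamp> user=<name> event=<type> key=value ..."
LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+)(?P<rest>.*)$")


@dataclass(frozen=True)
class Alert:
    ts: str
    user: str
    rule: str
    severity: str
    detail: str


def parse_fields(rest: str) -> dict:
    """Turn the trailing 'key=value key=value' text into a dict."""
    return dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)


def evaluate(lines):
    """Apply the two watch-list rules to raw log lines; return the alerts raised."""
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                      # malformed or unrelated line: skip, do not crash
        user, event, fields = m["user"], m["event"], parse_fields(m["rest"])
        # VAPs get high severity so analysts see them first; others still get a medium alert.
        severity = "high" if user in VAP_WATCHLIST else "medium"
        if event == "login":
            country = fields.get("country", "unknown")
            if country not in LOGIN_BASELINE.get(user, set()):
                alerts.append(Alert(m["ts"], user, "login_outside_baseline", severity,
                                    f"country={country} src={fields.get('src', '?')}"))
        elif event == "urlclick" and fields.get("verdict") == "malicious":
            alerts.append(Alert(m["ts"], user, "malicious_url_click", severity,
                                fields.get("url", "")))
    return alerts


# Constructed sample events; addresses are from documentation ranges and the TLD is reserved.
SAMPLE_LOG = [
    "2019-07-15T09:12:03Z user=alice event=login src=203.0.113.7 country=RO",
    "2019-07-15T09:15:44Z user=bob event=login src=198.51.100.2 country=US",
    "2019-07-15T10:02:10Z user=carol event=urlclick url=http://example.invalid/invoice verdict=malicious",
    "2019-07-15T10:30:00Z user=bob event=urlclick url=http://example.invalid/login verdict=malicious",
    "2019-07-15T11:00:00Z user=carol event=login src=192.0.2.9 country=GB",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for a in evaluate(SAMPLE_LOG):
        print(f"[{a.severity}] {a.ts} {a.user} {a.rule} {a.detail}")
```

The same click by bob and carol produces a medium and a high alert respectively, which is the practical effect of feeding a VAP list into the SIEM: the rule logic does not change, but triage order does.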

As Kalember points out, when organizations use a risk model and find out who their most-targeted people are, they can take advantage of this intelligence to prioritize their efforts and focus on the most effective security controls. Here are some good places to start:

  1. Adopt a zero-trust network architecture with strict access control and verification of people and devices upon connection.
  2. Deploy solutions that block malicious emails and URLs.
  3. Limit administrative privilege levels on the devices used by VAPs by looking at who is targeted, who is susceptible and who can actually hurt your organization if they get compromised.
  4. Secure network and cloud access by leveraging Microsoft Active Directory and other tools to authenticate users.
  5. Conduct frequent, real-world security awareness training and simulations that address the vulnerabilities of targeted users and leverage the most current attack techniques and strategies.

Many of these scoring and analytics tools are built into Proofpoint products. For more information, visit: www.proofpoint.com.

To listen to the entire podcast, click on https://risky.biz/soapbox27.