Security In Depth’s Michael Connory hacked his first computer, an IBM System/370 mainframe, when he was 12 years old. There were games on the machine that he wanted to play.
These days in his role as an ethical hacker, he could probably set up a social engineering attack on your organisation in a matter of minutes.
Last week, Connory demonstrated to CIO Australia how easy it is for someone with his skills to breach your defences using his company’s simulated cyber-attack solution, Candiru.
Just prior to Christmas, Connory and his team created and sent out a simple phishing email to convince staff at the local office of a $10 billion financial services company to hand over some of their personal details. His team was engaged by the organisation to set up the phishing attack and will subsequently be hosting cyber security training for its staff in a few weeks.
The phishing email, titled ‘Thank you for your hard work,’ was sent to 140 staff at the organisation. Upon opening the email, staff were presented with a fake movie voucher offer which when clicked, sent them to a portal where they were asked to provide personal information such as their usernames, passwords and phone numbers.
It was prior to Christmas so some staff were on holiday. Despite this, 41 people clicked the link in the email and provided their details.
“We can see that a lot of the individuals didn’t open the email but some did – the reality is that many people [fall victim],” said Connory. “We can sit on this and then start to utilise Outlook web access or Gmail or whatever it is and then access [personal] emails that way.”
Around three hours into the phishing campaign, a staff member figured out it was SPAM and alerted the rest of the organisation, said Connory.
Connory said his organisation uses two methods during its regular hacking activities. The first is to use a “binding piece of technology” where malicious software is combined with another item such as a picture.
The second method, which the organisation prefers, is to send out a keylogger to gain access to a computer.
“An example might be a bank – we don’t want to target its customers, we think that’s dumb and slow, we want to target the bank itself. We want to be indistinguishable – we don’t want to be found. We can have a clean computer and a clean IP address,” Connory said.
Candiru can also monitor when a third party managed service provider or security technology a company is using will pick up an attack. The financial services firm was using Outlook 365 and the Mimecast cloud-based email security software.
Connory said the Mimecast product only picked up 18 per cent of the emails.
“The [financial services company’s] third party managed service provider, they were told about it and didn’t do anything. When they were told about it, they just told people it wasn’t serious and not to worry about it,” he said.
“When we checked the processes, out of those people who clicked on it, only one-third actually followed the process of how to deal with it. So the incident response program for that organisation completely broke down, the reporting of the incident broke down, the managed services and the technology behind it broke down.
“From this particular focus, we were able to identify significant gaps in the organisational structure. Now, this is an organisation that manages more than $10 billion in funds and has more than 50,000 members. And this is one of many.”
Cyber education is not good enough
Organisations are not doing the best job of rolling out cyber security education programs for their staff, according to Connory.
“The first component is they provide an induction and say, ‘don’t click on links you don’t know, try to identify the link, have a look and see if there’s a sense of urgency behind it [the email message].’
“The email that we sent [to staff at the financial services firm] said, ‘if you do this by Friday, you get your [movie] vouchers. We even spelt the HR director’s name incorrectly. If somebody really wanted to do it [send a phishing email], they wouldn’t make those mistakes. We did it on purpose,” he said.
Companies teach their staff to look out for suspect emails but they don't necessarily put into practice what they are taught and they often don't do another round of cyber security training for another year or two, Connory said.
"I did a review recently of a company that was breached and is in serious trouble. They had spent hundreds of millions of dollars on new cyber security processes which still failed," he said. "Nobody is communicating and there is no process involved [in managing attacks].
He said that Chinese cyber espionage group APT10 has taken advantage of this lack of communication across organisations. This threat actor targets managed IT service providers to access the IP data of both the MSPs themselves and their customers.
"This is what APT10 did. If I get access to one [company's] Gmail account and create an email address within one account which is seen to be ok, I can then start to translate that across to everybody else. This means you won't get that notification that [it's a potential attack].
"One of the tactics people use is to send a file that the user sees and asks, 'hang on, what's going on here? I haven't received a file, I haven't done anything.' And by you creating a conversation, what's occurring is that the system is learning that this is an ok and trusted communication. And from this I can send files, I can attach viruses and malicious code into your email because I have access to it and send it internally."