Mandiant has just released M-Trends 2017, its annual overview of the cyber threat landscape. It doesn’t exactly make for happy reading – especially for those businesses content to rest on their laurels when it comes to cyber security.
Threat overview…
There is some good news. Businesses, it seems, are getting ever-so-slightly quicker at actually spotting breaches: the average time between compromise and discovery has apparently gone down from 146 to 99 days. But of course, this is still more than adequate time for hackers to access what they are looking for (just ask Yahoo and TalkTalk!).
Those of us who have been involved in cyber security for decades are familiar with the ‘cat and mouse’ game described in the report. Cyber attackers continue to hone their tactics; they evolve and get smarter – and it’s the job of security teams to continue to keep up.
So what have criminals been up to over the last year? Well, you’ve heard of ‘state sponsored’ hacking. This report shows that many run-of-the-mill hackers have boosted their skillset so they are now comparable with state-level actors.
But one new trend came as a particular surprise to the report’s authors: criminals getting on the phone to their targets to get the information they need to launch an attack. Hackers, it seems, are becoming more sophisticated with the help of some decidedly ‘old school’ con tricks.
How does it work?
1. The hacker realises that a generic-themed, unprompted email will most likely be picked up by the target company’s corporate email controls.
2. So the hacker does a little digging (via LinkedIn or the company’s website). He identifies a named individual and comes up with a credible ruse to make contact – such as a potential new supplier of office materials – or even a new client enquiry.
3. The hacker telephones that individual. The upshot of the call is that the hacker will follow up with an email relating to the telephone conversation.
4. The target receives the email. Attached is a Word doc (a price list or invite to a conference, for instance). In the subject heading, the hacker avoids the usual suspects – phrases such as “delivery confirmation” which are used in many attacks – so as to bypass email controls. The content of the email relates directly to the earlier telephone conversation.
5. The target is expecting the email – so his guard is down. To open the attachment, the target is invited to disable macros. He does so, resulting in a batch script being executed and the hacker’s malware payload being downloaded.
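As an added, defender-side illustration (not code from the post or from Mandiant’s report): the attack above is tuned to slip past subject-line keyword controls, so the check below looks inside the attachment for a VBA project instead of trusting the subject. The keyword list, the triage function and the in-memory sample files are constructed for this example; it uses only the Python standard library.

```python
import io
import zipfile

# Subject phrases the post says attackers now avoid (constructed sample list).
SUSPECT_SUBJECT_PHRASES = ("delivery confirmation", "invoice attached", "payment overdue")

# Legacy binary Office files (.doc/.xls) are OLE2 containers; a VBA project keeps
# streams such as "_VBA_PROJECT", whose names are stored as UTF-16LE. Heuristic only.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
OLE2_VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")

def subject_looks_suspicious(subject: str) -> bool:
    """The keyword control the pretext email is written to slip past."""
    s = subject.lower()
    return any(phrase in s for phrase in SUSPECT_SUBJECT_PHRASES)

def attachment_has_macros(data: bytes) -> bool:
    """True if an Office attachment carries a VBA project (OLE2 or OOXML)."""
    if data.startswith(OLE2_MAGIC):
        return OLE2_VBA_MARKER in data
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            # OOXML (.docm/.xlsm/...) stores VBA in a vbaProject.bin part.
            return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())
    except zipfile.BadZipFile:
        return False

def triage(subject: str, attachment: bytes) -> dict:
    """Compare what the subject filter sees with what the attachment contains."""
    return {
        "subject_filter_hit": subject_looks_suspicious(subject),
        "macro_present": attachment_has_macros(attachment),
    }

def build_ooxml(with_macro: bool) -> bytes:
    """Constructed minimal OOXML-style zip standing in for a real .docm/.docx."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x01\x02constructed vba blob")
    return buf.getvalue()

if __name__ == "__main__":
    # The post's pretext email: bland, expected subject; macro-bearing document.
    print(triage("Price list as discussed on the phone", build_ooxml(True)))
    # -> {'subject_filter_hit': False, 'macro_present': True}
```

The point is that the subject filter returns nothing for the tailored email while the attachment check still fires, so gateway rules that only match subject strings should be backed by content inspection of Office attachments.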
So what do you do about it?
You’ve got robust email filters in place already. You might even have invested in a pretty nifty endpoint detection and response platform. Yet this, along with all the other tools and strategies you might have working for you, can count for little if your people are the weakest link in the security chain.
Are your staff being ‘socially engineered’? Is a single phone call all it takes to bypass your organisation’s security? We’re in the business of helping organisations build their very own culture of security awareness. To find out how we do it, contact us today.
Hello, Nathan
First, thanks for your great courses; I really enjoy them.
The question is: if a person allows macros on this email (by the way, he is waiting for this particular email, so he can do it), does the script run anyway?
Macros are in the attachment. Word, Excel, etc. Modern versions ask you before they will run the macro.
“5. The target is expecting the email – so his guard is down. To open the attachment, the target is invited to disable macros. He does so, resulting in a batch script being executed and the hacker’s malware payload being downloaded.”
So the macro ran and it was a pop up that actually said “disable macros” which executed the batch script? Or is there a typo and the user enabled macros allowing the attached macro to execute which was the batch script?
Good morning. I want to work in cyber security. I just paid for the four courses. I would like to be mentored by you. I want to learn as much as possible. Thank you.
Good to have you on the course.
Nathan, I’m a student (on leave, so to speak), wanted to let you know I suggested investigative journalist George Webb get in touch with you – he’s trying to get the 411 on a few tech companies, one of which is huge and dodgy, the other is huge and who knows what. Just wanted to give you a heads up. He’s doing a series on YouTube, no $ involved, just trying to help many people in need.
Be well, and many thanks.
I heard the announcement about the 2014 Yahoo hack, and Russians being ID’ed as the perps, a couple of months ago. Just wondering how they got caught? Were they not following anonymity rules like those taught in your courses?
Reminded me of the story I believe you refer to in one of your courses (can’t find it now): “How TOR Users got Caught.” TOR users got caught by correlation?
I haven’t read any details on how they got caught. Probably held back.
I really want to thank you for your awesome courses, thank you so much, but I have a question I hope you answer.
I am studying Computer Engineering, and my goal is to reach CISSP, so should I leave college and study courses, or should I complete college?
Because I really think that college is useless.
College gives you a piece of paper that shows a level of education. Why not do both at the same time? Read my career guide: https://www.stationx.net/cyber-security-career-guide/
Thank you, Mr Nathan.