Anatomy of an attack: Information Gathering

Trent: Hi there, welcome back to TechScoop and thanks for joining us. Now this week I'm fortunate enough to be joined by the incredibly intelligent Mr Ryan Economos from Mimecast. Thanks for joining us.

Ryan: Thanks Trent, good to be back.

Trent: Now last time we were here, Ryan, we were having a chat about the anatomy of an attack, where we were focused on attack vectors, which you defined as a shotgun/sniper rifle approach. Now today I want to get a bit more of an understanding about how an attacker is gathering information about you, or the type of information that they're trying to send to try and get you to take an action.

Maybe you want to start with the shotgun approach?

Ryan: Yeah sure. I think with the shotgun approach there's not a whole lot of intelligence gathering that goes into those types of emails. It is very much the shotgun, so it's trying to get as broad as possible. Usually what the attacker is going to be looking for there is things like "can we get a well known brand?" Potentially we have customers of an energy utility vendor, or even something like Netflix; no one wants to go without watching the latest series. So being able to have a service that means something to an individual, and then use emotive language that incites a sense of urgency and gets the user to perform an action. The reality is that they might send that email to thousands upon thousands of people and it only takes one person to click on the link in order for that to be effective.

Trent: So the second one, the sniper rifle approach, I'm guessing that takes a lot more intelligence gathering.

Ryan: Yeah, correct. I guess with the sniper rifle approach to phishing attacks a lot more goes into that. You've got attackers that are very easily able to profile an organisation; most organisations will have a company website with an "about us" page. This will typically list key people within the business: CEO, MDs, financial controllers, etc. So you're going to have those names available, and if you don't have them on your company website there's what I like to refer to as open source intelligence platforms, which is just social media. So you have LinkedIn, where it's really easy to figure out the hierarchy, who's reporting to whom. Attackers can look at that structure and, in order to make this attack effective, pretend to be someone of seniority within that business. They have the ability to control and ask for things to be done, and they'll target someone within a department like the finance team in order to get some sort of action. That's the first approach.

The second approach is then collating data from other sources, and there are services out there, like emailhunter, which you can literally go and put your company domain into and it basically shows you all of the sources where your domain has been found on the web. This could include your CRM system, Salesforce or Dynamics CRM; they could figure out what type of internal tools you might be utilising, then perhaps launch an attack based on asking for a credential to be reset, or referring back to an internal tool that is going to have meaning to the person that you are generating the attack to.

Trent: Wow, that's something else.

Ryan: Lots of detail goes into it.

Trent: So we're starting very broad with the LinkedIn and then we're going to get more and more refined with each step. What would you say the next step would be?

Ryan: Launching the attack is naturally the next step, because there's no point in gathering all of that intelligence and doing nothing with it. There is a misconception that hackers are wildly intelligent people with an ability to code and intricate knowledge of internal systems. But the reality is that hackers aren't hoodie-clad basement dwellers anymore; they're just people, like you and me. You can purchase things like malware on the web very easily, and it comes with a form of technical support, so if your malware doesn't work for you, you have a hotline you can ring up. We then see that there are tools that get used for penetration testing, and they contain dozens of ready made vulnerabilities, so an attacker could leverage one of those vulnerabilities to send through to the organisation. Again, this can be very effective, as a lot of organisations aren't necessarily following proper patch protocols; that's why we saw such an impact with WannaCry and NotPetya with the SMB block protocol. So it's very easy to use ready made, pre-made malware to launch that attack on an organisation.

We then see the attackers may go through and look to impersonate someone of seniority, and in order to legitimise that further, they may go to the effort of registering similar domains. So that could be registering a domain with slight character edits. Mimecast is an example: we have an "m" in our name, and if the attacker goes and registers a domain with an "r" and an "n", that can obfuscate what Mimecast looks like and fool the end user into thinking it's legitimate.

Trent: Wow. Hey, thanks for that Ryan. Now next time we have a chat I want to discuss what a successful attack looks like. We've spoken about attack vectors and what attackers are doing and the way that they're trying to infiltrate organisations, and we've talked about their research. I suppose the next logical step is to look at what happens when an attack is successful.

Thanks for joining us.