The story behind a security breach
As we keep hearing about the rise in cyberattacks, ransomware and state-backed attacks, like the ones against SolarWinds and Malwarebytes, I think it's time to take a different approach and restate what the infosec community keeps insisting on: two-factor authentication, a unique password per site or application, a password manager for both work and personal use, and email security and data-breach protection. With that said, I will try to explain the need for these with a hypothetical but realistic example, using a fictional company, QuébecMantics.
The story behind the QuébecMantics email hack
Meet François Tremblay, a finance executive who works for QuébecMantics. He has access to the company's finance tools, which he normally uses to pay invoices and to build the reports that track the company's finances. As part of his day-to-day work he is also allowed to process third-party payments of up to $1.5 million without board approval. He has a wife and two kids, aged 12 and 14.
Meanwhile, the news outlets are reporting QuébecMantics' astonishing earnings for the last quarter. This gets a group of attackers interested in gaining access to the QuébecMantics network. They find François Tremblay on LinkedIn and start looking through other social media platforms for anything valuable.
In no time the group learns that François loves hockey, that his favourite team is the Montreal Canadiens, his address in Montréal, the names of his family members, their birthdays and his wedding date. The most useful finding comes from one of his social media accounts: he bought a piece of furniture from a company that was recently hit by ransomware and refused to pay. The group goes to the dark web and buys the dump of usernames and passwords from that breach. Searching for François's name in the dump, they find his password for that shop and see that he builds his passwords from the names and birthdays of his two kids. One leaked password reveals the recipe for every other account, which is why reusing a pattern is nearly as bad as reusing the password itself.
Andrew and Josianne (both members of the QuébecMantics security team) are responsible for writing the company's policies, including the email password policy. It requires every employee to use a minimum of 10 characters with a mix of numbers, upper- and lower-case letters and special characters. That rule checks character classes only; it says nothing about whether a password can be guessed from information posted publicly. Unfortunately, they have not rolled out MFA just yet.
The group now moves at full steam, trying combinations of the family members' names and special dates against François's email login. This is a targeted dictionary attack rather than a blind brute force: the candidate list is small, and the complexity policy barely shrinks it, since most of those combinations already contain the required character classes. Within hours they are in. After a couple of hours of reading they find nothing immediately useful, so they create an inbox forwarding rule: from now on every email François receives is also forwarded to the attackers.
Two days later, the opportunity the group was waiting for lands in François's inbox: an invoice for $1.2 million from a third-party supplier, due by the end of the week. The group moves fast and sends an email impersonating the supplier, setting up the perfect phishing attack: they ask François to pay the invoice to a different bank account than usual. He suspects something is wrong, but because the attackers quote the exact amount, the invoice number and the name of the person who originally sent the invoice, they convince him to transfer the money to the group's account. François has little chance against social engineering of this quality, and because the amount is under his $1.5 million limit he can issue the payment without discussing it with anyone else (remember, this is part of his day-to-day tasks), which further reduces the chance of detecting the attack.
QuébecMantics does not realize the theft happened until the supplier complains about the missing payment a month later, and unfortunately by then it is too late to reverse the transfer. The money is gone.
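To show why the password policy in the story did not help, here is an added example (not code from the original post) that builds the same kind of targeted wordlist the attackers would use from a handful of social-media facts and keeps only the candidates the QuébecMantics policy (10+ characters, upper, lower, digit, special) would have accepted. The names and dates are constructed for this example; the post never gives them. The point is the size of the list compared with the full 10-character keyspace.

```python
"""Added example: targeted password guessing vs. a complexity-only policy.
Not from the original post; names and dates below are constructed."""
import itertools
import re
from datetime import date

# Constructed OSINT facts (assumption: the story only says he uses his kids'
# names and birthdays and is a Montreal Canadiens fan).
OSINT_NAMES = ["Emile", "Lea", "Habs"]
OSINT_DATES = [date(2009, 3, 14), date(2007, 11, 2), date(2005, 6, 21)]  # birthdays, wedding day

POLICY_MIN_LEN = 10
SEPARATORS = ["", "!", "@", "#", "_", "-", "."]
SUFFIXES = ["", "!", "!!", "@", "#", "$", "1!", "123!"]


def meets_policy(pw: str) -> bool:
    """The rule from the story: length plus four character classes, nothing else."""
    return (
        len(pw) >= POLICY_MIN_LEN
        and re.search(r"[A-Z]", pw) is not None
        and re.search(r"[a-z]", pw) is not None
        and re.search(r"[0-9]", pw) is not None
        and re.search(r"[^A-Za-z0-9]", pw) is not None
    )


def name_variants(name: str) -> set:
    """Case mutations people commonly apply to a name."""
    return {name.lower(), name.capitalize(), name.upper()}


def date_variants(d: date) -> set:
    """Common numeric spellings of a date: yyyy, yy, ddmm, mmdd, ddmmyyyy, yyyymmdd."""
    return {d.strftime(f) for f in ("%Y", "%y", "%d%m", "%m%d", "%d%m%Y", "%Y%m%d")}


def candidate_passwords(names, dates):
    """Targeted wordlist: <name><sep><date><suffix>, <date><sep><name><suffix>
    and <name><name><date><suffix>. Only candidates the policy would have
    accepted are returned, because those are the only ones worth trying."""
    nv = set().union(*(name_variants(n) for n in names))
    dv = set().union(*(date_variants(d) for d in dates))
    cands = set()
    for n, d, sep, suf in itertools.product(nv, dv, SEPARATORS, SUFFIXES):
        cands.add(f"{n}{sep}{d}{suf}")
        cands.add(f"{d}{sep}{n}{suf}")
    for (a, b), d, suf in itertools.product(itertools.permutations(nv, 2), dv, SUFFIXES):
        cands.add(f"{a}{b}{d}{suf}")
    return sorted(c for c in cands if meets_policy(c))


def guesses_needed(target: str, names, dates):
    """1-based position of `target` in the wordlist, or None if the list misses it."""
    cands = candidate_passwords(names, dates)
    return cands.index(target) + 1 if target in cands else None


def full_keyspace(length: int = POLICY_MIN_LEN, alphabet: int = 95) -> int:
    """Blind brute force over printable ASCII at the minimum policy length, for comparison."""
    return alphabet ** length


if __name__ == "__main__":
    wordlist = candidate_passwords(OSINT_NAMES, OSINT_DATES)
    print(f"policy-compliant targeted guesses: {len(wordlist)}")
    print(f"blind 10-character keyspace:       {full_keyspace():,}")
    print("'Emile2009!' passes the policy:", meets_policy("Emile2009!"))
    print("guesses before 'Emile2009!':", guesses_needed("Emile2009!", OSINT_NAMES, OSINT_DATES))
```

The wordlist comes out at a few thousand entries, every one of which the policy accepts; against a login with no MFA and no lockout that is hours of work at most, which is why the story's "within hours" is realistic and why character-class rules alone are not a defence.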
————————————————
The story above is not fantasy. According to the latest Cisco cybersecurity report, an attack like this happens somewhere in the world at least every 30 seconds.
Let's now look back at what went wrong, which attack vectors were present at QuébecMantics, and what can be done to mitigate this kind of attack and protect the company.
Create an education program to raise awareness among all employees of the risk of posting certain kinds of information on social media. Family names, birthdays, anniversaries and purchases are exactly the material a password-guessing attacker is looking for.
Encourage the use of a password manager and, if possible, give every employee a licence that works whether or not they are connected to the company network. That way employees get used to a unique password per site or application in their personal lives too, which removes the single most useful thing the attackers found in this story: a reused pattern that a third-party breach exposed.
Make MFA mandatory for email and for every other application or website that asks for a password. This mitigates credential theft and impersonation: a guessed or stolen password is no longer enough on its own to log in as the employee. Keep in mind that some second factors (SMS codes, plain push approvals) can still be phished or fatigued, so pair MFA with sign-in alerting and sensible access policies. I can recommend DUO as an MFA solution because of the speed with which it secures applications: rapid deployment, fast user adoption and the ability to respond quickly to changing threats.
Adopt advanced email security and XDR capabilities. If your company uses Office 365, don't leave everything to the provider, or you can end up like Malwarebytes. You should have your own security systems and policies to detect anomalies and workload changes, so that when an employee (or someone sitting in their mailbox) sets up a rule that forwards mail outside the organization, the change is detected and flagged to the security team. Equally, if someone impersonates one of your partners to phish you, your email security should detect, flag and report it; a known vendor's display name on a message whose sender or Reply-To domain is not that vendor's is a cheap and reliable signal. I can recommend Cisco Advanced Phishing Protection, which has been a market leader in email protection for the last 10 years; its enhanced protection can defend your email whether it runs on-premises or as a service with Office 365 or G Suite.
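As an added example (not from the original post, and not any vendor's product logic), here are the two detections the paragraph above asks for, run over constructed records: an external inbox-forwarding rule like the one the attackers created, and a supplier-impersonation email like the one that carried the fake bank details. The audit-record shape (Operation, UserId, a Parameters list of Name/Value pairs) is loosely modelled on Microsoft 365 Unified Audit Log entries but is an assumption here, not a verified schema; the domains, vendor name and log lines are all made up for the example.

```python
"""Added example: detect external mail forwarding and vendor impersonation.
Record shapes and all data are constructed; not from the original post."""
import json

ORG_DOMAINS = {"quebecmantics.example"}                       # assumption: the company's mail domains
KNOWN_VENDORS = {"Acme Furniture": "acme-furniture.example"}  # constructed vendor -> its real domain

FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "ForwardingSmtpAddress"}
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}

# Constructed audit lines: a benign internal rule, the attacker's hidden external
# forward (with DeleteMessage to hide the trail), and an admin-set internal forward.
AUDIT_LOG = [
    json.dumps({"Operation": "New-InboxRule", "UserId": "francois.tremblay@quebecmantics.example",
                "Parameters": [{"Name": "Name", "Value": "Team"},
                               {"Name": "ForwardTo", "Value": "finance-team@quebecmantics.example"}]}),
    json.dumps({"Operation": "New-InboxRule", "UserId": "francois.tremblay@quebecmantics.example",
                "Parameters": [{"Name": "Name", "Value": "."},
                               {"Name": "ForwardTo", "Value": "drop.box.7731@mail.example"},
                               {"Name": "DeleteMessage", "Value": "True"}]}),
    json.dumps({"Operation": "Set-Mailbox", "UserId": "admin@quebecmantics.example",
                "Parameters": [{"Name": "Identity", "Value": "francois.tremblay"},
                               {"Name": "ForwardingSmtpAddress", "Value": "smtp:archive@quebecmantics.example"}]}),
]

# Constructed inbound messages: the genuine invoice and the lookalike "updated bank details" mail.
MESSAGES = [
    {"from": "Acme Furniture <billing@acme-furniture.example>", "reply_to": "",
     "subject": "Invoice 4471 due Friday"},
    {"from": "Acme Furniture <billing@acme-furnlture.example>",   # 'i' swapped for 'l'
     "reply_to": "billing@acme-furnlture.example", "subject": "Invoice 4471 - updated bank details"},
]


def domain_of(address: str) -> str:
    """Mail domain of an address, tolerating an 'smtp:' prefix and 'Name <addr>' form."""
    addr = address.strip()
    if addr.lower().startswith("smtp:"):
        addr = addr[5:]
    if "<" in addr and ">" in addr:
        addr = addr[addr.index("<") + 1:addr.index(">")]
    return addr.rsplit("@", 1)[-1].lower()


def display_name_of(header: str) -> str:
    """The display-name part of a From header, or '' when there is none."""
    return header.split("<", 1)[0].strip().strip('"') if "<" in header else ""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def forwarding_alerts(log_lines):
    """Flag rules or mailbox settings that send mail to a domain the org does not own.
    Severity is raised when the rule also deletes the original, the classic BEC trace-hiding step."""
    alerts = []
    for line in log_lines:
        rec = json.loads(line)
        if rec.get("Operation") not in RULE_OPERATIONS:
            continue
        params = {p["Name"]: p["Value"] for p in rec.get("Parameters", [])}
        external = [v for k, v in params.items()
                    if k in FORWARD_PARAMS and domain_of(v) not in ORG_DOMAINS]
        if external:
            hides = str(params.get("DeleteMessage", "")).lower() == "true"
            alerts.append({"user": rec["UserId"], "operation": rec["Operation"],
                           "targets": external, "severity": "high" if hides else "medium"})
    return alerts


def impersonation_alerts(messages, vendors):
    """Flag mail whose display name claims a known vendor but whose From or Reply-To
    domain is not that vendor's; a near-miss domain is marked as a lookalike."""
    alerts = []
    for m in messages:
        real = vendors.get(display_name_of(m["from"]))
        if not real:
            continue
        bad = {domain_of(m[h]) for h in ("from", "reply_to") if m.get(h)} - {real}
        if bad:
            alerts.append({"subject": m["subject"], "domains": sorted(bad), "expected": real,
                           "lookalike": any(edit_distance(d, real) <= 2 for d in bad)})
    return alerts


if __name__ == "__main__":
    for a in forwarding_alerts(AUDIT_LOG) + impersonation_alerts(MESSAGES, KNOWN_VENDORS):
        print(a)
```

In a real deployment the forwarding check would read the tenant's audit log or the output of an inbox-rule inventory on a schedule, and the vendor table would come from the accounts-payable system; either alert is a reason to pick up the phone and verify the bank details with the supplier on a number you already have, not one taken from the email.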
Conclusion
Long gone are the days of protecting your company only from the point of view of a firewall. With social media and the hyperconnected network we have built on top of the internet, the attack surface has grown exponentially. That is why, more than ever, we need to understand where our weak points are and secure them with tools that work together and can detect, react to and block any possible threat.
Please comment and let me know if you agree or disagree with any of these points. I would like to know if you found this article helpful and if you would like to see more content like this.