This edition of the Threatpost podcast is sponsored by Egress.
There is no question that companies are in the sights of would-be criminals looking to exploit them. While companies look at solutions and training to help keep the perimeter secure, the biggest fail point is often the employees, AKA the human element.
In this Threatpost podcast, sponsored by Egress, we sit down with Jack Chapman to discuss the steps and tactics that companies can take to stay one step ahead of their adversaries.
During our conversation, we discuss:
– Weaknesses that attackers look to exploit
– Evolution of toolkits
– Securing MFA and more
An abridged transcript is available below.
Jeff Esposito: Hello, everyone, and welcome to the latest edition of the Threatpost Podcast. Today we are joined by Jack Chapman of Egress. He is the VP of threat intelligence at Egress and is tasked with deeply understanding the evolving cyber threat landscape to remain one step ahead of cybercriminals.
Leveraging these insights and his extensive r&d skill set, Jack oversees threat intelligence for Egress. Jack previously co-founded anti-phishing company Aquila AI and served as its chief technology officer, working closely with the UK intelligence and cyber agency GCHQ to develop cutting-edge product capabilities. Aquila AI was acquired by Egress in 2021. Jack, welcome to the podcast. How are you doing today?
Jack Chapman: Good, Jeff. Pleased to be here.
JE: It’s always good to see you. Hopefully, everything’s going well over in the UK today. So in looking at your background, I wanted to see if we could dive a bit into the darker side of cybersecurity and look inside the attacker’s mindset. Is that something you’re okay with?
JC: That is my bread and butter, is what I do on a daily basis, is my favorite topic.
JE: Well, that’s a good thing because then we’re gonna dive into it a bit. So what, you know, what are some of the weaknesses that attackers look to exploit in companies?
JC: The number one is people. It’s very much from attackers were sort of the crime as a service ecosystems matured, they’ve gone on to very much return on investment model. And the vast majority of attackers are all very financially driven. And as part of that, they sort of evaluating their TTPs and how they attack organizations. And oddly enough, when we say out loud, it makes sense, it’s a lot cheaper and easier to target a human than it is to invest half a million dollars into the next zero-day. So it’s very much human-focused, and then growing from there that enables the other attacks.
JE: So it seems like no matter what the year changes, it’s always going to be that human element that’s the biggest problem for companies.
JC: Yeah, absolutely. And it almost looked like it was changing a couple of years ago, but then organizations and so as a whole, we’ve matured our cyber posture, we’ve implemented sort of the OWASP, top 10, with pen testing and password policies, which is great to see. And it’s almost like we’ve focused the attackers back on the traditional piece, so we’re back to people.
JE: And it’s like, is it just phishing? Are there other things like I know, we’ve seen stuff like people losing USB has been the in the drops that we’ve seen in the past. But is it just phishing? That’s the easiest layer in are there other options of that?
JC: I think phishing is the vast majority, but you’ve got the fringe elements like the social engineering, the phishing, smishing, and all these other great marketing terms that we’ve got in cyber as a whole, which doesn’t, they don’t drive me mad at all, honestly. But then going on from that, we are starting to see more things around breach replay attacks, and the amount of data breaches individuals and organizations are in and that that’s the other main channel into it seems to be phishing and breach replay at the moment.
JE: Okay, now, once the attackers are in, you know, how have the toolkits evolved and like what organizations need to be on top of?
JC: I think the two main ways they’ve evolved are in sophistication and automation. So even though we’re using the same language for all of these attacks, they have moved on a bit more. So just an example of this one, one I saw actually, the other week, was a phishing attack that when the user clicked on the link, it would automatically look up their MX record, to see which payload it should show the user, which is a great bit of innovation from the attackers point of view, but it makes it on our side quite difficult at times, to protect.
So in terms of sort of that knowledge base off, what do we need to know to handle this increase in sophistication, automation, first of all, sort of a change in attitude of expect more of this to continue. It’s a strong trend it’s going to occur, and really reassess of whether the traditional ends we have in place, because the other big thing that’s changed in this shift, if you like, is the rise in compromised accounts where an email will have fantastic email authentication, the SPFD command D mark, but it will also be a older domain. It’s over two years old. It’s got lots of mail flow, all of the things that traditionally we could create security solutions around. The attackers have identified our methodology, and have broken it essentially. So from our point of view, it’s don’t just rely on the n same solution in that way, it’s important to really re evaluate the risks we’re facing in that space.
JE: You know, the follow up from that, though, it’s a giant cat and mouse game. And it seems like, you know, this is one of those spots, that’s going to be the, the eventual spot where companies need to stay on top of this one, otherwise, they could fall victim of of one of these types of attacks. Now, speaking of the company standpoint, like how are companies behind when it comes to training and keeping up with technology?
JC: I think probably, especially that training angle, I know my biggest frustration and talked to a lot of organizations is they think training is the solution in and of itself. And it’s one of those issues, whereas expectations versus reality. But training is a huge asset when it comes to cybersecurity. We want to bring our ordinary users with us on this journey towards that sort of cyber efficacy, what I would say, well, they’re not cyber experts. It’s not their job to be, but they’re part of the solution rather than the potential problem.
Part of the issue, especially when comes to social engineering is this type one type two thinking, where an attack is designed to keep people in type one, which is very instinctive, responsive, rather than type two, which is that slower, methodical thought out process. Where the assumption with a lot of training is okay, you can make people stop and think, however, if an attack keeps you in that type one, they’re not going to be able to fall back on their training so a lot of attacks are designed to almost undermine it. So for me, training is a key part of the sort of layered protection towards it.
But you need technology in place to essentially overlay that, that can help detect it, especially some of these more sophisticated attacks. Any policy as well. So if someone’s asking for financial transfer, phone them up, do something completely outside of the chain of communication. Break, break it from an attackers point of view, I think falling back on these three, which are quite traditional pillars that we talk about all the time and industry, and how they interlink. I think it’s that how these sort of people, technology and policy interlink is an opportunity for us to help mitigate sort of the shift in sophistication.
JE: And I think getting, dive into this a little bit deeper jack, and one of the spots here that I think stands out, especially in the technology layer over training is the fact that I think when a lot of people look at trainings and companies, it’s easy, hey, this is with our compliance training once a year. And it’s something that it seems like that’s doomed to fail if you’re looking at training just for the solution.
JC: Absolutely. And I think that’s where the expectation comes in, of what threats are you actually facing as an organization? What are the risks? Where are your crown jewels? And we talk quite a lot about something risk registers. And it’s tying training and the technology to that as well, because the unfortunate thing that makes it quite difficult on the defensive side is every organization is different. Their threat landscape is different, their appetite for risk is different.
And it’s important that they’re treated as individuals on on how we protect them as well. So one of the reasons I got into cyber in the first place was, it’s a lot harder to defend the system then it is to attack it. So I think, on that note, it’s very much continuous innovation is important. Just because training worked in the past doesn’t mean it will continue to work. Even if it’s just the same training, updating it helps, update what channels you use, look for other options as well.
JE: And I think I think what you said like getting to that point even more, and there’s when you just talked about, you know, the person picking up the phone and talking about a wire transfer, I think, you know, this year alone, there’s been at least six of those that you could hear about, and it’s not a small amount of money that people are losing. So I think it’s definitely an approach that that practitioners need to follow and I appreciate the fact that you’re a good guy and that you find it better and more challenging to do the good side of things. Now getting back to, you know, the account takeovers and things one of the hotter topics that I think you know, had been passed around by a lot of people is the need for MFA. But it seems like even with this, it’s a security measure that has flaws and can open the door. Am I correct and reading that or is that something a bit different?
JC: Yeah, I think MFA is a key step to to our security posture, it adds a barrier of entry and makes it harder for attackers to compromise accounts, and then use those accounts as assets or get all of their sort of intended outcome. I think the difficulty with MFA is too many organizations think I have MFA therefore I am secure, and that’s the end of the journey for them. Where what we’re seeing is from an attackers point of view, the amount of tools and automated services they have to bypass MFA is increasing and increasing rapidly.
Everything from doing sort of man in the middle attacks where they install a cookie or scrape cookies from your laptop, all the way through to actually using full on auth services where they’re pretend to log into Microsoft’s Microsoft, for instance, on your behalf. So, an attacker has realized that that’s a barrier to entry, and they are overcoming that with speed. So I think it’s key to have because we’d like to frustrate attackers, but we can’t just solely rely on it.
JE: And I think with that part, like, there’s so many different ways that people are looking at MFA, whether it’s security keys, whether it’s an authenticator, whether it’s there I say, SMS in some instances as well, like, what are some of the best practices you think organizations should follow when they implement this into their environments?
JC: The first step is to have it. So a non perfect implementation is 99% of time better than none, because I talk to a lot of organizations and they’re hesitant, because they can’t do it perfectly. So I push back on that logic slightly. In other ways, I would say how can you implement it in such a way that it doesn’t have to be frustrate your users, depending on what you’re protecting? Because at the end of the day, if the security doesn’t work for people often find a way around it is the unfortunate thing because they’ve got jobs to do. What I would say on that is then do a reasoned, reasonable sort of approach. So do you have weekly resets? Do you do monthly resets? New devices? And that’s the conversation to have throughout your security team of what works best for your organization in that place, both from a operational angle and risk, but also compliance and what vertical your organization’s in.
JE: So with that point, this is this is a really interesting spot that I want to dig a bit deeper into. Because before we talked about how employees are the weakest link, number one. Number two, that when you’re looking at this a bit more, you know, we put technologies in place to secure them. But then the third part about it, now, when users configure a way to absorb the MFA, they’re almost acting as a role of almost internal hackers, because they have to get their jobs to do so. Like, is there a way to implement MFA specific to job functions or things like that?
JC: Yes, it depends on sort of the technology stack and what you’re trying to achieve. I know, in industry, we’ve got this concept of sort of crown jewel defense. So is it just certain assets that you need to protect above and beyond, and there’s sort of secure storage solutions that you can sort of use to add an additional layer, where you sort of got general protection or sort of your general file sharing, and then you have a level up if you’d like. Additionally, to that, depending on sort of job function, the other way to view this is from a risk basis. What individuals are most at risk based on the feedback from their training? And I think this is a key opportunity, when building sort of security policy is use your layers of security fit to feed into creating other layers. So what are your top risks? How are you mitigating those? And then how who the people around those top risks are? And that way, you’ve got quite a nice methodology that is reasoned and appropriate but will still secure the organization.
JE: And I think that’s that’s a key now, before we let you go today Jack, I have one final question for you, and it’s how do you see toolkits and attacks evolving in the future.
JC: I see them following the current trend where they’re more easily accessible, and they become cheaper and more automated. However would predict, look into my crystal ball here that they’re going to become and link up with more Osen sources. So scraping social media, scraping breaches. To almost go towards a more automated targeted attack, automated spear phishing. In a larger scale, we’re starting to see criminals sort of test this in, they’re more sort of using breaches to steer their templated attacks and doing lookups. But I would expect this sort of increase in sophistication to continue.
The other trend we’re seeing in this, which I expect, unfortunately, to not change, is the amount of obfuscation and counter-detection techniques built into these toolkits. Things like using zero-sized font and white-on-white text within the email itself. So the user sees something completely different to what a machine would see. And I don’t think that an attacker is going to change this general trend until it stops being successful for them, unfortunately. So that’s where it’s important for us to try and get that step ahead. We always talked about this sword and shield, we’ve moved on the defensive side forward, then the attackers move forward. And I think for us is how can we sort of undermine them here because they’ve currently got this step forward on us.
JE: But I think it’s you know, one of those things that we definitely need to keep an eye on. And I think we’re definitely going to keep an eye on the work that your company is doing as well, Jack, but that brings us to the end of today’s podcast. So I wanted to thank you for the time today, Jack, and wish you nothing but the best of success in the future on these things.
JC: Thanks, Jeff. It’s been a pleasure.