The Science of Cybersecurity and The Human Element
By Kevin O’Connor / Director of Threat Research at Adlumin, Inc.
July 12, 2022
The “Human Element” of cybersecurity is often one of the most challenging aspects to manage when considering the defense of a network. At Adlumin’s Threat Research group, we work to merge the science of cybersecurity with the mindset of how users and threats engage with Information Technology (IT) systems. Let’s dive deeper into how the human element manages both the defense of networks and the threat against them.
The most evident area where the Human Element plays into the defense of IT systems is anywhere there’s user interaction with the system, which has a security-relevant context. Users don’t only need to be trained on how to use their system – but also on the basics of end-user cybersecurity to prevent simple attacks like drive-by-downloads and attachment-based malware.
One of the biggest threats facing the human-machine interface is phishing. The U.S. Department of Homeland Security’s Computer Information Security Agency (CISA) says that “phishing attacks use email or malicious websites to solicit personal information by posing as a trustworthy organization [or source].” While true, what’s missing in this definition is that phishing attacks are one of the most popular ways attackers will gain access to a user’s system through malicious attachments, such as macro-enabled malware or malicious links, to gain a foothold in a targeted network.
Defending Against Phishing
Technical controls exist which can help mitigate the threat of phishing-related attacks. Email filtering appliances/applications can automate the heavy lifting of denying known-bad actors that have engaged in more extensive and previously seen campaigns. The further application of machine learning in the context of message content is also promising. From there, security administrators can implement controls to scan or block attachments or mitigate specific technical vulnerabilities like macro-based malware by disabling the use of macros or denying permissions to run downloaded attachments or other ‘online’ sourced software.
Getting closer to the human element, controls that require users to participate in opening links actively can help. To avoid users accidentally clicking on a malicious link, applications like Outlook can disable links in emails requiring the user to manually copy and paste links from their email into their browser to visit sites ($LINK). This extra step can go a long way in getting the human behind the keyboard to think about the site they’re going to.
But these controls are either; incomplete, limiting, or require some level of user participation. Without proper training on identifying phishing and malicious emails, users can still fall prey to craftily composed messages or spoofed or compromised accounts from legitimate senders. The risk stemming from this human element-based threat must be mitigated through training, monitoring, continual awareness, and testing. Adlumin partners with KnowBe4, which offers user training, and we’ve integrated KnowBe4 phishing capabilities into our platform ($LINK).
Credential & Business Email Compromise
Another human element in cybersecurity that needs consideration is Credential and Business Email Compromise (BEC). The FBI says Business Email Compromise is
“one of the most financially damaging online crimes. It exploits the fact that so many of us rely on email to conduct business—both personal and professional. In a BEC scam, criminals send an email message that appears to come from a known source making a legitimate request.” (FBI, 2020)
The risk BEC and other account compromises have to a business are potentially devastating, with the FBI’s Internet Crime Complaint Center (IC3) reporting $43 billion in cost between June 2016 and December 2021 (IC3, 2022 Business Email Compromise).
Credential and Business Email Compromise can be costly and is an evolving threat, with IC3 also reporting that there’s been an introduction and then an increase in the use of Virtual Meeting Platforms in conducting the attack (IC3, 2022 Business Email Compromise: Virtual)
These are often fundamentally human-centric attacks relying on combinations of social engineering or stolen credentials to bypass the need for in-depth technical exploitation or gain an initial foothold against a target network or business.
Defending Against Credential & Business Account Compromise
Technical controls can help mitigate credential compromise or BEC, including implementing 2-Factor Authentication wherever possible. Mandatory password expiration can also limit the time an exposed account or credential can be used for malicious purposes.
Logging, monitoring, and Auditing user accesses can help identify potential cases of account compromise by looking at the user’s typical activity and alerting or taking Security Orchestration Automation and Response (SOAR) action when there’s abnormal or suspicious activity. Adlumin is an example of a Managed Detection and Response (MDR++) platform that can help identify and act on such malicious activity. Adlumin uses machine learning algorithms for User & Entity Behavior Analytics (UEBA) to help detect and respond to illicitly used credentials and accounts. Adlumin will monitor, track, and alert on expired credentials and accounts.
Another vector for credential compromise and BAC is through Darknet and other public data breaches and account/credential dumps. As a Human Element, users often reuse passwords across multiple accounts or will use business emails (and possibly shared passwords) on platforms that are then compromised. These compromised credentials can be a great source of intelligence for attackers, potentially giving them validly credentialed access to the compromised account. Defending against this, tools like Adlumin’s Darknet Exposure Module can monitor for exposed credentials on the Darkweb and alert or take immediate SOAR action before attackers can exploit them.
Computer Information Security Agency, CISA (2022, August 25). Security tip (ST04-014). CISA. Retrieved June 10, 2022, from https://www.cisa.gov/uscert/ncas/tips/ST04-014
FBI, Federal Bureau of Investigation (2020, April 17). Business email compromise. FBI. Retrieved June 10, 2022, from https://www.fbi.gov/scams-and-safety/common-scams-and-crimes/business-email-compromise
Internet Crime Complaint Center, IC3 (2022, February 16). Business email compromise: Virtual meeting platforms. Business Email Compromise: Virtual Meeting Platforms. Retrieved June 10, 2022, from https://www.ic3.gov/Media/Y2022/PSA220216
Internet Crime Complaint Center, IC3 (2022, May 4). Business email compromise: The $43 billion scam. Business Email Compromise: The $43 Billion Scam. Retrieved June 10, 2022, from https://www.ic3.gov/Media/Y2022/PSA220504