July 25, 2018
The top five phishing targets in financial services? We wish it was that easy.
By: Shawn Duffy

When the idea for this blog first came up, a "top five targets in financial services" hook seemed catchy and readable. But distilling attackers’ methods to only five would be a disservice.

The targets of phishing campaigns vary far more widely, often depending on the objectives of attackers—which can also vary widely. We know this because our Advanced Adversary team spends all day every day carrying out extremely sophisticated (and usually successful) attacks. We evaluate potential phishing targets based on two basic criteria:

  • How likely is it that this target will respond to a phishing email? Is the employee new to the target company? Do they often receive unsolicited attachments from people they don’t know (HR, for example)?
  • How close is the potential target to our true objective? Does their job function include the initiation or approval of wire transfers? Might they have access to confidential mergers and acquisitions data or non-public financial information?

So while it’s impossible to cite only five targets, it is quite possible to provide four lessons from the trenches.

#1: Forget what your anti-phishing training has taught you.

OK, maybe not completely. But understand that a sophisticated attacker isn’t necessarily going to send you an email with spelling errors or a fake invoice from UPS. Sophisticated attackers research their targets. This will include data from LinkedIn profiles but may also include Instagram, Facebook, Twitter or even newsletters from your alma mater. The goal is to send an email that the target could expect to receive.

Our team once broke into an organization by targeting a new employee who had graduated from Northwestern University. We drafted an email that appeared to come from the head of HR in her region, a name she likely recognized, welcoming her to the firm and mentioning how great it was to have another Northwestern grad on the team. We then asked if she could fill out a survey about her experience in the hopes that we could recruit more Northwestern grads. Believable, right? It worked.

#2: Layer your defenses.

You might be wondering, "How can I train my employees to act appropriately in these cases?" There is no simple answer. But truly resilient organizations have multiple layers of defenses, knowing that any layer may fail. The goal is not to be impenetrable, it’s to make it increasingly difficult for attackers, and so they either give up or make enough noise to get caught. I can’t think of a single engagement where one piece of software completely foiled our ability to compromise an organization. Layering works.

#3: Remember your fundamentals.

Organizations with the most success in stopping our attacks have a good grasp of security fundamentals and solid network hygiene. This means proper network segmentation, good telemetry on endpoints, minimal trust between network zones, two-factor authentication on critical resources, monitoring internal portals for sensitive information (I can’t tell you how many times we’ve found domain administrator credentials on an internal website), solid and enforceable data classification standards, and pervasive security awareness at all levels. These are the things that slow down attackers. They also require a commitment to a security culture.

#4: Involve the business.

Far too often we see internal IT departments making security spending decisions. Naturally they make those decisions based on what they believe to be important—but that’s only a piece of the puzzle. For example, a client spent a significant amount of money hardening its Active Directory infrastructure. Understandably, they wanted to see if their money was well spent. But we proposed something more useful: an engagement where we would attempt to compromise their confidential mergers and acquisitions data. Within two months, we had compromised the inboxes of the CEO and general counsel—and discovered the next 10 acquisition targets, information that was potentially worth billions. And we did it all without having to become domain administrator. That doesn’t mean that protecting Active Directory isn’t a worthwhile priority. It just means that security spending is meant to protect the entire business, so the business must set those priorities.

Popular Tags

    More blogs on this topic