Experts from Lancope, STEALTHbits Technologies and Tripwire commented late on news of a security breach in which researchers discovered an interesting phishing campaign originating from CareerBuilder. Taking advantage of the notification system the job portal uses, an attacker uploaded malicious attachments instead of résumés, which in turn forced CareerBuilder to act as a delivery vehicle for phishing emails.
Details are HERE
TK Keanini, CTO, Lancope (www.lancope.com):
“This shows how attacks are becoming less direct and more advanced. Attackers prey on the deterministic behaviors of systems where they can predict future action. Before clicking on any attachment, users everywhere need to understand to what degree it is authentic and how well they know the originating source. The default should be to not trust any attachment. While the Internet connects you to great resources, it also connects you to crime.”
Brett Fernicola, CISO, STEALTHbits Technologies (www.stealthbits.com):
“This recent discovery has a simple elegance and brilliance that I can appreciate as a security professional. This discovery goes to show that definition-based security products are a creature of the past. You would think that a Word document designed to take advantage of a known exploit would trip some type of definition pattern, but in many cases it will not.
So where do we go from here, how does one protect themselves from the unknown? I would argue the best one could hope for is quick discovery and containment. Humans are quickly becoming the weakest security link in today’s organizations, it’s only a matter of time until someone makes a mistake. So if we assume the inevitable how do we quickly discover and contain the threat? Well in a large organization gaining access to a single PC is just the starting point.
If all the attacker did was data mine all resources from that single PC they probably wouldn’t get to much valuable information unless that attack was an extremely successful and targeted spear phishing attack. So the next move of the attacker is to slowly and without detection start branching out and probing the internal network from the infected machine for other resources they may have access to. This is hopefully where you catch the attacker, we already know anti-virus is not getting it done, so we need to understand what is normal behavior for this user or PC. By monitoring authentication traffic in Active Directory and applying the proper analysis any hosts that have gone rogue should stand out like a sore thumb.”
Ken Westin, senior security analyst, Tripwire (www.tripwire.com):
“As the 2015 Verizon Data Breach Incident Report has illustrated, phishing is still a top attack vector, primarily because it is still effective. Attackers find creative ways to exploit our trust in brands we are familiar with either through making emails or websites appear to be associated with the brand, or finding ways to leverage the brand’s own systems to deliver malware. This approach is tried and true as it provides attackers with a way into networks even those that have strong perimeter defenses.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.