Cybersecurity Expert Reacted On Latest SANS Data Breach

In response to the SANS cybersecurity training organization’s disclosure of a data breach, in which approximately 28,000 records of PII were forwarded to an unknown external email address as a result of a phishing attack, cybersecurity experts offer perspective and recommendations.

Chloé Messdaghi, VP of Strategy
InfoSec Expert
August 12, 2020 2:09 pm

We don’t know if the employee who clicked the bad link (or links) was on the security team or if they were in another function such as sales, marketing or operations. If they were not on the security side of SANS, there’s a likelihood that they were apathetic about cybersecurity because they’ve never had something like this happen to them before. If the phishing target was someone not on the SANS security team, it begs questions about what kind of training they had.

Many companies train hundreds of employees virtually with multiple choice questions and very basic content, rather than ongoing training and testing. And as we’ve seen, if the employee is checking their email on their phone or a smaller device, they’re more likely to click on a bad link – both because the acuity isn’t as good, and because of the sense of immediacy that these devices drive.

It’s so important to train employees never to click on an embedded link from a stranger, and never click on a short URL such as a Bitly – employees need to look for and identify the entire link.

We might not ever know exactly how the person fell into the trap because they might not share the information, but it could have been a sales email, a message purporting to be from their manager, or on some topic of interest. Phishers definitely understand the human element, and they work to understand people’s pain points and passions to make their emails more compelling. They also know when to send a phishing email to drive immediate responses. That is why we counsel that if a supposed work email comes in after work hours, it’s best not to respond – especially from a mobile device. Or if there’s a time-sensitive, must-respond email, the sender should also text the receiver, both to let them know and to help the recipient know that the email is legitimate. This is a good policy especially now, because we are seeing more phishing attacks this year than ever before.

And if the phishing victim at SANS actually IS someone on the security team, it’s important to realize that they’re likely not apathetic to security practices but that the organization may not be investing in their own security teams, or team members may be suffering from burn out.

Every company needs to be alert for signs that they’re not sufficiently investing in their teams, and that their teams are more susceptible than ever to burnout. When we give ongoing and engaging training that keeps best practices front of mind in an enjoyable way, we reduce the weight on the security pro’s shoulders. Especially now, we need to do everything possible to reduce emotional burnout during the pandemic. It’s also worth considering getting permission from management and letting security teams conduct fake phishing accounts on one another, and see who can trick who – and to make it fun, not malicious or shaming.

At this point, the only thing we know is that SANS caught this around August 6th, and bravo to them because they were fast and forthright in responding. While some personal information was disclosed, it could have been worse – fortunately, no financial information was leaked.

The takeaway is: we all need to stay aware and humble – if a phishing attack can snag someone at the SANS institute, it can happen to any of us who let our guard down.

Ilia Kolochenko, Founder and CEO
InfoSec Expert
August 13, 2020 10:41 am

I don’t think that we should hold SANS accountable to the same standard of security and data protection as we impose on, let’s say, financial institutions and other highly regulated industries. Otherwise, their training would become exorbitantly expensive and few organizations would be able to afford it, causing a domino effect of global insecurity and poor awareness. Like many others, SANS seems to have fallen victim to unforeseen work from home (WFH) measures that have undermined many security mechanisms and controls readily available in the office.

The breach of one single email, however, should not lead to such a significant exposure of PII data, even if it’s a drop in the ocean of disclosed data breaches from the last 18 months. Attackers will now gradually focus their attention on cybersecurity companies and organizations to get their clients’ privileged information or credentials. The rapid and transparent reaction of SANS to this incident is laudable and professional. Moreover, this fairly insignificant incident will now likely boost internal security at SANS and provide additional confidence to its clients and partners.

Troy Gill, Manager of Security Research
InfoSec Expert
August 13, 2020 10:43 am

This goes to show that no organisation is immune to cyber attacks, in particular phishing. Not even an organisation as trusted and qualified as SANS. Malicious actors with a variety of different motivations are known to engage in this sort of activity. They may also have been planning a BEC (or ATO) type of scam, such as a wire fraud. Or they may have been looking to utilise the account to launch further malware attacks against SANS itself or other organisations by leveraging the account. One group that systematically performs the latter is Emotet.

On July 17th Emotet returned with a vengeance from the hiatus they had been on since February. As a refresher, Emotet is a modular banking trojan that utilises a worm spreader module and brute force attacks to spread across a network once the foothold has been established. They rely heavily on Conversation Hijacking Attacks to spread their initial infections.

Emotet slightly surpassed Dridex in total volume over the past several weeks by attempting to attack customers with both malicious attachments and malicious URLs. They have been scraping previous email conversations and replying back to those with an Emotet dropper over the past year. However, they have also begun including previous legitimate attachments from the prior email conversation (along with a malicious link in the body of the message) to add the appearance of authenticity to the recipient and increase infection efficacy.

Jake Moore, Cybersecurity Specialist
InfoSec Expert
August 13, 2020 10:46 am

Phishing scams remain extremely common, and this latest breach shows that cyber criminals are not even afraid of cyber security institutes when targeting organisations. Clever spear phishing attempts are designed to deceive even those who are aware of them; in the moment when reading something which mounts pressure on you to verify or give up information, it can be easy to trip up and overlook a scam with no obvious clues.

Verifying emails has never been more important, and remains your best bet in beating the fraudsters. Companies that don’t have the proper security procedures in place can often leave themselves and their customers vulnerable to social engineering attacks, and constant delivery of training is also vital to make people continually aware of the problem and raise a zero trust policy. Companies must limit the number of employees who have access to personal information to reduce the possibility of a breach.

Jamie Akhtar, CEO and Co-founder
InfoSec Expert
August 13, 2020 10:48 am

It is ironic and disappointing to see this happen to a cybersecurity training organisation, but not all that surprising. The majority of breaches like this are through employee error within companies. Phishing attacks are becoming increasingly sophisticated in the ways that they masquerade as legitimate sources, and while anti-phishing software can help stop many of them, others will always get through. Equipping employees with the skills they need to prevent breaches is absolutely essential for businesses today, particularly as they transition into a hybrid remote/office work environment where there are fewer in-built checks on employee security. People need to be on the lookout for spelling and grammatical errors, overpromising and eager messaging, pop-ups and urgent deadlines or calls to action. They should also look carefully at who the email is from. Phishing attempts often use the name of someone they know (a colleague or friend, for example) but with the wrong domain address. If the email contains a link, you should verify its SSL credentials and never give out personal information on a site that does not have a valid SSL certificate. If an employee or business realises they have been breached, they should immediately take action by changing their personal password and alerting employees in the rest of the company.

People can help prevent the spread of these large-scale attacks by immediately reporting suspicious messages to the Suspicious Email Reporting Service (SERS), which supports the government’s Active Cyber Defence programme.

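
Two of the comments above describe checks a recipient can make by hand: Chloé Messdaghi’s advice to never click a shortened link and to read the entire URL, and Jamie Akhtar’s advice to check a familiar display name against the sender’s domain and to distrust links without proper TLS. The script below is an added example of those checks automated against a raw e-mail message; it is not code from SANS or from any commenter. The contact directory, the list of shortener hosts, the homoglyph folding table and the sample message are all constructed for illustration. A certificate can only be validated by connecting to the site, so offline the link check can only flag plain-HTTP links and lookalike or shortened hosts.

```python
"""Offline triage of a suspected phishing e-mail (added example, not SANS code).

Checks: display name known but sender domain wrong, sender domain that is a
lookalike of a known domain, shortened links, anchor text that shows one host
while the href points to another, and links not served over HTTPS.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed directory: display name (lower-cased) -> domain that contact really uses.
KNOWN_CONTACTS = {
    "alice jones": "example.org",
    "bob smith": "example.org",
}

# Constructed, deliberately short list of URL shorteners; a real deployment needs a fuller one.
SHORTENER_HOSTS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl", "ow.ly", "is.gd"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.IGNORECASE | re.DOTALL)
# Crude homoglyph folding so 'examp1e-org' compares as 'exampleorg'.
FOLD = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "-": "", "_": ""})


def registrable_label(domain):
    """'login.examp1e-org.com' -> 'examp1e-org'. Crude: assumes a one-label public suffix."""
    parts = domain.lower().split(".")
    return parts[-2] if len(parts) >= 2 else domain.lower()


def looks_like(domain, known_domain):
    """True when `domain` is neither `known_domain` nor a subdomain of it, yet folds to contain it."""
    if not domain or domain == known_domain or domain.endswith("." + known_domain):
        return False
    folded = registrable_label(domain).translate(FOLD)
    return registrable_label(known_domain).translate(FOLD) in folded


def check_sender(from_header):
    """Return findings about the From: header (empty list means nothing suspicious)."""
    findings = []
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    expected = KNOWN_CONTACTS.get(name.strip().lower())
    if expected and domain != expected and not domain.endswith("." + expected):
        findings.append(f"display name '{name}' belongs to a contact at {expected}, but the address is {addr}")
    for known in sorted(set(KNOWN_CONTACTS.values())):
        if looks_like(domain, known):
            findings.append(f"sender domain {domain} is a lookalike of {known}")
    return findings


def check_links(body):
    """Return findings about every link in the (plain or HTML) body."""
    findings = []
    # Anchor text that itself looks like a URL but points somewhere else.
    for href, text in ANCHOR_RE.findall(body):
        shown = URL_RE.search(re.sub(r"<[^>]+>", "", text))
        if shown:
            shown_host = urlparse(shown.group(0)).hostname or ""
            real_host = urlparse(href).hostname or ""
            if shown_host != real_host:
                findings.append(f"link text shows {shown_host} but points to {real_host}")
    for url in URL_RE.findall(body):
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        if host in SHORTENER_HOSTS:
            findings.append(f"shortened link {url} hides its destination; expand it before clicking")
        if parsed.scheme.lower() == "http":
            findings.append(f"plain-HTTP link {url}: there is no certificate to check at all")
    return findings


def message_body(msg):
    """Concatenate the text/plain and text/html parts of a parsed message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def triage(raw_message):
    """Parse an RFC 5322 message and return {'sender': [...], 'links': [...]}."""
    msg = message_from_string(raw_message)
    return {"sender": check_sender(msg.get("From", "")), "links": check_links(message_body(msg))}


# Constructed sample: a lookalike sender domain, a shortened link and a disguised HTTP link.
SAMPLE_MESSAGE = """\
From: "Alice Jones" <alice.jones@examp1e-org.com>
To: staff@example.org
Subject: URGENT: payroll record needs your sign-off today
Content-Type: text/html

<p>Please confirm your details here before 5pm: https://bit.ly/3abcXYZ</p>
<p>Or use the portal: <a href="http://login.examp1e-org.com/reset">https://example.org/reset</a></p>
"""

if __name__ == "__main__":
    for category, items in triage(SAMPLE_MESSAGE).items():
        for item in items:
            print(f"[{category}] {item}")
```

Run on the sample, the script reports two sender findings (known display name on the wrong domain, and that domain being a lookalike of example.org) and three link findings (the shortened link, the anchor whose text shows example.org while pointing at the lookalike host, and the plain-HTTP href). The lookalike test is deliberately crude; a production check would use a public-suffix list and a proper confusable-character table rather than the small folding map here.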
Niamh Muldoon, Senior Director of Trust and Security EMEA
InfoSec Expert
August 13, 2020 10:50 am

The SANS Institute data breach demonstrates that no organisation is exempt from cyber attacks. Security awareness training is fundamental to tackling phishing attempts, but this needs to be continually implemented, ensuring employees are aware of the latest threats. It should not be a one-off instance. Individuals should also apply the S-T-O-P principle: (1) Stop, (2) Take a deep breath, (3) Opportunity to think, (4) Put the email into perspective and report the phish. Moreover, organisations need to be aware that even this is not foolproof. Even with constant security training and awareness programmes, 12% of end-users will continue to be exposed to phishing threats. As such, organisations should be adopting multiple layers of protection, utilising trusted products and service offerings to reduce the phishing risk further.
