In our previous article, we laid the groundwork for what we believe to be a serious threat to ICS/SCADA devices: social engineering. We continue here with some definitions, some of which you may already know.
Phishing
Phishing is a relatively broad term for any attempt to trick victims into sharing sensitive information, such as passwords, usernames and credit card details. The intent is almost always malicious. Another characteristic of phishing is that it tends to be random, usually exploratory in nature, as opposed to a targeted act. Instead of targeting a specific individual or group of individuals, phishing tends to target multiple victims from within the same organization. Think of phishing as the “throwing spaghetti on the wall and whatever sticks” approach.
Spear-phishing
Spear-phishing is a much more targeted form of phishing. Spear-phishing attempts are designed to appear as though they are coming from somebody the recipient knows and trusts, including a colleague, business manager, the human resources department, or somebody personally associated with the potential victim. Similarly, spear-phishing attacks will likely target an individual or small group of individuals. The better spear-phishing attempts even include a subject line or content that is specifically tailored to the victim’s known interests or industry. If a malicious actor is determined enough, they will data mine a victim’s public profiles like Facebook, LinkedIn, Twitter, or Instagram to get a better sense of what the potential victim may fall for. Ultimately, the intent is to gain as much intelligence as possible (the higher value the target, the deeper the malicious actor will go in their data mining) by leveraging names of trusted people within the victim’s circle or to grab their attention in some other form (such as a newsletter from an industry publication or a bank alert). Anything that will elicit an emotional response.
Pretexting
The waters become a bit muddy when trying to distinguish between spear-phishing and pretexting, but one really leads to the other. Think of it like this: where spear-phishing tries to get you to give up sensitive information almost immediately (through some well-crafted email), pretexting may require a bit of priming of the target. Call it an “advanced form” of spear-phishing that is a significant threat on the rise, where the FBI estimates that pretexting within the context of business email compromise (BEC) amounts to a $3.1 billion scam. To elaborate, once a malicious actor finds a way into the inner circle of the victim (such as identifying a “frequent contact list” or co-workers), a bad actor impersonates the “trusted source” and manipulates a target of interest with the specific intent of gaining the victim’s trust. Often, the sender will try to impersonate a company official and ask targeted questions. These targeted questions build trust, and once the attacker is confident enough this false sense of trust can be exploited, the attacker will do their dirty work like trying to get the victim to leak sensitive data. Despite using pretexting to gain financial access being specifically banned by the Gramm-Leach-Bliley (GLB) Act, the Act’s restriction does not apply to information that enters the public domain as a matter of public record. If your employees are active and untrained “posters” of all their activities on social media, does the GLB apply? It may not, and that should concern you because your organization may lose a powerful legislative tool intended to protect you.
Small Missteps, Huge Mistakes
What if someone is guilty of releasing sensitive or private material unrelated to them? For example, Paul tweets to George “Happy Birthday!” or “great to see you at that conference!” George never wanted any of this information revealed. In doing so, Paul may have inadvertently created vulnerabilities for George, especially if George was tagged as a high-value target. These little gems of “evidence” (which you may be completely unaware of) are fertile pieces of information that will be used by a highly motivated malicious actor. As a malicious actor seeks out these seemingly unrelated details, what they are in fact doing is collecting, collating, and eventually prepping to exploit the target. Therefore, you are faced with a situation where you not only have to protect your information but also ensure a third-party is protecting your information. By no means is this an easy task. And if you cannot do that, you need to ensure that you are equipped with the necessary tools to protect against what we've been calling “potentially unwanted leaks” (PUL). Similar to potentially unwanted programs (PUP), PULs may be more of a nuisance at the beginning until they become a huge problem. Why? Because all these PULs can be collected, processed, analyzed, and even disseminated between bad actors for the malicious use of exploitation. Once completed, this process may then be used again and again to move up the chain of targets. So, why are these types of attacks so powerful? They prey on the emotional response of an individual, a fact that reinforces our belief: a technological solution will do little to protect you in the case of this type of attack. Whether it is desire or simple curiosity, if you are untrained to recognize a spear-phishing attempt, you may be pulling the trigger against your network yourself. According to the Verizon DBIR, phishing and pretexting combined represented almost 98% of incidents and breaches that involved a social action, with 88% of pretexting attacks being carried out via email. Additionally, many pretexting attacks were found by internal financial audits rather than a cybersecurity product or fraud detection method. We accept that these statistics are not airtight, as attacks and breaches are very typically underreported by victims, but the numbers are enough to get our attention, and they should get yours. We cannot overemphasize enough the role emotion plays into all of this. Most Individuals like to be seen and heard. Therefore, imagine for a moment that you have been venting on Facebook about work, but then you “suddenly” get an email from your CEO or CFO seeking your input on a project. Or perhaps it is a “competitor” company or an “industry expert” seeking your advice on something work-related. You may feel a sense of value that you did not previously have, and all of a sudden, you may be more forthcoming with information you would otherwise hold on to. Unfortunately, all of this may be an illusion and the final defense measure is the person looking at the screen wondering, “should I click this or not?” If you haven’t noticed yet, there is little technological trickery or sophistication applied; rather, it is all about human emotion and reaction so far. Now, with this introductory background on definitions, where does it leave us? Well, we are seeing an increase of incidents against ICS/SCADA devices on the rise. And that is worrisome. In our next article, we discuss the trends and clarify a few more of the nuances (until we figure out the basics – like the difference between “steal” and “copy” – we’re going to have some serious problems). Lastly, we will walk you through what happened at Prykarpattyaoblenergo. About the Authors: Paul Ferrillo
is counsel in Weil’s Litigation Department, where he focuses on complex securities and business litigation, and internal investigations. He also is part of Weil’s Cybersecurity, Data Privacy & Information Management practice, where he focuses primarily on cybersecurity corporate governance issues, and assists clients with governance, disclosure, and regulatory matters relating to their cybersecurity postures and the regulatory requirements which govern them. George Platsis
has worked in the United States, Canada, Asia, and Europe, as a consultant and an educator and is a current member of the SDI Cyber Team (www.sdicyber.com). For over 15 years, he has worked with the private, public, and non-profit sectors to address their strategic, operational, and training needs, in the fields of: business development, risk/crisis management, and cultural relations. His current professional efforts focus on human factor vulnerabilities related to cybersecurity, information security, and data security by separating the network and information risk areas. Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.