When I speak to executives after there has been a cyber attack, the first reaction is often an introspective search to answer the “why” questions. Why have cyber actors chosen to attack me, our organization, this culture? The truth is that it’s hard to understand why. Sure, there are the standard motivations of financial gain, theft of intellectual property, corporate espionage, sabotage, fame, or political activism. But why me? Why us?
Most cyber attacks are not particularly sophisticated in their use of advanced computer science or quantum mechanics. They might be clever in their ability to appear authentic or pull on emotions. But in reality, cyber attacks are part of a crude assembly line, and your organization might just have been the last target in a never-ending sequence.
It’s been frequently reported that for 9 in 10 cyber attacks, the root cause of damage can be linked to phishing. Simply put, phishing is an attempt to get someone to take an action that unwittingly leads to damage. Such attacks are easy to configure, cost-efficient, and effective. To mount phishing campaigns, attackers need human targets, represented by email addresses. Attackers acquire these addresses, load them into a database, and then begin sending attacks. The goal is to earn clicks.
Phishing is more of a volume game than a targeted one. Being in the attack database makes you a perpetual target for any phishing campaign by that actor or organized group. My experience at the National Security Agency—and my team’s research into other nation-states, criminal organizations, and the like—has shown that cyber actors evolve their operations into assembly lines. Distinct teams are responsible for the targeting, launch and execution, technical exploitation methods, on-target activities, analysis, and post-campaign exploitation. There is little effort to optimize these assembly lines over time, especially as the attackers find success.
The Cloudforce One team has conducted extensive research on how a relatively simple phishing campaign could cause serious long-term damage to multiple organizations. We investigated an attack campaign launched the day after the 2016 U.S. presidential election by a Russian espionage group we called RUS2—a group that targets political organizations.
By reconstructing the target database, we found that phishing targets included not only current government officials but also former officials and political associates. Targeted individuals continued to receive phishing emails through their personal email addresses long after they changed jobs. Some individuals had been in the database nearly 10 years by the time of the 2016 attack, and continue to be targeted today.
That’s where it gets interesting.
Compromised names, phone numbers, and email addresses stay in phishing databases indefinitely. Whether emails bounce or recipients fail to take the bait, attackers don’t bother to scrub their lists. Once you become a target of a phishing attack, you might remain a target indefinitely.
For corporations and government agencies, the persistence of contact information in phishing databases adds an extra layer of danger. When a targeted individual changes jobs, that person puts their new organization at risk, opening a new vector to a new organization’s network.
Given the simplicity and effectiveness of phishing, cyber attackers will continue to use this tactic for the foreseeable future. There’s not much we can do to stop them from trying. We can, however, prevent them from succeeding.
We have to assume this risk is always present and that every individual is a potential entry point.
Over the past 20 years of my career—working at the National Security Agency and United States Cyber Command, and building technology used to preempt phishing attacks—I’ve found that the best way to mitigate the impact of phishing schemes is by adopting a Zero Trust security strategy. Traditional IT network security trusts anyone and anything within the network: Once an individual or device gains access to the network, that individual or device is trusted by default.
With Zero Trust, you trust no one and nothing. No one ever has completely unfettered, trusted access to all apps or other resources within a network.
The best Zero Trust approach is multi-layered. For example, as a first line of defense, you can preemptively hunt for phishing infrastructure and block campaigns before users can even click on malicious links in texts or emails. You can also use multi-factor authentication (MFA) with hardware-based security to protect networks even if attackers gain access to usernames and passwords. You can apply the principle of least privilege to ensure hackers who make it past MFA controls can access only a limited set of apps. And you can partition the network with micro-segmentation to contain any breaches early.
At Cloudflare, we thwarted a phishing attack last year using MFA with hardware security keys as part of our multi-layered Zero Trust approach. The attack began when a number of employees received a text message that led them to an authentic-looking Okta login page, which was designed for credential harvesting. The attacker attempted to log in to Cloudflare systems using those stolen credentials along with time-based one-time password (TOTP) codes—the attack required that employees participate in the authentication process. Unfortunately for the attacker, Cloudflare had previously transitioned from TOTP to hard keys.
If the hard keys hadn’t been in place, other security measures would have prevented the attack from reaching its objective but, fortunately, the threat didn’t get that far. Our Security Incident Response team quickly blocked access to the domain used for the fake login page and then killed active, compromised sessions using our Zero Trust Network Access service. If the attacker had somehow reached the point of installing malicious software, the endpoint security we use would have stopped the installation. A multi-layered strategy like this one helps to ensure that even if one aspect of an attack is successful, the attack itself won’t cause substantial damage.
Cyber attacks come at you pretty fast, but when you stop to look around they don’t really evolve significantly.
How do you prevent them from succeeding?
First, ensure you have strong anti-phishing controls. Not all MFA controls have the same level of efficacy, so be sure to adopt phishing-resistant MFA and implement selective enforcement using identity- and context-centric policies. Enforce strong authentication everywhere for all users, all applications, and even legacy and non-web systems. Lastly, make sure that everyone is on “team cyber” by establishing a paranoid and blame-free culture that reports suspicious activity early and often.
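Why the move from TOTP to hardware keys mattered in the incident described above, and what "phishing-resistant" MFA means on the server side, shown as an added example that is not Cloudflare's code: a TOTP check sees only the digits, while a WebAuthn relying party also checks the origin the browser recorded. The origins, secret and challenge are constructed placeholders, and the authenticator signature check that makes the client data tamper-evident is omitted.

```python
import base64, hashlib, hmac, json, struct

RP_ORIGIN = "https://login.example.com"  # assumed legitimate origin (placeholder)

def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, RFC 4226 dynamic truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", now // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify_totp(secret: bytes, submitted: str, now: int) -> bool:
    # The server receives only the digits. Nothing in them records which
    # site the user typed them into, so a relayed code verifies normally.
    return hmac.compare_digest(totp(secret, now), submitted)

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def verify_client_data(client_data_json: bytes, challenge: bytes):
    """Relying-party checks on WebAuthn clientDataJSON.

    The browser, not the user, fills in `origin`, and the authenticator's
    signature covers a hash of this JSON (signature check omitted here).
    """
    data = json.loads(client_data_json)
    if data.get("type") != "webauthn.get":
        return False, "wrong type"
    if data.get("challenge") != b64url(challenge):
        return False, "challenge mismatch"
    if data.get("origin") != RP_ORIGIN:
        return False, "origin mismatch"
    return True, "ok"

def demo():
    secret, now = b"constructed-demo-secret", 1_700_000_000  # constructed
    challenge = bytes(range(16))                             # constructed
    def client_data(origin: str) -> bytes:
        return json.dumps({"type": "webauthn.get", "origin": origin,
                           "challenge": b64url(challenge)}).encode()
    relayed_code = totp(secret, now)  # typed into a lookalike page, then relayed
    return (verify_totp(secret, relayed_code, now),
            verify_client_data(client_data(RP_ORIGIN), challenge),
            # constructed lookalike origin, as the browser would record it
            verify_client_data(client_data("https://login.example-sso.test"), challenge))

if __name__ == "__main__":
    print(demo())
```

The relayed TOTP code is accepted, while the assertion produced on the lookalike origin is rejected before any session is issued.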
There’s little we can do to prevent phishing, but there is a lot that can be done to preempt damages. With a Zero Trust approach, you can help ensure the next time the phishing assembly line churns out an email to your address, it doesn’t result in any damages. Learn more about the multi-layered Cloudflare Zero Trust Platform.
This article is part of a series on the latest trends and topics impacting today’s technology decision-makers.
Oren Falkowitz — @orenfalkowitz
Security Officer, Cloudflare
After reading this article you will be able to understand:
Once your personal information is obtained, it lives in the attackers’ database indefinitely
Phishing attacks are part of a crude assembly line
Little can be done to prevent phishing, but there is much to do to preempt damages