Tackling the social engineering bonanza caused by the Microsoft Exchange hack [Q&A]
In early March, Microsoft disclosed that Chinese hackers had exploited software vulnerabilities in Microsoft Exchange on-premises servers to gain access to the email accounts of thousands of Microsoft customers.
While these companies are now laser-focused on deploying patches and other security measures to remediate the vulnerabilities in their email software, Josh Douglas, VP of product management -- threat intelligence at Mimecast, believes these technical fixes will only go so far.
Douglas believes companies impacted by the Exchange hack need to be aware of the social engineering risks that could linger for years to come. We spoke to him to get a view of this 'social engineering bonanza' and to learn best practices for mitigating the risks associated with it.
BN: Why are victims of the Microsoft Exchange hack at risk from lingering social engineering attacks?
JD: The threat actors behind the Microsoft Exchange hack gained access to victims' email accounts, giving them a view into organizations' email dynamics and patterns. The repercussions of this go beyond access to corporate, financial and customer data. It also gives them the opportunity to map an organization and its people, see how they interact with each other, and understand email senders' tone and style, which include customers, partners and suppliers -- all of which can be used to impersonate senders and fake familiarity with intended victims.
For example, they could mimic the tone and style used by various high-value executives to execute whaling attacks, or to trick employees into falling for phishing campaigns. They could impersonate IT personnel to get employees to change their passwords on a spoofed site. And, because they can see how invoices are emailed, who they come from and even PO numbers, they could send emails as external entities as part of business email compromise campaigns. Even scarier, they could target organizations related to the compromised company or have already done so as a mail in the mailbox.
The bottom line: by analyzing a company's email communications, these threat actors can naturally fit into the flow of communications within a company to easily deceive employees -- and even customers and partners -- into thinking an email is legitimate.
It's important for victims of the Exchange hack to understand that even if they remediate the vulnerabilities in their email servers, they could see social engineering attacks stemming from this attack for years to come.
BN: Is there a technical fix for this type of attack?
JD: There is no perfect technical fix, but organizations can harden themselves from social engineering attacks and gain proactive email security by applying security controls across three areas or 'zones':
- At the email perimeter -- Enforce security controls at the point of entry or exit of the organization or email platform as well as capabilities that use machine learning to detect digital deception based on communication styles and patterns.
- Inside the network and the organization -- Implement security capabilities focused on applications, systems and people that are internal to the organization and include awareness training to build up your human security barrier.
- Beyond the perimeter -- The realm of the internet that is beyond the direct view and control of an organization's IT and security teams, but where cybercriminals develop and host many of their attacks. The goal is to identify attacks before they become an incident.
Zone two is particularly important when it comes to battling social engineering attacks resulting from the Exchange hack.
Of course, it goes without saying that end user awareness, education and training is still the best defense against social engineering attacks. Security awareness training programs can reduce the risk of human error and make employees an active part of your security strategy. Engaging employees in this way is one of the most effective ways to reduce cybersecurity risk.
BN: Why do you think social engineering attacks continue to be so successful?
JD: There are several reasons. First, threat actors are using more substantial and artful digital deception tactics on people and organizations, which enable these adversaries to overcome sophisticated defenses. They are combining behavioral and psychological ploys with technology techniques, which makes these attacks harder and harder for victims to identify.
The second reason social engineering attacks are so successful is because too many organizations still take a compartmentalized view of security. While organizations think in terms of 'symptoms' -- e.g., email security, user awareness, link scanning, identity management and so on -- threat actors are thinking in terms of deception campaigns. The problem with viewing attacks in isolation is it keeps security people focused on the individual trees rather than the forest. The most damaging attacks today are the ones that are part of a sweeping deception campaign that includes multiple components (spoofed sites, social engineering, multi-stage malware, etc.), rather than opportunistic one-offs.
BN: What do you recommend organizations do to defend against digital deception?
JD: The first step is to build a counter-deception strategy -- one that counteracts all of the components of digital deception (i.e., the psychological and technical elements) and implements defense strategies across each of the three attack stages:
- Preparation Stage -- When threat actors conduct reconnaissance, researching employees and companies on social media or other channels (like a compromised Exchange server!) to improve social-engineering effectiveness. They might also register domains that their targets trust or create look-alike web pages in preparation for the execution stage. An effective counter-deception strategy will work to identify these 'indicators of digital deception' early in their cycle and apply countermeasures to render them ineffective.
- Execution Stage -- As mentioned earlier, the most damaging attacks are usually those requiring patience and planning -- and this is why the dangers associated with the Exchange hack are so serious. In the execution phase of digital deception campaigns, bad actors use multi-vector sequences that include elements such as elaborate chains of communication with the victim to establish trust, the use of look-alike domains, fake LinkedIn profiles, and scraped web pages. All of this is designed to meaningfully add to the impression of authenticity. A counter-deception strategy defends against these tactics by combining end-user training and good internal processes with technology that can identify suspicious behavior to disrupt this execution phase before any damage is done.
- Exploitation Stage -- Most counter-deception measures will come into play in the first two stages. But, there are opportunities to stall the attack at the third stage -- right at the point of exploitation. Here too, security awareness training and good internal processes are critical. Additionally, technology can help disrupt the psychology used by an attacker, identifying the smoke and mirrors that veil the deception, causing a victim to pause and prevent the exploitation.
The bottom line is that a multi-layered counter-deception strategy can help organizations make their employees, customers and supply chain more resilient against digital deception -- whether they're targeted today, next week, in six months or in two years.
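One concrete 'indicator of digital deception' from the preparation stage above is a sender domain that merely resembles one the organization trusts. The check below is an added example, not code from the interview or from Mimecast; the trusted domains and the From: headers it classifies are constructed. It goes slightly beyond the text by also catching a trusted address hidden in the display name and a trusted name reused as a subdomain of an unrelated domain.

```python
"""Flag From: headers whose sender only looks like one of an organization's trusted domains."""
from email.utils import parseaddr

# Constructed sample: domains this hypothetical organization and its suppliers really send from.
TRUSTED_DOMAINS = ["example-corp.com", "supplier-example.net"]

# Visual substitutions commonly used in look-alike domains; undone before comparing.
_SUBS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalize(host: str) -> str:
    host = host.lower()
    for lookalike, real in _SUBS:
        host = host.replace(lookalike, real)
    return host


def levenshtein(a: str, b: str) -> int:
    """Edit distance: each insertion, deletion or substitution costs 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(header_from: str, trusted=TRUSTED_DOMAINS) -> str:
    """Return 'trusted', 'external', 'unparseable' or a reason naming the mimicked domain."""
    name, addr = parseaddr(header_from)
    if "@" not in addr:
        return "unparseable"
    host = addr.rsplit("@", 1)[1].lower().rstrip(".")
    is_trusted = any(host == t or host.endswith("." + t) for t in trusted)
    for t in trusted:
        # A trusted address shown in the display name, but sent from a foreign mailbox.
        if t in name.lower() and not is_trusted:
            return f"display-name-spoof:{t}"
    if is_trusted:
        return "trusted"
    registrable = ".".join(host.split(".")[-2:])  # catches mail.exarnple-corp.com too
    for t in trusted:
        if host.startswith(t + "."):  # trusted name used as a subdomain of another domain
            return f"lookalike-subdomain:{t}"
        # Distance 1 after normalization: a dropped hyphen, swapped TLD or one wrong letter.
        if levenshtein(normalize(registrable), normalize(t)) <= 1:
            return f"lookalike:{t}"
    return "external"
```

A distance threshold of 1 is deliberately conservative; raising it for short trusted domains will produce false positives, so tune it per domain length in practice.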