What security agencies, regulators, and businesses get wrong about cybersecurity

The Cybersecurity and Infrastructure Security Agency (CISA) and the FBI recently released an advisory about Phobos ransomware, highlighting the attack methods threat actors use to target public sector entities. The report lists the top three ways attackers gather intelligence: building victim profiles by searching for information about them, scanning for vulnerable remote desktop protocol (RDP) ports, and phishing users to gain access to those vulnerable RDP ports.

Once they finish reconnaissance, threat actors gain initial access to victim environments through valid accounts (exploiting stolen user credentials to infiltrate the organization), external remote services (leveraging internet-exposed services to reach the target environment), and phishing attachments (using a malicious email attachment to execute the attack).

What is the common thread between these reconnaissance and initial access methods? Social engineering. Whether it's installing malicious attachments, exploiting RDP ports (possibly using harvested or purchased credentials), or using valid accounts (79% of credentials are stolen using phishing), social engineering stands as by far the most common root cause across all initial access methods.

And it's not just Phobos. Look at any ransomware attack, supply chain incident, or business email compromise: social engineering features prominently in all of them.

What nearly everyone gets wrong about cybersecurity

If we study the Phobos advisory, CISA lists 20 controls to mitigate ransomware attacks. These recommended mitigations suggest technical controls that do nothing to address the core root cause behind 80 to 95% of all attacks. The only technical control that addresses social engineering: phishing-resistant multi-factor authentication (MFA) – the 13th control in a list of 20.

So can phishing-resistant MFA stop a Phobos attack? Probably not. That's because Phobos uses a combination of phishing and malicious attachments to breach organizations. Once users are tricked into running the malware, it's usually game over. Phishing-resistant MFA may block some RDP attacks or attacks that leverage valid accounts, but once attackers have already entered the victim's environment, they probably don't need RDP or valid accounts anymore.

Similarly, the majority of cyber regulations, frameworks, and compliance standards, such as HIPAA, GDPR, SOX, and PCI-DSS, don't place much emphasis on social engineering. Technical controls such as firewalls, encryption, and backup and recovery get a lot of attention, but social engineering receives scant mention. Security teams are no different, investing billions into cybersecurity technology every year while neglecting to address social engineering, the major culprit behind successful cyber break-ins.

The need to prioritize threats and mitigations

Existing cybersecurity strategies often treat threats like bubbles in champagne, assuming they're all the same size and require individual ways to manage the issues. But this view lacks vision: some threats are significantly larger – like social engineering and unpatched software. These major threats stem from a single, powerful source: human error.

Security agencies, regulators, and cybersecurity teams need to move away from a one-size-fits-all view of threats and mitigations. We need to prioritize. Focusing on the root cause behind social engineering attacks can be more effective than treating each threat type equally. This means shifting focus to initiatives that change employee mindset, behavior, and exposure to cyber threats.

Best practices to mitigate social engineering

Here are some practices that can help to mitigate the biggest threat in cybersecurity:

  • Focus on high-priority threats: Avoid spending time, money and resources on threats that have a slim chance of happening. Instead, focus on the biggest and most common ones – social engineering, unpatched software, exposed devices and ports, poor password practices and password reuse. Remember, ransomware is a symptom; human error, made overt by social engineering manipulation, is the root cause.
  • Boost security behavior and culture: Employees are the last defense against social engineering scams. If organizations focus on training people and boosting security intuition, they will mitigate social engineering attacks to a great extent. Phishing simulation programs and regular training exercises can improve security instincts and best practices.
  • Reduce online exposure: Use OSINT tools to research vulnerabilities about the organization and its employees online. This can include anything from open ports to unpatched devices to leaked credentials to published mobile phone numbers. Reduce the business’s exposure to these items because attackers can easily weaponize such information to build targeted social engineering attacks. Teach employees to stay cautious and conservative when posting online.

Social engineering attacks remain a persistent threat, especially as ever-popular AI tools create new methods for manipulation. News headlines are awash with large enterprises falling victim to cyber scams despite widespread use of cybersecurity defenses. Staying ahead of evolving threats involves awareness of social engineering scams through education and training exercises.

No doubt, the industry will improve. CISA's latest guidance against the nation-state Volt Typhoon gang highlights continuous cybersecurity training and skill development as a very important action for business leaders. If the security industry could follow suit and prioritize training, we would certainly see a reduction in global instances of fraud, scams, and cyberattacks.

Stu Sjouwerman, founder and CEO, KnowBe4
