- Startup vendors telling everyone how they would have prevented the breach
- “Security experts” giving obvious advice (“enable MFA!”, “use a password manager!”)
As Nathan Burke likes to say in one of my favorite quotes ever — “stick your head out the window and you’ll hear the sound of a million PowerPoint decks being updated.” That sound is coming!
Full transparency: I'm a vendor, so I fall squarely in bucket #1. But I also spent about 20 years as a practitioner and executive dealing with these types of issues on the front lines, dating back to when I was on the Microsoft Outlook team working to protect customers against the first email-borne viruses, like ILOVEYOU.
To start, Uber has a strong security program. I know many folks on the team and they are some of the best in the world, so sharing hot takes and elementary tips is a waste of breath. At this moment, we know it was a social engineering attack involving MFA push notifications that gave the attacker access, but we haven't seen all the details.
What I’d like to do is share a few tips on dealing with social engineering attacks for companies that have fairly mature practices in place and need to take them to the next level. Here we go!
Know Your Risky Users
Social engineering attacks start and end with taking advantage of a well-meaning employee who is just trying to do their job. Attackers know this and exploit it time and time again: they go on LinkedIn, look up the person, their role and what they do, check their social media profiles, and so on. There is a wealth of information on the internet that lets them hyper-target individuals with convincing, well-researched pretexts.
Because employees are so often the targets, organizations need a way to understand that risk at the level of the individual, not just the organization.
When you buy car insurance, the insurer doesn’t just evaluate the car — most signals they get are on the driver. Same thing is true for the employees of our organizations.
Every company needs to measure, historically, the risk of every employee. We can't manage what we can't measure, and if 82% of breaches involve the human element (Verizon's 2022 Data Breach Investigations Report), we had better start measuring it.
Once we've measured the risk of all employees, we can take the obvious next step: deciding how best to protect them. Every functional security team I've ever worked with has the basic control technologies in place, protecting endpoints, networks, email and web traffic. But these technologies are usually disconnected from one another and purely reactive.
Even mature security operations and incident response teams end up playing the security equivalent of whack-a-mole.
With social engineering attacks we should take a much more proactive stance. How do we embed what we know about employee risk into our control technologies so that they make more intelligent, proactive decisions?
For example, why aren't our identity systems aware that a user consistently clicks on phishing links, or that their endpoint just quarantined malware? That user should not receive the same access decision as a user with a clean history. Clearly, we can make better decisions if our systems are interconnected.
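As an added example (this is not the author's or any vendor's tooling, and the event records, signal names and weights below are constructed for illustration), here is one way to build the per-employee, historical risk measure the section argues for: score each user from signals the email, endpoint and identity stacks already emit, let older signals decay so last quarter's phishing click counts less than yesterday's, and separately flag the push-prompt pattern that social engineering attacks on MFA rely on, a burst of denied pushes followed by an approval.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data): the kind of signals that the
# email, endpoint and identity stacks normally keep in separate silos.
EVENTS = [
    {"ts": "2022-09-10T09:12:00", "user": "alice", "type": "phish_sim_click"},
    {"ts": "2022-08-01T11:00:00", "user": "alice", "type": "phish_sim_click"},
    {"ts": "2022-09-14T22:01:00", "user": "alice", "type": "mfa_push_denied"},
    {"ts": "2022-09-14T22:01:40", "user": "alice", "type": "mfa_push_denied"},
    {"ts": "2022-09-14T22:02:15", "user": "alice", "type": "mfa_push_denied"},
    {"ts": "2022-09-14T22:03:05", "user": "alice", "type": "mfa_push_approved"},
    {"ts": "2022-09-13T15:30:00", "user": "bob",   "type": "malware_quarantined"},
    {"ts": "2022-06-02T10:00:00", "user": "carol", "type": "phish_sim_click"},
    {"ts": "2022-09-12T08:00:00", "user": "carol", "type": "phish_reported"},
]

# Illustrative weights, not a standard; a negative value rewards good behaviour.
WEIGHTS = {
    "phish_sim_click": 20.0,
    "phish_reported": -5.0,
    "malware_quarantined": 40.0,
    "mfa_push_denied": 5.0,     # each denied prompt is a small signal on its own...
    "mfa_push_approved": 0.0,   # ...the burst pattern is detected separately below
}
HALF_LIFE_DAYS = 30.0
NOW = datetime.fromisoformat("2022-09-15T00:00:00")  # fixed "now" so results are reproducible


def decayed_weight(event_ts, base, now=NOW):
    """Exponential decay: a signal from 30 days ago counts half as much as one from today."""
    age_days = (now - event_ts).total_seconds() / 86400.0
    return base * 0.5 ** (age_days / HALF_LIFE_DAYS)


def risk_scores(events=EVENTS, now=NOW):
    """Per-user score on a 0-100 scale: the clamped, decayed sum of weighted signals."""
    totals = defaultdict(float)
    for e in events:
        base = WEIGHTS.get(e["type"], 0.0)  # unknown signal types contribute nothing
        totals[e["user"]] += decayed_weight(datetime.fromisoformat(e["ts"]), base, now)
    return {user: round(min(max(total, 0.0), 100.0), 1) for user, total in totals.items()}


def push_fatigue_users(events=EVENTS, window=timedelta(minutes=10), min_denied=3):
    """Users who approved an MFA push after denying at least `min_denied` pushes within `window`.

    A burst of denials that ends in an approval is the signature of an attacker hammering
    push prompts until the victim gives in; the final approval alone looks like a normal login.
    """
    pushes = defaultdict(list)
    for e in events:
        if e["type"] in ("mfa_push_denied", "mfa_push_approved"):
            pushes[e["user"]].append((datetime.fromisoformat(e["ts"]), e["type"]))
    flagged = set()
    for user, items in pushes.items():
        items.sort()
        for i, (ts, kind) in enumerate(items):
            if kind != "mfa_push_approved":
                continue
            recent_denials = [t for t, k in items[:i]
                              if k == "mfa_push_denied" and ts - t <= window]
            if len(recent_denials) >= min_denied:
                flagged.add(user)
    return flagged


if __name__ == "__main__":
    for user, score in sorted(risk_scores().items(), key=lambda kv: -kv[1]):
        print(f"{user:6s} risk={score:5.1f}")
    print("possible MFA push fatigue:", sorted(push_fatigue_users()))
```

Two design points matter more than the particular numbers. The decay keeps the score honest about history without letting a single old mistake follow someone forever, and the push-fatigue check looks at the sequence of prompts rather than the individual approval, because the approval is exactly the event an identity system would otherwise record as a successful, legitimate MFA.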
Beyond Zero Trust Marketing
Because social engineering relies on actively targeting employees, we need systems that are constantly fed with new intelligence and that validate security posture at every identity and access decision. Some would call this zero trust, but most enterprise implementations I see are slight upgrades to VPNs or identity systems: they check the trustworthiness of a device's posture once, at the point of entry into a network or application, and never look again.
If you read NIST's guidance (SP 800-207, Zero Trust Architecture), you'll see it touches on a few key principles:
- Continuously Verify – verify access and trust for every resource on every request, not just at login
- Context Awareness – incorporate behavioral data, threat intelligence and context from other systems (endpoint, email, identity) for stronger validation
- Automated Dynamic Response – access is determined by dynamic policy evaluation and enforcement based on risk and resource sensitivity
Social engineering often succeeds because a single control stands between the attacker and everything behind it: one approved push prompt, one posture check at the VPN. As an industry we need to keep moving towards a stronger, dynamic, more intelligent security control plane in which trust is continuously verified and validated, not just a new flavor of NAC bolted onto VPNs or identity systems.
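The three NIST principles above, as an added example of a policy decision point (this is not the author's, NIST's or Uber's code; the resource tiers, thresholds, MFA method names and the idea of treating FIDO2 as the phishing-resistant factor are assumptions made here for illustration). The policy takes the current user risk score (from whatever measurement the organization keeps), device posture, MFA strength and resource sensitivity, returns allow / step-up / deny with reasons, and is re-run whenever a new signal arrives mid-session. It is contrasted with the check-once-at-entry model the section criticises.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Device:
    managed: bool       # enrolled in device management
    edr_healthy: bool   # EDR agent present and reporting


@dataclass(frozen=True)
class Context:
    user: str
    user_risk: float    # 0-100, from the organization's per-employee risk measurement
    device: Device
    resource_tier: int  # 1 = low sensitivity, 2 = internal, 3 = highly sensitive (assumed tiers)
    mfa_method: str     # "none", "push" or "fido2" (assumed names)
    auth_age_min: int   # minutes since the last successful strong authentication


ALLOW, STEP_UP, DENY = "allow", "step_up", "deny"


def decide(ctx):
    """Return (decision, reasons) for the *current* context.

    Deliberately stateless: the enforcement point re-runs it on every request and
    on every new signal, which is what 'continuously verify' means in practice.
    """
    posture_issues = []
    if not ctx.device.managed:
        posture_issues.append("unmanaged device")
    if not ctx.device.edr_healthy:
        posture_issues.append("EDR agent not reporting")

    # Hard stop regardless of resource: the user is very likely compromised.
    if ctx.user_risk >= 70:
        return DENY, ["user risk >= 70"] + posture_issues

    if ctx.resource_tier >= 3:
        if posture_issues:
            return DENY, posture_issues
        if ctx.mfa_method != "fido2":
            return STEP_UP, ["tier 3 requires phishing-resistant MFA; a push approval is not enough"]
        if ctx.auth_age_min > 60 or ctx.user_risk >= 40:
            return STEP_UP, ["re-authenticate: session older than 60 min or user risk elevated"]
        return ALLOW, []

    if ctx.resource_tier == 2:
        if posture_issues and ctx.user_risk >= 40:
            return DENY, posture_issues + ["elevated user risk"]
        if posture_issues or ctx.user_risk >= 40 or ctx.mfa_method == "none":
            return STEP_UP, posture_issues or ["elevated user risk or missing MFA"]
        return ALLOW, []

    return ALLOW, []  # tier 1: low-sensitivity resources


class Session:
    """Enforcement point that re-evaluates the policy whenever context changes."""

    def __init__(self, ctx):
        self.ctx = ctx
        self.decision, self.reasons = decide(ctx)
        self.history = [self.decision]

    def on_signal(self, **changes):
        # Examples: on_signal(user_risk=85.0) after the endpoint stack quarantines malware,
        # or on_signal(device=replace(self.ctx.device, edr_healthy=False)).
        self.ctx = replace(self.ctx, **changes)
        self.decision, self.reasons = decide(self.ctx)
        self.history.append(self.decision)
        return self.decision


def entry_point_only(ctx, **later_changes):
    """The VPN-style model: posture is checked once at connect time and never again.

    `later_changes` is accepted and ignored on purpose; that is the whole problem.
    """
    decision, _ = decide(ctx)
    return decision


if __name__ == "__main__":
    laptop = Device(managed=True, edr_healthy=True)
    ctx = Context("alice", user_risk=20.0, device=laptop, resource_tier=2,
                  mfa_method="push", auth_age_min=10)
    session = Session(ctx)
    session.on_signal(user_risk=85.0)  # new intelligence: alice's endpoint just quarantined malware
    print("continuous:", session.history, session.reasons)
    print("entry-only:", entry_point_only(ctx, user_risk=85.0))
```

The contrast is the point: with the same mid-session signal, the continuously verifying session goes from allow to deny, while the entry-point model stays at allow because nothing ever asks it again. The tier 3 branch also shows where a push approval, the factor abused in the attack this post is about, is simply not accepted as sufficient for the most sensitive resources.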