7 February, 2017
The next post in our series highlighting our 2017 Cybersecurity Predictions introduces our prediction about the continued and evolving threat of spear-phishing and social engineering. The current U.S. tax season brings this threat front and center for both businesses and individuals as criminals use targeted social engineering tactics to gain access to employee data and file fraudulent tax returns.
Though our practitioners do see an uptick in social engineering activity during tax time, attacks are becoming more sophisticated across the board and the base of people considered “high value” targets is broadening, making vigilance and awareness training a priority for security programs to address throughout the year. Read on to learn more about how we expect this threat to develop in 2017.
As organizations continue to migrate to and embrace evolving technologies, including the cloud and IoT, and in parallel shore up perimeter defenses to raise the bar on network security, criminals will increase their focus on the human element as an entry point to pivot into broader network systems. In 2017, advanced social engineering tactics will become more targeted, cunning, and more effective, exploiting the weakest link – employees – that organizations always find challenging to safeguard.
Defenses are improving around protecting infrastructure and new technologies that organizations are increasingly adopting, such as cloud services. Providers like Amazon, Microsoft, and Google continue to bolster security to help protect companies that migrate their critical data to the cloud.
As a result, in 2017 attackers will continue to increase their focus on targeting the human element, especially at the executive level of organizations.
We will see an increase in spear-phishing attacks directed at insiders, third-party service providers, and business partners, aimed at gaining wider and faster access to data, such as information on a company’s R&D, M&A activity, strategy, employee data, customers, and finance or other critical assets.
The individual, device, and the interface in between the user and the cloud will become the primary targets for criminals hoping to obtain credentials. Therefore, employees will continue to be the Achilles heel of any security program and the critical line of defense against such attacks.
Criminals will broaden the range of social engineering and phishing tactics they employ, including spear- phishing attacks, to increase their chances of success.
We will see cases of phishing tactics that will continue to be more authentic in appearance, with embedded malware that once clicked will infect or spread through an organization’s system. We will also see an uptick in phishing scams targeting mobile devices, as well as social media sites that are accessed by employees on company mobile devices.
Employees accessing social media at work has become part of routine business operations for most organizations, and the increasing reliance on accessing social media sites via mobile devices and apps, has created multiple security gaps ripe for exploitation by attackers.
Adversaries will use more sophisticated coercion techniques to target employees, using knowledge gained from their social media profiles to extort them or exploit their human vulnerabilities to deceive them into providing sensitive information. To build a more robust profile of a target, criminals may even conduct a series of smaller attacks to gather personal information before launching one major attack to gain network credentials.
In 2017, we expect to see adversaries hone in on “high value” targets, which no longer only means high net worth individuals or board members, but also those targets who can be used as entry points for access into systems and other critical assets, including heads of business units and employees in finance, operations, and HR departments.
In 2017 attackers will build automation into their tools to more efficiently exploit credentials, company data, and sensitive information once credentials are obtained.
For example, once a set of credentials is discovered, they will be used in an automated fashion to gather more data – logging into other sites where the credentials work to collect more data and expand the dossier on the person to gain additional access. Security breaches of this nature are more likely to succeed in environments where there is negligence, carelessness, and lack of awareness regarding security and social engineering exploits.
While the cloud, IoT, and other emerging technologies will continue to be leading data targets for hackers in 2017, attackers will increase their focus on the human element of technology along with other access points, including social media, building in automation to quickly exploit credentials, company data, and personal information. Increasing employee awareness and education, enforcing policies and implementing new technologies around employee behavior analytics to combat evolving and existing exploits will be essential.
To watch our recent webinar discussing this and our other 2017 Cybersecurity Predictions, CLICK HERE.
For further information, please contact:
Paul Jackson, Managing Director, Stroz Friedberg