Service Desk

In 2020 cybercriminals launched a spear phishing attack against Twitter that successfully scammed victims out of $180,000 worth of Bitcoin.

The attacker used a phone-based social engineering scam against Twitter employees in order to gain access to privileged accounts. The perpetrator then used these accounts to access various celebrity accounts and sent tweets promising followers that if they donated Bitcoin, then they would receive double that amount in return as COVID relief.

The attack against Twitter is not an isolated incident. Similar attacks have since been carried out against dozens of other companies. These attacks collectively illustrate the damage that can be caused by social engineering attacks.

Why helpdesks are vulnerable

While a cybercriminal can conceivably launch a social engineering attack against any part of an organization, such attacks often target the helpdesk. Attackers know that if they are successful at fooling the helpdesk staff, then they can easily gain access to privileged accounts.

All the attacker has to do is pose as a legitimate user and request a password reset. If the technician complies, they hand the attacker a working password for a privileged account.

Even as far back as 2017, “social engineering accounted for 38% of attacks bypassing company defenses” (source).

Today, this number is likely even higher, since the Twitter attack served to embolden others who might have been considering such an exploit. This, combined with the prevalence of remote work, has made the help desk an ever more tempting target for attackers.

Taking an offensive approach to helpdesk attacks

It is clearly in an organization’s best interest to thwart these types of social engineering attacks at all costs, but sometimes it can be difficult to know where to even begin.

One of the best options is to attack your own service desk as part of a Red Team exercise. Red Team exercises, which are sometimes called Red Team / Blue Team exercises or Red Team / White Team exercises, are essentially an event in which an organization’s security staff and / or an outside security consulting firm launch an attack against an organization’s cyber defenses.

This is done as a way of determining whether the organization is vulnerable to attack. If a blue team (sometimes referred to as a white team) is involved, then their role is to try to detect the attack in progress and attempt to stop it from being successful.

A Red Team exercise is different from a penetration test. Whereas a penetration test essentially evaluates a series of checklist items, a Red Team exercise tends to be more like a real-world attack. The Red Team isn’t just looking for network vulnerabilities, they are actually trying to accomplish certain goals (such as conning the helpdesk staff into giving them access to privileged accounts).

Red team step one: define your parameters

Red team exercises require careful planning. One of the first things that an organization must do before conducting a red team exercise is to define the goals that the red team is trying to accomplish. These goals (which are sometimes known as flags) tend to be very specific. In the case of an exercise that is directed against the helpdesk, goals might include tricking a technician into resetting a password, gaining access to a privileged account, and then accessing a sensitive resource.

Another consideration is that organizations almost always set ground rules for red team exercises. These ground rules usually pertain to the techniques that the red team is and is not allowed to use during their attack.

The goal is to keep attacks lifelike and representative of what might happen in the real world, while also avoiding doing anything that might harm the organization. For example, a ground rule might state that all interaction with the helpdesk must be done over the phone or through email (as opposed to in person).

It is important to set clear expectations for when the exercise will end (so that it does not go on indefinitely) and what the consequences of the exercise should be. Remember, the goal is to learn from the exercise, so it is important to establish up front that nobody should lose their job if the Red Team attack succeeds.

Red team step two: take your findings to heart

As an organization concludes its Red Team exercise, it is important to consider next steps. If, for example, the Red Team succeeds in compromising the organization’s helpdesk, how can the organization use that information to prevent such an attack from succeeding in the future?

Employee education is a good start, but it is also important to put controls in place that will prevent the helpdesk from ever being compromised again. This can be particularly challenging for those who are trying to defend against social engineering attacks. While lots of cybersecurity products address technical vulnerabilities, relatively few are able to defend against social engineering attacks.

How Specops could help

Specops Secure Service Desk is an excellent tool for keeping a help desk safe from social engineering attacks. Although Specops Secure Service Desk offers numerous features, there are three capabilities that are especially useful for thwarting social engineering attacks.

  1. Secure Service Desk gives users the ability to securely reset their own passwords and unlock their own accounts.

This should significantly reduce the number of password-related calls to the helpdesk (which has the added benefit of reducing costs). As the call volume is reduced, any password related calls that the helpdesk receives will quite naturally receive more scrutiny than they might have before.

  2. It gives the helpdesk tools to positively verify a caller’s identity, thereby ensuring that the helpdesk staff does not perform a password reset for an attacker who is impersonating a legitimate user.

The user identity verification process is not based on the user’s ability to answer knowledge-based questions (such as what is your employee ID number). Instead, a user’s identity can be verified by sending a one-time code to their smartphone or by asking the user to authenticate using an authentication service such as Okta Verify, PingID, Duo Security, or Symantec VIP.

  3. It’s impossible for a technician to reset a user’s password unless the user has completed the verification process.

This prevents an attacker from making a technician feel sorry for them so that the technician will bend the rules and reset a password. There is no exception for work friends, colleagues who have known each other for years, or even the CEO. A robotic approach takes the blame and onus off the IT staff.
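The reset-request scenario described under "Why helpdesks are vulnerable" and the two controls just listed (out-of-band identity verification, and no reset without it) can be shown in a small model. The code below is an added example written for this page; it is not Specops code, not Active Directory code, and not part of the original article. The `HelpdeskResetService` class, the `Ticket` record, the SMS stub, the directory layout, the ticket ids and the `CODE_TTL_SECONDS` / `MAX_ATTEMPTS` constants are all constructed assumptions. The point it demonstrates is structural: the one-time code is sent to the phone number on file rather than to a number the caller supplies, the ticket holds only a hash of the code, a verification is good for exactly one reset, and `reset_password` has no override argument a persuasive caller could talk a technician into using.

```python
"""Verification-gated helpdesk password reset (added example, not Specops code)."""
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict, List, Optional, Tuple

CODE_TTL_SECONDS = 300   # assumption: a one-time code lives five minutes
MAX_ATTEMPTS = 3         # assumption: wrong guesses allowed before the ticket locks


class ResetRefused(Exception):
    """Raised on any reset attempt not backed by a completed verification."""


def _hash_code(ticket_id: str, code: str) -> bytes:
    # Only a salted hash is stored, so the clear-text code never sits in a ticket
    # record that a technician (or anyone with ticket access) could read back.
    return hashlib.sha256(f"{ticket_id}:{code}".encode()).digest()


class Ticket:
    def __init__(self, username: str, code_hash: bytes, issued_at: float) -> None:
        self.username = username
        self.code_hash = code_hash
        self.issued_at = issued_at
        self.attempts = 0
        self.verified = False
        self.consumed = False


class HelpdeskResetService:
    def __init__(self, directory: Dict[str, dict], send_sms: Callable[[str, str], None],
                 clock: Callable[[], float] = time.time) -> None:
        self.directory = directory   # username -> {"phone": ..., "password": ...} (constructed)
        self.send_sms = send_sms     # out-of-band channel; a stub in the demo
        self.clock = clock
        self.tickets: Dict[str, Ticket] = {}
        self.audit: List[Tuple[str, str, Optional[str]]] = []

    def open_ticket(self, ticket_id: str, username: str) -> bool:
        """Technician opens a ticket for the *claimed* user. The code goes to the
        phone on file, never to a number the caller reads out over the phone."""
        if username not in self.directory:
            self.audit.append(("unknown_user", ticket_id, username))
            return False
        code = f"{secrets.randbelow(1_000_000):06d}"
        self.tickets[ticket_id] = Ticket(username, _hash_code(ticket_id, code), self.clock())
        self.send_sms(self.directory[username]["phone"], code)
        self.audit.append(("code_sent", ticket_id, username))
        return True

    def verify(self, ticket_id: str, code_from_caller: str) -> bool:
        """Caller reads the code back; expiry and the attempt limit are checked first."""
        ticket = self.tickets[ticket_id]
        if ticket.verified or ticket.attempts >= MAX_ATTEMPTS:
            self.audit.append(("verify_rejected", ticket_id, ticket.username))
            return False
        if self.clock() - ticket.issued_at > CODE_TTL_SECONDS:
            self.audit.append(("code_expired", ticket_id, ticket.username))
            return False
        ticket.attempts += 1
        if hmac.compare_digest(_hash_code(ticket_id, code_from_caller), ticket.code_hash):
            ticket.verified = True
            self.audit.append(("verified", ticket_id, ticket.username))
            return True
        self.audit.append(("bad_code", ticket_id, ticket.username))
        return False

    def reset_password(self, ticket_id: str, new_password: str) -> None:
        """Deliberately no override parameter: no 'the CEO is on the line' flag and
        no manager-approval path. Unverified means refused; one verification, one reset."""
        ticket = self.tickets.get(ticket_id)
        if ticket is None or not ticket.verified or ticket.consumed:
            self.audit.append(("reset_refused", ticket_id, ticket.username if ticket else None))
            raise ResetRefused(f"ticket {ticket_id}: caller has not completed verification")
        ticket.consumed = True
        self.directory[ticket.username]["password"] = new_password
        self.audit.append(("reset_done", ticket_id, ticket.username))


def demo() -> List[Tuple[str, str, Optional[str]]]:
    """Walk an impersonation attempt, then a genuine reset, through the service."""
    directory = {"jdoe": {"phone": "+15555550100", "password": "old"}}   # constructed
    sent: List[Tuple[str, str]] = []
    service = HelpdeskResetService(directory, send_sms=lambda phone, code: sent.append((phone, code)))
    service.open_ticket("T-1", "jdoe")
    try:
        service.reset_password("T-1", "caller-chosen")   # sympathetic story, no code: refused
    except ResetRefused:
        pass
    service.verify("T-1", "guess")          # non-numeric, so it can never match: counted, rejected
    service.verify("T-1", sent[-1][1])      # the real user reads the delivered code back
    service.reset_password("T-1", "new-password")       # permitted exactly once
    return service.audit


if __name__ == "__main__":
    for event in demo():
        print(event)
```

Reading the audit trail that `demo()` returns shows the shape a defender wants to see: a refused reset before verification, a rejected guess, a successful verification, then a single completed reset. A second call to `reset_password` on the same ticket, a code presented after `CODE_TTL_SECONDS`, or a code presented after `MAX_ATTEMPTS` wrong guesses are all refused, which is what removes the "just this once" decision from the technician.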

You can test out Specops Secure Service Desk in your Active Directory for free, anytime.

Sponsored by Specops

Source: www.bleepingcomputer.com