Even the Experts Can Be Fooled

When even experts in social engineering can be fooled, a defense in depth strategy for your business' information security is not optional. KnowBe4, one of the country's largest providers of cybersecurity and social engineering training, was fooled by a North Korean IT worker intent on planting malware on its network.

KnowBe4 had a job opening. They were looking for someone for their internal Artificial Intelligence (AI) team.  What they received instead was a valuable training lesson in advanced social engineering. They were fooled. But unlike many companies, they disclosed the failure. Their experience might save others from a similar fate. 

Fortunately, they caught the imposter early enough that there was no breach and no unauthorized access to the company's systems. They stopped him before he could do any damage. Here is how it happened, how they stopped it, and some lessons learned.

The human resources team did their jobs. Background checks came back clean because the imposter was using a valid but stolen US-based identity. They conducted four video conference-based interviews, confirming that the person on camera matched the photo on the application. The imposter had taken a stock photo and used AI to blend his own features into it. HR even verified his references.

Once hired, the imposter asked to have his laptop sent to a farm. Not the kind you're thinking of. It was "an IT mule laptop farm": a location where someone keeps company-issued laptops powered on and online so that operators, in this case in North Korea, can connect to them remotely and appear to be working from the address on file. It was a good thing KnowBe4 restricted new employee access and did not allow access to production systems.

Once the imposter had been hired and his laptop had been delivered, it was time for him to plant his malware on the company network. He downloaded and attempted to execute malware. He then used some technical trickery to cover his tracks.

The good news is the company's security operations center (SOC) was alerted to the suspicious behavior and called the imposter. The imposter claimed criminals must have compromised his router. The SOC team quickly isolated his computer from the rest of the network, cutting off his access to valuable systems and data. Once he realized he had been caught, the imposter stopped responding.

Here are some lessons learned. When a company issues computers to remote workers, it should have a way to inspect the device for remote-access tools and connections that do not belong there, and to confirm the device is actually where the employee says it is. When hiring, do not rely on email references alone; call them. Do not ship laptops to an address that does not match the applicant's. Be wary of applicants who can only be reached on Voice over IP (VoIP) phone numbers. Lastly, watch for discrepancies in address and date of birth across the application, background check, and identity documents.

Despite the process failures, KnowBe4 did not suffer a breach. They understood defense in depth. They had multiple lines of defense in case one (the employee screening process) failed. All their laptops had endpoint detection and response (EDR) software loaded, and they had a SOC watching over their network. The EDR stopped the malware from executing and alerted the SOC. The SOC team isolated the computer right away and escalated the issue.

When it comes to protecting your business, you cannot rely on minimal protections. Firewalls and anti-virus are useful, but they do not stop an attacker who comes in through your email, your browser, or, as here, your hiring process. Technology like EDR and a SOC may save the day, but it must be backed up with tried-and-true policies and training. Although KnowBe4 is an expert in social engineering, they got scammed because their hiring checks were not built for this kind of attacker. They have since updated their hiring policies. Remember, a fool may learn from his own mistakes, but a wise man learns from the mistakes of others. Be the wise man.

Congratulations, You Are About to Lose the Super Bowl

Jets in Super Bowl: The last time the New York Jets won a Super Bowl (in fact, the ONLY time they ever won), Richard Nixon had just been elected president of the United States and was about to take office. The year was 1969, kids.

Intel on Opposing Team: One thing about being in the Super Bowl is both teams know who they are up against. The opposing team has just finished an entire season of football. Both teams will review the video recordings of every game so they know the strengths and weaknesses of the other team, and of their own.

Your Turn: Imagine YOU are the New York Jets, and you’ve just been notified that through a quirk of fate, you are playing in the next Super Bowl! Congratulations! Oh, but there is a catch. You don’t know who you are playing.

Cyber Super Bowl: What does this scenario have to do with cyber security, you ask? Actually, quite a lot. For one, almost every network, especially home and small business networks, is about as well defended as the New York Jets. Which means, not very well. And offense is completely out of the question.

Offense & Defense: As with football, so with networks. We need BOTH a defensive AND an offensive line. We have already established that offensive cyber operations are off the table for home users and small businesses. Since we are not legally permitted to hack back, the next best thing is to detect an intruder early. In a computer network, defense equates to prevention. Prevention consists of firewalls and antimalware. Offense, by contrast, equates to detection. Detection consists of Endpoint Detection and Response (EDR) tools, plus Security Operations Center (SOC) analysts responding to the alerts those tools raise. In addition, your team can take Cyber Threat Intelligence (CTI) from intelligence-sharing groups and actively hunt for those very threats on your network, rather than waiting for an alert.
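To make the detection side concrete, here is an added example of the kind of CTI-driven hunt described above, run against constructed endpoint telemetry of the sort an EDR produces (the same sort of evidence that let KnowBe4's SOC catch its imposter). This is example code written for this page, not KnowBe4's tooling or any vendor's product. The indicator feed, the JSON-lines telemetry format, the host names, the hashes and the two behavioral rules (an unsigned executable launched from a user-writable folder, and a command that clears shell history) are all assumptions made for the example.

```python
"""Added example: a small CTI-driven hunt over constructed EDR-style telemetry.

Not KnowBe4's or any vendor's code. The indicator feed, telemetry format and
rules below are assumptions made for this illustration.
"""
import json
import re

# Constructed indicator set standing in for a feed from a sharing group.
# The hash is an illustrative 64-hex value, not a real malware hash.
INDICATORS = {
    "sha256": {"9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"},
    "ip": {"203.0.113.45"},              # RFC 5737 documentation range
    "domain": {"update-check.example"},  # reserved .example TLD
}

# Constructed JSON-lines telemetry (hypothetical hosts and users). Three lines
# touch indicators, two trip behavioral rules, the rest are background noise.
TELEMETRY = r"""
{"host":"lt-0417","user":"newhire","event":"process","image":"C:\\Windows\\System32\\svchost.exe","sha256":"1111111111111111111111111111111111111111111111111111111111111111","signed":true,"cmdline":"svchost.exe -k netsvcs"}
{"host":"lt-0417","user":"newhire","event":"dns","query":"Update-Check.EXAMPLE"}
{"host":"lt-0417","user":"newhire","event":"netconn","dst_ip":"203.0.113.45","dst_port":443}
{"host":"lt-0417","user":"newhire","event":"process","image":"C:\\Users\\newhire\\Downloads\\setup.exe","sha256":"9F86D081884C7D659A2FEAA0C55AD015A3BF4F1B2B0B822CD15D6C15B0F00A08","signed":false,"cmdline":"setup.exe /quiet"}
{"host":"lt-0417","user":"newhire","event":"process","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","sha256":"2222222222222222222222222222222222222222222222222222222222222222","signed":true,"cmdline":"powershell -c \"Clear-History; Remove-Item (Get-PSReadlineOption).HistorySavePath\""}
{"host":"ws-0101","user":"alice","event":"dns","query":"login.microsoftonline.com"}
"""

# Folders an ordinary user can write to; malware dropped by a user usually runs from here.
USER_WRITABLE = re.compile(r"\\(Users\\[^\\]+\\(Downloads|AppData)|Temp)\\", re.IGNORECASE)
# Commands that wipe or truncate shell history, a common way to cover tracks.
HISTORY_TAMPER = re.compile(
    r"clear-history|historysavepath|history\s+-c|\.bash_history|\.zsh_history", re.IGNORECASE)


def load_events(text):
    """Parse JSON lines into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def normalize(indicators):
    """Lower-case every indicator so matching is case-insensitive."""
    return {kind: {v.lower() for v in values} for kind, values in indicators.items()}


def ioc_hits(event, iocs):
    """Return (type, value) pairs for every indicator the event touches."""
    hits = []
    digest = event.get("sha256", "").lower()
    if digest in iocs["sha256"]:
        hits.append(("sha256", digest))
    if event.get("dst_ip") in iocs["ip"]:
        hits.append(("ip", event["dst_ip"]))
    query = event.get("query", "").lower().rstrip(".")
    for domain in iocs["domain"]:
        if query == domain or query.endswith("." + domain):  # subdomains count too
            hits.append(("domain", query))
    return hits


def behaviour_hits(event):
    """Rules that need no indicator: they fire on what the process did, not on who it is."""
    hits = []
    if event.get("event") == "process":
        if not event.get("signed", True) and USER_WRITABLE.search(event.get("image", "")):
            hits.append("unsigned-exec-from-user-writable-path")
        if HISTORY_TAMPER.search(event.get("cmdline", "")):
            hits.append("shell-history-tampering")
    return hits


def hunt(events, indicators):
    """Run IOC matching and behavioral rules over events; return one alert per hit."""
    iocs = normalize(indicators)
    alerts = []
    for ev in events:
        for kind, value in ioc_hits(ev, iocs):
            alerts.append({"host": ev["host"], "user": ev["user"],
                           "rule": f"ioc:{kind}", "evidence": value})
        for rule in behaviour_hits(ev):
            alerts.append({"host": ev["host"], "user": ev["user"],
                           "rule": rule, "evidence": ev.get("cmdline") or ev.get("image")})
    return alerts


def hosts_to_isolate(alerts, threshold=2):
    """Hosts on which at least `threshold` distinct rules fired: candidates for containment."""
    rules_by_host = {}
    for alert in alerts:
        rules_by_host.setdefault(alert["host"], set()).add(alert["rule"])
    return sorted(host for host, rules in rules_by_host.items() if len(rules) >= threshold)


if __name__ == "__main__":
    found = hunt(load_events(TELEMETRY), INDICATORS)
    for alert in found:
        print(alert)
    print("isolate:", hosts_to_isolate(found))
```

The two halves matter equally: indicator matching only finds what someone else has already seen, so the behavioral rules are what catch a fresh sample, and a host that trips several unrelated rules in a short window (as lt-0417 does here) is the one the SOC should isolate first and ask questions about afterwards.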

Prevention is Affordable: For most home users and small businesses, prevention is all they can afford. Because prevention is usually an automated process handled by software, you set it and forget it. Since most home and small business users are running Windows 10, you already have Windows Defender installed by default, and it is a solid choice for both antimalware and the host firewall, provided you keep it turned on and updated.

Detection: Detection is tougher because it usually means hiring a SOC team (or tasking your IT staff with an additional duty for which they are not trained). For a small business or home user, detection and threat hunting are usually only feasible through a Managed Security Service Provider (MSSP). For example, Dell purchased SecureWorks some years ago, and AT&T purchased AlienVault, to provide those services. The downside is that most MSSPs target large businesses with deeper pockets. You need to pick a vendor that hits the sweet spot of security and cost.

Cover Your Bases: The sweet spot is really about covering all your bases (forgive the mixed metaphor): getting both prevention and detection capabilities in place. But even when you do that, a persistent attacker will still get through. Eventually. That is where cyber insurance comes in. A great place to start looking for solutions would be Stickler Webb Insurance. There you can get cyber insurance quotes and find a cost-effective SOC vendor to provide the offensive line.

Your Offensive Line: You are not going to the Super Bowl. If you have a computer network, you are already IN the Super Bowl. Relying on prevention alone is like going to the Super Bowl with only your defensive line. Imagine how that game would turn out. You are in the game whether you like it or not. Make sure you at least HAVE an offensive line.