BehavioSec ID Forum

BehavioSec ID Forum Podcast with Shane Shook

Episode Summary

In this ID Forum episode, Shane Shook, a leading cyber-security expert, discusses the challenges presented to companies in today's distributed workforce environment. Learn how companies can mitigate risk, improve productivity, and protect against fraud today and tomorrow.

Episode Notes

This episode is part of the ongoing BehavioSec ID Forum Podcast Series.

BehavioSec, a pioneer in Behavioral Biometrics, uses continuous authentication to create a unique digital customer profile that is over 99% accurate. This unique profile transparently validates a user's identity with zero friction, and updates dynamically to gradual changes over time, so the customer's unique profile automatically updates and remains perpetually accurate.

Organizations that partner with BehavioSec's solution enable a heightened customer experience by: 

Episode Transcription

Intro [00:00:01] BehavioSec ID Forum

Gia [00:00:07] Good day and welcome to the BehavioSec podcast series. Today we have cyber security expert Dr. Shane Shook here with us. Shane is a venture consultant with ForgePoint Capital and is a leading expert in cyber security with over 30 years of investigation experience. Welcome, Shane, and thank you so much for your time today. So, Shane, to start off, we are in such a unique swirl of transformation. With all of your experience, are there any key learnings or common threats, especially with our current environment, that you are seeing surface in your day-to-day experience?

Shane [00:00:47] The overriding theme, and something that I talk about everywhere all the time with regard to cybercrime (which I've spent the last 22 years since leaving the military focused on, in one facet or another), is that cybercrime isn't about risk and threats. It's about crime. The intrusion on networks, the manipulation of systems, the destruction of data, theft of data and extortion that occurs, and the frauds that are created through the use of tactics like account takeover. Those are actually crimes. The methods of achieving those are what we call cyber because we all use computers these days. But they're not much different, really, than the crimes of the past. It's just that in some ways it's easier and more expedient to achieve. Saying that, especially currently with more work from home or a distributed workforce everywhere around the world, there is a much bigger attack surface.

Shane [00:01:55] Our social graphs, which were already loose in our personal and interpersonal relationships, and especially our business network relationships, are extended now so that we're communicating even more with our business colleagues, some of whom we've never actually met. Some of whom are probably not even who they say that they are. But we're communicating with them now with the devices that we use, our personal as well as our professional. The expansion of that environment, of that footprint of our technology, as it's used for these different purposes, equally expands the attack surface, partly due to that social graph expansion. Also because, coincidentally, with the fact that we're all working from home, two other issues arise: there aren't as many people to pay attention to what's happening at the office. Of course, we're already overtaxed in IT. But also, we don't have the same types of controls and defense on our equipment, our applications, or even on our communications at home that we enjoy or are subject to from a united point of view in the office.

Shane [00:03:25] Some patterns start to emerge where, rather than targeting our firewalls in the corporate office, it's much easier to target our own home with PDoS attacks to interrupt business. Or rather than try to social engineer our way into an office space, at least some backdoors or Wi-Fi Pineapples or something out of the middle, instead we see things like Zoom bombing or other conference meeting intrusions. Similarly, rather than trying to inject into corporate email for business email compromise, for example, because we're, coincidentally, using this equipment and our networks at home for business and for personal use, it's to some extent as successful to go back to personal accounts as corporate.

Shane [00:04:23] Other just general patterns that I've seen over time, that are reflected and probably magnified now, are that consumer targeting by cyber criminals leads to commercial compromise. The supply chain, which is effectively a business demonstration of our professional networks in our social classes, is used to manipulate it to access targets of interest rather than to be the direct target. We've seen that repeatedly over the years with a number of the key groups like Cloudhopper, AVP 1, or AVP 4, etc.

Shane [00:05:08] Ultimately, what this all boils down to, as I mentioned before, is that it's not about risks and threats, per se; those are mechanisms that give us some insights or perspective on how to evaluate what's occurring. We have enough information. It's really the fact that cyber crime is about crime, not about cyber. Crime is all about the objective. What are they after?

Gia [00:05:35] So with all of this, what recommendations would you make to help customers to minimize what you've highlighted here? How can we help them?

Shane [00:05:48] Something I say in every blog, every article, certainly webinars where I talk or present, is that a bad actor needs three things. They need a tool to do something: to dig a hole, you need a shovel; for a picture, you need a hammer, that sort of thing. They need a credential in order to do something in a protected account or service. They need to either create a credential, through a subscription, or they need to steal a credential in order to achieve whatever their objective is with that application. The third thing that they need is time, because it takes time to exercise the tool or to use the credential. Although it sounds really simple, the best way to minimize the risks of cybercrime is to take away one or more of the three factors. Take away the standing privileges, for example, on our local computers. As I discussed in the recent blog I did with Remediant, reduce the attack surface by limiting the credentials that they might have access to. Reduce the attack surface by turning off services that are unnecessary, or when they're unnecessary. For example, for your laptop or your home computer, it's a simple click on the taskbar where the wireless or even the wired connection to your network is, and turn it off when you get up to get a cup of coffee or to have some lunch. At the end of the day, turn it off, save yourself some money and power, and save yourself the headache of potentially someone coming in while you're having lunch or asleep. Take that access away and turn it off. Reduce the standing privileges and take away the accounts that aren't needed on your computer. Even more effectively, use two-factor or multifactor authentication. If you've got application services that you're in control of, implement methods of controlling and limiting not only the use of, or opportunity for use of, those tokens, for example, but also the access that those tokens have, through isolating different parts of the person. Then ultimately take away time by having visibility. Periodically check who's connected to my computer. Put a piece of software on it to get to know if someone else is logging in while you're logged in.

Gia [00:08:32] So with all that, I mean, I think, you know, the tools, the credentials and the time, I think that's a great platform. I wanted to get a bit more specific on BehavioSec in the area of account takeover. That's where BehavioSec plays and tries to help our customers. Now, Account Takeover (ATO), as it's called, is troubling in normal times. As of late, are there some areas that you would highlight in this specific area that often contribute to successful account takeover?

Shane [00:09:11] So going back to what I was talking about earlier, we've expanded our attack surface by expanding where and how we work. We're a bunch of islands and archipelagos, as I've been saying recently, rather than a fortress. We're trying to practice fortress security around a bunch of islands that are separated by water. It's not a very effective tactic. It takes different strategies to manage both types of threat environments.

Shane [00:09:40] Credentials are one of the three factors I mentioned that are important to limit or reduce exposure, in order to minimize threats or risk to an organization or to yourself. With account takeover, it all effectively starts with credentials. It's about who you are meant to be, as represented by a token or by a user name and password in most cases. That starts with who you are and starts with who you represent yourself to be. We have today a much bigger digital identity than we have an individual identity. We have a much bigger digital social graph than we have an interpersonal social graph. For example, I probably have two or three thousand LinkedIn connections on my profile, but I probably only have five really close friends and maybe a few hundred pretty close friends. That's the difference between my interpersonal network and my digital social graph, my digital network.

Shane [00:10:51] With account takeover, especially now, where the supply chain is similar to the commercial type of reach, it is the mechanism that attackers use to gain access to commit fraud and theft. It starts with the credential line. Today it largely starts with social graphs. In traditional network compromise, red teamers, for example, typically go out and collect information on the internet to identify the autonomous system numbers or the domains, by their top-level or fully qualified domain names, and associate those then to IP addresses that represent the servers, which are the attack surface of a technical nature of an organization. Then they'll attempt to exploit the builds of the servers according to the services that are exposed.

Shane [00:11:49] In an account takeover, something similar happens. But rather than go to Shodan or Censys, the attackers will now go to LinkedIn, Twitter, Instagram, Facebook, etc. They'll also, coincidentally, go to places like Google or Have I Been Pwned, places like that, and try to excise information that they can. In the case of Google searches, for example, about breached information: usernames and passwords that have been taken, or usernames and hashes related to services. But there's a lot of information out there that they can already use without having to social engineer or having to technically engineer their way in. Those are the practices that they're more often using now.

Shane [00:12:39] So one way or the other, they'll find a way to intrude on a social graph. In order to then do what the popular people that weren't invited to a party would do in a social situation, in order to meet the other popular people and become part of the in-crowd, attackers will do something similar with LinkedIn, Facebook, or others. They'll find a way to engage with a target. That target may not be the primary target; it may be a secondary target, like a supply chain vendor, for example, might be to a bank. By getting into that periphery network, then they can work on gaining access through reputation to the target network. There they'll seek to identify a person or persons that have some authority over the objective that they have. If that objective is data theft, they'll look to go after the IT staff, for example. If that objective is financial theft, they'll look to go after the controllers or potentially the CFO. If that objective is fraud, they'll look to go after the CEO or the CFO or someone that has authority over the accounts. They will work on social engineering their way through the social graph, which, as I said earlier, is weakened today because we're not as defensive, dispersed as we are where we're working today, as we would conversely be if we were still working in the office, where we wouldn't be spending as much time on social media.

Gia [00:14:21] So with all of that said, what can institutions or customers do to help minimize account takeover and minimize some of the things that you've just outlined that have changed so much in the last several months?

Shane [00:14:38] Improve your endpoint security. Make sure you've got antivirus. Antivirus does some good. Doesn't matter if it's the next gen or old gen, having it does some good. At least it'll put up some flags at some point in the process that there might be a problem. So use antivirus to improve your endpoint security. Patch your system and keep it updated. That will also improve the performance of antivirus. With regard to your social hygiene, just like you practice technical hygiene on your computer, you should practice social hygiene on the social networks that you interact with. Review the people you're connected with on LinkedIn periodically and determine whether they should be in your in-crowd or not. If they shouldn't, then exclude them and make them challenge you to come back in the future. At some point, if you've got visitors, you're gonna kick them out and then you give them a chance to come back in the future. It's good to keep a clean inbox, as you say, to keep a clean desktop. Improve your visibility. Make sure you've got logging, particularly on applications where ATO typically occurs, which are going to be financial interfaces to corporate bank accounts, social media platforms for communication purposes, and transactional systems. If you're in the venture capital community, or any kind of transaction system on the supply chain, vendor relations, marketing, etc., those applications will have logs, and you should encourage enhanced logging, particularly around anything that conveys a token or an identity token, and dedicate some review to it.

Shane [00:16:41] It's a surprising thing, but I don't think you'll ever find a company that doesn't have very thorough and very regular review of their finance expenditures, plans, and past performance. Over the past twenty-plus years, I don't find that kind of discipline with regard to the applications and the logs that relate to the services that provide CFOs, controllers of organizations, and CEOs with that type of information. Especially in our increasingly digital identity and environment, it's crucial to practice the same policies of review and practice the same disciplines of oversight all the way up and down the chain with regard to tools and technology that relate to the systems that we depend upon. Whether the systems be finance, HR, communications, or marketing, the fact is they are today all systematized, and as such there are logs available that should be reviewed with similar disciplines to the disciplines that HR, finance, or marketing employ. Just because they are bits and bytes doesn't matter. In some ways, it's easier to apply discipline to them. What's important is to take away some from history and focus on the discipline of the job.

Shane [00:18:21] I'm going to insert just two more points since, of course, BehavioSec's client base is largely in financial services. I'm going to say that, you know, on this topic, cyber trends in financial services, especially with ATO, which is the primary means of achieving fraud and the objective of these types of cyber criminals: I'd really encourage, with the logging, with the visibility into the use of tokens through those services and applications, to do the two things the financial investigators and financial controllers have always done. That is, know your customer fundamentally, and know what you can know about them, and realize that their social graph may be different than the reality of their identity. Take steps and equip yourself with tools that can help you see through the noise. The second thing is to follow the money. Make sure the money is going where it is supposed to go. I recently did an article with Dark Reading where I talked about how BEC is facilitating theft and fraud through transactions in the venture capital community. Know who you are dealing with, and then follow the transaction through to its completion.

Gia [00:19:46] Such great perspective, Shane, and such great advice. Thank you so much for your time today and we would love to have you back again. I know it's challenging times, but having a perspective like yours really helps. I thank you so much for being with us today and I also thank you listeners out there. And again, we will have you back very soon.

Shane [00:20:08] Thanks very much.

Intro [00:20:11] BehavioSec, ID Forum.