SE Labs


DE:CODED – How Attackers Attack

DE:CODED is the official podcast from SE Labs.


🥇 Winner of the Best Up & Coming Podcast 2021 award 🥇


Show notes for series 1, episode 1 (How Attackers Attack)

How do attackers attack? Simon and Marc look at their tactics and explore options to help recognise and evade them. They examine social engineering in a cyber security and physical context. And the guys also explore technical exploits. At the end of this episode you will have a great overview of how attackers attack.


Email attachments are not the main way bad guys try to hack you, your computer and your organisation. Successful attackers will also use social engineering to persuade you to open them.

Cold-calling or emailing from out of the blue isn’t going to build the trust required. So they try other things…

How Attackers Attack

We look at how criminals try to exploit our human and technical vulnerabilities.

These vulnerabilities include:

  • Human kindness,
  • Human fear and
  • Vulnerable software

Those are the main areas on which attackers focus. We also cover file-less attacks (which aren’t really file-less); exploit toolkits; and malicious documents.

Watch out for links in email and social media. It’s almost not a case of when you shouldn’t click on them, but of when you should.

Finally, we suggest a DIY ‘hack’ for viewing suspicious documents. It will improve your security instantly and for free.


Topics

  • Social engineering introduction (cyber and physical)
  • Tactics
  • Human and technical vulnerabilities

Transcript

(Generated automatically)

Marc Briggs 0:04
Welcome to DE:CODED, Series One, Episode One – your weekly podcast providing in-depth insight into cybersecurity. Show notes, including any links mentioned in the show are available at decodedcyber.com.

Simon Edwards 0:21
This series introduces some important cybersecurity concepts. We explore how hackers attack, ways to prevent or at least detect their intrusions, and how to respond when they succeed. We’ll also discuss the products and services available. And because it’s our job to test these things, we’ll look at what makes a good and bad product.

Simon Edwards 0:44
I’m Simon Edwards, cohost of the DE:CODED podcast, and founder of SE Labs, a testing security organization that works with all of the major security players. I used to be a journalist covering security, and now I advise security vendors, their customers and other organizations about information security.

Marc Briggs 1:05
And Hi, I’m Marc, Simon’s cohost on DE:CODED. And I run the operations at SE Labs. I spent 11 years in the British Army, and the last four years transitioning those skills I learned from the military into cybersecurity.

Simon Edwards 1:23
In this episode, we’re going to talk about how attackers attack. We’ll talk about their tactics, and the ways that you can recognize what they’re doing, and hopefully avoid falling foul of their evil schemes. So we’re gonna start talking about social engineering, first of all, which applies equally in the physical world as it does in the cyber world. So Marc, first of all, what is social engineering as a concept?

Marc Briggs 1:51
Okay, well, we see social engineering in the cyber and physical worlds, and people talk about it quite confidently in the press and online. But we really need to dig down: what is social engineering, and does it apply to me as an individual? Well, it’s really the art of manipulating people, or a person, so they give up confidential information.

Marc Briggs 2:20
Now, the type of information that the criminal could be seeking through a social engineering attack can vary. But the individuals that are targeted by the criminals, they’re usually trying to get you to give up things like your password or your bank information, or access to your computer. So they can install malicious software and things like that. Those are the most common forms of cyber social engineering, that we can identify.

Marc Briggs 2:52
Now criminals use social engineering tactics, because it’s usually easier to exploit an individual’s natural inclination to trust, than discover ways to actually hack your software or get into your building without being identified. For example, it’s easier to fool someone into giving you their password than it is to try and hack their password, if you can.

Marc Briggs 3:19
Or if you had an office block with CCTV cameras, dead bolts on all the doors, razor wire outside, guard dogs, and all the rest of it, and you’re confident that that is all the security you need, rather than, as a criminal, trying to find the way to exploit all those separate layers of physical security, if you just turn up dressed as a pizza delivery guy with a pizza, and you get given access by the security guard all the way through those layers of defense, then you’ve achieved the same aim through manipulation of the human in the security chain, rather than having to do technical exploits.

Simon Edwards 4:02
Right. So when the pizza guy turns up at the building, that’s a physical example where someone is going to have to assess: should this guy be here? Or maybe he can make them not even assess that; maybe he can put pressure on them just to let him through?

Marc Briggs 4:16
Well, that’s where the social engineering tactics come in. So social engineering is manipulation of an individual, and then there are the tactics that are commonly seen in order to manipulate people. And we see them regularly in phishing attacks. And one of them is the advantage which is taken of people whose natural tendency is to trust or have curiosity. So you may get an email from a friend and it has a link or attachment or a call to action in it. And because the email has come from a friend that you know, you automatically trust what’s in the message, and therefore you’re more inclined to click the link or download the attachment.

Simon Edwards 5:16
Right. So in the physical world, there are lots of different ways that people can get at you, through the door, for example, but in the computer world, there are a limited number of ways. So sending an email is a very common way because that is a way that we interact with the outside world through our computer. Cold calling would be another one, on the telephone.

Simon Edwards 5:39
So you know, especially if you’re in the UK, and I think increasingly in the US, people are contacted, they think, by Microsoft, who tells them there’s a problem with their computer, and then tries to persuade them to do things like install software, which is usually malware. And you get SMS messages as well, as your phone and your computer tend to be where the cyber attacks come from.

Simon Edwards 6:01
Or you can also, and you’re getting a bit advanced here, get ahead of the victim in some ways, and guess what they’re going to be interested in. So if you knew that your target was really interested in a particular computer game, you can actually set up a website about that computer game, in the hope that they will visit it, and then you attack them from that website. We’ll get down to the technical exploits later, but setting up fake websites to attract certain types of targets is, I think, a kind of social engineering as well.

Marc Briggs 6:33
It is. It is baiting. It’s a baiting scenario. So what you do is you dangle something that people want in front of them. Many people will take the bait, so in your example, it’s access to a website that has information about a game that you know your target is interested in. But it could be anything, such as a pirated copy of a movie, or free music to download. And you can often find these baiting scenarios on peer-to-peer sites. So social media, Facebook, something like that. You are a social engineer, but you aren’t exploiting a chain of command or authority in the way that you might in different types of social engineering attacks. You’re just a friendly peer that is offering stuff that you think other people might be interested in.

Simon Edwards 7:25
Yeah, and you could jog them onto that website. So in a business context, if you’re a CISO, you’re probably going to be quite interested in computer security advice. And so if someone sent you an email, someone who seemed to be a friend of yours, saying, “Hey, have you seen this new great website about phishing attacks”, you’re probably going to click on that link.

Simon Edwards 7:48
With social engineering, we are going to focus on the cyber element of it. But I think we both recognize there’s an awful lot of similarity between the physical and the cyber world. So I think we can abstract it a bit. Let’s look at some tactics. So tactics generally play on one of a couple of things with people, and that is their trusting nature and their fear of getting things wrong: the consequences versus the effort. So urgency, I think that’s quite a common tactic, isn’t it?

Marc Briggs 8:20
That’s right. So you’ll see it in a lot of social engineering attacks. But you also see it in high pressure sales techniques. You are given an unrealistic timeline in order to carry out an action. And what the social engineer wants you to do is act first and think later. So you may get told you’ve got a friend that is stuck in country X, they’ve been robbed and beaten, and they need your help: can you send them money? But you’ve only got a certain amount of time, because they’re in desperate need of this urgent care immediately.

Simon Edwards 9:03
Or this invoice needs to be paid now, otherwise, there’ll be fees attached to it.

Marc Briggs 9:08
It’s right. You often see advertisements for sales and money off on a countdown timer online. And so unless you buy this product in the next 59 seconds, and you’re watching the clock count down, you’ll miss the opportunity of saving however many pounds, and it’s that sense of urgency and those unrealistic timelines for you to make an informed decision which the social engineer is going to draw on to try and get you to give them what they want.

Simon Edwards 9:44
But if some random guy sent me a message saying “Quick Simon, send me loads of money”, I’m probably not going to do that. So they have to get some kind of credibility built into their request or demand, don’t they?

Marc Briggs 9:57
That’s right. Yeah. So they need to build up a level of trust. And to give you a physical example, this might be when a courier turns up at a building to get access, and says, “I’ve got to get up, I’ve got to deliver this post so quick, otherwise I’m going to get in trouble with my boss.”

Marc Briggs 10:22
If that individual is just dressed in casual clothes, then you won’t have generated the same kind of trust as if that courier is dressed up in a UPS or FedEx or DPD uniform. And it’s the same thing online. So if you get a random email from Joe Bloggs, who you’ve never heard of before, and he’s asking you for money, or anything really (money is the most obvious example of something that raises suspicion), then you’re unlikely to trust it. And you’re going to apply some of the other security tactics we’ll talk about later.

Marc Briggs 11:02
But if you get your email from, you know, Gloria, who’s a friend of yours, then you’re more likely to trust that.

Simon Edwards 11:11
I don’t, I’ve never trusted Gloria!

Marc Briggs 11:15
But the fact is that a lot of email addresses and email accounts have been hijacked, and the control of those email accounts is in the hands of the criminal social engineer. And so the fact that Gloria has emailed you, for the first time in seven years, and the first thing that she said is, “give me a load of money, because I need it urgently”: the fact that it’s come from her shouldn’t apply the appropriate amount of trust in you to warrant the action that the criminals are looking for.

Simon Edwards 11:52
Yeah, and there are a couple of ways that Gloria’s email could come through. So someone might know that I’m friends with her and write an email that appears to come from her account. And it’s quite easy to spoof emails. With a little bit of digging, you can tell, but if it was a convincing email, they probably wouldn’t dig down too deep.

Simon Edwards 12:12
And the other, more extreme way is actually to hack Gloria herself and actually send it from her account. And that is probably, these days, quite an unusual situation. We saw lots of malware, maybe 20 years ago, that would do that kind of thing; it would go through address books on people’s hard disks, because that was the day before cloud-based email. You’re more likely to see this kind of thing, I think, on social media accounts. And certainly I’ve received more kind of claims that I’m in weird videos than I’ve received strange emails.

Simon Edwards 12:46
So branding, or authority is important. So authority is a kind of branding, isn’t it? If the police, or the FBI or whoever contacts you, that’s going to make that email stand out a bit in your inbox compared to 1,000 PayPal fakes?

Marc Briggs 13:02
Well, there are two points to raise on that example that you’ve just given. And so it’s not just an individual’s email address that may have been hijacked, and may be getting you to apply a level of trust that you wouldn’t apply to a cold caller. You could have received a communication from a popular company, a bank, a school or institution, whose branding you recognize. And therefore you apply a level of trust to it, because you’ve received an email from Bank of America, NatWest, whatever, before, and it looks like this. And therefore, I’m going to assume that this is the same company at the end of it.

Marc Briggs 13:52
And so you apply a level of trust, and you give over information as a result. But you gave an example there of an authority figure. So maybe, for you as an individual, it might be your boss, or it could be the police, or it could be the government. And when you are including authority figures, as a social engineer, you are pulling on a different emotional string. And you can use this in combination with other tactics. So you might apply a sense of urgency and an authority figure. So I’m your boss. I’m emailing you with direction to give over some information or some access, and you’ve only got a short amount of time to do it, because of a reason which I’ll explain; it could be anything. Now.

Simon Edwards 14:41
The consequences will be worse if you don’t.

Marc Briggs 14:43
Absolutely. Now, you as an individual there have the pressure of: you want to do the right thing for the police, or for your boss, or whoever that authority figure happens to be, because that’s your job, you’re contracted to do that, it’s your role in society to abide by the laws. And so there’s a willingness to carry out those actions for an authority figure. That’s for half the population. For the other half of the population, there’s the fear of those authority figures. And that pulls on that fear emotion. If I don’t do this, am I going to be put up on a discipline case? I don’t want that on my employment record. Am I going to be taken to court? Or am I going to have a criminal charge raised against me?

Marc Briggs 15:32
The little bit of information, or the little bit of access that I’m being asked to provide, just simply isn’t worth the risk of the consequences of that discipline coming down on me. So rather than investigate it, or rather than push back against the police or the authority figures, I am just going to let this little bit of access or this little bit of information go, because I think, in my world, that it’s not going to cause that much damage.

Simon Edwards 16:06
And I’m aware when we’ve talked previously, and as we will later in the series, because we come from the UK, we kind of think that the government and the police are wholly good. But in some countries, that’s definitely not true. And then possibly not even in the UK. But, you know, yeah. No one wants to get into trouble with the police because they have power, whether they’re goodies or baddies.

Simon Edwards 16:34
When we look at all these tactics it kind of feels fairly hopeless, you know: how are the bad guys able to exercise so much control over us? And it’s because of the way that we’re made as humans. We’ve got various characteristics which are exploitable, and it’s very popular for security experts to talk about humans being the weakest link in the chain.

Simon Edwards 16:59
I personally think that humans are a really powerful link in the chain, because they’re really good at pattern recognition, they can kind of smell when things are off a lot of the time. It’s harder with computers, because you can’t see the opponent. But we do have exploitable characteristics. And I think one of the most depressing ones is kindness. I think a lot of people are kind and want to help.

Marc Briggs 17:23
That’s absolutely right. And it’s a very easy trait to exploit. You might ask people to donate to a charitable cause, with instructions about how to send money to the criminal rather than the cause itself, and you’re going to prey on kindness and generosity in those cases.

Marc Briggs 17:46
The social engineers are going to ask for aid or support for whatever disaster, political campaign or charity is usually at the top of people’s minds. And so if it’s relevant in the media, in a certain country or certain geographical area, then you can exploit that, because it’s likely to be in the forefront of people’s minds because of the coverage it’s had in the general media. And you want to help out.

Marc Briggs 18:18
You want to do what you think is the right thing. People need help. To get that help, they need a bit of cash, and you’ve got some cash and you want to help. It is an easy sum in your mind. But your ability to give that money to the right people is being circumvented by those criminal elements that are preying on that generosity and kindness.

Simon Edwards 18:40
Right. So if I want to trick you into making a bank transfer from your business to what seems to be mine, I could get some urgency by saying, “Well, look, Marc, I have left this too late. Can you just put the transfer through today, please, because otherwise I’m going to be in a world of trouble?” And that’s putting pressure on you that doesn’t really exist. It’s just your kindness that’s going to make you feel maybe I should just get this done and help Simon out.

Marc Briggs 19:04
Yeah, that’s pulling on the sense of urgency, the unrealistic time pressure that we’ve talked about. It’s pulling on my generosity, because I want to help you out. So as a human, I’m naturally wired to want to help you. But also, it’s pulling on my empathy. Because I know that if you don’t get it done in this short time span, you’re going to get in trouble.

Marc Briggs 19:31
And I know what it would feel like if I got in trouble for something like that. And I don’t want you to be in that position. And therefore that’s a triple whammy for me. So I want to do it because it’s the right thing. I want to do it because I don’t want for you to get in trouble. And I’ve got to do it quickly. So I haven’t actually got time to research and think about it.

Simon Edwards 19:52
There’s a quadruple whammy because we’ve got authority in here as well. The only reason that I will get into trouble is because of my boss and so I’m kind of putting the fear of authority onto you. I’m the proxy of it. You’re not scared you’re going to get into trouble. But you’re worried that I’m going to get into trouble. So you’ve got urgency, we’ve got authority, spoofing, probably as well, all sorts of tactics coming into play.

Simon Edwards 20:15
But I mean, not all people are nice, are they? There are some people who are very selfish and greedy. And I think greed is definitely something that we can exploit if we were going to attack somebody and make them do something.

Marc Briggs 20:28
Yeah. And a lot of us have seen these emails or messages to notify, “you’re a winner!” And an email may claim to be from a lottery organization, a dead relative, or you’re the millionth person to click on a particular website, or something like that. But in order for you to receive your winnings, you have to provide information about your bank account, so they know how to send the large sums of money, because they just can’t send you a cheque. It’s too big an amount of money for your current account, or something like that.

Simon Edwards 21:07
There are some really clever techniques. So let’s imagine this right? So I send you an email saying you’ve won a lottery, that you have no recollection of entering, possibly from another country. So you don’t believe me. But I asked for your details, because I wanted to transfer some money to you. So you think “Well, what’s the harm? I’ll give you my bank details, my PayPal account”, whatever. And I was “okay”. And I transfer £500 into your account. So you’re thinking, “this is brilliant,” like “this must be real!” What criminal gives you money? And I say, “Okay, that was just the first sum to make sure that everything’s working.”

Simon Edwards 21:41
“The next installment is gonna be quarter of a million pounds. But there is an admin fee for this. So if you could send us £1,250… it’s nothing compared to the total amount, but it’s something that we need to get this through.”

Simon Edwards 21:54
And you can either do it once, and I just get all the money back that I sent you plus a bit extra, or I do each transfer in turn, not a quarter of a million, but a bigger chunk. And you can keep playing it on and on and slowly extracting money from the victim, and giving enough so that they believe that there is that big payout at the end, but you drain them slowly. And I think that plays on people’s greed, but also their unawareness that criminals are really super sneaky.

Marc Briggs 22:22
Yes. And also, each time that you go through that cycle of paying and then extracting, you’re building trust in the organization and you’re building a relationship between the criminal and the target, to the point where you as the target will get so far down the relationship that you can’t see the position that you’ve been put in.

Marc Briggs 22:47
And the numbers that you are sending to the criminal each time are so ridiculous that if you’d started with those figures, then it would have raised too many suspicions; you would have never got through. But building the trust with an individual over time gives you the ability to exploit them further. And with those greed phishing attacks, even when the pretext is very thin, people often fall for it by giving away their information, because they are so blinded by the possibility of such a big reward for such little effort.

Simon Edwards 23:26
I think, though, as well, that that kind of delusional filter that comes over them after a period of time is also partially because they just can’t bear to face the possibility that they’ve been tricked. They just get very embarrassed. And in the consumer world, I’m sure we all know people who have been tricked by cold callers, who have taken chunks of money out of old people’s bank accounts over a period of time.

Simon Edwards 23:51
And I’m talking about old people specifically because they are very experienced human beings. They’ve been in this world longer than everyone that’s younger than them. So when they get conned, it’s extremely embarrassing, because kind of wisdom should come with age. And it might just be easier to keep believing that the bad guy’s on their side rather than to go, “Oh my God, I’ve just spent £20,000 that I shouldn’t have, and given it away”.

Simon Edwards 24:18
And so from my experience of dealing with those individuals, it takes a little while for them to really face up to the reality. And it’s not really I think that they truly believe it all the way to the end. I think they’ve twigged probably halfway through, but then it’s just like, “oh my God, how can I face what an idiot I’ve been?” And they’re not idiots, because the criminals are really clever. They’ve got their scripts, they know what they’re doing. And that’s how they make millions.

Simon Edwards 24:45
In business, though, this is less likely to happen, isn’t it, because you do have some checks and balances. But we have seen clients send hundreds of thousands of pounds out to the wrong places. So how does that happen?

Marc Briggs 25:00
Well we, as an organization, get a lot of phishing emails just into our email address that is where our invoices get sent. And they are just general phishing emails, hoping that our organization is so big, and we’re paying so many invoices, that the criminal’s phishing invoice just gets put on the top of the pile and just gets paid with the rest of them and not recognized as being out of sorts.

Simon Edwards 25:29
Yeah. I think it gets more serious when the attackers get some level of technical access. And we’ll talk about exploits shortly. But if you can log into somebody’s email at a target, you can start seeing the kind of messages that they’re getting. You can start putting together what contracts are in place. And then you can time an invoice for just when it’s expected for just the right amount of money. But for the wrong bank account detail. And although the UK is getting better at mapping names to account numbers, I don’t think internationally they’re there yet.

Simon Edwards 26:05
So I don’t know if anyone listening has experienced this, but in the UK until about three months ago, well, let’s say the end of 2020, if I wanted to send you some money, all I needed was your bank account number and sort code. And I could name you ‘Mickey Mouse’ if I wanted to and the bank would still not raise any red flags. Whereas in the UK, at least now, if the name that you put on the transfer isn’t very, very similar or exactly equal to the account name, then red flags are raised. They might not block the transfer, but they will say “Are you really sure about that?”

Simon Edwards 26:42
So we’ve looked at the tactics that social engineers use, and the characteristics that we have for being tricked and why those tactics work. And let’s have a look at the kind of payloads that the attackers will deliver. So for example, you know, the things that Marc and I’ve been talking about so far might be a demand for action: “please transfer some money into this account, and do it now because it’s urgent”.

Simon Edwards 27:07
Or it might be requests for information like what is your username and password? I’m sure we’ve all had Apple iCloud or PayPal emails saying we need to verify our information. You might in the old days have received malware attachments, you know, computer viruses and Trojans attached to emails. That’s a lot less likely to happen now because Office 365 and Gmail and all those other services everyone uses generally don’t allow you to attach executable files.

Simon Edwards 27:37
And by executables, I mean programs, computer programs. You’re more likely to get a link to those in an email, because then the email services don’t really know what’s going on. Some of them will look down those links and, if they see an executable, they might rewrite the email and say, “Are you sure you want to click on that link?” But we do testing. Marc, you do a bit of email testing don’t you?

Marc Briggs 28:00
Yeah. That’s right. Yes. And we look at all these aspects within the email test, whether it be an old-school attachment, an executable file, as you’re talking about, or, more likely, a link these days. But the call to action is the key element in an email, because you may not be exploited electronically. You may be convinced by the nature of the wording to give away information that can either give people access or give people information in order to gain access.

Simon Edwards 28:36
Right, yeah. You have to believe it. If you just send a program called bad.exe attached to an email, no one’s gonna run it.

Marc Briggs 28:45
But you see those. I see emails that come into my inbox, the junk inbox, because the platforms are doing their jobs, but it is just to the email address, and it just has a link. And there must be some success with those emails, in order for those criminal elements to keep sending them.

Simon Edwards 29:10
I’ll tell you a funny story that I might cut out of this. Sometimes you can just be really unlucky. I used to work for a computer magazine reviewing computer equipment. And there was a PR company that worked for a hardware manufacturer called Creative Labs and they made like kind of the best sound cards that normal consumers would ever consider putting into their computers. And so we were always getting press releases about Creative Labs from this lady.

Simon Edwards 29:36
And the reviews editor at the time, who I worked with, got an email with an attachment called creative.exe from this woman. Now at the time there was a virus going around. It was a worm that spread between people’s contact details through email, like we were talking about before, so we are talking more than 20 years ago. But it just looked like it was legitimate. It was called the client’s name. She was the right person. He double-clicked it. And his hard disk was filled with infinite numbers of files that were alleging to be photographs but weren’t, and it just broke him completely.

Marc Briggs 30:09
Yeah. And that was just, I mean, it’s unlikely that attack was as targeted as it might seem to you. It was just purely by luck that the attack was called creative and you got Creative Labs links from this woman.

Simon Edwards 30:30
He was very unlucky. He just used to walk near computers and they would break. It was uncanny.

Simon Edwards 30:36
When we talk about technical exploits, we’re looking at a few different things. So one is we have to recognize that all software is vulnerable. No piece of software that we’re aware of in the world has got no potential security holes, which means that you can hack it. So we talked about executable files, these are programs, you generally don’t see those coming through email. You might get them through download sites and things. But for businesses, it’s not really a very big deal.

Simon Edwards 31:07
What you may have heard about in the technical press over the last three or four years are so called ‘fileless’ attacks. What they really mean is attacks that don’t have executable files in them, because they rely on scripts and scripts are files. So you might have macros, or Visual Basic files, or PowerShell files. And where they are quite tricky is they never really touch the hard disk. So if you’ve got some kind of anti-virus products running, that looks at files that are written to disk, while these never do, they stay in memory, so they can be a little bit slippery.

Simon Edwards 31:41
And you’ll get these attached to some emails. So they might be at the end of a link. More likely, though, you’ll get a document. So it could be a Word document or a PDF. And you would think to yourself, “Well, what possible threat can a Word document have? It’s just words?” Well, it is. But it is code which is opened by Word. And Word has vulnerabilities in the same way that the average PDF reader has vulnerabilities.

Simon Edwards 32:08
You know, Adobe Reader used to be full of holes. Probably still is. So when you open a Word document, the badly made document attacks Word and makes it do strange things. And that might be to download more malware or to open a connection to the attacker. And like Marc was saying, if you believe that this Word document is coming from the right person, if you’re expecting it, then you’re going to open it.

Simon Edwards 32:35
And finally, one of the most significant threats, I think, of the last few years has been the web-based browser exploits. So you might remember, exploit toolkits, a few years ago, were very widely spread, certainly very heavily talked about by the security vendors.

Simon Edwards 32:51
And these are where you just simply had to visit a website. And some malware would invisibly download onto your computer and start running. Unless you’re a tester like us where we run tools, and we can see all that behavior going on in the background, you would have no idea that it was installing software on your computer to steal your passwords, maybe to encrypt your files later.

Simon Edwards 33:13
Or just to kind of subscribe you into a network of computers under the control of bad guys who are going to use for all sorts of things like attacking other systems.

Simon Edwards 33:24
So those are kind of general technical threats that we see. And on their own, they’re pretty useless. You have to combine them with social engineering for most people to come across them. So having frightened everyone with how weak and feeble we are as human beings and how clever the attackers are with their tactics and payloads – Marc, can you give us a few tips on how we as not just as individuals, but business owners or officers? How can we protect ourselves, our families and our organizations?

Marc Briggs 33:56
Well, there’s a few things to remember to do. And I think the first one that I’d recommend is just to slow down. Criminals, social engineers want you to act first and think later. If the message that you’ve received, by whatever means, conveys a sense of urgency or uses those high pressure sales techniques that we’ve given examples of earlier, be skeptical. Don’t let their urgency influence your careful review of the decision that you are going to make about what they’ve asked you to do – the action which they’ve asked you to carry out. So I think that would be my first one.

Marc Briggs 34:28
The second one is research the facts. So be suspicious of anything unsolicited. Remember that emails can be hijacked. But if you’ve not asked for it, or you’re not expecting it, then be suspicious of it. If the email looks like it comes from a company that you use, do your own research. So, for example, if you get an email from the government, and it looks like it’s from the government, because you recognize the branding from previous emails that you’ve had, don’t follow the links on that email. Do your own research.

Marc Briggs 35:19
So come out of your email, go into your search engine, access the government through the website that you found on the search engine, and then access your account that way. And that way, you are mitigating the fact that that email may have malicious links attached to it.

Simon Edwards 35:40
Right. So you’re saying that if an email has got a link in it, and the email comes from your bank, rather than clicking on the link, go to your bank and look at the private messages that they send to you through that?

Marc Briggs 35:51
Absolutely, absolutely. And if the bank has got something to say to you, then you can actually phone them as well. I mean, there are other ways of doing research. Don’t trust the links, and don’t trust the emails. But do remember that the banks or institutions, schools, governments do contact you by email. So what we’re not saying is everything is a social engineering attack. It’s just – be suspicious.

Marc Briggs 36:17
You’re looking for the absence of normality, or the presence of the abnormal, around the emails that you get. You know, the type of emails that you regularly receive from different organizations, and the type of content that they have. If the content is different, or if there’s anything that’s unusual, then that’s when you apply your suspicion.

Simon Edwards 36:40
I think people get really used to using search engines, now. It used to be that they were quite rubbish. And now you type into Google and it just appears number one. But you can’t completely trust search engines, so I think using bookmarks for your most frequently accessed services makes a lot of sense. So your car recovery service, your banks, whatever else… You’re much less likely to get misdirected if you have a list of those in your web browser. What else?

Marc Briggs 37:05
Well, remember, we’ve said earlier in this podcast, that emails can be hijacked. And they often are. We’ve probably almost all had emails that look like they’re from friends. But that friend’s account has been compromised, their address book has been exploited and emails have been sent. So remember, that if you receive an email from a friend, and it’s unusual (the presence of the abnormal), then be suspicious. And you’ve got other ways of contacting this person, so if your friend contacts you and is applying a call to action, or a request for information, money, whatever it happens to be, what’s wrong with giving them a call?

Simon Edwards 37:57
No one phones anyone anymore!

Marc Briggs 37:59
Okay then. Yeah! Why don’t you send him an Instagram message, or whatever you want to do. Signal is a good messaging app. Telegram. There are a number of different forms of communication, which means that you don’t have to bounce back via the email that you’ve been sent, that has raised your suspicion.

Simon Edwards 38:22
And I think, yes, social media accounts are exactly the same thing. If you get strange messages saying, “is this you in that video?” from friends of yours, possibly ones you don’t normally talk to that often, that should be a red flag as well.

Simon Edwards 38:35
When you download files, such as Word documents, or someone sends you a link to them, there are lots of different products out there, particularly for large enterprises, that will allow you to view them without exposing yourself to an exploit such as I spoke about earlier.

Simon Edwards 38:51
But for even large businesses, and even consumers, there is a cheaty way of doing this, which is to use your Google Drive. If you upload that word document to Google Drive, and view it through that system, you’re actually stopping Word from getting involved, and that reduces your risk. So viewing PDFs, Word documents, PowerPoint, all that kind of thing, through a service like Google Drive is a cheap and easy way to reduce your threat exposure.

Simon Edwards 39:23
And finally, what should you do if you have won the Canadian lottery and you’re in the UK?

Marc Briggs 39:28
Well, winnings from foreign country, whether it be you’ve won a foreign lottery, you’ve received money from an unknown benefactor, or there’s someone in a foreign country that just wants to transfer you money, it’s going to be fake. If you’re not expecting it, and you haven’t actually bought a ticket in the Canadian lottery, then this is a scam. So be aware of it. Don’t get blinded by these greed phishing emails and the prospects of winning a lot of money. Treat them as fake.

Simon Edwards 40:11
So the final tip is, if anyone asks you for any kind of password information or financial details, just ignore it. You don’t have to do any research. If it’s important, if it’s your bank, they’ll get in touch another way, it’s just not going to be true that you need to urgently respond to any of those kinds of requests.

Marc Briggs 40:30
And no one, no institution is going to ask you for your financial information or ask for a password. No one asked for it. It’s definitely fake.

Simon Edwards 40:40
A lot of the things we’ve been talking about relate as equally to businesses as to individuals. But one of the most popular kinds of attacks is involving credential theft. So if you read all the different threat reports over the years, yes, there are exploits, computer viruses, whatever else.

Simon Edwards 41:00
But generally, what happens in the majority of time is that attackers gain access to usernames and passwords, and use those to get into networks. And once they’re in, they may then start using technical techniques to move around inside the network and increase their ability to move, find more data, get into the really juicy stuff.

Simon Edwards 41:21
Credential theft is hard to prevent. You do need products, usually on your network, to do that, although there are some inexpensive ways of monitoring the situation. Although obviously it will be too late by that point. So yes, monitor the different breach databases, we’ll list some of those in the show notes, to see if your organization appears. If you’re in Wikileaks, you can search for that, too. That’s totally disastrous, but it’s maybe worth doing as well.

Simon Edwards 41:48
You’ll also hear consultants talking about the dark web, which is really just another part of the internet. It’s not that exciting. But it is where criminals trade information. And you might find that if you have a look around, your organization’s details might be available for sale. It’s probably not worth paying whole teams of people to do that. Maybe get a couple of team members to have a quick scan around.

Simon Edwards 42:14
Ultimately, not everything is down to you as a human being to recognize and research. There are products available to try and help. Marc specifically runs the SE Labs email testing, for example. So we know that a lot of these products are quite capable of detecting threats. But is it fair to say they’re not 100% effective?

Marc Briggs 42:36
It is fair to say that, yes. And these products are in development all the time. And it’s relatively new security infrastructure, when you compare it to something like the endpoint protection that people might more commonly know as an anti-virus software, stuff like that. But the email protection and the endpoint protection are all layers, which should be configured appropriately for you as an individual, you as an organization, to provide the protection it needs. So what you are receiving, as the user, it has already knocked out all of the more obvious social engineering or attack vectors, and you’re only dealing with a small percentage of what’s out there.

Simon Edwards 43:28
Yeah, and actually, the humans, they sit in the middle of it. So you have threats coming through email, they should get handled by the email filtering. Threats coming through the web browser. Again, various anti-virus products and all the rest of it should deal with that.

Simon Edwards 43:42
But there is always the human in the middle, fielding everything. They’re choosing which websites to visit. They’re choosing which emails to open. So you cannot rely on the technology 100%. No security technology is both 100% effective at stopping threats and allowing you to get useful work done. So human discretion is necessary, and I think with the tips that we’ve been able to provide in this episode, we hope that puts you well ahead of the game.

Simon Edwards 44:10
Please subscribe. And, if you enjoyed this episode, please send a link to just one of your close colleagues. If you want to join the DE:CODED community and access private content, including our monthly executive briefings, apply at decodedcyber.com/circle. And that’s it. Thank you for listening, and we hope to see you again soon.

Peek further behind the curtain with DE:CODED Circle.

If you would like access to exclusive, private content from the security testers at SE Labs, please consider applying to join DE:CODED Circle.

DE:CODED Circle is a moderated, vetted community built with the goal of sharing threat intelligence and business-focussed security knowledge to responsible peers.

Apply to DE:CODED Circle now.
