By now, you are most likely working from home for purposes of social distancing. Call it whatever you will, ‘shelter in place,’ ‘hunkering down,’ or ‘self-quarantine,’ we have all been forced to settle into our new work-from-home (WFH) normal. Unfortunately, this great migration homeward is fueling social engineering and manipulation. Predictably, the scramble to set up home offices is seeding the increase of pretext and pretense for malicious human hackers amid the crisis. The expected uptick in social attacks is impacting the entire digital landscape.
Industry pundit Mary Jane Couldridge, of the Canadian Cyber Threat Exchange (CCTE), champions the push for corporate-level safety and security measures in WFH environments. A key concern of hers is teleworker readiness to “notice … phishing campaigns.” While many WFHers have the luxury of corporate oversight to secure them against such attacks, others are not as fortunate. Eric Smith, Lares co-founder, insists that safe computing habits, followed through with proper hygiene, are vital for every teleworker. From a corporate exposure perspective, VPNs should be appropriately isolated, only allowing client connections from authorized and managed corporate devices. Our red teamer (RT) view suggests that home workers account for all the ‘security moving parts.’
Typical controls to consider are multi-factor authentication, endpoint hardening, monitoring solutions, endpoint detection and response (EDR), and awareness training with relevant, up-to-date materials such as current pretexts, because attackers will inevitably follow staffers home. Smith confesses, “I can’t imagine all the surge of help desk calls that come in with people having connectivity issues being remote.” Increased support calls along with incident response capacity will tax some operations significantly – a perfect incubator for increased pretexts, according to Smith.
Increasing Pretext
In his book, Social Engineering: The Art of Human Hacking, social engineering expert Christopher Hadnagy defines pretexting as “the act of creating an invented scenario to persuade a targeted victim to release information or perform some action” (SEAHH, p. 78). I asked Mr. Hadnagy whether the correlation between the swell of teleworkers and the rise in novel WFH pretexts was valid. “I 100% agree” that there is a correlation, says Hadnagy. He continued, “Many people that never worked from home are now forced to be in a home environment.”
He predicted that more people would drop their guard because “home is where we relax,” and attackers are counting on our “guard being down.” Hadnagy also mentioned the psychological impact of teleworking and isolation as a vector of exploitation, as human hackers target fear and panic in the home-based workforce. I spoke with Lanisha Allen, a doctoral student in clinical psychology at William James College, about this psychological impact and managing social media consumption in a crisis.
She has observed the profound emotional influence the media has had on herself and others since the COVID-19 outbreak. She notes that people are being exposed to a flood of content during this time, causing some to experience anxiety, depression, and discouragement, while, surprisingly, others seem to be reacting impulsively with skepticism. “People are more likely to click on internet content for information and guidance on how they should best handle the COVID-19 epidemic, which is exposing them to hackers,” states Allen.
Expanding Pretense – Disinformation
There is also a rise in misinformation dissemination by way of media, social media in particular. As disinformation campaigns rage on, companies on the frontline, like Twitter, Facebook, and YouTube, tasked with combating the spread of misinformation, have extended paid leave to core staff in the wake of COVID-19, according to the Washington Post (WaPo). “While Facebook, YouTube, Twitter, and other companies have long touted artificial intelligence and algorithms as the future of policing problematic content, they have more recently acknowledged that humans are the most important line of defense.”
Given the absence of knowledgeable staff to train the artificial intelligence (AI) engines that detect misinformation spread, leadership at the social media platforms warns the public to expect an uptick in errors (false positives in particular), which lends an advantage to the influencers. Now, WFH employees (and their respective family members) are increasingly the de facto frontline of defense against these campaigns.
Unlike the social engineering market, with its glut of vendors defending end users, no such luxury exists on the information ops mitigation side. I recently posed a question to LikeWar author Peter Singer about the dearth of solutions to thwart misinformation peddlers as compared with the social engineering market. Home staffers should take precautions to reduce the consumption of information in the effort to maintain productivity.
His response – “educated-users.” Given the absence of digital defenses, he admonished both public and private sector leaders to devote time to educating colleagues, end users, and communities to become self-resistant to the spread of these campaigns. As COVID-19 spreads, so does misinformation at an alarming rate. WFH staffers, however, can do their part to decipher the signals from the noise.
Semper Vigilans (Always Vigilant)
Home-based staffers and those who manage them should heed Hadnagy’s advice – “this environment is perfect for attackers to get you to take an action that may NOT be in your best interest.” Lares strongly believes that addressing physical security alongside computer security goes a long way in shrinking your pretext attack surface. A quick task list might include:
- configure email inspection
- review hardware devices you buy online
- determine whether your home Wi-Fi networks are using legacy encryption such as WEP (Wired Equivalent Privacy)
- check whether WPS (Wi-Fi Protected Setup), which could be brute-forced, is enabled.
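One way to run the two Wi-Fi checks from the list above, as an added example that is not part of the original article: the script parses scan text in the layout printed by `iw dev <iface> scan` on Linux (an assumption) and flags networks that use WEP or advertise WPS. The sample scan, SSIDs and BSSIDs are constructed.

```python
import re

# Constructed sample modelled on `iw dev <iface> scan` output (assumption:
# a Linux host with iw installed; SSIDs and BSSIDs are made up).
SAMPLE_SCAN = """\
BSS 02:00:00:00:00:01(on wlan0)
\tcapability: ESS Privacy ShortSlotTime (0x0411)
\tSSID: home-main
\tRSN:\t * Version: 1
\t\t * Pairwise ciphers: CCMP
\tWPS:\t * Version: 1.0
\t\t * Wi-Fi Protected Setup State: 2 (Configured)
BSS 02:00:00:00:00:02(on wlan0)
\tcapability: ESS Privacy (0x0011)
\tSSID: old-printer
BSS 02:00:00:00:00:03(on wlan0)
\tcapability: ESS Privacy ShortSlotTime (0x0411)
\tSSID: home-guest
\tRSN:\t * Version: 1
\t\t * Pairwise ciphers: CCMP
"""

def audit_scan(text):
    """Return {ssid: [findings]} for networks using WEP or advertising WPS."""
    findings = {}
    # Each access point record starts with a "BSS <mac>" line; split on those.
    for block in re.split(r"(?m)^(?=BSS [0-9a-f:]{17})", text):
        if not block.strip():
            continue
        ssid_m = re.search(r"(?m)^[ \t]*SSID: (.*)$", block)
        ssid = ssid_m.group(1) if ssid_m else "<hidden>"
        privacy = re.search(r"(?m)^[ \t]*capability:.*\bPrivacy\b", block)
        has_wpa = re.search(r"(?m)^[ \t]*(RSN|WPA):", block)
        issues = []
        # Privacy bit set but no WPA/RSN element: the network is using WEP.
        if privacy and not has_wpa:
            issues.append("WEP")
        # A WPS element in the beacon means the access point advertises WPS.
        if re.search(r"(?m)^[ \t]*WPS:", block):
            issues.append("WPS enabled")
        if issues:
            findings[ssid] = issues
    return findings

if __name__ == "__main__":
    for ssid, issues in audit_scan(SAMPLE_SCAN).items():
        print(f"{ssid}: {', '.join(issues)}")
```

To audit a real network, pass the captured scan text to `audit_scan` in place of `SAMPLE_SCAN`.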
Determined actors will continue to rely on tricks of the trade to abuse an organization, its third-party providers, and its entire supplier ecosystem amid the current panic. Also, disinformation trolls continue to amplify mistruths to sow distrust and distract workers to degrade productivity.
Remain vigilant out there and know that there is always someone at Lares available to help. Contact us today and we’ll do our absolute best to help you through these trying times.
Mark Arnold has a 15+ year cybersecurity career, serving 8 of those years in leadership roles. As a transformational leader, Mark has built security teams and programs, authored maturity model blueprints to optimize risk management processes, and implemented security domain practices at large enterprises and service providers. Mark’s areas of interest include cloud security, threat intelligence, vulnerability research, and nation-state attack methods and related activities (e.g. information operations and disinformation campaigns) and their collective impact on nations and society. Mark recently completed an executive education cohort on the intersection of cybersecurity and technology at Harvard’s Kennedy School.