[00:00:17.290] – Matt Fusaro
How are you doing?
[00:00:19.070] – Jason Pufahl
So, I think we decided to call this one "Cyber Incident Monday"?
[00:00:22.030] – Steve Maresca
I think so.
[00:00:24.530] – Jason Pufahl
Right, so it’s the holiday season. People are shopping, right? I think fewer people are going out to the malls. More people are shopping online. The reality is we know it’s happening during work and there’s legitimate reasons for it. People are buying things for gifts, maybe for staff. They could just simply be buying things for the office like normal. Clearly, people are also going to shop in their lunch hours or random times during the day for personal shopping, right? So, the reality is—it’s happening. You’re probably not going to put controls in to stop it.
[00:00:57.860] – Jason Pufahl
So, I think the discussion we really want to have here is, how do we actually sort of enable employees to do it safely? Are there tips that we can give them? What are some of the potential pitfalls to somebody shopping online at work?
[00:01:14.650] – Jason Pufahl
And I think we did want to start with a story around…I guess it’s certainly an incident, right? It might not have been your traditional ransomware, but an event that occurred at one of our clients when an email administrator, if I recall, was shopping and directed to a kind of an illegitimate site that looked correct, right?
[00:01:37.170] – Steve Maresca
Yeah, I think the main takeaway is that the outcome was that because of shopping activity, as sort of the prelude to this attack, an attacker was able to take over a domain by intercepting email, by modifying credentials, and altering the fundamental information associated with this customer’s website. That impacts a lot of things. It’s reputational. It’s huge impact for email flow. All of the customers of that entity were affected themselves. They couldn’t reach anything.
[00:02:12.280] – Matt Fusaro
It’s hard to recover from, too, when you have a domain take over like that…
[00:02:16.350] – Steve Maresca
It’s a nightmare.
[00:02:16.390] – Matt Fusaro
…now you’re getting the entity involved with the hosting provider.
[00:02:20.050] – Steve Maresca
Yeah, it took days to resolve.
[00:02:21.940] – Jason Pufahl
It did, and days by design, right? Because your time to live for this stuff was set to actually take a long time to recover from.
[00:02:28.950] – Jason Pufahl
So, the hard part about it, though, and one of the useful tips from it, is that the email administrator, in this case, I think was using the administrative credentials as the local logon for a PC. So, it was easy for the attacker to collect those when that attack started.
[00:02:47.300] – Steve Maresca
Right, and there was a phishing component also. They were visiting a shopping website. They were expecting some sort of notification. And they supplied their credentials. From there, it was a really straightforward step to log into systems as if this individual…and obtain the credentials, and effectively subvert the workflow of domain management of network engineers. And from there, the domain takeover is really quite straightforward—modify the service associated with the domain, and off they go.
[00:03:18.220] – Jason Pufahl
So, an event…an attack that probably took an hour to execute, I think resulted in…I had ten-plus people's time over the course of a week to recover from it.
[00:03:31.200] – Jason Pufahl
It was a hugely disruptive event. The institution was mad because they had a reputational issue, more than anything else. Of course, it happened over the holidays, because it's a really popular time to do it. If I recall, it probably happened, I want to say, on Christmas Eve. I'm not 100 percent positive, going back, but it was a common thing like that, right?
[00:03:52.540] – Jason Pufahl
It’s a Friday. It’s the day before a holiday. It’s on the holiday. That’s the time that these things actually are executed.
[00:03:58.070] – Steve Maresca
Right, there are secondary impacts. Difficult to reach support. You have to prove your identity. How you would normally do that? Well, via codes delivered to your email, which you can’t receive because your domain has been hijacked. It’s just a vicious cycle.
[00:04:11.750] – Jason Pufahl
So huge amount of disruption, because an individual wanted to purchase something online, which we see all day, every day during this time of year. How do we protect against that? How do we enable people short of really complex firewall rules, and some of these other things that people like to implement that, in my opinion, don’t really provide a lot of value? And I think training and awareness is one of the bigger helps here.
[00:04:39.690] – Matt Fusaro
Yeah. I think that early 2000s mentality of "let's block as much as possible" is gone. Web filtering has, I think, become much more permissive over the past five, 10 years or so. I don't know if you guys agree with that or not.
[00:04:55.210] – Matt Fusaro
I’m sure it depends on where you are, but a lot of places, they’re pretty open. That’s kind of the ideal. They want people to feel like they’re not being censored at work. But that also means now you can get to a lot of websites that you wouldn’t have normally gotten to.
[00:05:07.650] – Jason Pufahl
They don’t want to drive people home, right? They want people staying in the office, which means enabling them.
[00:05:11.850] – Matt Fusaro
Yeah, protecting things when you do allow all of that gets significantly more difficult, right? Making sure that browsers are up to date. You don't have extensions allowed all over the place. Our SOC is probably very sick and tired of seeing all the coupon extensions out there that get alerted on all the time.
[00:05:34.690] – Steve Maresca
The bigger issue, aside from the actual activity itself, is that it’s being performed on a system that’s being used for legitimate business activity. It’s the confluence of maybe personal shopping with business systems. That’s the actual fundamental problem, and that’s exacerbated by the use of organizational credentials and identities at that moment.
[00:05:58.960] – Steve Maresca
So, some organizations choose to have an Internet-only guest network that employees can use for this type of activity. And most people use their phones quite comfortably to do that. That’s a fine way of facilitating something that might be culturally permitted.
[00:06:16.270] – Steve Maresca
Alternatively, just having separate accounts for privileged activity and unprivileged activity. That will put up a giant stumbling block for an attacker trying to take over accounts or otherwise subvert systems.
[00:06:29.410] – Matt Fusaro
Right, yeah, agreed.
[00:06:32.170] – Jason Pufahl
It’s an interesting point you make because we always recommend keeping your personal activities on personal devices, and your professional ones on professional devices. Don’t co-mingle email accounts. Ideally, to your point Steve, use your phone or maybe your personal laptop for shopping.
[00:06:50.050] – Jason Pufahl
The reality is, if I’m being honest, there’s probably been a Zoom meeting or two where I’ve browsed websites instead of listening to the meeting, right? It’s way harder to pull out your phone and surf on Amazon during a Zoom meeting. We all spend a lot of time on that.
[00:07:08.410] – Jason Pufahl
We don’t want to pretend that people are only going to use personal devices for this stuff, right? I think the point about making sure you have your non-administrative credentials is really, a key one. That was such a critical component to the incident we talked about earlier.
[00:07:23.650] – Steve Maresca
Yeah, I think I agree with your other point, which is effectively they’re going to do it anyway.
[00:07:29.020] – Jason Pufahl
They’re going to do it anyway.
[00:07:29.850] – Steve Maresca
Everyone does it anyway. The only way to prevent it realistically is a draconian environment that no one actually implements, in reality. So, what do you do realistically? Well, defend browsers.
[00:07:44.770] – Steve Maresca
Yeah, spam filtering. Use ad blockers if it’s permissible. Defend against the likely paths for that type of attack. You want to make sure that workstations are up-to-date and they’re not using browser plugins that are out-of-date. That’s the typical drive-by attack. You get rid of that, and you have a more subdued attack surface.
[00:08:06.570] – Matt Fusaro
Yeah, I was just going to mention with that. Most of these are going to be, like Steve said, drive-by attacks or they’re going to be opportunistic. You’re not going to see a lot of advanced APT-type malware that is going to take over systems like this. This is going to be your average, everyday stuff.
[00:08:26.560] – Matt Fusaro
Some of them aren’t even really targeting businesses. They’re really targeting the at-home user. They’re just looking to disrupt or get them to call a number and steal a credit card or something like that, right?
[00:08:38.830] – Matt Fusaro
So yeah, it’s not always the advanced things.
[00:08:42.800] – Steve Maresca
But recognizing that, generalized security awareness training is how you equip general users to avoid these types of issues. Unrealistic expectations are that every user is going to detect something, but at least you’ll make them think twice when they receive an email that is a little strange, or encounter a website that’s unexpected in terms of its representation. That’s where you start.
[00:09:09.010] – Jason Pufahl
Make it interesting. And I think the trouble with security awareness training all the time is we say the same things. “When you see phishing, look for a malformed email address” or “Be suspicious of the URL.” But the reality is have a conversation with your employees that it’s the holidays and you’re going to see these types of attacks. Be explicit about it. And I think if you anchor that in something that’s going to happen over the next, say, 3-4 weeks, people will pay more attention.
[00:09:35.600] – Jason Pufahl
Don’t be as vague as I think we often are. We’re our own worst enemies in that regard sometimes.
[00:09:39.850] – Steve Maresca
Yeah, I mean, realistically, the holidays—whether we’re talking about Thanksgiving or Christmas or you name it—that’s when our guard is down, people are on vacation. There needs to be some sort of secondary, “Hey, have your heads up, look for things” type of advisor. Yeah, absolutely. Paying attention is critical.
[00:09:59.810] – Jason Pufahl
So, I think we talked a tiny bit as we were preparing for this, around the idea of sort of third-party processors and some of these other payment mechanisms out there. I think we’re used to seeing things now.
[00:10:11.740] – Jason Pufahl
Clearly, credit cards are common. PayPal integration. And maybe, like Apple Pay, much more common. But we probably see some other payment processors out there that are less frequently…that you run into less frequently. Is there a risk to those in your opinion, or is there any reason to avoid some of these other things?
[00:10:33.890] – Matt Fusaro
It’s tough to answer the avoid question. There’s good reputations. There’s bad reputations, too. You’ve got places like Affirm that are pretty popular now, Shopify, a lot of them are “buy now, pay later”-type style.
[00:10:48.130] – Steve Maresca
But still new to many people.
[00:10:51.620] – Matt Fusaro
But what you also have to remember is that a lot of them are doing credit checks, so they're going to be asking for a lot more personal information than just your credit card. It's easy to recover a credit card. But, once your Social Security number is out there, that's a little bit more difficult. So be aware of that, and don't necessarily use your corporate network to transmit your Social Security number to buy a laptop for your little Johnny.
[00:11:19.550] – Steve Maresca
And ultimately, if you’re using one of them because it’s attractive because you don’t have the amount of money that’s necessary at that very moment, then do some secondary research, open another tab, determine if it’s legitimate. It doesn’t take very much searching, realistically.
[00:11:35.330] – Matt Fusaro
Yeah, it’s easy to vet most of these things. If you have questions…I haven’t personally tried this before, but I’m sure you can reach out to either your banks or your credit monitoring. If you do have it, ask them about it. I’m sure they’ve got helplines that can kind of attest to whether those are legitimate organizations or not.
[00:11:54.700] – Jason Pufahl
Yeah, that's fair. And I think you named a couple of really common ones. But it is interesting to see the integration of some of these third-party services, and people really are spending money in different ways, or accessing money in different ways now. So, you have to be mindful of that.
[00:12:08.740] – Steve Maresca
Again, returning to the gift-giving aspect. This is the time for gift cards. Gift card scams are very common.
[00:12:14.980] – Jason Pufahl
That’s a good point.
[00:12:16.790] – Steve Maresca
Incentives during the holidays in the form of gift cards are actually occurring in the workplace. So, you know, distinguishing between real and fake in that context might be a challenge for some people. Really, just make a phone call; ensure it’s legitimate.
[00:12:31.370] – Matt Fusaro
Phone call, walk over to the office or something like that. Verify that they’re actually asking for that gift card.
[00:12:36.420] – Jason Pufahl
Let’s face it, there’s really never an emergency gift card giving requirement. You just don’t have the, “You have to buy it this second or else some bad thing’s going to happen.” So be suspicious of those. And we see it all the time, and they work and they’re persistent. They’ll try a variety of different ways to get people to spend money on that.
[00:13:01.590] – Jason Pufahl
Coming back to this, really at the beginning, we do want to talk to our employees about the fact that it is the season, and you probably don’t want to say, spend all your time shopping, but you don’t want to pretend they’re not going to.
[00:13:14.840] – Jason Pufahl
And I think it’s important to have these conversations to do your best to protect your organization from kind of, the common things that we talk about, really in a lot of these episodes. Again, these are really complicated attacks that we’re talking about. It’s basic awareness and just sort of being careful about where you’re at.
[00:13:31.920] – Steve Maresca
Yeah, acknowledging it without sounding punitive so that people feel inclined to listen and think on the behalf of the organization. And recognize there’s a personal component too.
[00:13:42.630] – Jason Pufahl
Yeah. I mean, that’s fair. Know that it will probably quiet down in a few more weeks. We’re in that season. So, you do your best to weather the storm and kind of get through it.
[00:13:56.070] – Jason Pufahl
Any final thoughts at all? I think we talked a little bit about pop-up blockers and coupon trackers and some of these other interesting things people encounter. Anything that jumps out as a final idea?
[00:14:10.070] – Steve Maresca
I think I’d say if your organization does have website filtering by category or something like that, just recognize that they’re not 100-percent solutions. They’re at best 40, 60 percent, if you’re lucky.
[00:14:24.510] – Steve Maresca
There’s always a new vendor out there that’s not been classified. It’s the nature of the beast. So, if you have them and you rely on them because you think that they are reliable, know that it’s an arrow in the quiver, but not the be-all-end-all.
[00:14:39.190] – Matt Fusaro
Yeah, doing things like that and just making sure that your visibility systems are up and working. You’re getting at least some logs from your firewalls. The usual things we talk about.
[00:14:50.060] – Matt Fusaro
Make sure that your systems are actually catching the data that you want. And if it does come down to having an incident, at least be ready.
[00:14:56.890] – Jason Pufahl
Yeah, that's reasonable. So, I think as a quick ending, we just want to say happy holidays. Don't be afraid of holiday shopping. Talk to your employees, of course. If you have concerns around this that run any deeper than this conversation, feel free to reach out to us at Vancord on LinkedIn or VancordSecurity on Twitter. And as always, thanks Steve and Matt for joining us today, and we hope that people got value out of this.
[00:15:22.650] – Speaker 1
Stay vigilant, stay resilient. This has been CyberSound.