Regardless of their politics, the recent news of the DNC server hack, allegedly by Russian-government-backed hackers, should have security teams pulling their hair out. Why? Because the first phase of the attack used one of the oldest tricks in the book -- a phishing email attack, leveraging a copycat domain.
"For example, the first group, APT 28, often uses the same tactic: registering a domain whose name is similar to that of its target, to trick users into disclosing their passwords when logging into the wrong site. In this case, hackers set up misdepatrment.com — switching two letters — to target users of MIS Department, which manages networks for the Democratic committee." NY TImes, July 27, 2016
It should be no surprise to learn that almost every devastating cyber breach, from Target to the DNC, starts with the same exploit:
- A simple email message directs a user to correct a problem that needs urgent attention -- ironically, a favorite recent tactic is to suggest that there has been a security issue with the users account.
- The embedded hyperlink in the email connects to a website that looks legitimate, it is really a counterfeit website set up by the criminals.
- The user, in a hurry, does not notice that the website domain isn't quite right, or that the website design isn't quite right.
- The user enters their legitimate username and password, which is immediately captured by the criminals.
- Sometimes, just clicking on the link to the rogue website will infect the users device with malware or spyware.
Stop the phish, mitigate the copycat website, and you prevent this attack before it even begins.
The recent Ponemon Research report "Security Beyond the Traditional Perimeter" revealed an uncomfortable fact. While most security organizations have a full-fledged program in place for monitoring activity on the corporate network or at the corporate firewall, an astonishing 79% of security teams do not feel that they have processes in place to gain actionable intelligence about external threats. In fact, almost half of those teams -- 38% percent of the total respondents -- say that they don't have any kind of external monitoring process in place.
It is amazing to think about that.
Especially because it is so easy to take low-cost steps to dramatically reduce the probability that your organization is being phished, socially engineered, or imitated online.
An internet threat assessment, for example, provides teams with a comprehensive report of how third parties are assuming their corporation's identity online. Domain monitoring, helps to indentify and remove copycat web domains, like the ones that initially enabled the DNC hack. BrandProtect recently added a significant capability to its Domain Monitoring service - MX record monitoring -- which provides security teams with early warning of potential spear phishing preparations, And of course, anti-phishing programs are easily implemented. A robust anti-phishing service will detect phish in the wild, incorporate abuse-box-forwarding, analyze and provide intelligence on the phish, and deliver fast, effective mitigation.
Of course, employee awareness of phishing risks are essential. If you do not have a formal cyber threat education program in place, consider leveraging the BrandProtect Monthly Executive Threat Briefs. This simple newsletter provides end-users with best practices for reducing their personal vulnerability to internet threats.
Make no mistake, all enterprises, institutions, and organizations are at risk. Your cyber-adversary may not be backed by a foreign government, but they will use the same playbook. The first compromise will almost always be from a phish. Get ahead of the enemy. Take simple steps today to prevent headaches tomorrow.