Unmasking the Imposters, Part 2: Detection and Damage Control

In the first of this two-part security report, we discussed the threat presented to individuals and enterprises by malicious outsiders posing as members of an organisation itself, or representatives of a trusted external institution like a bank or popular online resource. We looked at how these imposters are refining their methods of extracting funds or confidential information from victims targeted through phishing campaigns, backed up by malware, and supported by data gleaned from contact databases and social media.


To conclude, we’ll be considering the various ways that companies and individuals can spot the presence of an imposter, mitigate the damage they potentially cause, and take measures to render an organisation less vulnerable to attack in the first place.

Detection in Principle

The unique slant of an imposter attack which makes this kind of cyber-assault difficult to detect is that the intruder (having gained the relevant information and access permissions from someone within the organisation or closely associated with it, by phishing) now has the freedom to operate within the corporate network, looking to all intents and purposes like a legitimate user. From this position, an imposter can sabotage existing operations, steal vital information and/or funds, and compromise the network.


So the key for network administrators and security officers is to look for activity that originates from within their own system, but which runs counter to the objectives and overall best interests of the organisation.


A “typical” imposter assault on a network occurs in three distinct phases:

Phase 1: Infiltration of the Network

As we’ve seen, it’s no longer a case of simple “bait and lure” phishing. Targeted campaigns are now conducted based on research taking in contact lists, user profiles, and data gleaned from social media. This may be supplemented by the insertion of malware into the targeted system – malicious software that can assist the initial phase of attack by scanning for access credentials, cracking passwords, and eating away at network defences.

The Tell-Tale Signs:

  • Authorisation requests or attempts to gain access to resources from a user who would not normally be required to make such attempts in the normal course of business – especially if their position on the corporate network / security hierarchy is low.
  • “Noise” generated in expected flows of network traffic may indicate hacking attempts by malware which has made its way into the system.

Phase 2: Gathering Data

Having achieved access and gained a foothold, the imposter may then proceed to hoover up as much information from the network as they can: credentials and passwords of authorised users, financial records, contact lists, business intelligence, etc. To the casual observer, this information will appear to be going to a legitimate user – but there’ll be a lot of it.

The Tell-Tale Signs:

  • Look for an inordinately large number of data requests, file searches, downloads, or file transfers to a particular user’s account.
  • These data-gathering attempts will also be very frequent, when compared with the profile of an average user of the network.

Phase 3: Smuggling the Data Out

Unless the imposter has an agent physically in place to ship out flash drives or other removable media (a disgruntled worker or “mole” within the organisation), they’ll have to rely on point-to-point data transfer to extract the information they’ve stolen. Typically, this will be to their own remote servers, which are often cloud storage services set up on temporary accounts, using credentials they’ve also stolen or faked.

The Tell-Tale Signs:

  • Creating a link from the imposter’s presence within your network to their dummy cloud storage account may leave an audit trail that can be traced by security monitoring software.
  • Unless the stolen data is trickled out gradually over time (which is harder to trace, but increases the imposter’s risk of detection) a sudden surge in file transfer activity should also throw up red flags.

If the attack is prolonged, with data being smuggled out over a long period, it may also be possible to set up tracing algorithms on your security monitoring software to highlight recurring patterns of data transfer from a particular user, which may be worth investigating.
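The two tell-tale signs above (a user suddenly pulling far more files than usual, and stolen data trickling out to the same external destination at regular intervals) can both be checked mechanically against a file-activity log. The script below is an added example, not code from the original article; the log format, the user names and the destination host are constructed for illustration, and real monitoring software would read its own event format instead.

```python
"""Added example: spotting the 'gather' and 'smuggle' phases in file-activity logs.

Constructed log format (not the article's): "timestamp user action target bytes".
'alice' behaves normally; 'bob' (assumed compromised) bulk-downloads on the last day
and uploads to the same external host every six hours.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, median

SAMPLE_LOG = """\
2024-03-01T09:10:00 alice download /finance/q1.xlsx 120000
2024-03-01T14:20:00 bob download /hr/list.csv 40000
2024-03-02T10:05:00 alice download /finance/q2.xlsx 110000
2024-03-02T11:00:00 bob download /sales/leads.csv 30000
2024-03-03T09:30:00 alice download /finance/q3.xlsx 115000
2024-03-03T10:00:00 bob download /finance/q1.xlsx 120000
2024-03-04T06:00:00 bob upload ext:drop.example.net 300000
2024-03-04T08:00:00 bob download /finance/q2.xlsx 110000
2024-03-04T08:01:00 bob download /finance/q3.xlsx 115000
2024-03-04T08:02:00 bob download /hr/salaries.csv 900000
2024-03-04T08:03:00 bob download /sales/pipeline.csv 500000
2024-03-04T08:04:00 bob download /legal/contracts.zip 2500000
2024-03-04T08:05:00 bob download /rnd/roadmap.pptx 800000
2024-03-04T09:00:00 alice download /finance/q4.xlsx 118000
2024-03-04T12:00:00 bob upload ext:drop.example.net 310000
2024-03-04T15:00:00 alice upload ext:partner.example.org 50000
2024-03-04T18:00:00 bob upload ext:drop.example.net 295000
2024-03-05T00:00:00 bob upload ext:drop.example.net 305000
"""


def parse_events(text):
    """Turn the constructed log into a time-ordered list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, target, size = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "target": target, "bytes": int(size)})
    return sorted(events, key=lambda e: e["ts"])


def flag_download_surges(events, multiplier=3.0, min_count=5):
    """Phase 2 sign: a user's download count on their latest active day is far
    above that user's own average over earlier days (a per-user baseline)."""
    per_day = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e["action"] == "download":
            per_day[e["user"]][e["ts"].date()] += 1
    flagged = {}
    for user, days in per_day.items():
        ordered = sorted(days)
        if len(ordered) < 2:          # no history to compare against yet
            continue
        last, earlier = ordered[-1], ordered[:-1]
        baseline = mean([days[d] for d in earlier])
        if days[last] >= min_count and days[last] > multiplier * baseline:
            flagged[user] = {"day": last.isoformat(), "count": days[last],
                             "baseline": baseline}
    return flagged


def find_periodic_uploads(events, min_transfers=3, tolerance=0.2):
    """Phase 3 sign: repeated uploads from one user to one external destination
    at a near-constant interval (the 'trickle' pattern)."""
    by_pair = defaultdict(list)
    for e in events:
        if e["action"] == "upload" and e["target"].startswith("ext:"):
            by_pair[(e["user"], e["target"][4:])].append(e["ts"])
    patterns = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_transfers:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        typical = median(gaps)
        # Every gap must sit within +/- tolerance of the typical gap to count as a pattern.
        if typical > 0 and all(abs(g - typical) <= tolerance * typical for g in gaps):
            patterns[pair] = {"transfers": len(stamps), "interval_hours": typical / 3600}
    return patterns


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for user, info in flag_download_surges(evs).items():
        print(f"download surge: {user} {info}")
    for (user, host), info in find_periodic_uploads(evs).items():
        print(f"periodic upload: {user} -> {host} {info}")
```

On the constructed log, `bob` is flagged for a surge (six downloads against a one-per-day baseline) and for four uploads to `drop.example.net` exactly six hours apart; `alice`, whose single upload goes to a partner host, is not. The thresholds (`multiplier`, `min_count`, `tolerance`) are deliberately parameters, because the right values depend on the benchmarks for your own users discussed in the next section.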

Monitoring Your Users

In setting permissions and drawing up policy, your network administrators and security officers should establish “Who’s Who?” at the outset:

  • Which users have the authority to access which network assets, resources, and data
  • What their base and average levels of activity should be under normal operating conditions
  • What their level of activity should look like under any spikes of activity that occur, such as seasonal sales campaigns, or at audit time

These can serve as benchmark levels for your network and security monitoring software, in flagging any anomalous activity from your registered users.

Monitoring Your Network

A similar approach should be adopted in setting up administrative and security oversight for your network as a whole.

  • Establish benchmark levels for network traffic flows during base, average, and peak levels of business operations.
  • Establish benchmark levels for login attempts, access requests, etc. under these conditions.
  • Configure your monitoring tools to red-flag anomalies as they occur – and investigate them, thoroughly.
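The “Who’s Who?” list for users and the benchmark levels for the network as a whole amount to a small policy table: which assets each user may touch, and what range of activity is expected under base, average and peak conditions. The script below is an added example (not the article's or any vendor's code) of encoding such a table and checking observations against it; the users, asset names and numeric ranges are hypothetical and would be replaced by figures measured on your own network.

```python
"""Added example: a 'Who's Who' baseline for users and the network, plus a checker
that red-flags access outside a user's authority and activity outside the benchmark
range for the current operating condition (base / average / peak).
All names and numbers below are hypothetical, constructed for illustration.
"""
from dataclasses import dataclass

CONDITIONS = ("base", "average", "peak")


@dataclass(frozen=True)
class UserProfile:
    name: str
    allowed_assets: frozenset   # asset groups this user is authorised to access
    activity_range: dict        # condition -> (low, high) events per hour


@dataclass(frozen=True)
class NetworkBenchmark:
    traffic_mb_per_hour: dict   # condition -> (low, high)
    logins_per_hour: dict
    failed_logins_per_hour: dict


USERS = {
    "alice": UserProfile("alice", frozenset({"finance", "sales"}),
                         {"base": (0, 20), "average": (5, 40), "peak": (20, 120)}),
    "bob": UserProfile("bob", frozenset({"hr"}),
                       {"base": (0, 10), "average": (2, 25), "peak": (10, 60)}),
}

NETWORK = NetworkBenchmark(
    traffic_mb_per_hour={"base": (50, 400), "average": (200, 1500), "peak": (800, 5000)},
    logins_per_hour={"base": (0, 30), "average": (10, 150), "peak": (50, 600)},
    failed_logins_per_hour={"base": (0, 5), "average": (0, 15), "peak": (0, 40)},
)


def check_user(profile, condition, assets_touched, events_per_hour):
    """Return findings for one user: out-of-authority access and out-of-range activity."""
    findings = []
    for asset in sorted(set(assets_touched) - profile.allowed_assets):
        findings.append(f"{profile.name}: access to '{asset}' outside assigned authority")
    low, high = profile.activity_range[condition]
    if not low <= events_per_hour <= high:
        findings.append(f"{profile.name}: {events_per_hour} events/hour outside "
                        f"{condition} range {low}-{high}")
    return findings


def check_network(bench, condition, traffic_mb, logins, failed_logins):
    """Return findings for network-wide metrics against the benchmark for this condition."""
    findings = []
    checks = (("traffic MB/hour", traffic_mb, bench.traffic_mb_per_hour),
              ("logins/hour", logins, bench.logins_per_hour),
              ("failed logins/hour", failed_logins, bench.failed_logins_per_hour))
    for label, value, table in checks:
        low, high = table[condition]
        if not low <= value <= high:
            findings.append(f"network: {label}={value} outside {condition} range {low}-{high}")
    return findings


def run_checks(condition, user_observations, network_observation):
    """Evaluate one monitoring interval. Observations are constructed by the caller."""
    if condition not in CONDITIONS:
        raise ValueError(f"unknown operating condition: {condition}")
    findings = []
    for name, obs in user_observations.items():
        findings += check_user(USERS[name], condition, obs["assets"], obs["events_per_hour"])
    findings += check_network(NETWORK, condition, **network_observation)
    return findings


if __name__ == "__main__":
    # Constructed observations for one hour: bob strays into finance data at a high
    # rate, and failed logins are elevated.
    observed_users = {"alice": {"assets": ["finance"], "events_per_hour": 30},
                      "bob": {"assets": ["hr", "finance"], "events_per_hour": 90}}
    observed_net = {"traffic_mb": 2600, "logins": 80, "failed_logins": 40}
    for cond in ("average", "peak"):
        print(f"--- {cond} ---")
        for line in run_checks(cond, observed_users, observed_net):
            print(line)
```

Running the same observations under both conditions shows why the article insists on separate benchmarks for peak periods: the elevated traffic and failed-login counts are red flags during average operations but fall within the peak range, whereas bob's access to finance data is flagged regardless of condition, because authority does not change with the season.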

The Human Element

Your workers can contribute actively to keeping the imposters out – if they know how to take precautions, and don’t fall victim to identity or credential theft, themselves. So you’ll need to:

  • Run a formal training programme to educate your staff on the ways of avoiding phishing scams conducted via email or social media.
  • Set up strong password regimes and multi-factor authentication (login password, plus mobile phone number, plus security question, etc.).
  • Educate them in the proper configuration and use of network security tools, firewalls, and malware detection software.

The perpetrators deal in falsehood, but the imposter threat is real. It is, however, a threat that can be avoided, and we hope this report has helped you in doing so.

Des Nnochiri has a Master’s Degree (MEng) in Civil Engineering with Architecture, and spent several years at the Architectural Association, in London. He views technology with a designer’s eye, and is very keen on software and solutions which put a new wrinkle on established ideas and practices. He now writes for markITwrite across the full spectrum of corporate tech and design. In previous lives, he has served as a Web designer, and an IT consultant to The Learning Paper, a UK-based charity extending educational resources to underprivileged youngsters in West Africa. A film buff and crime fiction aficionado, Des moonlights as a novelist and screenwriter. His short thriller, “Trick” was filmed in 2011 by Shooting Incident Productions, who do location work on “Emmerdale”.
