I am back from my 29th trip to Acadia National Park on the coast of Maine. There is something about sitting on a rock and staring out at the Ocean that is magical and refreshing.
This year, though, we couldn't do our annual fishing trip on Frenchman's Bay. All the major fishing trips were suddenly booked - surprising even the boat operators. I tried to book a private trip, but my best price was $1,000 for four hours of fishing (which is really two hours when you factor in getting to where you can catch fish and the trip back). It just wasn't worth it. We did other, fun things instead.
You also have a different sort of "phishing" problem. The bad guys have been leveraging AI to create the most perfectly formed phishing emails. Sadly, I must report that we are in a period in which these attacks against your users are increasingly succeeding.
There is no way that mere humans, no matter how well trained and retrained, can catch all the subtle nuances between real and fake emails.
Here are some of the issues we now face:
- Threat actors are selling M365 phishing emails with a guarantee that the emails will get through.
- Rumors are that Google's SMTP framework may have been breached by a threat actor.
- Rumors of TLS breakdowns
- More and more "Clean IPs" and "Clean URLs" are used in phishing campaigns
- Invisible web proxies like Evilginx are redirecting traffic to infostealers over legitimate sign-in pages.
- Already installed Chrome Browser Extensions, continuing to turn malicious at an alarming rate.
- intentional mass sending of bogus emails to set your users up for a phone call from "IT" to help them fix the spam problem the threat actor just created.
- And now to add to the indignity, the threat actors are giving you fake CAPTCHA, fake unsubscribe buttons, and even fake report phishing buttons in their phishing emails.
Users should only unsubscribe from unknown or untrusted emails using the buttons in their email client, not in the email itself. The same is true for reporting phishing.
The recent trend is that users are getting "fake voicemails" as links. Also, they are receiving emails from sources they routinely trust that have been compromised.
Time and time again, I hear users admit they "clicked on something."
Often, they state the screen flashed, and whatever the link was didn't work, and they simply went on with their day.
Most of these events have left the threat actor in their email for approximately 24 hours before being discovered.
We need to build on our defenses and include tools, services, and strategies that help us quickly protect the district when one of our users falls for one of these attacks.
We need to quickly pivot to identify, contain, and kill strategies to handle an active threat.
There are a couple of actions you can take to try and blunt the effectiveness of this assault on your users.
- Implement DNS filtering
- Block all DNS traffic that isn't yours.
- Implement a robust SPAM filter with AI integration and a strong sandbox feature.
- Limit your browser extensions to only those required for legitimate administrative and instructional activities.
- Have a robust EDR client with a SOC watching over the endpoints
- Implement MFA on all email systems
- Actively look for impossible travel situations with your cloud resources.
- Add these new attack techniques to your security awareness training.
- Implement a Security Operations Center (SOC) to provide 24x7x365 oversight to your network and cloud services. All of the most recent events would have been caught by any of Acture's leading SOC services within 20-40 minutes. They would have been a momentary nuisance management issue rather than a NYS reportable event.
Acture Solutions offers several solutions to get ahead of these active threats. Give us a call and let's talk about what makes sense for your district.
Scott F. Quimby
Senior Technical Advisor, CISSP, vCISO
Acture Solutions, Inc.
You must be logged in to post a comment.