Gaining advantage over attackers: how VAPs figure into your security equation


Over recent years the threat landscape has shifted away from infrastructure attacks aimed at servers, endpoints and networks as the primary focus. Instead, cybercriminals are increasingly targeting people with socially engineered attacks, and these people are often not the employees you would expect.

The traditional VIPs – for example, the CEO or CFO – in your organisation are not necessarily the people a cybercriminal targets. Instead, your security strategy needs to focus on identifying and protecting the business's very attacked people (VAPs). These individuals can be the CEO's assistant, a programmer who handles remote key access, or even the finance team member who wires payments to vendors.

The question is: do you know who your VAPs are and how they are being attacked? If you don’t, you should. Gaining these insights can go a long way toward reducing your exposure to targeted threats.

Adversaries are taking a finely honed, highly strategic approach to targeting your workforce.

Sophisticated attackers diligently do their research, often have access to org charts and know how a business works better than the security team does. Today’s cybercriminals are much less interested in casting a wide net through scattershot spam or phishing campaigns in the hope of getting someone to download a PDF that contains malware or to click on a malicious URL.

It’s important to consider how risky each user is within the organisation and what measures you can take to do something about it. Proofpoint has developed a user risk score methodology that scores the attacks themselves, picking out what is interesting about them, and then adds the human susceptibility angle.

There are two parts to this. Using mathematical concepts, Proofpoint looks at every threat and assigns it a score from 1 to 1,000 based on the spread of the attack, the type of payload and whether an actor can be associated with it. User data points are then added into the equation. These include the URLs that users have clicked on over time, which users tend to click frequently, how well users perform on phishing simulations, and API connections to Microsoft Office 365 that show who may be coming from suspicious networks. Even device health, like browser patch levels, can provide valuable insights.

When you put it all together, you have a good sense of who is getting targeted and who is going to fall for the tactics and techniques of bad actors. All this number crunching gives you an advantage over attackers. You can use this intelligence to prioritise your efforts as attackers are prioritising theirs, which has the potential to shrink the threat.
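A minimal sketch of the two-part scoring described above, added here as an illustration; it is not Proofpoint's methodology or code. Only the 1 to 1,000 threat range and the kinds of input signal come from the article; the weights, field names, privilege factor and sample users are assumptions constructed for the example.

```python
# Added illustration, not Proofpoint's method: all weights are assumptions.
PAYLOAD_WEIGHT = {"malware": 1.0, "credential_phish": 0.8, "spam": 0.1}

def threat_score(recipients, payload, actor_known):
    """Part 1: score one threat from 1 to 1,000 (range taken from the article)."""
    # Assumption: the narrower the spread, the more targeted the attack.
    targeting = 1.0 / max(recipients, 1) ** 0.5
    raw = 0.5 * targeting + 0.3 * PAYLOAD_WEIGHT[payload] + 0.2 * actor_known
    return max(1, min(1000, round(1000 * raw)))

def susceptibility(user):
    """Part 2: 0..1 from the user data points the article lists."""
    return (0.35 * user["click_rate"]
            + 0.35 * user["sim_fail_rate"]
            + 0.20 * min(user["suspicious_logins"], 5) / 5
            + 0.10 * (0 if user["browser_patched"] else 1))

def rank_vaps(users, threats):
    """Return (name, attack_index, risk) tuples, highest risk first."""
    rows = []
    for name, user in users.items():
        attack = sum(threat_score(*t) for t in threats.get(name, []))
        # privilege (0..1) models how much damage a compromise could do
        risk = attack * susceptibility(user) * user["privilege"]
        rows.append((name, attack, round(risk)))
    return sorted(rows, key=lambda r: r[2], reverse=True)

# Constructed sample data: (recipients, payload, actor_known) per threat.
THREATS = {
    "ceo": [(10000, "spam", False)],
    "ceo_assistant": [(1, "malware", True), (4, "credential_phish", True)],
    "payments_clerk": [(4, "credential_phish", True)],
}
USERS = {
    "ceo": {"click_rate": 0.02, "sim_fail_rate": 0.0,
            "suspicious_logins": 0, "browser_patched": True, "privilege": 1.0},
    "ceo_assistant": {"click_rate": 0.20, "sim_fail_rate": 0.50,
                      "suspicious_logins": 2, "browser_patched": False, "privilege": 0.8},
    "payments_clerk": {"click_rate": 0.10, "sim_fail_rate": 0.25,
                       "suspicious_logins": 0, "browser_patched": True, "privilege": 0.9},
}

if __name__ == "__main__":
    for name, attack, risk in rank_vaps(USERS, THREATS):
        print(f"{name:15} attack={attack:5} risk={risk:4}")
```

With this constructed data the CEO's assistant ranks far above the CEO, which is the VIP-versus-VAP distinction the article draws.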

When organisations use a risk model and find out who their most-targeted people are, they can take advantage of this intelligence to prioritise their efforts and focus on the most effective security controls. Here are some good places to start:

  1. Adopt a zero-trust network architecture with strict access control and verification of people and devices upon connection.
  2. Deploy solutions that block malicious emails and URLs.
  3. Limit administrative privilege levels on the devices used by VAPs by looking at who is targeted, who is susceptible and who can actually hurt your organisation if they get compromised.
  4. Secure network and cloud access by leveraging Microsoft Active Directory and other tools to authenticate users.
  5. Conduct frequent, real-world security awareness training and simulations that address the vulnerabilities of targeted users and leverage the most current attack techniques and strategies.

By Matt Cooke, Cybersecurity Strategist, Proofpoint.

For more information on scoring and analytics tools, visit For more information on cybersecurity awareness best practices and training for VAPs, visit

Copyright Lyonsdown Limited 2021
