Over recent years the threat landscape has shifted away from infrastructure attacks aimed at servers, endpoints and networks as the primary focus. Instead, cybercriminals are increasingly targeting people with socially engineered attacks, and these people are often not the employees you would expect.
The traditional VIPs – for example, the CEO or CFO – in your organisation are not necessarily the people a cybercriminal targets. Instead, your security strategy needs to focus on identifying and protecting the business's very attacked people (VAPs). These individuals can be the CEO's assistant, a programmer who handles remote key access, or even the finance team member who wires payments to vendors.
The question is: do you know who your VAPs are and how they are being attacked? If you don’t, you should. Gaining these insights can go a long way toward reducing your exposure to targeted threats.
Adversaries are taking a finely honed, highly strategic approach to targeting your workforce.
Sophisticated attackers diligently do their research, often have access to org charts and know how a business works better than the security team does. Today’s cybercriminals are much less interested in casting a wide net through scattershot spam or phishing campaigns in the hope of getting someone to download a PDF that contains malware or to click on a malicious URL.
It's important to consider how risky each user is within the organisation and what measures you can take to reduce that risk. Proofpoint has developed a user risk score methodology: the attacks themselves are scored first, picking out what makes each one interesting, and the human susceptibility of the targeted user is then added to that score.
There are two parts to this. Proofpoint looks at every threat and assigns it a score from 1 to 1,000 based on the spread of the attack, the type of payload and whether a known actor can be associated with it. User data points are then added into the equation. These include the URLs users have clicked on over time and which users do so frequently, how well users perform on phishing simulations, and API connections to Microsoft Office 365 that show who may be signing in from suspicious networks. Even device health, such as browser patch levels, can provide valuable insight.
When you put it all together, you have a good sense of who is getting targeted and who is going to fall for the tactics and techniques of bad actors. All this number crunching gives you an advantage over attackers. You can use this intelligence to prioritise your efforts as attackers are prioritising theirs, which has the potential to shrink the threat.
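The two-part scoring described above, as an added illustration that is not Proofpoint's own model: each threat is mapped onto a 1 to 1,000 scale from its spread, payload type and actor attribution, each user gets a susceptibility factor from clicks, simulation results, suspicious sign-ins and browser patch state, and the product of the two ranks the VAPs. All weights, scales and the sample users and threats are assumptions constructed for the example.

```python
from dataclasses import dataclass

@dataclass
class Threat:
    spread: int           # number of recipients the campaign reached
    payload_weight: int   # 1..10, assumed severity of the payload type
    attributed: bool      # a known actor could be associated with it

@dataclass
class UserProfile:
    name: str
    clicks: int             # malicious URLs clicked over the period
    sim_failures: int       # failed phishing simulations
    sims_taken: int
    suspicious_logins: int  # Office 365 sign-ins from flagged networks
    browser_patched: bool

def threat_score(t: Threat) -> int:
    """Map one threat onto the 1..1000 scale (assumed weighting)."""
    # Assumption: narrowly targeted campaigns score higher than broad spam.
    spread_factor = max(1, 100 - min(t.spread, 99))   # 1..100
    score = spread_factor * t.payload_weight            # up to 1000
    if t.attributed:                                    # actor association raises it
        score = int(score * 1.2)
    return max(1, min(1000, score))

def vulnerability(u: UserProfile) -> float:
    """Susceptibility in 0..1 from user telemetry (assumed weights)."""
    sim_fail = u.sim_failures / u.sims_taken if u.sims_taken else 0.5  # no data: unknown
    score = (0.4 * min(u.clicks, 5) / 5
             + 0.3 * sim_fail
             + 0.2 * min(u.suspicious_logins, 3) / 3
             + 0.1 * (0 if u.browser_patched else 1))
    return round(score, 3)

def rank_vaps(users, threats_by_user):
    """Return (name, attack index, vulnerability, risk) sorted by risk, highest first."""
    rows = []
    for u in users:
        attack_index = sum(threat_score(t) for t in threats_by_user.get(u.name, []))
        v = vulnerability(u)
        rows.append((u.name, attack_index, v, round(attack_index * v, 1)))
    return sorted(rows, key=lambda r: r[3], reverse=True)

def demo_ranking():
    """Constructed sample: the CEO sees only broad spam, the assistant and AP clerk get targeted lures."""
    users = [UserProfile("ceo", 0, 0, 4, 0, True),
             UserProfile("assistant", 2, 2, 4, 1, False),
             UserProfile("clerk", 4, 3, 3, 0, True)]
    threats = {"ceo": [Threat(500, 3, False)],
               "assistant": [Threat(3, 6, True), Threat(1, 8, False)],
               "clerk": [Threat(2, 7, False)]}
    return rank_vaps(users, threats)
```

Running `demo_ranking()` puts the assistant, not the CEO, at the top of the list, which is the point the article makes about VAPs.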
When organisations use a risk model and find out who their most-targeted people are, they can take advantage of this intelligence to prioritise their efforts and focus on the most effective security controls. Here are some good places to start:
- Adopt a zero-trust network architecture with strict access control and verification of people and devices upon connection.
- Deploy solutions that block malicious emails and URLs.
- Limit administrative privilege levels on the devices used by VAPs by looking at who is targeted, who is susceptible and who can actually hurt your organisation if they get compromised.
- Secure network and cloud access by leveraging Microsoft Active Directory and other tools to authenticate users.
- Conduct frequent, real-world security awareness training and simulations that address the vulnerabilities of targeted users and leverage the most current attack techniques and strategies.
By Matt Cooke, Cybersecurity Strategist, Proofpoint.
For more information on scoring and analytics tools, visit proofpoint.com. For more information on cybersecurity awareness best practices and training for VAPs, visit proofpoint.com/uk/product-family/security-awareness-training.