Part 1 of the Attack Surfaces series

Ask anyone how breaches start and they’ll most likely say: “Phishing”. That’s the “people” attack surface, but it goes well beyond phishing. In our red team practice, we’ve certainly phished targets to gain initial access. We’ve also used the people attack surface to elevate privileges and establish persistence once we’re inside by asking for endpoint detection and response software (EDR) to be disabled, asking for special virtual machines, or asking for other permissions. More often than not, those requests are granted (by people!).

The 2024 Verizon DBIR notes that across 10,069 breaches, 68% (!!) involved a human element (the highest of the four characteristics they tracked).

Phishing and Social Engineering

Attackers are increasingly leveraging social engineering techniques as an initial access vector. Phishing emails are frequently used to deliver malware or assist in credential capture (including 2FA). These tactics have evolved to target mobile devices through SMS phishing (“smishing”) and malicious voice calls (“vishing”). Attackers also capitalize on real-world events to craft timely and persuasive lures.

The objective of these attacks is often to compromise a single user’s workstation or credentials, which then serves as a foothold for lateral movement and further access. In essence, people serve as a gateway to an organization’s most sensitive data and “crown jewels.”

Exploiting Business Processes

Business processes that rely on human validation or judgement can also be exploited. The “confused deputy” problem arises when attackers manipulate an authorized individual into improperly granting access. We’ve seen (and used) this technique against external-facing company personnel - notably, sales and accounting. In the article linked, an attacker registered a fake company with a name similar to a legitimate company to which his targets routinely sent millions of dollars. No surprise: he was able to get his victims to wire his fake company $100M+ just by sending emails.

Further - the “people” attack surface extends beyond a company’s employees to include customers and third parties. When companies allow external marketers or partners to contact customers, it normalizes communications originating from outside domains, making it more challenging for customers to identify phishing attempts. The risks are compounded when scammers successfully commandeer legitimate-looking email addresses.

For example - attackers impersonated legitimate companies like BlockFi during its bankruptcy proceedings to defraud account holders who were attempting to withdraw their funds.

Managing People-Based Risks

People-based risks can be managed but never eliminated. Technical controls, such as multi-factor authentication, EDR, robust authorization controls, and network segmentation can all help mitigate the risk and limit the blast radius of a successful phishing attempt, but this remains one of the more difficult attack vectors to control for.

Security awareness training also helps - training should ensure users know not only how to identify the most common types of phishing (email, voice, SMS), but also how to report them promptly. Perhaps the most critical piece of training is that users must feel comfortable telling internal security personnel exactly how they interacted with a phishing email as soon as they realize it is fraudulent. Many hours (or days) of incident response (IR) time are routinely wasted because users do not tell the full story, fearing reprisal or punishment for what is usually an honest mistake.

At the organizational level, stakeholders should have fast access to up-to-date IR plans and should be familiar with their roles and responsibilities for any incident. Familiarity can be accomplished through IR tabletop exercises in advance of a real incident. Not only does this help with familiarity, it can also uncover gaps or pitfalls in the plan itself when the stakes are low. The cost of an IR tabletop exercise is orders of magnitude lower than the cost of cleaning up a breach.

Monitoring for anomalous user behavior can also help detect compromised accounts early before significant damage occurs. This may involve using machine learning to establish baseline behavioral patterns and flag deviations in real time.
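To make the baseline-and-deviation idea concrete, here is an added example (not code from the original article) that learns each user's normal sign-in hours, countries and devices from a constructed history and then flags new events that deviate, which is the pattern a phished credential replayed from attacker infrastructure tends to produce. The event format and the 2-sigma threshold are assumptions.

```python
"""Behavioral baselines for early detection of compromised accounts. Added example,
not from the original article; event format and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime
import statistics
# Constructed sign-in history: (user, ISO timestamp, source country, device id).
HISTORY = [
    ("alice", "2024-05-06T08:52:00", "US", "LAPTOP-A1"),
    ("alice", "2024-05-07T09:05:00", "US", "LAPTOP-A1"),
    ("alice", "2024-05-08T09:17:00", "US", "LAPTOP-A1"),
    ("alice", "2024-05-09T10:02:00", "US", "PHONE-A1"),
    ("alice", "2024-05-10T08:40:00", "US", "LAPTOP-A1"),
    ("bob", "2024-05-06T22:30:00", "DE", "LAPTOP-B7"),
    ("bob", "2024-05-07T23:10:00", "DE", "LAPTOP-B7"),
]

def build_baselines(events):
    """Learn, per user, the login hours seen plus known countries and devices."""
    base = defaultdict(lambda: {"hours": [], "countries": set(), "devices": set()})
    for user, ts, country, device in events:
        b = base[user]
        b["hours"].append(datetime.fromisoformat(ts).hour)
        b["countries"].add(country)
        b["devices"].add(device)
    return base

def score_event(baselines, event):
    """Return the ways an event deviates from its user's baseline ([] = normal).
    Hour check is a 2-sigma band around the mean and ignores midnight wraparound."""
    user, ts, country, device = event
    if user not in baselines:
        return ["no baseline for user"]
    b = baselines[user]
    hour = datetime.fromisoformat(ts).hour
    mean = statistics.mean(b["hours"])
    sigma = statistics.pstdev(b["hours"]) or 1.0  # flat history: 1-hour band
    reasons = []
    if abs(hour - mean) > 2 * sigma:
        reasons.append(f"unusual hour {hour:02d}:00 (baseline mean {mean:.1f})")
    if country not in b["countries"]:
        reasons.append(f"new country {country}")
    if device not in b["devices"]:
        reasons.append(f"new device {device}")
    return reasons

def triage(baselines, events):
    """Flagged events, most deviations first (several at once suggests replayed phished creds)."""
    scored = ((e, score_event(baselines, e)) for e in events)
    return sorted(((e, r) for e, r in scored if r), key=lambda er: -len(er[1]))
```

A first-seen device or country on its own is often benign (travel, a new laptop); the value of the baseline is that several deviations landing on the same account at once stand out for an analyst to check before the foothold is used for lateral movement.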

Stay Vigilant

Our most security-mature customers foster a culture of security awareness without blame. Every employee should understand their role in protecting the organization and feel empowered to report potential threats without fear of retribution.

Adopting a holistic view of your attack surface that includes people, processes, and technology takes time. By proactively identifying and mitigating risks associated with human behavior exploitation, companies can build resilience against increasingly sophisticated social engineering tactics and safeguard their critical assets.