The importance of employee phishing training is difficult to overstate. Yet again, last week we saw a major IT intrusion cause a major headache for a business in the energy industry. Colonial Pipeline, which transports a large portion of the US supply of various fuels, was hacked and shut down its operations. The interruption has created supply issues and significantly disrupted company operations.
Two quick side notes:
1) Our blog article last week covered recovering after an attack. This incident illustrates that article in practical application.
2) The hackers had the audacity to apologize after the incident, which, I guess, is the nice thing to do? Criminals with manners though they may be, Colonial Pipeline still has to clean up the mess.
So…What Happened?
While not fully reported at the time of this writing, it appears that the attack was quite conventional in its approach. It may be shocking to some that quite often, including in this case, the attack is perpetrated not by a lone hacker but by a criminal organization. Indeed, as outlined in this article, the attack involved three separate criminal parties. The basic structure of the attack appears to be as follows:
1) An unwitting agent of the company or organization—an employee, an investor, a contractor, or anyone else with access to sensitive information—provides credentials to bad actor #1, most likely through a phishing attack.
2) The compromised credential is added to a database and put up for sale on the Dark Web.
3) DarkSide (bad actor #2), a criminal internet conglomerate, acquires the database and identifies Colonial Pipeline as a target.
4) DarkSide contracts an affiliate (bad actor #3) to infiltrate Colonial Pipeline via the compromised credential using DarkSide's encryption malware. After successfully getting past the defenses, the malware holds company data for ransom in hopes of a massive payoff (in this case, between $2 and $4 million).
The Criminal Enterprise Relies on Poor IT Policy
As noted, this was all unlocked by a single, unfortunate event: clicking a bad link and handing over sensitive details. However, the IT failure likely happened on several levels, including poor employee training, lack of multi-factor authentication (MFA), and a failure of Dark Web scanning for compromised credentials.
To briefly touch on the latter two pieces: Dark Web scanning is an imperfect process. Currently, we don't know how long the compromised credentials were online, nor do we know that the compromised credentials would necessarily have been included in the databases that a Dark Web service scans. However, to make a hypothetical argument, had the credentials been up for sale long enough to be scanned, and had Colonial Pipeline been watching, a good IT policy would have required a change of credentials for the impacted user. That could have stopped the attack from happening.
Similarly, MFA could likely have stopped the attack from happening. Again hypothetically—as the forensics are likely still ongoing as of this writing—MFA would have prompted the compromised user to approve the login. Knowing that he or she had not initiated a login, ideally the user would have reported the incident to the company's IT personnel. Even if no action was taken, the improper login would have been blocked. Only if the compromised user had actively approved the fraudulent login, despite not actually logging in, would MFA have failed in our hypothetical situation.
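The two paragraphs above describe the policy response the author has in mind: when a scan turns up a corporate credential in a Dark Web dump, force a credential change for that user, and make sure MFA is in place so a stolen password alone is not enough. The script below is an added example, not code from Certified CIO, KnowBe4 or any Dark Web scanning service. It assumes a constructed dump in the common email:password line format and a constructed user directory with salted PBKDF2 hashes (the domain, users, passwords and dump rows are all invented), and it shows one thing the prose leaves implicit: by re-hashing the leaked password against the stored hash, the defender can tell whether the leaked credential is still live (critical, reset and revoke sessions now) or stale (a reuse warning), without ever storing plaintext passwords.

```python
"""Triage a Dark Web credential dump against a corporate directory (added example)."""
import hashlib
import hmac
import os
from dataclasses import dataclass

COMPANY_DOMAIN = "example-pipeline.test"  # constructed, not a real domain


def hash_password(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    # PBKDF2-HMAC-SHA256 stands in for whatever the real directory uses.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


@dataclass
class User:
    email: str
    salt: bytes
    pw_hash: bytes
    mfa_enrolled: bool


def enroll(email: str, password: str, mfa_enrolled: bool) -> User:
    # The plaintext exists only here, to build the hash; it is never stored.
    salt = os.urandom(16)
    return User(email, salt, hash_password(password, salt), mfa_enrolled)


# Constructed corporate directory (sample users and passwords are invented).
USERS = {u.email: u for u in [
    enroll("alice@example-pipeline.test", "Summer2021!", mfa_enrolled=False),
    enroll("bob@example-pipeline.test", "correct horse battery", mfa_enrolled=True),
    enroll("carol@example-pipeline.test", "Tr0ub4dor&3", mfa_enrolled=True),
]}

# Constructed dump in the usual email:password format, including noise rows.
SAMPLE_DUMP = """\
alice@example-pipeline.test:Summer2021!
bob@example-pipeline.test:oldpassword123
dave@example-pipeline.test:P@ssw0rd
someone@unrelated.test:hunter2
this line is garbage
carol@example-pipeline.test:Tr0ub4dor&3
"""


def parse_dump(text: str):
    """Yield (email, password) pairs; rows without a separator are skipped."""
    for line in text.splitlines():
        if ":" not in line:
            continue
        email, password = line.split(":", 1)
        yield email.strip().lower(), password


def triage(dump_text: str, users: dict) -> list:
    """Return one finding per corporate account seen in the dump."""
    findings = []
    for email, leaked_pw in parse_dump(dump_text):
        if not email.endswith("@" + COMPANY_DOMAIN):
            continue  # not our domain, nothing to do
        user = users.get(email)
        if user is None:
            # Address uses our domain but is not in the directory: confirm it
            # is not a forgotten contractor or alias before closing it out.
            findings.append({"email": email, "severity": "INFO",
                             "actions": ["verify_account_exists"]})
            continue
        # Constant-time compare of the re-hashed leaked password with the stored hash.
        still_valid = hmac.compare_digest(
            hash_password(leaked_pw, user.salt), user.pw_hash)
        if still_valid:
            actions = ["force_password_reset", "revoke_sessions", "review_recent_logins"]
            if not user.mfa_enrolled:
                actions.append("require_mfa_enrollment")
            findings.append({"email": email, "severity": "CRITICAL", "actions": actions})
        else:
            # Password no longer matches: the leak is stale for us, but the user
            # may still be reusing it elsewhere.
            findings.append({"email": email, "severity": "MEDIUM",
                             "actions": ["notify_user_of_reuse_risk"]})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_DUMP, USERS):
        print(finding)
```

Run as-is, the script flags alice as CRITICAL with an MFA-enrollment action (her leaked password still works and she has no MFA), carol as CRITICAL without it, bob as MEDIUM (stale password), and dave as INFO (domain matches, no such account). The unrelated-domain row and the garbage row are ignored.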
However, I'd like to shine a light on the employee phishing training piece. By strengthening this portion of a company or organization's cybersecurity defense, the MFA protections and Dark Web scanning become much more efficient guardrails (rather than primary defenses). On its face, employee phishing training is quite simple, although it can take several different forms. Because it is an effective technique and an important layer of cyberdefense, this type of employee phishing training is required by several different compliance standards (including NIST 800-171/CMMC).
Training may be offered by a company or organization in a traditional, formal manner, such as a classroom setting or a session around the conference room table. This can be effective, but as an IT Managed Service Provider (MSP), Certified CIO has found the best solution to be a bit more involved.
With our partners at KnowBe4, we can provide continuous phishing training at a very reasonable cost. It's an annual commitment, but the cost is low: generally around a cup of coffee a month per employee. (Two cups if you prefer your coffee to taste good. But you get the idea!)
KnowBe4's primary training comes in the form of simulated phishing emails. These are for educational purposes, but they also give metrics on which employees may be higher risk. Those employees can then get a bit more attention to help them become more vigilant about not clicking bad links. After all, it's much better to be identified as a weak link than to be proven one after an attack occurs. Really, though, the best part is that end users get so used to examining and deleting training phishing emails that real phishing emails are examined and deleted just as quickly.
KnowBe4 also offers short video vignettes that show some of the methods by which businesses and organizations are breached, campaigns of automated calls and texts, and many other options. We strongly believe that KnowBe4 is one of the BEST ways to prepare your folks for phishing, smishing, vishing, and all the other "ishings" the bad guys can throw at you!
What YOU Can Do…
We'd love to have you as part of our IT family, including getting your crew better trained with KnowBe4. GET IN TOUCH and give us a call!