Cyber threats that use social engineering

Humans are hard-wired to connect and to trust. As infants, our survival is based on making social connections so we can obtain our basic needs and this propensity continues into adult life. This natural trait is the most effective weapon for cyber threat actors using social engineering as a vector for attacks, and it is one that continues to prove especially difficult to combat.

Attackers use social engineering through human interaction to exploit trust and manipulate people into ignoring or deliberately circumventing normal endpoint security procedures. The targeted nature of attacks also helps threat actors to cover their tracks for as long as possible so they can accomplish their aims—often the target doesn’t realise they have been a victim until the wider effects become noticeable. 

These effects can be anything from crippling malware infections to major financial fraud affecting businesses and individuals. And, just like other kinds of cyber threats, adversaries’ tactics are evolving all the time.

Corporate Catfishing

Recently we’ve seen a rise in attackers playing the long game, devising bespoke social engineering campaigns targeting corporate users over an extended period in a bid to ultimately dupe them into providing access to their company network so a malicious payload can be delivered. Matt Wixey of PwC, who has conducted research into this phenomenon, has dubbed it “Remote Online Social Engineering” or ROSE.

Unlike a classic phishing attack, which relies on targets failing to spot a spoofed email address in the heat of the moment, ROSE is focused on building credibility with the target—in a similar way to tactics employed in catfishing, but without the romantic overtones. The campaign is built around in-depth research into the target’s personality, interests, and activities and is designed to bypass the filters that might otherwise put the victim on their guard.

Credibility is built through the creation of false personas with presence across multiple social media platforms that the target trusts, such as LinkedIn. The persona engages with the target over time, often using trust-building tactics such as claiming to be a former colleague or a fellow university alumnus. Once trust is established, the threat actor finds a way to introduce an infected file through the target’s business email, causing them to unwittingly deliver malware onto the corporate network. While malware infection seems to be the most common motivation at the moment, such tactics could equally be used for extortion or to recruit victims into undertaking activities such as money laundering.

ROSE represents a significant and difficult-to-detect risk. For most organisations, the first indication that an employee has been the target of extended social engineering will be when network monitoring controls spot malware execution—at which point the “attack” has likely been under way for a considerable amount of time.

A key challenge for corporate defenders stems from the proliferation of false profiles on social media platforms, including those frequented by employees and often used for legitimate business purposes. False profiles can be very convincing, particularly if they demonstrate a long account history and conversations with other profiles. Employees need to be educated to look deeper for evidence of a connection’s claims. For example, do they show independent knowledge of apparently shared events, locations, or institutions? They should also be required to “sandbox” communications with social media acquaintances by not interacting using corporate email. Any deviation from such policies should raise a red flag immediately.

Phishing attacks persist

“Classic” phishing attacks remain a major problem for enterprises as their sheer volume raises the chances that some will eventually succeed. The problem becomes particularly prevalent around the holiday season. The spike in consumer shopping spurs threat actors to create convincing fake shopping sites and advertise discounts sent via phishing emails designed to reel in the unwitting, often time-pressured consumer.

Linked to the high volumes of holiday sales is an increase in refund fraud, which continues to be a major source of revenue loss for retailers. Here, threat actors purchase goods and then falsely claim that they have not been delivered or are faulty, relying on their social engineering skills to convince the retailer’s customer service team that they are due a refund. Fraudsters may also use fake receipts to claim refunds, despite never having purchased a product in the first place.

Build a hybrid defence against social engineering

Mitigating social engineering fraud risk requires a combination of automated signature- and indicator-based tools and employee education, implemented alongside an understanding of the context in which threats are developed and deployed. This context varies all the time; for example, perhaps your company is involved in merger and acquisition activity and threat actors want to glean insider information. This could put employees at greater risk of phishing or ROSE attempts. Business intelligence can place risk in context and help pivot an organisation’s protection programme accordingly.

Neither automation nor education can succeed in reducing risk alone, and both require security teams to stay up to date with the latest social engineering and phishing tactics to provide essential context around the attack environment. For example, in the case of refund fraud, it’s important to be aware of threat intelligence around evolving tactics, such as serial number generators on fraudulent receipts, and help customer service teams stay alert to indicators that a refund request is not genuine.

From a technical perspective, automated tools that capture phishing attempts, such as blocking known spoofed email addresses and recognising indicators of compromise, reduce the quantity of phishing mails that reach employee inboxes. However, some will always make it through, and automated tools cannot detect the attackers who are “invited in” by victims of remote online social engineering scams. Ongoing employee education, cybersecurity training, and open discussions around the risks and tactics used in social engineering campaigns bridge the gap between what automated tools can block and what they can’t, thereby reducing the overall risk that attacks will succeed.
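The automated layer described above, as an added illustration that is not Flashpoint’s code or any product’s: a small mail-screening routine that checks a message against a blocklist of known spoofed sender addresses, looks for indicator-of-compromise matches (known malicious link domains and attachment hashes), and flags a display name that claims to be the internal helpdesk while the sender domain is not the company’s own. All sender addresses, domains, hashes and the “Acme IT” organisation are constructed for the example.

```python
import hashlib
import re
from dataclasses import dataclass, field

# Constructed indicator sets (not taken from the original post).
KNOWN_SPOOFED_SENDERS = {
    "billing@paypa1-secure.example",
    "it-helpdesk@corp-login.example",
}
MALICIOUS_DOMAINS = {"paypa1-secure.example", "corp-login.example"}
MALICIOUS_ATTACHMENT_SHA256 = {
    hashlib.sha256(b"constructed malicious payload").hexdigest(),
}
# Hypothetical org: display names that must only ever come from this domain.
TRUSTED_DISPLAY_DOMAINS = {"Acme IT": "acme.example"}

URL_HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


@dataclass
class Message:
    display_name: str
    sender: str
    subject: str
    body: str
    attachments: list[bytes] = field(default_factory=list)


def sender_domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def screen_message(msg: Message) -> list[str]:
    """Return the list of reasons this message should be held; empty means clean."""
    findings = []
    if msg.sender.lower() in KNOWN_SPOOFED_SENDERS:
        findings.append(f"sender on spoofed-address blocklist: {msg.sender}")
    expected = TRUSTED_DISPLAY_DOMAINS.get(msg.display_name)
    if expected and sender_domain(msg.sender) != expected:
        findings.append(
            f"display name '{msg.display_name}' used from non-trusted domain "
            f"{sender_domain(msg.sender)} (expected {expected})"
        )
    for host in URL_HOST_RE.findall(msg.body):
        if host.lower() in MALICIOUS_DOMAINS:
            findings.append(f"body links to known malicious domain: {host}")
    for index, data in enumerate(msg.attachments):
        digest = hashlib.sha256(data).hexdigest()
        if digest in MALICIOUS_ATTACHMENT_SHA256:
            findings.append(f"attachment {index} matches known-bad hash {digest[:12]}")
    return findings


def should_quarantine(msg: Message) -> bool:
    return bool(screen_message(msg))


# Constructed sample messages.
PHISH = Message(
    display_name="Acme IT",
    sender="it-helpdesk@corp-login.example",
    subject="Password expiry",
    body="Your password expires today. Reset it at https://corp-login.example/reset",
    attachments=[b"constructed malicious payload"],
)
LEGIT = Message(
    display_name="Acme IT",
    sender="helpdesk@acme.example",
    subject="Maintenance window",
    body="Details are on https://intranet.acme.example/maintenance",
)

if __name__ == "__main__":
    for label, message in (("phish", PHISH), ("legit", LEGIT)):
        print(label, "->", "quarantine" if should_quarantine(message) else "deliver")
        for reason in screen_message(message):
            print("   ", reason)
```

The routine only catches what it has indicators for; a ROSE approach, where the victim forwards a file from a contact they trust, produces a message with a clean sender, no blocklisted links and a never-before-seen attachment, which is exactly the gap the education layer has to cover.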

Ultimately, social engineering attacks are based on exploiting human nature, and there’s no technical or automated solution that’s 100% effective against an attack that preys on individuals’ vulnerabilities. At Flashpoint, we analyse business risk intelligence around the latest social engineering tactics to better understand the context in which threats are developed and deployed. This allows us to tailor our technical and employee education programmes for organisations accordingly. With robust and timely programmes, organisations have an opportunity to trigger warnings that will make employees and consumers think twice before they – and the corporate network – fall victim.


Protecting intellectual property from insider threat

The topic of intellectual property (IP) protection is getting the much-needed attention it deserves on the global stage. 

Due largely to the U.S. administration’s line on trade negotiations with China, the issue of counterfeit products and international IP theft by state-sponsored actors has risen to the fore. Recent estimates suggest economic espionage in the form of IP theft by Chinese actors costs the U.S. economy up to a staggering $600 billion. 

While the impact of the U.S. ultimatum to the Chinese government on IP theft has yet to be seen, this previously below-the-radar issue is now gaining long-overdue recognition.

Intellectual property – a critical business risk

A company’s IP is estimated to represent as much as 70% of its market value. Ideas and innovations are what make an organisation unique and competitive, yet businesses have often struggled to properly value their IP. A recent study found that, despite 80% of organisations citing cyber liability and IP theft as a serious business risk, only 16% of IP assets at risk of cybercrime are adequately insured. The report also found that 28% of organisations have experienced a material IP event in the past two years.

Unfortunately, the value of IP is often only understood once it has been stolen and commercialised. When copycat products start appearing, or unique features pop up in competitor designs, the loss becomes apparent. By that point, the damage has been done, and recourse is limited to patent infringement courts. So, what can businesses do to protect IP assets, quickly identify when theft has occurred, and reduce the risk of exploitation?


Motivations for insider IP theft

A key vulnerability for businesses defending their IP is company employees. When tracking the history of an IP breach, we often find that the door was unlocked by someone on the inside. With privileged access to critical systems and information, employees are trusted with corporate secrets that, for some, prove too much of a temptation. There are many scenarios:

Employees with a grievance against their employer seek to punish them by sharing sensitive information for personal profit. Another scenario might see an employee tempted by a high-salary position with a competitor in return for stealing corporate secrets prior to leaving their current role. This is the alleged situation with Tesla and Xiaopeng Motors, where a former Tesla employee is accused of stealing 300,000 files of the company’s self-driving source code from the car maker by using his personal iCloud account attached to the corporate network, before leaving to take up a role with the Chinese firm.

Employees don’t always deliberately reveal secrets; they can simply be targets of malicious activity themselves. They may be recruited by bad actors using an apparently legitimate front, such as an invitation to an overseas academic conference, and manipulated into divulging trade secrets.

Compromised employees are vulnerable to threats of blackmail from actors who have either uncovered compromising information or have manipulated them into actions that they fear being made public. These employees steal company data to prevent their own secrets from being revealed.

Finally, we see bad actors take roles within target organisations with the sole aim of accessing and exfiltrating trade secrets.

Managing insider IP theft threat

Managing and mitigating the risk of IP theft is a complex, multi-layered activity that needs broad reach to be effective across the different kinds of insider threat. It’s also a multi-disciplinary undertaking that should incorporate HR and IT, but have visibility at board level, too.

User access management (UAM) is an important element that restricts employees to accessing only the data and systems that are relevant to their role. Combined with user behaviour analytics (UBA), this can pick up unexpected access attempts and spot a potential theft—perhaps by an unhappy or compromised employee—before it takes place.

From an HR perspective, policies about data access and management should be regularly reinforced and companies should also seriously consider controlling access to public data-sharing sites from within the corporate network. HR departments should be alert to the risks around employees leaving the company, working with IT to ensure that permissions are revoked and analysing activity prior to the exit date to identify any unusual data movements or actions. Bear in mind that many employees believe they have ownership of the projects and data that they’ve worked on, and the temptation to take it with them can be strong.
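The UAM-plus-UBA combination and the pre-exit activity review described in the two paragraphs above, as an added worked example that is not Flashpoint’s tooling or any vendor’s product: a role model says which repositories each role may touch (the UAM part), per-user daily read volumes are baselined and the review day is compared against mean plus three standard deviations (the UBA part), and any flagged user who is on a constructed leavers list is escalated for the HR/IT exit review. The roles, repository names, users and log records are all constructed for the example; a real deployment would read these from the access-control system and the file-server or DLP audit log.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Hypothetical UAM role model: which repositories each role is permitted to read.
ROLE_ACCESS = {
    "firmware-dev": {"firmware-src"},
    "sales": {"crm"},
}

# Constructed access records: (day, user, role, repo, files_read).
# Ten quiet days for two users, then a review day on which "alice" bulk-reads
# her own repository and also touches one outside her role.
ACCESS_LOG = []
for day in range(1, 11):
    ACCESS_LOG.append((day, "alice", "firmware-dev", "firmware-src", 20 + day % 3))
    ACCESS_LOG.append((day, "bob", "sales", "crm", 10 + day % 2))
ACCESS_LOG.append((11, "alice", "firmware-dev", "firmware-src", 900))
ACCESS_LOG.append((11, "alice", "firmware-dev", "autopilot-src", 50))
ACCESS_LOG.append((11, "bob", "sales", "crm", 11))

# Constructed HR feed: employees who have handed in their notice.
LEAVERS = {"alice"}


def daily_totals(log):
    """user -> day -> total files read that day."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, user, _role, _repo, files in log:
        totals[user][day] += files
    return totals


def out_of_role_access(log):
    """UAM check: user -> set of repositories read that their role does not allow."""
    hits = defaultdict(set)
    for _day, user, role, repo, _files in log:
        if repo not in ROLE_ACCESS.get(role, set()):
            hits[user].add(repo)
    return dict(hits)


def volume_anomalies(log, review_day, z=3.0, min_history=5):
    """UBA check: users whose read volume on review_day exceeds mean + z*stdev
    of their own earlier days. Returns user -> (today_files, threshold)."""
    flagged = {}
    for user, per_day in daily_totals(log).items():
        history = [files for day, files in per_day.items() if day < review_day]
        today = per_day.get(review_day, 0)
        if len(history) < min_history or today == 0:
            continue  # not enough baseline to judge, or no activity to judge
        mu, sigma = mean(history), pstdev(history)
        # Floor the spread at one file so a perfectly flat baseline still has a band.
        threshold = mu + z * max(sigma, 1.0)
        if today > threshold:
            flagged[user] = (today, round(threshold, 1))
    return flagged


def insider_risk_report(log, review_day, leavers):
    """Combine both checks and escalate anyone who is also leaving."""
    report = defaultdict(list)
    for user, (today, threshold) in volume_anomalies(log, review_day).items():
        report[user].append(
            f"read {today} files on day {review_day}; baseline threshold {threshold}"
        )
    for user, repos in out_of_role_access(log).items():
        report[user].append(f"read repositories outside role: {sorted(repos)}")
    for user in list(report):
        if user in leavers:
            report[user].append("employee is on notice: escalate to HR/IT exit review")
    return dict(report)


if __name__ == "__main__":
    for user, reasons in insider_risk_report(ACCESS_LOG, 11, LEAVERS).items():
        print(user)
        for reason in reasons:
            print("   ", reason)
```

The volume rule deliberately compares each user against their own history rather than a company-wide figure, since a firmware developer who reads a few hundred files a day is normal while a salesperson doing the same is not; the out-of-role rule needs no baseline at all and fires on the first read, which is why it is the cheaper control to deploy first.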

Organisations also need to be aware of high-risk dates on the corporate calendar. These include the development and launch of new products, when stolen IP is likely to command a premium price. Overseas visits by senior personnel should also trigger a higher level of vigilance, and staff should be advised how to protect their devices and be alert to attempts to manipulate them.


Swift detection to mitigate impact

Such is the market for stolen IP that, even in the most vigilant organisations, breaches happen. Detecting them as quickly as possible is critical in limiting their impact. A valid way to do this is by looking at the onward journey of stolen IP. If its theft has been motivated by greed, the IP may potentially be offered for sale to the underground community. Monitoring these illicit online communities for references to the organisation can help detect the theft. This practice, however, requires access to such communities and is not something the average IT team should be expected to undertake. Instead, companies should consider using business risk intelligence to underpin their insider threat programme.

A prior incident shows how this works: Flashpoint analysts identified a post on an elite cybercrime forum offering the sale of source code from unreleased software owned by a multinational technology company. Analysis subsequently determined the actor was a company employee. This intelligence enabled the company to safeguard the source code and terminate the rogue employee.

Attempted sales of stolen IP are not the only use case for business risk intelligence. It can also pick up chatter that indicates bad actors are planning to target a company, or expose prospective employees’ links to undesirable organisations.

IP theft stifles innovation and legitimate competition, damaging companies and economies on an enormous scale. As companies begin to better recognise the value that IP represents, they need to gain greater insight into who is aiming to steal their IP and how. By combining this with a robust insider threat programme, companies can do a better job of protecting their most valuable assets.

Josh Lefkowitz, CEO of Flashpoint 
