The Original APT: Advanced Persistent Teenagers(krebsonsecurity.com)
krebsonsecurity.com
The Original APT: Advanced Persistent Teenagers
https://krebsonsecurity.com/2022/04/the-original-apt-advanced-persistent-teenagers/
9 comments
I once worked at a place that secretly red teamed it's employees with phishing emails. I diligently reported them all in public channels, unaware I was being duped, and received no response or promise to block the domains. Eventually I was fed up by the inaction, and inspected the payload in an isolated VM with execution disabled. I thought I was doing them a favor, but just the act of clicking on the link subjugated me to 3 days of mandatory fishing training. The saltiness left over from that incident could pickle an entire nation's agricultural output.
I had one of these! If you reported the email the threat analyzer would crawl the link and mark your account as having been phished. My eventual solution was to just set up a rule to forward them to IT (the links were always <phishing-provider-landing>/<my-guid>) and ask them to stop insulting us.
I ran internal phishing email exercises were I use to work. We never let users know when it was an exercise vs real-world event, they always got the same automated response that it was being looked into and that was all. I guess luckily for our users no one ever received any training or punishment for "falling" for our emails. We use to do it mainly for click rate tracking.
My company does phishing email exercises, and they've added a "report phishing" button to Outlook you're supposed to hit, either for the fake messages or any real phish attempts you get, or worse, fall for.
The difficulty is that the company has outsourced many functions, meaning that there are external companies I often haven't heard of sending messages we have to interact with. Worse, one of those vendors has a very spammy-looking style and has even mis-spelled our company's name before in their mails.
The difficulty is that the company has outsourced many functions, meaning that there are external companies I often haven't heard of sending messages we have to interact with. Worse, one of those vendors has a very spammy-looking style and has even mis-spelled our company's name before in their mails.
Totally agree. But the thing is that costs money and the real desire is to tick the compliance check list at the lowest cost. So they throw out some software assurance tech, force staff through a click through phishing training program once a year and low ball ISO 27001 and SOC 2 certs.
Ass covered. Security and defence in depth? Hell no. They can employ the apologetics department dung beetles to roll that turd away quickly after the fact.
Ass covered. Security and defence in depth? Hell no. They can employ the apologetics department dung beetles to roll that turd away quickly after the fact.
See also: DEI and anti-harassment training
At any given time, a company is actively working against the interests of 90% of its employees: trying to cut salary, reduce benefits, stack ranking, or squeezing their schedules.
IT departments are among the worst of underfunding, exploitation, stressing. Because fundamentally the cool management guys see IT as a bunch of nerds to bully. But the problem is IT holds all the keys to the castle.
Until this long-standing fundamental bias of management is fixed, companies will be security sieves.
Unfortunately, what will be done is punitive to the employees: more red tape with no allowance for time, victim blaming, and ass-covering.
IT departments are among the worst of underfunding, exploitation, stressing. Because fundamentally the cool management guys see IT as a bunch of nerds to bully. But the problem is IT holds all the keys to the castle.
Until this long-standing fundamental bias of management is fixed, companies will be security sieves.
Unfortunately, what will be done is punitive to the employees: more red tape with no allowance for time, victim blaming, and ass-covering.
Damages seem to have been pretty minimal. Yeah there's a lot of "This could have been worse" but defense in depth seems to have worked. Okta seems to have taken the worst of it, and that was mostly in terms of reputational damage.
It’s easy to blame the user when they get a phone call from IT that says their account has been hacked and they need to reset their password. Except it’s not IT and the password reset tool is not the companies.
The reason this happens is that the business side of the company always hampers security. You could have the best IT security training in the world that says not to share your password and do not click external links in an email. But that means nothing when you have Susan, the admin of your department manager, send out an email with a link to a survey outside your corporate domain with instructions, bright red in comic sans, we are using a new survey tool, all employees are required to complete the survey.
So some things that should be red flags look acceptable. The people in charge consistently break their own rules that they impose on others. Companies set up conditions where the only thing preventing a breach is their employees ability to guess what feels like a phishing scheme, and what doesn’t.
IT security needs to identify and sanction activities in the business that trains users to produce bad outcomes.