Episode 17

Cybercrime – Email Threats – Part 4/4

About This Episode

Podcast Episode 17
August 5, 2025 - 55 mins

Email remains the most common form of non-verbal communication in organizations worldwide. It’s where our professional and personal lives often collide – making it a prime target for malicious actors. While the junk mail of the digital age – spam – has mostly faded into the background, the threats haven’t gone away. In fact, they’ve grown far more sophisticated.

Our experts explore how email threats evolved from basic spam to today’s complex phishing campaigns, spear phishing, whaling, and business email compromise. These attacks target people first – exploiting human behavior, namely our desire to trust, to be helpful, and to be someone who comes through in a time of need. You will learn about:

  • The history of email threats
  • How phishing exploits weaknesses in human psychology
  • Real-world examples of phishing and spear phishing
  • Best practices organizations can adopt to reduce risk

Episode Transcript

Cole French:

Email. There isn’t a more prevalent form of electronic communication on the planet, and this makes it the perfect tool for cybercriminals. What started as simple spam messages designed to sell often nefarious products has morphed into a wildly sophisticated underground enterprise leveraging equally sophisticated techniques. Tune into the final episode in our cybercrime series, where we unpack email threats, their history, how they’re perpetrated, and how they impact all of us, both personally and professionally.

Welcome to the Cyber Compliance and Beyond Podcast, a Kratos podcast that brings clarity to compliance, helping you leverage compliance as a tool to drive your business’s ability to compete in any market. I’m your host, Cole French. Kratos is a leading cybersecurity compliance advisory and assessment organization providing services to both government and commercial clients across varying sectors, including defense, space, satellite, financial services and healthcare. Now, let’s get to today’s episode and help you move cybersecurity forward.

Email is still the most prevalent form of nonverbal communication throughout organizations. Not only that, email is used for both the personal and the professional, at least for those of us of working age. As email rose to prominence, so did spam networks. Email spam wasn’t all that different from the spam we receive in the mail: junk designed to lure customers into purchasing products, often of questionable origin. Spam has largely been relegated to the dustbin of history, however. Sadly, the end of spam didn’t mean the end of email threats; instead, threat actors moved to much more sophisticated email attacks: phishing, including spear phishing and whaling, and business email compromise, using email as the attack tool to extract financial resources from organizations. Today, we’ll discuss the ins and outs of email threats, including the social and psychological aspects of human behavior attackers exploit, and how organizations can work to prevent the success of email threats.

Joining us again for the final installment of our cybercrime series is Terry McGraw. Terry’s a retired lieutenant colonel from the United States Army and now serves as the CEO of Cape Endeavors Incorporated. Terry brings over 20 years of experience in cybersecurity threat analysis, security architecture design, network operations, and incident response across both commercial and government sectors. We hope you enjoy this episode.

So Terry, thanks for coming on again as we wrap up our cybercrime series. And throughout this series we’ve talked about a lot of different stuff, but I feel like one of the common denominators in our conversation has been the presence of email threats. So if you could just get our conversation going today, with what are the different email threats? I think the most common email threat most of us know and hear about is phishing, but what maybe some people don’t know as much about is that there are different kinds of phishing. So maybe you could just get us started by going over the different types of phishing, and then we can just jump into it from there.

Terry McGraw:

Sure, so the flavors of phishing. So typical spam is at the lowest end, that has largely been weeded out by a lot of engines that help support removing spam with spam filters. And all the major ISPs have some flavor of spam filter now, but it still comes in occasionally. So spam is advertising related, not necessarily specifically malicious per se, but designed to just get marketing attention and clicks that way. Then you move up to phishing, which is malicious intent and designed to get a user to interact with the email to some mal intent. Spear phishing means that someone is actually targeted, there is a campaign designed to go after you specifically. So some open source intelligence was done to find things about you to make it more relevant for you to click.

So a friend of mine, Jon Ramsey, he was the CTO at Dell SecureWorks, he’s now a distinguished fellow... Well, he was a distinguished fellow at Dell, I think now he’s at AWS. He tells the story of a spear phishing attack on him, where he had an email, and it was sent ostensibly by the private school his child goes to. And the email content was, “Hey, your son broke his arm on the playground.” And they knew specifics about the playground, they knew specifics about the school. And it was designed to compel an action. I mean, “Your child’s been hurt, so please sign this release form so we can get him treated at the emergency room. We’ll see you at the emergency room.” So of course this would normally have generated a lot of panic and probably would’ve generated... As he says, it would’ve generated a response on his part. But the only reason why he didn’t fall for it is his son was home, he was home sick from school that day. But it was a very well crafted, very well researched email designed to get his attention and to have him click.

So that’s spear phishing. One could argue that that goes in the next category, which is whaling. So whaling is I’m going after a big fish, someone specific, a CEO, a CTO, a high dollar or a high visibility target. The whaling is going after a singular person, but that singular person represents either, A, a lot of access, like a CEO, or the potential for the financial gain from compromising that is also large. So that’s whaling. And those are the general categories. I guess there’s one more, which is sort of a general cybercrime tactic, business email compromise. It’s using email; part of it could be a phishing component to get that initial access, it could be spoofing. There’s several flavors of business email compromise, but it is getting a financial win by the compromise of an email account. Or there’s flavors of this: there’s compromising the email, there’s spoofing of an email, there is faking invoicing that they send via email. So there’s flavors of the business email compromise, but it is direct monetization of criminal activity using email.

Cole French:

So then would you say that business email compromise, like you just said, is monetization versus phishing is really just going after a particular individual? Or can phishing also branch into similar tactics as business email compromise, I guess maybe without the monetization part?

Terry McGraw:

Yeah. Well, so BEC is designed to use the email not only as the initial access vector, but the mechanism of stealing. So for example, if I can spoof a CEO’s email or a chief financial officer’s email or a finance analyst, where I can then use that account legitimately... Not spoofing, but I compromise the account, then I can use that to actually initiate fraud. If it’s spoofing, I’m hoping to fool someone that it’s a legitimate email by having a character off, et cetera. Again, designed to get someone to respond to it because it looks legitimate. But they’re using the email as not only the vector, but also the mechanism of the theft. And phishing in general is a wider campaign and it’s designed around access, like using email as the initial access vector. So for example, it could be getting a delivery mechanism from malware, where that malware then provides the access.

A lot of phishing is the... Excuse me, the multifactor authentication bypass techniques that we see are largely around phishing, meaning they try to get someone to click, and that click provides the capturing of the user email and password. Then they put a server in the middle, a proxy server, which will capture the MFA request going back and forth. And so that provides them the in. Phishing is not usually sent to just one person; spear phishing is. But phishing in general, I’m going to send to a group of people inside a company and hope that someone clicks on it.

So for example, that during tax season you may see a request that looks very legitimate, “Please update your W-4 form. Prior to the tax season starting we want to make sure that everybody is up-to-date on their withholdings.” That looks legitimate, people click. It’ll look like a landing page for some document storage repository, folks will click on it and authorize the access that way. So phishing in general is about the initial access vector for follow-on activity that then has a financial gain component. But phishing in and of itself, unlike BEC... BEC may have a phishing component, but BEC is using the email as the financial mechanism or the financial theft mechanism, whereas phishing is usually an initial access vector.

Cole French:

So as far as phishing is concerned and the success rate, so do you have any indication or what are the statistics out there as far as how successful phishing campaigns are within organizations?

Terry McGraw:

Yeah. Well, so that’s interesting. I’ve been giving talks about the cyber threat landscape publicly since 2014. Black Hat, Forrester, Gartner, all the big conferences, RSA, et cetera. I say that not as an egomaniacal statement, but just the fact that I’ve been presenting this data a lot. And the top three initial access vectors, and I think I’ve said this before on this podcast, have remained the same consistently. And unfortunately, the top three initial access vectors for compromise are unpatched systems and servers, stolen credentials and malware borne through email. So those are the top three. And they’ve been the top three, and they’ve been the top three. So phishing remains in the top three of the initial access vectors that cause data breaches and/or financial compromise, i.e. ransomware or business email compromise. I mean, other than ransomware, the number two for financial theft of a corporate entity’s environment is business email compromise. So ransomware would be number one, number two being business email compromise.

The FBI I think reports... It’s in the billions, I think 32 billion and counting from business email compromise globally. So it’s a significant financial threat to corporate entities. And so if you look at the progress over time or the evolution of tactics, if you go back 15 years, banking Trojans were what we saw, and it was the theft of PCI data. And we as defenders got better, we tokenized PCI data, we put levels of encryption in place and obfuscation layers so you didn’t have direct correlation between PCI and actual information, et cetera, et cetera. So we got better... And oh, by the way, banks got better at detecting that kind of theft. So that made the barrier higher. I think 2011 we saw one of the first couple proofs of concept for ransomware, and that removed the middleman.

And what I mean by that, so when business... Or banking Trojans, you had PCI theft, but you had to launder that, you had to convert the PCI data to actual... Making blank credit cards or blank ATM cards. You’d have to send people into stores to either purchase goods or buy gift cards or something, some other way to launder that money and then convert that exchange to actual dollars. And all of those things, A, meant you had to hire middle people to do that work, you raised your exposure to law enforcement along the way. And the time window for monetizing that theft was very short. So ransomware came in, and so you remove the middle people. You don’t need money mules anymore, you now just compromise someone’s environment, you encrypt their data. Now we see data exfiltration as an extortion tactic. But either way, you’re now going for the direct monetization. I’m holding you hostage, you pay me the ransom.

And in business email compromise, it goes even one step further. So the things that we put in place to help with ransomware, really good backups, protection of our identity and privilege access management, all the things that we’ve been talking about in this series. But with business email compromise, someone’s voluntarily giving the money. So I send you a fake invoice and it looks really, really legitimate, and you pay a threat actor directly. I compromise an email and send it to an inside group from that email, and it looks legitimate and someone does the financial transaction that I’m requesting. A CEO sends a request for a good faith payment on a merger and acquisition, et cetera. And those all get generated and paid.

So again, you’re cutting out all the middle people. In this case, you’re also bypassing a lot of the legitimate security controls we’ve put in place. Now you have someone who’s been fooled into making a payment, whether that be by spoofing an email or getting a response to an invoice, but you’re actually compelling a payment via that email. And so it’s thwarting a lot of the security controls, because a human is willingly clicking and willingly completing the action or being fooled into completing the action. And so that’s why business email compromise is still rather problematic, because it’s still very much the human in the middle.

Cole French:

And what’s... From a law enforcement standpoint. So you mentioned at the beginning when you’re stealing PCI data and things like that, there was a lot of effort involved and that increased your exposure to law enforcement. What are you seeing as far as law enforcement involvement in phishing and business email compromise? I mean, we cut out the middleman from a financial standpoint, but does that also reduce the likelihood that these folks are getting ensnared within law enforcement and actually getting caught, prosecuted? Or does it create this shadowy environment where the financial losses just are what they are and there isn’t really much legal recourse?

Terry McGraw:

So I guess we should set the level of what law enforcement can and cannot do. I applaud the law enforcement effort, but there’s very few folks in law enforcement that have the skills to do this forensically. And the mechanisms for getting the money back can be problematic. The FBI has an amazing cybercrimes team, but they’re limited in people. So the amount of cases that they can get involved in is small to begin with. Then also remember that the vast majority of the folks that are inside the cybercrime rings are outside of the United States. So the ability for us... You can get indictments, you can seek extradition and prosecution. That’s if you can find them and if they’re in an area that would actually support your law enforcement efforts, and most of them are not. A lot of them are in the Commonwealth of Independent States, i.e. the former Soviet Union states. And most of those areas turn a blind eye to this kind of crime, because it generates a lot of revenue.

It’s illicit income, of course, but it does bring in a tremendous amount of money. We’re talking billions of dollars getting flooded into regions of the world that would not otherwise benefit from that. And so the areas of the world that these actors tend to operate in... Not always, I mean, there’s an exception to every rule. But let’s just say the 80% plus are operating in regions of the world geopolitically that are not supportive of extradition, if you will. So there’s a limit to what law enforcement can do anyway. In the area of ransomware, we see that payments are being done by cryptocurrency. Things like Bitcoin have been pretty well enumerated by the FBI. So there’s a trail that can somewhat be followed in the enumeration of wallets, which allows for the potential of getting some money back. If they’re well known, if the trail is clear, and it’s hot, and it’s a big enough dollar amount that would warrant the FBI getting involved, then of course you can maybe see some level of result in that.

But the reality is the vast majority of this are just business losses. You can file a report, you can make your claims to insurance if necessary, you file your law enforcement reports, et cetera. But the reality of getting that money back, it’s an exception, not the rule, which makes this still an expensive loss. So I do think law enforcement... And again, great people, great skill, there’s just way more activity than they have the ability to respond to. And you won’t get a lot of support from local law enforcement in this kind of thing. Federal law enforcement, there’s just not enough folks to do this to help adequately. So unless we’re talking high, high dollar, high visibility, high impact stuff, you’re not likely to get the type of support that you might think you could.

Cole French:

Yeah. Actually, recently I heard a story about an employee at a charitable organization who received an email. And it was from a person, just didn’t seem out of the ordinary. It wasn’t somebody that they were familiar with, but it mentioned this particular person’s superior. And said, “Hey, I’ve talked with so-and-so, and he’s said that he’s going to provide some help to our charitable organization in partnership. And as such, I need gift cards from these particular entities.”

And this person went out, bought the gift cards, sent them digitally to this particular person, no idea who it was. And then of course she goes back, talks to her superior. And he’s like, “I don’t know what you’re referring to.” And yeah, same kind of thing, it ended up they just had to write it off as a loss, because there’s not a whole lot you can do. And I can see why we’d only really be able to go after the sophisticated entities that are perpetrating phishing. So are there wide scale phishing campaigns? I mean, you mentioned it earlier, they are typically more wide scale in nature. So is that something that we’re able to piece together that you’ve seen in your experience, or is it difficult to piece together how broad a phishing campaign is?

Terry McGraw:

No. Well, I mean, it’s actually pretty easy to do business email compromise forensics. So from the incident response perspective, understanding what happened is usually pretty straightforward. And you can tell by looking at the logs how broad the campaign was and who eventually clicked on it, et cetera. The forensics of that are pretty straightforward. So understanding what happened after the fact is not all that difficult forensically. As opposed to if you think about ransomware, for example, or data exfiltration; forensically, that’s often very difficult, finding the smoking gun. What was taken, how much was taken, et cetera, what was affected, et cetera. Those are all very in-depth investigations forensically, and rarely do you find the actual smoking gun. Whereas in business email compromise, you almost always find the smoking gun; forensically it’s rather straightforward. By the way, which is why when you hire an incident response firm, business email compromise is usually a fixed price engagement, because we have a lot of automated tools that can do that, gather it and come to a conclusion rather quickly.

All that said, it doesn’t really help you because the damage is done. Getting money back is often very difficult in both cases. So understanding what happened, and how broad it was, and who it affected in the organization, again, rather straightforward. I will say that your example of the gift card thing is rather prevalent. It’s not only email, by the way, there is SMS phishing called smishing. In fact, one of my own employees contacted me the other day on Teams, and saying, “Hey, Terry, did you send me this text asking me to go buy a bunch of gift cards for one of our customers?” And I just giggled, and I’m like, “Really? You have to ask that question?” But I’m glad they did. We have a two-party check system here at Cape Endeavors, where anything financial or HR related requires someone to verify it.

So that’s what he was doing, was reaching out to me saying, “Hey, I got a request from you to go buy gift cards. Is this legit, yes or no?” And of course it wasn’t. But it is one of those things that is rather prevalent, you’ll see phishing style type of techniques in SMS. That’s a significant problem as well. Often just as lucrative for the cyber criminals, you get a text from somebody asking you to do something.

And again, this is the human component of this, the human condition. An office environment, and I think humans in general, we want to help. As employees, we want to be responsive to our bosses, we want to be seen as proactive and responsive and reactive, we want to be seen as the person that’s go-to. All of these things play to the human condition. And threat actors know this, there’s a large psychology component to cybercrime, especially through email and phishing. It’s designed to get you to respond, it’s crafted that way. And we do, we respond. And so that’s what makes this so difficult, it’s why... And there’s been a lot of debates about the effectiveness of email phishing training, et cetera. But yeah, it’s still very prevalent and still very effective.

Cole French:

Yeah. And I would add too, that not only is it to get you to respond, but I think it also preys on a particular... Getting you to suspend disbelief. I think that’s the biggest thing. When I talk with people who’ve encountered something that is phishing-like, whether that’s a pop-up or an actual phishing attempt, it’s always there’s some problem that needs to be solved. And yeah, I think for all the reasons you just mentioned, the desire to help, the desire to be a go-to. But it also can happen in a personal context, where this doesn’t have anything to do with work, this just has to do with something that could be a problem for me individually.

And it’s presented in a way that preys on the fear side, which I think ultimately it gets you in this place where you don’t even think about the fact that this is actually ludicrous. Why would I get some message... Like you were talking about, the smishing message that one of your employees got. Why would somebody be reaching out to me via a text message to take care of something like that? That’s completely out of the norm, that’s unusual, I would never ask somebody to do that. So it preys on our ability to let our guard down and suspend all of our abilities. I guess, think of it in a this is crazy, nobody would ever do this kind of way.

Terry McGraw:

Well, but it’s interesting, because... So I don’t know, I mean, I’ve been in the commercial industry now, I guess... Gee, for about 11 years now. And I think that maybe even you could say this from the military side. When the CEO sends you a personal message, in companies of a certain size, that becomes an emotional trigger as well. I mean, A, either what does the CEO want with me? You want to be seen as responsive. But it could be an oh, crap moment, it could be a wow, a flattering moment. But it is an emotional response. So if you get something from a C-level person and you’re a mid-level financial analyst, you pay attention. It could also be where the content is triggering, and I’ll use my poor mother as an example. And unfortunately she’s fallen for this a couple of times. But she’ll get an SMS message, and my mother is in her eighties and not exactly technically savvy.

But she’ll get a message that says, “Hi, this is your federal credit union. We’ve seen some fraudulent account activity.” And it’ll be amounts in the several hundreds, and my mom is on Social Security. And so that’s a significant emotional event for her when she sees multiple charges for hundreds of dollars. And immediately, her emotional reaction is to call the number, because they’ll leave a number for you to call. And of course you’re going to get someone who’s obviously not in the United States accent-wise, et cetera. But the desire for her to resolve the quote-unquote fraud was so high that she suspends disbelief of all the other indicators that she’s not talking to the actual bank that she thought she was talking to, et cetera.

Not to mention it wasn’t the actual number, she didn’t verify that the number in the text was the bank number, she just called it. And of course, unfortunately for her, they got her on, talked her through, they had her give up the multifactor token while they’re logging in, using her in this conversation to log in. And they stole every penny she had from all of her accounts. But it was in that hook, someone is stealing from me. It’s an emotional response, and of course she got the answer. So I do think there is an emotional component to this, that you are right, it does get you to suspend disbelief. It’s a sense of urgency, it’s a sense of responsiveness, it’s an emotional trigger. And that emotional trigger tends to get you to stop thinking logically. We see this in arguments as well, as soon as someone loses their temper, all logic goes out the window. As soon as you’ve triggered someone emotionally, logic tends to slip and you tend to just react, and that’s when they’ve got you.

Cole French:

Yeah, I actually have a similar story. A friend of mine who is a business owner was hit with... I can’t remember exactly whether it was smishing or phishing, but it was in that line of someone reaching out to him and presenting him with some problem. And he’s a younger guy, but he jumped on it and started working with... Same thing, he got a phone call, I think it was something financial and banking related. And told him that he needed to call this number, and all this kind of stuff. And so he got ensnared in it a little bit. And eventually he actually was on the phone with these folks in the car. And so I feel like this is an interesting tidbit to this, where sometimes a third party listening in. So he’s in his car, he picks up one of his kids from school, and he’s talking to this person, speakerphone, in the car. And his daughter’s sitting in there, and she’s like, “I think that that person is going on mute every time that you talk.”

And then he starts piecing it together, and then he starts asking questions. And they put it together basically, that first of all, he’s spoofed the number. So he called them back from the number that looked like the bank. But then he’s essentially asking them these questions, and then as they answer them, he’s going on mute. So it was just some of these strange aspects of this particular interaction that raised the alarm before he’d gone far enough to give everything away. But even still after it was all over, he had to disentangle from it and he had to get the bank involved and do a whole bunch of stuff. It was two to three days worth of undoing. He didn’t lose any money or anything like that, but still it caused a pretty significant impact to him personally. But I just think it’s interesting how it took somebody else who was not in this situation and not wrapped up in it to be like, as they’re just listening to it, “This sounds strange.” So I think that highlights the...

Terry McGraw:

I mean, it’s even worse now. Because in that scenario, imagine if, for example, the person you think you’re talking to has been voice faked. I mean, generative AI and the ability to improve phishing, but also voice phishing. There’s enough of my voice publicly and probably yours now, Cole, too as well, to fake our voices with AI to a high degree of fidelity that would fool the average person. And so these things, that’s why we put in two-factor checks here at Cape. Is that if someone got a phone call from Terry and it’s saying to do something or requesting some financial response, my team sends me a text or sends me something on Teams to verify that in fact they’re talking to Terry and not an AI. And that’s unfortunately a reality.

We used to look for grammatical errors in email, et cetera, things that would indicate a non-native speaker. Those are gone with generative AI. The AI has created incredibly realistic, both graphically, grammatically, even on the voice component piece of that. Whereas you almost have to create a two-party check system, because the fidelity of the criminal use of these tools is so good that... I mean, it’s fooled parents into thinking their children have been kidnapped and paying ransom.

I mean, these are real things. These are real-world scenarios, where people literally have heard their kids screaming and crying, either being captured or tortured. That creates an incredible emotional response in you as a human. And just like Jon Ramsey’s email about his kid being hurt, these are emotional triggers, logic gets supplanted to a response. And did the parent think to call their kid on the cell phone and say, “Hey, are you okay?” They just immediately start reacting. And so that’s why we see these. And generative AI is here, it’s impactful and it’s making this situation even worse. Again, try to verify. That would be my advice to everyone, is that when you get something in a corporate environment and it’s financial or HR-related, absolutely have a two-party check system. If you have something in your personal life where you know you’re being emotionally triggered by either, A, something as horrific as a kidnapping or as simple, mundane as fraud activity in your bank, try not to suspend your disbelief. Take the deep breath and verify that who you’re talking to is actually who you think you’re speaking to.

Cole French:

Yeah, all great words of wisdom there. And yeah, that’s a good segue actually into how do we thwart or stem the tide, so to speak, of these email threats, business email compromise, et cetera? So you mentioned at Cape, you guys have a two-party check. Is that a manual two-party check or do you use any...

Terry McGraw:

No, it’s manual.

Cole French:

Manual?

Terry McGraw:

It’s manual, it’s part of our AUP. We try not to develop a culture of encouragement, we’re developing a culture of mandatory compliance. Meaning in the AUP for financial and HR transactions specifically, it specifies you will, not it’s a good idea, not it’s encouraged, but you will. And it doesn’t matter that you’re interrupting the CEO at midnight, if you get a request to do a financial transaction that came from someone at the C-suite, you are required to verify that it is in fact legitimate. And that also speaks to a culture shift. I mean, I hate to say it, but in a lot of corporate environments, the C-suite is the sacrosanct group that, “God, I’m not going to interrupt the CEO.” But if the CEO has been spoofed, who else would you verify that with?

I mean, so having the CEO be the one that says, “No, I want you to call me. In fact, I insist that you call me.” The leadership has to be the ones to embrace the consequence of being interrupted at dinner or at nighttime or at odd hours or having... You cannot take umbrage that some person inside your organization would reach out to you directly. I find that to be a personality flaw in some leaders, by the way, that it would take umbrage to that. But that’s all another discussion. But yes, having two-party check systems and having it be part of the culture where it’s mandatory, not encouraged, not anything other than it is demanded. Meaning if you get these requests, you will verify, period. No ifs, no ands and buts. And not doing so has consequences.

Cole French:

Yeah, I think that’s a great approach. And I do think as much as tooling and technology, it’s something we always are after. I think, again, it is one of those things that it can be a hassle, it can be a pain. But sometimes the manual nature of it, because that’s... Like we talked about, the suspending disbelief and the psychology behind it, I think the best way to thwart that is to do things like a two-party check.

Like, “Hey, I got this thing. All right, I got to ask and double-check with someone else before I do it.” Because then that creates an automated thought process in my mind as somebody who might receive one of those requests. And I think having that two-party check that I actually have to talk to somebody, again, is my first line of defense. Psychologically I know, oh, I got this message, this is what I need to do first. I can almost not even worry about the content of what this is, I know I got to talk to so-and-so before I do this. And that just helps abate the psychological aspects of it. Now, as far as... So that’s the manual side of it. I know a lot of companies do phishing campaigns, which is a mix of... Are mostly automated and technical. But are there any other solutions out there that you see that help deal with email threats?

Terry McGraw:

Yeah. I mean, so the sandboxing software solutions have gotten quite sophisticated. I mean, I know the key people at Mimecast, Proofpoint. And I know that they continually are fighting the good fight against doing this from a technological perspective. For example, with generative AI, grammatical errors are missing. But even things as clever as replacing ASCII characters that are English with an ASCII character that’s Cyrillic, for example. But in type, look identical to the human eye, but are different. Meaning so if I’m typing in a URL that has the letter E, for example, and in the actual email it’s a Cyrillic E, not an English E, where the URL would then take you to an entirely different location, but you just don’t know it because it looks to you legitimate. And that is something that, again, a human couldn’t catch. So having one of the big email sandboxing solutions where they’re doing that comparative analysis of the URL to ensure that it’s a legitimate URL and not been spoofed with something like a Cyrillic replacement of an English character. Where they’re looking at DMARC, for example. Using a protocol that’s looking for DNS resolution prevalence.

Is it rare and recent or is it legitimate? What’s the reputational analysis of the locations, et cetera? All of those things... I mean, if you don’t have an email sandbox... And that’s not just relying on the exchange version or the Google version, but I mean legitimately a Mimecast or a Proofpoint as an additional barrier. I think it’s almost negligent at this point. Because look, I mean, humans are not going to be able to detect the vast majority of these things just by visual inspection. In fact, an acquaintance of mine, Dr. Chase Cunningham, a prevalent character on LinkedIn. And he calls himself Dr. Zero Trust. And he is, he’s a PhD in zero trust architectures. But he has a wide range of technological topics. And he broached the subject a few weeks ago on the efficacy of training for phishing attacks, human training.

And the reality is there’s a body of evidence both pro and con, that phishing training is largely ineffective. And it’s because the technological advancements keep outstripping our what to do. For example, visually inspect the URL to make sure that it’s legitimate. Well, if you do a Cyrillic replacement of an English character and to the eye, it looks like the same, how the hell are you ever going to do that by visual inspection? You can’t.

So a lot of the training that’s predicated is predicated on old tradecraft, not new tradecraft. And so I say that to say that we do need... I think, A, awareness of these things is important, but two-party check systems are way more effective than training someone to look at the URL. I think technologically we have to have a Proofpoint or a Mimecast or one of those other capabilities that’s constantly trying to evolve their solutions to help thwart these things, to a degree that humans just can’t do. And so you leave the edge cases to a human, and that’s where the two-party check systems come in. But technologically, I think you have to have that barrier to fight the good fight ahead of where you leave your last 1% too.

Cole French:

To your point about Proofpoint and tools like it, in addition to all the things you mentioned, the built-in sandboxing capabilities and visually spoofing the URLs, those particular email sandboxing tools also come with the ability to customize rule sets and build things that are specific to your organization. And we’ve worked with some customers actually who have leveraged tools like that to build their own robust rule sets that are specific to the type of work or the type of business that they do. So not only are you getting the intelligence that these companies are gathering from all the different organizations they’re working with, but you also then have a tool set, that with the right expertise and the right folks in your organization you can actually build it out to further support your own organization as well.

Terry McGraw:

Yeah, customizability is key. And look, I’m not making a pitch for any particular vendor, you have to do your due diligence. I’ve worked with those two, the ones I’ve mentioned in the past, and I respect their capabilities. There’s still things that they have to work through. For example, fighting the prevalence of QR codes in email. How does one... You visually can’t tell if the QR code has a malware redirect in it or a spoof in there. And it’s been problematic for the email sandboxes to resolve that. They probably have solved it by now, it’s been a few quarters since this became a technique that we’ve seen. But again, those are not things that you can let a human go figure out.

It’s too much to ask of your employees or any one of us to thwart every one of these new tradecrafts. I think you almost have to have an R&D wing of a technology company, like a Proofpoint or a Mimecast helping you to address those things. Otherwise, it’s just not fair to a human to say, “Well, go look at that QR code and make a determination whether or not it’s legit or not.” The only alternative is nothing that has a QR code can be used if it comes to you in email. Anyway, so I say all that to say, that I think that you’re going to have to rely on technologies to help, because just saying we’re going to do phishing training of our humans I think is naive at best at this point.

Cole French:

And to your point about that, actually, you mentioned earlier that I think there’s a growing feeling that it’s maybe not effective, and I think for sure as it relates to the tradecraft component. Yeah, it’s still focused on all the old ways of looking at phishing emails. But also from what I’ve heard, and this is just anecdotally, I don’t have necessarily firm statistics to back this up. But from folks I’ve talked to, the rate of people clicking on phishing campaign emails really hasn’t changed at all. So we’re not seeing, oh, it was two in five and now it’s one in 10 or something like that, we’re not seeing any drastic reductions in phishing campaigns. Which to me tells me that they’ve reached the point of their effectiveness, and we’re not going any further.

Terry McGraw:

No. Again, I think general awareness is still... For example, the call out of QR codes containing malware redirects that have been sent out through email. I think that kind of training is helpful, knowing that that’s a problem. I’m not saying that a human can solve it by looking at it or I can train you how to look at a QR code and determine what’s malicious, what’s not. But I can make you aware that if you see a QR code in your email, you should immediately go, “Huh?” The training that I think you should employ are, again, two-party checks. The training is, “Hey, did you know that in your acceptable use policy, you did sign this clause, it said you will do the following? That is a policy that we’ve employed, it is something that we are going to hold you accountable to.” And oh, by the way, we reinforce that when we talk to our employees.

I think those kind of training, tradecraft awareness, just I think that can be useful in helping reinforce policy, but it certainly isn’t going to stop effective phishing. I mean, the reality is these things are effective for a reason. And either whether they, A, are impossible for a human to determine, I keep using that Cyrillic replacement of an English character, to the naked eye they are identical. But to the computer, they mean something completely different. And so it’s not fair to burden... Training won’t solve that. So the best you can do is make someone aware that that exists. So Terry McGraw told your audience, Cole, that you can have a URL that looks completely legitimate, but at the ASCII level is not. And so I don’t think you’ll solve the problem, but you could at least make aware. And so I think that that’s the best we can hope for with training, is awareness. I don’t think we’re going to effectively solve the problem unless we put behavioral challenges on there, like the two-party check system.

Cole French:

Just to sum up, so awareness and good processes, and then some good technical solutions. This is the three tools in your toolbox that you can rely on in the fight against email threats. But one thing I wanted to circle back to that you mentioned earlier, Terry. And this is just something that’s near and dear to me as somebody who used to work in security operations. You had mentioned, and we’ve talked about this on all episodes in this cybercrime series, is unpatched systems being at the top of the list. And in a lot of ways, unpatched systems and email threats go hand in hand. Because I send an email, somebody clicks on a link, that link compromises something that’s unpatched on my system. So just want to mention patching systems is so important. And from my perspective, from a security standpoint, is really the most important thing we do as security practitioners.

And from a compliance standpoint, we’ve worked with a lot of organizations evaluating vulnerability management, which is the whole process. Patching systems, patching vulnerabilities. Not necessarily the same thing, although often they are. But just want to highlight the importance of patching systems, that is the number one vector of compromise. But it is closely related and enables a lot of these email threats that we’ve talked about. It’s amazing what we’ve seen in working with different organizations and the lack of awareness, the lack of implementation when it comes to vulnerability management and patching vulnerabilities, especially significant and critical vulnerabilities in environments.

Terry McGraw:

There are two things that I think warrant talking about in that regard. Number one, it sounds really easy to go patch. But in a large enterprise, that’s not necessarily the easiest thing to freaking go do. You’ve got systems that need to be tested before you roll out patching, so you don’t break an operational thing. You have to prioritize, because literally these things can be dozens if not hundreds a day depending on whether it’s Patch Tuesday or it’s other software vendors and their prevalence. You have to make the determination, is it my environment? How prevalent is my environment? What’s the impact of this in my environment? What’s the level of access it provides, et cetera, et cetera? CVSS scoring, et cetera. So having a vulnerability management plan and program is difficult, but absolutely needed. There’s also interesting tools, not only internal scanning, but a business partner of ours, SixMap, they’ve created a unique way of looking at the external attack surface.

They use some AI generative models, et cetera, and an entirely different methodology for looking at external scanning. But finding where your internal scanning may have missed, either from limitations of your tools or just not understanding adversary tradecraft from the outside. So looking at alternative ways to see yourself from an adversary perspective are critical components to that. So I don’t want to think that patching in and of itself is easy, it’s not, there’s a reason that a lot of this stuff goes unpatched. I think it’s also interesting to note that CISA, the Department of Homeland Security’s cyber protection wing. What is it? Cyber Intelligence Security Agency. They’ve created secure by design software initiative. And I think Jen Easterly, who’s the former director of CISA, said it best. She’s like, “For far too long, we have accepted that our software vendors are providing us insecure code.”

I’m using a DLL library or a module library that has a C component that’s susceptible to buffer overrun. I mean, now I’ve got entire systems that are predicated on a library used by a whole bunch of people that now have a buffer overflow capability. The fact of the matter is, we as consumers of software need to demand that software makers hold themselves to a higher standard of security acumen. I mean, why should we accept the fact that our software is going to be vulnerable?

And so I do think that just even for awareness, go check out the Secure by Design initiative. And the desire to get software vendors to do static and dynamic testing before they roll stuff out, to ensure that you don’t have subcomponents of your software, dependencies in your software that can cause your whole application to be compromised. I think that that initiative is refreshing. I don’t know how effective it’ll be, but I’m glad to see that we’re taking it on. And I do think it’s one of those things, where attitudinally we need to change our perspective. Why do we have to accept the fact that software is always going to be a vulnerability in our environment? We need to hold our vendors to a higher standard.

Cole French:

Yeah. I think this is one where the technology and the pace of technology created an environment where I could just build an application, I could build software however I want because I don’t have to worry about... There’s almost no constraints. And I think with that security went out the... I don’t know about out the window, that’s maybe extreme. But I think that a side effect of rapid advancements in memory and technology to support software development made it... I think actually inadvertently created this... What we’re in now, where security is somewhat of an afterthought. It’s really, I got to get this thing to work, and I don’t really need to take into account technological constraints, security constraints, things like that. So I think there’s a whole culture around it.

Terry McGraw:

It’s interesting, because I saw a... I forget the gentleman’s name, but he’s one of the directors of the security for C programming. So C is still a very, very prevalent language, and it’s an underlying component to most kernel developments, et cetera. But a lot of the security flaws... Because it’s not a memory sensitive language, meaning it does not have garbage recovery, et cetera. Meaning it’s not a... Memory has to be treated very, very specifically in C, and it needs to have a lot of checks, and it needs to have a lot of validation because it doesn’t handle memory allocation natively. So you have to write it into the code. Anyway, there’s the security platform, I think it’s Carnegie Mellon that hosts it. Anyway, the gentleman was giving a talk on it. And the argument he was having was with the prevalent compilers, because it’s the compilation that validates whether or not the code has integrity. Meaning do I have a buffer overrun problem?

Well, in several of the major compilers for C, they provide a buffer overrun validation, but not a buffer underrun. Meaning that if you fill up the memory allocation to the point where you now are using adjacent memory locations, that’s a buffer overrun, and you can inject code that way. But what the C community found, is that you can actually continue to overwrite to the point where it adds to the memory adjacent at the bottom end before the memory’s called. So now you have a buffer overrun and a buffer underrun capability. And advanced adversaries know this. And so they will write code specifically to attack buffer underrun. Well, guess what? None of the compilers check for that. And so that’s a huge problem.

And of course, now you’re trying to convince compiling software engineers that this is a legitimate problem. It’s not just a one-off, it’s not just it’s an esoteric academic thing, but that you have the potential for adversary tradecraft. And so there’s this constant back and forth of what’s in the realm of possible. So I think you’re right. I mean, it’s non-trivial having to address these things. But it also requires the folks developing the software capabilities to understand that there are malicious actors out there that make it their life’s mission to find out how to exploit your code. And when a body of security professionals comes to you saying, “Hey, this buffer underrun thing, you probably ought to address it.” That should be enough to compel you to go back and look at your code. So I do think that these are cultural issues. But again, security by design has to be baked into all of these things.

Cole French:

I think that’s a good place to wrap up our conversation. I think this series, the cybercrime series, I think right here at the end as we wrapped up this conversation, I mean, it’s perfect. I think we talked about how really, even though we break these things up into individual things, it’s all interrelated. Everything overlaps with each other, so the key is really to think about it. Yeah, we should think about each problem individually, but we also need to think about it holistically and as it relates to our entire organizational operation.

So Terry, I really appreciate you coming on. I really appreciate you talking through different aspects of cybercrime with us. I think our listeners have really gotten a lot of value out of hearing your wealth of experience and insight. And so I just really appreciate you coming on.

Terry McGraw:

Cole, as always, I really appreciate your invitation and talking with you. Again, I think the folks that you’ve brought to bear in Kratos are some of the best in the business. And again, it’s a mutual admiration society here, and I appreciate the opportunity.

Cole French:

Thank you, Terry. Appreciate it. Thank you for joining us on the Cyber Compliance and Beyond podcast. We want to hear from you. What unanswered questions would you like us to tackle? Is there a topic you’d like us to discuss or you just have some feedback for us? Let us know on LinkedIn and Twitter at Kratos Defense or by email at ccbeyond@kratosdefense.com. We hope you’ll join us again for our next episode. And until then, keep building security into the fabric of what you do.
