It’s all too often tempting to apply a single viewpoint when it comes to hacking. We tend to believe that hackers are either highly professional groups looking to disrupt commercial operations or government functions, or private individuals out for an instant cash reward. However, the cyber security software firm Imperva has gone a step further in its recent report Beyond Takeover – Stories From a Hacked Account. In the research, Imperva reversed the phishing hook to hack the hackers, proving that these “professionals” are just as susceptible – and in the process learned some very important anti-hacker lessons.
Reverse phishing and the anti-hacker research methodology
In a nutshell, the methodology consisted of creating ‘honeypots’ that real-world hackers would find attractive. These ‘traps’ were linked to several different types of email accounts and logins containing personal information. File hosting services on platforms such as Dropbox and Google Drive were also set up. To add a further layer of authenticity, the accounts were also linked to social media sites such as Twitter and Facebook, as well as subscription sites for news and other items. The email boxes were then populated with messages and contact lists. The next step was to leak the account credentials onto the dark web using a zero-day phishing campaign and start tracking what would happen.
The researchers collected 200 instances where accounts suffered credential leaks. Of those leaks, the research indicated that 44% were exploited by hackers, and 34% were repeatedly accessed – apparently from different IP addresses, indicating that more than one phisher was responsible. On average it took a single week for the accounts to be penetrated; in 50% of the instances the accounts were compromised within 24 hours. So what are the anti-hacker lessons?
Key anti-hacker learnings
The experts at Imperva came to some conclusions about the vulnerability of accounts in an age where the average user is present on the Internet on a variety of platforms and using multiple devices. These are some of the anti-hacker learnings that organizations across the board can take away from the Imperva study:
Password reuse across multiple accounts is incredibly dangerous. If the user continues this practice, it increases the chance of falling prey to determined attacks. If hackers get hold of a single password for a single user account they can access all the sites where the user is registered.
Humans remain susceptible to hacking – even with the best training and security awareness in the world – and malware infection and vulnerability to hacking are almost unavoidable. Users will almost always click on links, and download and open attachments. Therefore, the focus of any organization should be to build robust threat intelligence and breach detection solutions. In theory, this enables the organization to quickly detect a compromised account and any attempt to abuse enterprise data and resources. The organization can then quickly quarantine the compromised asset.
Attackers tend to perform manual searches for sensitive information once they have compromised an account. As an organization, if you are detecting threats by monitoring for patterns of automated tools, you may need to rethink your strategy.
Timing is everything. Automated threat assessment tools can assist in dramatically reducing the possibility of an account being hacked in the first place – but taking measures to re-secure accounts that have already been hacked is equally important. Reaction within 24 hours should be the target for organizations, which can then revoke passwords to prevent further damage.
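To make the last three lessons concrete, here is an added triage script (not from the Imperva report) that runs over a constructed honeypot access log and, for each leaked credential, reports whether it was used, how many hours after the leak, whether that still falls inside the 24-hour reaction window, how many distinct source IPs touched it, and whether each source's cadence looks like a human rummaging through a mailbox or a script. The account names, IPs, timestamps and the 5-second cadence threshold are all assumptions chosen for the sample.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median
# Constructed sample: the moment each honeypot credential was leaked.
LEAK_TIMES = {a: datetime(2024, 3, 1, 9, 0) for a in ("alice@h.test", "bob@h.test", "carol@h.test")}
# Constructed access log, one event per line: "timestamp account source_ip action".
ACCESS_LOG = """\
2024-03-01T15:12:04 alice@h.test 203.0.113.7 login
2024-03-01T15:13:30 alice@h.test 203.0.113.7 search:password
2024-03-05T02:00:00 alice@h.test 198.51.100.9 login
2024-03-05T02:00:01 alice@h.test 198.51.100.9 search:invoice
2024-03-09T11:40:00 bob@h.test 192.0.2.44 login
2024-03-09T11:45:10 bob@h.test 192.0.2.44 search:wallet
"""
REACTION_WINDOW = timedelta(hours=24)  # the article's suggested response target
SCRIPTED_GAP_SECONDS = 5.0             # assumed: median gap below this looks automated

def parse_log(text):
    """Group (timestamp, ip, action) events by account."""
    events = defaultdict(list)
    for line in text.splitlines():
        ts, account, ip, action = line.split()
        events[account].append((datetime.fromisoformat(ts), ip, action))
    return events

def pacing(times):
    """Cadence of one source IP; a human browsing a mailbox leaves seconds to minutes between actions."""
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if not gaps:
        return "unknown"  # a single event is no evidence either way
    return "automated" if median(gaps) < SCRIPTED_GAP_SECONDS else "manual"

def triage(leak_times, log_text):
    """Per leaked account: was it used, how fast, from how many IPs, human or scripted?"""
    events, report = parse_log(log_text), {}
    for account, leaked in leak_times.items():
        evs = sorted(events.get(account, []))
        if not evs:
            report[account] = {"used": False}
            continue
        ips = sorted({ip for _, ip, _ in evs})
        delay = evs[0][0] - leaked
        report[account] = {
            "used": True,
            "hours_to_first_use": delay / timedelta(hours=1),
            "within_24h": delay <= REACTION_WINDOW,  # still inside the revoke-password window?
            "distinct_ips": len(ips),  # more than one suggests the credential was shared or resold
            "pacing": {ip: pacing([t for t, i, _ in evs if i == ip]) for ip in ips},
        }
    return report
```

In the sample, alice's credential is used 6.2 hours after the leak by a slow, manual-looking source and later by a second, scripted one, bob's is used only after eight days, and carol's is never touched.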
The research presented an interesting study into the behavior of hackers, especially how Imperva reversed the phishing hook and the fact that these ‘professionals’ are just as susceptible to phishing attacks as ordinary folks. Organizations should consider these anti-hacker learnings as starting points to enhance their cybersecurity defenses.