Vast majority of cyberattacks still traditional and unsophisticated – Alethe Denis exclusive interview

<?xml encoding="UTF-8">

For our second interview in this series, we have Alethe Denis - Senior Security Consultant on the Red Team at Bishop Fox, member of the DEF CON Groups Board, and a star in the DEF CON Black Badge Hall of Fame.

Alethe's work with Bishop Fox has helped businesses develop and enhance solutions and strategies to improve their security, and her perspectives have been featured in numerous outlets, including the Wall Street Journal, Der Spiegel, DARKReading, and The Register.

Besides being a renowned expert in offensive security, she's also a public speaker and she's passionate about giving back to the community, whether it's through training the personnel of the U.S. Army Special Operations Command, or mentoring cybersecurity students and staff at Los Alamos National Laboratory.

Now, she's here to share her knowledge with us. We asked Alethe about several topics, covering everything from what makes us vulnerable to phishing to the potential role of AI and deepfakes in future phishing attacks. She was generous with her insights, and we're excited to share her expert perspective with you.

In this article

• Everyone is vulnerable to social engineering - every single human [...] that is why it's so effective'
• Social engineering, the biggest threats moving forward'
• AI, deep fakes, and machine learning have influenced scamming and phishing over the past couple years'
• On the thrill and challenges of red team operations
• Social engineering isn't sophisticated, but remains effective and lucrative
• References

Everyone is vulnerable to social engineering - every single human [...] that is why it's so effective'Q: Do you think it's possible for someone to be entirely impervious to phishing attacks, or is everyone vulnerable to some extent? (Question by Diana)

Everyone is vulnerable to social engineering - every single human. And that's why it's so effective as an attack vector. We are all vulnerable because we are all connected.

Just as the only truly secure system is one that is not connected to anything, the only secure human would be one that is not connected to anyone else; one that does not have to interact with anyone else. With our collaborative work environments, this is simply not possible.

Layer human psychology and human behavior on top of the necessity to engage and interact with each other, and we are all, unfortunately, very much vulnerable to social engineering.

I myself fell victim to it - a phishing attempt for my wireless phone account pin number. That experience launched me into this space and motivated me to learn more about social engineering to ensure that I never fell for it again.

That led me to want to help educate others, eventually guiding me to a career in offensive security on a red team, where I now employ social engineering tactics on a daily basis.

From more than a decade of experience now, I can share that there is always at least one person who is just the right level of distracted, helpful, or simply cognitively unable to discern when they're being manipulated by another human.

That's an unfortunate truth we, as the protectors and defenders, need to accept. The only thing that can protect a certain percentage of the population are our technical controls.

Q: What's the most sophisticated scam you've encountered? Perhaps it was one of your devising? (Question by Alpa)

I most admire these scams that leverage multiple layers of pretexts or technology to create the appearance of a genuine request or persona.

We typically only hear about the final act in the media - the last phone call or the final exploit of the human at the helpdesk of the company that was compromised.

But what I admire is the architecture of the con.I also enjoy the use of new and unique platforms in the fabrication of bogus identities and phishing attempts.

For example, we recently started hearing about the use of Google Calendar invitations and Google Doc Comment email notifications as a means of sending phishing links to unsuspecting victims.

How truly creative, to leverage a trusted email service to deliver a notification email that was guaranteed to land in the target's inbox, and then direct them to a trusted platform - Google calendar or Docs - to deliver a malicious link.

I don't qualify many of these scams, or social engineering in general, as sophisticated. In fact, social engineering, by definition, is not sophisticated by most information security professionals' standards.

However, the use of SaaS and third-party software products and services to deliver malicious links and payloads is, by far, the most effective and sophisticated type of campaign currently employed by attackers (and by our own red team during social engineering campaigns).

This approach helps us evade detection and bypass a lot of the common monitoring and alerting capabilities of our client organizations.

However, it's not really in my best interest to disclose how we are accomplishing this, now is it?

Q: You love Pulp Fiction, some of us @ Techreport also love Pulp Fiction. What makes it so special to you? (Question by Alpa)Source: SFGATE

The movie Pulp Fiction came out when I was 12 years old, and I managed to sneak into the theater to see it.

Probably not the best idea but, at the time, I didn't know any better and I knew that Tarantino was special.

I adored the humor because it was very dark and, even though I was young, I'd been exposed to a lot of adult problems and challenges, even at that stage in my life.

I was operating in a very adult world, even as a preteen. There were some scenes and themes that went over my head, but, for the most part, I empathized with the characters. I appreciated the character development and the storytelling so much. The film made a huge impact on me.

I also loved that they incorporated a University of California Santa Cruz T-shirt into the movie. John Travolta's character wears the T-shirt after the famous incident in the car, which requires him to change his clothing.

I was living on the UCSC campus when the movie came out. In fact, the theater I snuck into to see the film was in downtown Santa Cruz, and people lost their minds when that T-shirt came on screen.

Having our university and that mascot featured in a movie getting that much attention was pretty sensational - for both the university and the town of Santa Cruz, where I lived at the time and for the two years following the movie's release.

A couple of years ago, I had the opportunity to go to the New Beverly theater in Hollywood - which is owned by Quentin Tarantino - to see a midnight showing of Quentin's own 35mm print of the movie Pulp Fiction, with his manual edits to the film.

It was a pretty incredible experience to see where he cut and spliced the 35mm film and taped it back together, and to see that raw edit of the physical film was very special. Just knowing that it was from his personal collection was even more insane.

The theater is older with the original seats, and it literally smells like 1994 in there. I felt like I was 12 years old again, sneaking into the theater to watch that movie on film. It's an experience I will treasure for the rest of my life.

Q: You're a great supporter of Hope for the Hinterlands of Nepal.' What drew you to the cause? (Question by Alpa)

I could not begin to describe how honored I am to support such a worthy cause and a selfless team - @VipinSangwann you are an incredible inspiration and your generosity of time, effort, and spirit is truly incredible and humbling Namaste https://t.co/kxOJVYhfai

- ETE (@AletheDenis) April 5, 2023

I was approached by Vipin Sangwan several years ago. He was asking for support for his efforts to provide the resources to enable girls and young women to remain in school in Nepal.

Most of the young girls and young women in Nepal are forced to marry young because they are from families that are severely under-resourced and lacking in material wealth to support them.

This charitable organization provides the financial support and material resources to help families keep their girls and young women in school, allowing them to create their own paths, careers, and the lives that they choose for themselves, rather than having their destinies dictated out of financial necessity.

I'll admit that, at first, I was pretty skeptical. I get approached rather frequently by people requesting money for support of various funds. But Vipin was able to demonstrate his efforts and show verifiable evidence of where the funds were going, and how his efforts were benefiting these communities and changing lives.

Over the years, he has continued to send regular updates to me, including pictures and videos from his journeys across hundreds of miles of rough terrain to bring clothing and supplies to children in schools all over Nepal.

Recently, he has manufactured stoves and donated those to families, providing heat and healthier cooking methods that reduce smoke in the people's homes and helps prevent health problems.

But what has moved me the most is Vipin's selflessness, his generosity with his time, and dedication to this cause. He has put his entire life on hold in order to physically make these things happen and create this positive change.

That's something not many people would be willing to do, and his sacrifice is something that merits support. Donating money and raising awareness feels like the absolute least I can do.

Social engineering, the biggest threats moving forward'Q: What are you most afraid of when it comes to modern cybersecurity threats? (Question by Amy)

I'm most weary of our overdependence on tools and our overconfidence in them. Human sneakiness and social engineering are, in my humble opinion, our biggest threats moving forward.

As we continue to automate things and depend on machine learning and AI to do the bulk of our simple tasks, and later, our more complex tasks, I see us losing that keen human insight and ability to identify vulnerabilities and threats that are more complex or layered in their approaches.

It's similar to how a self-driving car is unable to anticipate the car that you just know is going to change lanes up ahead, even before they put their blinker on or start to move over.

There are some things that human experience and skill will always be better at determining, compared to automation or rule-based logic.

Q: What are, in your opinion, the most important best-practices for someone to avoid falling prey to online phishing attacks? Whether that's a scam email or a spoofed website. (Question by Alex)

Time - time is the best protector against an emotional response. I have a rule that, when I read an email, especially early in the morning, I am not allowed to respond for at least 15 minutes.

This gives me time to process the request and properly verify that the other person is genuinely authorized to make this request.

Secondly, ask questions. Don't be afraid to be an inconvenience. Ask your manager if an email from a third party is a genuine vendor email request you should reply to or engage with. Ask HR if it really is open enrollment.

Ask questions to ensure that you're interacting with the email in a way that is safe, and my general rule is to ignore the rest. If it's important, they will email again.

Be on the lookout for crazy response deadlines and watch out for email senders with domains that don't match. But understand that some domains, and even login pages, can be the absolute genuine ones, just proxied (eavesdropped on) by the attackers.

I suggest to only navigate to your login pages via trusted sources, like your saved bookmarks, rather than attempting to login to a service from a link in an email that you weren't expecting.

The bottom line is: stop, evaluate if you are having an emotional response, and then if you are, question the other aspects of this email to see if it appears genuine.

Start asking questions and take the time to validate the request before you interact with it. Or, ignore it. If it's important, it'll come back to you. If it doesn't and if someone authorized doesn't communicate to expect the email, it was probably not a genuine request.

With phone phishing, the best defense is simply not answering the phone. But if you have to answer the phone, the same rules apply. Take time to ask a lot of questions and properly validate a request.

No matter how charming the requestor may be, always verify identities and stick to company policies regarding verification and authorization.

Q: In your experience, what's the #1 thing that even the most knowledgeable people overlook when under a phishing attack? (Question by Diana)

People often assume that they are immune to manipulation and that common social engineering tactics simply won't work on them. This is a terrible assumption to make, as every human is vulnerable to these weaknesses.

We are, by definition, human, and the world would be a very cold and callous place to live in if we lacked empathy and trust.

It would also be very difficult for us to even leave the house if we were unable to trust anyone in our environment. We couldn't even start our cars if we didn't trust our mechanics and the people who manufacture the parts and fluids in them.

Once people are able to separate the human elements from the phishing attack, and remove the parts of the campaign that are meant to provoke emotion, it typically becomes more clear from an analytical perspective that the campaign doesn't seem to add up, or the requestor doesn't appear genuine.

AI, deep fakes, and machine learning have influenced scamming and phishing over the past couple years'Q: Would you say that AI (thinking of deepfake technology here) has had a significant boosting effect on scammers and phishers? Or is the classic method of email phishing and vishing still the go-to and most effective? (Question by Alex)Fake livestreams of Elon Musk are one of the best-known examples of deepfake scams in recent years
Source: Trend Micro

AI, deep fakes, and machine learning have certainly influenced scamming and phishing over the past couple years. Deep fakes used to be expensive to produce or, at the minimum, extremely time consuming. Now that's not really the case.

I believe there is still a significant barrier to entry when it comes to skills and resources to create a compelling deep fake, even if you're able to collect enough material to train a compelling deep fake of a specific individual.

For this reason, the ROI can be pretty low for your average scammers and low level for profit' social engineering campaigns.It's simply not worth the time or the effort, especially when your standard authority' or empathy' based pretexts are still both effective and lucrative.

In my opinion, the vast majority of attacks will still be rather traditional in nature, casting a wide net, and with less sophisticated pretexts and supporting infrastructure.

However, for the high value targets, like the global mega corporations and individual spear phishing victims where there's a very high potential reward for attackers, I do anticipate we will see deep fakes more frequently.

With such custom targeted attacks on high-value targets, the attackers stand to profit greatly if successful.

Q: Are you concerned with the potential of AI for developing malicious code and how its vast coding knowledge may be used as part of more complex cyber attacks? (Question by Amy)

Of course I'm concerned. I think the majority of us are similarly concerned. I do feel that the use of AI in code development will be a game changer for many of us, in a positive way.

However, I do know that some people are using it irresponsibly and sharing proprietary company information with large language models (LLM) that are not properly segmented from the public models.

Also, we are aware that malicious attackers can leverage these models to create advanced methods of attacking these systems. Since the LLM was used to develop it, it therefore has intimate knowledge of how it is built.

Put plainly, if an LLM was used to develop something, it only makes sense that it would know how it is vulnerable to attack. That is something that concerns me, that attackers can then weaponize this knowledge and use it against these systems.

Q: To clarify this once and for all, can you get infected by simply opening an email or are you safe to do so as long as you don't click on any links or open any attachments? (Question by Alex)

Simply opening an email is safe in most modern email systems. The real danger comes from clicking on suspicious links, enabling external content, or opening attachments without verifying the source.

Practicing caution and keeping software up to date effectively mitigates the risks associated with email-based threats. However, the risk is never zero.

In older, outdated environments, email systems, or less mature organizations, more sophisticated threats may pose significant risks to systems and data without requiring human interaction. In such cases, it's crucial to have additional layers of technical security in place to prevent compromise.

Q: A company can have all the most up-to-date cybersecurity tech. However, often, it's us who are the weak link in an organization. We can be taught the signs that suggest something is untoward (the half-hour security awareness' training video), but it's that human' (emotional) aspect that makes us vulnerable. Especially the face-to-face (your favorite) variety. How do you go about addressing that balance between vigilance and constant suspicion? (Question by Alpa)Many employees still fall for phishing emails, despite cybersecurity training

Very early in my career, I believed that Security Awareness Training was the answer. Soon, I realized that humans still failed the test.

Then, I thought, this must be a culture issue. People just didn't seem to care; they knew better, but they weren't invested in protecting their employers and their employer's data from attackers. This was also not entirely correct.

As it turns out, studies have shown that some people are simply not able to discern when they're being manipulated. They lack the ability to perceive the threat, to see when people are being deceptive.

So, you have people at many unique levels of awareness and capability when it comes to identifying potential social engineering tactics employed by attackers in the wild.

It's very difficult to issue one-size-fits-all advice for an employee population to achieve the balance between paranoia and fantastic customer experience. Even when that experience is an internal help desk experience.

So, how do we standardize these processes to ensure that people at all levels are able to defend against social engineering attacks consistently, and empower them to say no without making them responsible for delivering a bad experience to the requestor in the interaction?

The answer is policy and procedure around requestor verification, and empowering our employees to stick to these policies and procedures without fear of taking the blame for declining to authorize individuals who do not pass verification checks.

When employees can effectively point to a procedure and a policy behind it, and then say this is a non-negotiable," then it takes the burden of the no" away from them. It allows them to do their job and ask the right questions, and it will stop attackers the vast majority of the time.

It also takes the burden off the human to decide when they need to be suspicious and when they can be relaxed.

All too often, humans make the wrong call in these cases. We are human, and we sometimes trust for the wrong reasons and make poor choices. That's just human nature, to make mistakes. And that's okay.

On the thrill and challenges of red team operationsQ: What's the most thrilling and high-stakes assignment you had as a social engineer? One that demanded every ounce of skill and ingenuity to keep your cover intact. (Question by Alex)

The majority of my red team engagements are conducted remotely. This is true for the remainder of the red team and me; we conduct our assessments remotely, for the most part.

And in some cases, they don't even involve social engineering tactics at all. I qualify social engineering as a skill, more so than a job title.That said, on the red team, we do occasionally have the opportunity to include on-site physical infiltration of the client offices for our red team operations.

When we are conducting a physical penetration test, the red team trophy objectives may be similar to the ones for the remote red team engagements, i.e. own the client network.

However, in these cases, we are permitted to use the method of physical access to the client building as a means of achieving the goal. And you cannot replicate the adrenaline or the anxiety of breaking into a building.

You do get slightly more comfortable and more confident in these scenarios after completing several engagements. But the stakes are always high, because the goal is always to remain undetected and to achieve the goal without being contacted by anyone.

Due to the unpredictable nature of these situations, it's very tough to plan for every potential outcome and this can be both vomit inducing and thrilling as heck, haha.

One of my recent engagements had me going up against a former red teamer and someone who was also a former Israeli Defense Force (IDF) operator.

I knew exactly who they were, and I decided to use this information, boldly leveraging their authority in my pretext, with plans to assert this authority over an unsuspecting receptionist.

Much to my dismay, the usual receptionist was out of the office that day, and covering for them was a security manager.

But to add even more difficulty to the situation, the security manager immediately escalated our request for access to the very person we had named in our phony work order, and who we expected to be working from home that day.

When they came walking out to greet us, it became a standoff. We each knew the other knew more than they were willing to admit. And, while attempting to read each other, it became clear that we were at a stalemate.

I compare this situation to when Beth loses her queen early on in the first episode of the series the Queen's Gambit. Mr. Shaibel educates her on how to forfeit out of respect for her opponent as, despite it not being checkmate, she is clearly unable to best her opponent, having lost the advantage this early in the match.

At this stage, I decided to resign. We let our opponent on the blue team kick us out and they let us leave with our dignity.

I maintained the pretext even as we walked out of the building, calling our red team operator - who was monitoring the number we had setup for our fake company on the work order, in case the blue team decided to call the number we left - complaining, as any IT Technician would, that we had been denied access to complete our dispatch.

Because I showed respect for my opponent and didn't waste their time attempting to strong-arm compliance with our request for access, an exercise I knew to be futile, we were actually able to smoothly transition the engagement to an assumed breach, and still deliver fantastic observations and recommendations to the client.

And I gained a fantastic friend and resource in the blue team opponent. They are now someone I am quite proud to say caught me. And I have a lot of new skills to apply going forward to assist us with remaining undetected in future engagements.

Q: Do you think blue team and red team roles require distinct skill sets? (Question by Diana)

Red Team and Blue Team operators play distinct but complementary roles in cybersecurity, each requiring a unique set of skills.

Red Teams focus on offense, using techniques to simulate attacks and identify weaknesses in an organization's defenses.

Their skills revolve around penetration testing, social engineering, stealth tactics, and post-exploitation. In short, knowledge of systems, processes and applications, and anything else that helps them exploit vulnerabilities and evade detection.

Red Teamers need to think creatively, often automating tasks with scripts and using specialized tools, all while maintaining strict operational security to remain hidden from defenders.

On the other hand, Blue Teams are the defenders, focusing on detecting, responding to, and remediating attacks. Their expertise lies in monitoring network traffic, analyzing logs, and incident response.

Blue Teamers are skilled in using detection and monitoring tools, identifying patterns and indicators of a compromise, along with forensic techniques to investigate and respond to potential threats.

They also focus on proactive security measures like system hardening, vulnerability management, and behavioral analysis to reduce attack surfaces.

While each team has its own focus, cross-team collaboration and understanding of each other's methods are essential for a well-rounded security posture, often facilitated through Purple Teams.

This collaborative approach allows organizations to continuously refine both their offensive and defensive strategies, improving overall resilience against cyber threats.

I would also encourage practitioners to switch sides from time to time in their roles, and throughout their careers, to see which areas of focus they are most drawn to.

Some folks find new passion playing for the other team, while others can benefit from seeing things from the other side or from new perspectives.

For example, you can better detect attackers if you understand how attackers think, while it's also true that you have a better chance of remaining undetected if you understand how defenders detect attackers.

Q: Through InfraGuard you've worked with the FBI. What's the juiciest security failure you're allowed to share? (Question by Alpa)

Unfortunately, I am not able to share anything related to my relationship with InfraGard or the FBI, or information shared with me.

Sometimes, they allow me to present to them the operations I am working on and to do outreach in our local community, where I help to educate local businesses on cybersecurity risk.

Recently, I had an opportunity to do that at the 19th Annual Cybersecurity Symposium hosted by InfraGard Sacramento, where I was one of the invited speakers.

Q: Some of us still feel the itch to interact even when we recognize a phishing attack. Is it ever safe to engage with the attacker, or should we still avoid it? (Question by Diana)

My advice is always not to engage. This is the only way to prevent any potential negative consequences. If you engage, you encourage the attacker to continue to persevere.

This persistence is exactly what we want to discourage. And by not engaging, they will likely move on to another target who is responsive.

I know that it is tempting to engage and, sometimes, it can be entertaining, especially with text message based phishing attacks.

I myself have done so in the past. However, I would recommend leaving these conversations and marking them as spam or reporting them as junk whenever possible.

This advice also extends to social media platforms and direct messages on those and other online forums.

While it may be entertaining, it can be a gateway to retaliatory behavior from the attacker, and there are much better ways to expend your own energy.

Q: How would you rate the following security and data privacy environment, and how could it be improved, with data security and privacy in mind?

1. 1Password for all online accounts [...] (question continues) (Question by Alex)

This is great!

2. Double-blind password system for the 1Password master password, with one part memorized and one part stored as a static password on a YubiKey. The full password would have a very high entropy, so it's completely random. [...]

Also a great idea, but tough to implement throughout an entire organization.

Perhaps only require this level of password requirement for those with the highest levels of privilege, and have more relaxed requirements with U2F implementation for users with lower levels of access.

You'd still have highly phishing-resistant password and access control requirements, but not so difficult that you create a nightmare for helpdesk employees, who will be resetting access for everyone who forgets and/or loses their YubiKeys all the time.

3. YubiKey security key as the sole 2FA across all websites that accept it. Otherwise, the Yubikey proprietary authenticator as an alternative. [...]

Another great recommendation.

4. ProtonMail as the main email provider with several sub-addresses for individual service categories (like banking, social media, work, etc.) [...]

For personal use, I absolutely encourage this. For organizations, it may make collaboration a bit more complicated.

There's a balance to be struck between collaboration and security. The level of risk the organization is prepared to assume often depends on the sensitivity of the data and the people it's charged with protecting.

5. Never using public Wi-Fi networks [...]

I support this one always and for everyone.

6. Typical distrust toward all email links unless it's something specifically requested on the spot (like password reset links) [...]

I would clarify that verified internal and expected links are typically okay but, yes - there is just never a hard and fast rule

7. Remote work, so no unauthorized access to personal devices [...]

Always nice, but I'd add also encouraging remote workers to keep devices secure and locked when not in use, and not taking them to insecure locations, but working from remote home offices rather than areas where they can be easily shoulder surfed or compromised outside of their trusted network.

8. Linux OS (OpenSUSE Tumbleweed) [...]

Yes, potentially more secure, but again, may offer some challenges when it comes to collaboration and use of certain applications and services.

9. Full data backup on a separate drive [...]

Frequent, air gapped, and regularly tested backups are vital for recovery.

10. VPN on for most of the time [...]

A trusted VPN for connecting to the work' network is always recommended.

11. Librewolf browser with Privacy Badger extension [...]

I prefer a chromium browser for collaboration, thanks to its usability with various services and also for ease of use.

Developers typically develop applications and services with these browsers supported fully. Using the privacy capabilities of these browsers is absolutely something I would encourage as well.

12. Startpage search engine

Search engines, I feel, are simply personal preference. But for avoiding having your data mined and sold, this is a very good and secure option.

Social engineering isn't sophisticated, but remains effective and lucrative

From me and the entire Techreport team, we'd like to thank you for this opportunity, Alethe!

We rarely get the chance to sit down with a cybersecurity and social engineering rockstar, so it's been a real treat.

ReferencesClick to expand and view sources

1. Social engineering - Glossary (NIST)
2. Google Warns How Hackers Could Abuse Calendar Service as a Covert C2 Channel (The Hacker News)
3. Understanding Proxy Servers and How They Work (Okta)
4. Finance Worker Pays out $25 Million after Video Call with Deepfake chief Financial Officer' (CNN)

The post Vast majority of cyberattacks still traditional and unsophisticated - Alethe Denis exclusive interview appeared first on Techreport.