Insights from Black Hat 2022: Notable Briefings Recap
At the recent Black Hat USA 2022 conference, a two-day event filled with valuable insights, I had the chance to attend my third Black Hat, my second one from the comfort of my home. Despite some feelings of missing out as many participants gathered in person at Mandalay Bay, the virtual content delivered by cybersecurity experts worldwide was compelling and thought-provoking.
Before the conference commenced, I tuned into Black Hat’s informative Feature, Day Zero: Must-See Briefings at Black Hat USA 2022. During this session, Kelly Jackson Higgins, Editor-in-Chief at Dark Reading, showcased several briefings that stood out, and I promptly added these sessions to my schedule.
Here are my highlights from the briefings I found particularly insightful during the two-day event.
Charged by an Elephant — An APT Fabricating Evidence to Throw You in Jail
This session, delivered by SentinelOne threat researchers Juan Andres Guerrero-Saade (Jags) and Tom Hegel, explored a specific Advanced Persistent Threat (APT) that fabricates and plants evidence on targeted systems.
The researchers presented several cases where malware was utilized to plant false evidence on personal computers, leading to wrongful arrests. One notable case involved a Turkish journalist arrested in 2011 for terrorism, who spent 19 months in prison before digital forensics revealed that the evidence had been fabricated.
Another discussed incident involved numerous Indian activists, where documents purporting to be an assassination plot against then-Prime Minister Narendra Modi were planted, resulting in accusations of conspiracy against the government.
Jags and Hegel further detailed their investigation into the forensic reports, examining the Command & Control (C2) infrastructure and various malware samples, which pointed to an APT that SentinelOne tracks as ModifiedElephant, operational since at least 2012.
They outlined the attack lifecycle:
- Initial access gained through phishing emails
- Installation of a Remote Access Trojan (RAT) for ongoing access
- Strategic document placement over time
While phishing remains a favored method for credential acquisition, recent years have seen an increase in exploiting cloud accounts and hijacking sessions.
The researchers also noted law enforcement's involvement in these cases, revealing that police played a role in the evidence manipulation.
They concluded with thought-provoking questions for the audience:
- How can we address integrity issues with digital evidence and maintain the chain of custody of compromised devices?
- What are the legal standards for intercepting malware used by law enforcement?
- Who is responsible for overseeing the use of spyware by law enforcement compared to intelligence agencies?
Smishmash — Text-Based 2FA Spoofing Using OSINT, Phishing Techniques, and a Burner Phone
My favorite technical session was "Smishmash," presented by Thomas Olofsson and Mikael Byström, which provided compelling evidence that text-based multifactor authentication (MFA) is fundamentally flawed.
While many in cybersecurity are aware of SMS vulnerabilities, this session explored the reasons behind these weaknesses, the attack vectors, and potential defenses.
They shared striking statistics:
- Smishing (SMS phishing) incidents surged sevenfold in the first half of 2022 compared to the previous year.
- Fewer than 35% of individuals recognize when they are being targeted by smishing.
- Text messages are viewed with greater trust than emails, leading to higher attack success rates.
- One in five email addresses can be associated with a valid phone number.
The presenters explained that numerous data breaches have made phone numbers readily available on the dark web, facilitating easier bypass of text-based 2FA.
Although attackers still need valid credentials to reach the MFA step, this can be achieved through common methods, such as:
1. Account recovery or password reset to change the MFA phone number
2. SMS injection during MFA-enabled login
3. Smishing and Adversary-in-the-Middle (AiTM) attacks against authentic sites
Their demonstration focused on the AiTM method, where attackers leverage OSINT to gather information about the target user, including their phone number, and trick them into clicking a link that lands them on a reverse proxy the attacker controls, sitting between the victim and the genuine site.
To make the lure convincing, the message must appear legitimate, often imitating requests from trusted sources like PayPal or Amazon. When the user logs in through the adversary's proxy, every step is relayed to the real site: the password is forwarded, the real site texts the user a one-time code, and the code the user types into the phishing page is forwarded as well. The real site accepts it because an SMS code carries no information about which page the user typed it into, so the attacker ends up with the credentials, the second factor, and the resulting session without the user noticing.
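To make concrete why relaying works against an SMS code but not against a factor bound to the site's origin, here is an added example that models the exchange in Python. It is not code from the Smishmash talk or from the author of this post: the domains bank.example and bank-login.example, the user alice, her password and phone number, and the HMAC "assertion" that stands in for a WebAuthn signature are all constructed for the illustration.

```python
import hashlib
import hmac
import secrets

# Constructed origins: the genuine service and the attacker's look-alike domain.
REAL_ORIGIN = "https://bank.example"
PHISH_ORIGIN = "https://bank-login.example"


def sign_assertion(key, challenge, origin):
    """Stand-in for a WebAuthn assertion (constructed, not the real protocol): the
    device signs the challenge together with the origin the browser is actually on,
    so a relayed assertion carries the attacker's origin, not the real site's."""
    return hmac.new(key, f"{challenge}|{origin}".encode(), hashlib.sha256).hexdigest()


class RealSite:
    """The genuine service: password first, then either an SMS OTP or an
    origin-bound assertion as the second factor."""

    def __init__(self):
        # Constructed user record; 'key' stands in for a registered authenticator.
        self.users = {"alice": {"password": "correct horse", "phone": "+15550100", "key": b"alice-cred"}}
        self.pending_otp = {}   # user -> code we texted and are waiting for
        self.pending_chal = {}  # user -> challenge issued for an assertion
        self.sms_outbox = []    # (phone, text) that the carrier would deliver
        self.sessions = set()

    def login_password(self, user, password):
        u = self.users.get(user)
        if u is None or not hmac.compare_digest(u["password"], password):
            return False
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending_otp[user] = code
        self.sms_outbox.append((u["phone"], f"Your login code is {code}"))
        return True

    def login_otp(self, user, code):
        # The code says nothing about *where* the user typed it in, so a relayed one verifies.
        expected = self.pending_otp.pop(user, None)
        if expected is None or not hmac.compare_digest(expected, code):
            return None
        token = secrets.token_hex(16)
        self.sessions.add(token)
        return token

    def begin_assertion(self, user):
        self.pending_chal[user] = secrets.token_hex(16)
        return self.pending_chal[user]

    def finish_assertion(self, user, claimed_origin, signature):
        chal = self.pending_chal.pop(user, None)
        if chal is None or claimed_origin != REAL_ORIGIN:
            return None  # produced for another origin: reject outright
        expected = sign_assertion(self.users[user]["key"], chal, claimed_origin)
        if not hmac.compare_digest(expected, signature):
            return None  # origin was altered in transit: signature no longer matches
        token = secrets.token_hex(16)
        self.sessions.add(token)
        return token


class Victim:
    """Alice does exactly what the page in front of her asks, wherever it is hosted."""

    def __init__(self, site):
        self.site = site
        self.password = "correct horse"
        self.key = site.users["alice"]["key"]

    def latest_sms_code(self):
        _, text = self.site.sms_outbox[-1]  # her phone gets the real site's text either way
        return text.split()[-1]

    def sign_on_page(self, challenge, origin_in_address_bar):
        return sign_assertion(self.key, challenge, origin_in_address_bar)


class AitmProxy:
    """Attacker's reverse proxy at PHISH_ORIGIN: relays each step to the real site."""

    def __init__(self, real):
        self.real = real

    def sms_otp_flow(self, victim):
        # 1. Victim submits her password on the phishing page; the proxy replays it upstream.
        if not self.real.login_password("alice", victim.password):
            return None
        # 2. The real site texts her a code; she types it into the phishing page.
        code = victim.latest_sms_code()
        # 3. The proxy replays the code and receives a valid session for her account.
        return self.real.login_otp("alice", code)

    def origin_bound_flow(self, victim):
        challenge = self.real.begin_assertion("alice")      # relayed unchanged
        sig = victim.sign_on_page(challenge, PHISH_ORIGIN)   # signed for the page she is on
        # Forwarding the true origin fails the origin check; claiming the real one breaks the signature.
        return self.real.finish_assertion("alice", REAL_ORIGIN, sig)


def sms_otp_is_phishable():
    real = RealSite()
    token = AitmProxy(real).sms_otp_flow(Victim(real))
    return token is not None and token in real.sessions


def origin_bound_is_phishable():
    real = RealSite()
    return AitmProxy(real).origin_bound_flow(Victim(real)) is not None


def origin_bound_direct_login_works():
    real = RealSite()
    victim = Victim(real)
    challenge = real.begin_assertion("alice")
    return real.finish_assertion("alice", REAL_ORIGIN, victim.sign_on_page(challenge, REAL_ORIGIN)) is not None


if __name__ == "__main__":
    print("SMS OTP relayed through AiTM proxy:", "attacker gets a session" if sms_otp_is_phishable() else "blocked")
    print("Origin-bound factor relayed:", "attacker gets a session" if origin_bound_is_phishable() else "blocked")
    print("Origin-bound factor used directly:", "login ok" if origin_bound_direct_login_works() else "broken")
```

The point of the model is the single line in login_otp: the code is compared only against what was texted, so the site cannot tell whether Alice typed it on bank.example or on the attacker's page. The origin-bound variant fails either way the proxy plays it, because the thing being verified includes the origin the browser saw. Hardening measures that make the proxy harder to build raise the attacker's cost, but only a factor that is bound to the origin removes the relay itself.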
To mitigate these risks, the presenters advised against text-based MFA whenever possible. If it's unavoidable, they suggested enhancing security with:
- Recaptcha
- Cloudfront cookies
- Appropriate CORS headers and settings
“No Mr. Cyber Threat!” — A Psychological Approach to Managing the Fail-to-Challenge Vulnerability
This briefing, presented by Simon Pavitt and Stephen Dewsnip, piqued my interest due to my fascination with psychology. Their session delved into human behavior regarding security practices, especially why individuals often click on unsolicited links or open unexpected documents.
The presenters shared insights from their experiment with gamifying security training in various organizations to tackle the "fail-to-challenge" vulnerability, where individuals fail to question suspicious requests.
For instance, when approached by an unfamiliar employee asking to use their computer for printing, many feel uncomfortable pushing back, even when the request seems suspicious.
They likened their approach to Pokémon GO, a game that motivated players to explore their surroundings. By gamifying security training, they aimed to create an engaging environment where employees could learn to identify threats.
Their experiment involved posing as an employee needing to plug in a USB device to print a file while displaying multiple red flags. Feedback was provided to participants, emphasizing that they would not be punished for failing to challenge the request.
Results indicated that 77% of participants found the gamified training engaging. The presenters contrasted this with traditional security awareness training, which many employees treat as a compliance task to get through rather than as a way to change their own security behavior.
The researchers encouraged others to explore gamification as a way to enhance employee engagement in security training, noting the persistent issue of employees clicking on suspicious links despite repeated training.
Trying to Be Everything to Everyone — Let’s Talk About Burnout
Burnout is a prevalent issue within the cybersecurity sector, and Stacy Rioux, a clinical and organizational psychologist, offered a unique perspective on preventing it.
Rioux acknowledged that conventional advice—working less, eating well, exercising, and relaxing—may not be sufficient in our field. Citing research, she noted that 77-80% of security professionals face burnout due to high mental workloads, the emotional toll of anticipating cyberattacks, staffing shortages, and difficulties in finding their place in the workplace.
Given these factors, it’s clear that traditional solutions may not be effective. Rioux proposed a psychological approach to managing burnout, emphasizing self-awareness regarding personal triggers and responses.
She highlighted the importance of self-efficacy in mitigating negative emotions that contribute to burnout.
What we cannot control includes:
- Toxic work environments
- Lack of support
- Poor leadership
- Unsupportive HR practices
- Colleagues
- Challenges inherent in the security field
Conversely, we can control:
- Our behavior patterns
- Responses to triggers
- The impact of fears and insecurities
- Self-worth definitions
- Relationships with the workplace and colleagues
- Boundaries and their communication
By focusing on understanding our responses and triggers, Rioux argued that we can better manage stress and negative emotions that lead to burnout.
The Burnout Taxonomy illustrates the progression from emotional exhaustion to self-efficacy, highlighting the importance of recognizing what is beyond our control and setting boundaries.
Thank you for reading! I hope you found these insights as enlightening as I did. To discover more of my work, consider becoming a Medium member through the link below!
Join Medium with my referral link - Katlyn Gallo: katlyngallo.medium.com