Day one at a new gig may come with a new computer and a coffee mug, but hackers have their eye on a different kind of welcome swag: system access.
In May, the cybersecurity firm Dragos revealed a cunning act of new-hire impersonation: Threat actors compromised an employee’s personal email and then began the company’s onboarding process.
The spear-phishing tactic exemplified the growing ingenuity of account-takeover maneuvers: human-targeted efforts that require orgs to take inventory of their defensive technologies and improve the training of HR professionals. Human resources staff, like today’s cybersecurity professionals, are up against attackers who are every bit as innovative as the defenders.
“We have relentless and very creative adversaries,” said Luke Tenery, partner at the global advisory firm StoneTurn.
Dragos did not respond to requests for an interview but shared plenty of details in a May post:
- A “known cybercriminal group” impersonated a sales hire and accessed SharePoint and the Dragos contract management system.
- Role-based access control denied the group access to financial systems, the IT help desk, employee recognition, and sales areas.
- Once blocked, the group pivoted to taunting and extortion. “The cybercriminal continued to escalate their messages, Dragos did not engage,” read the report.
Hackers have often turned the never-seen-in-person employee to their malicious advantage.
- May 2022: Hackers hid “more_eggs” malware in attached résumés.
- June 2022: Check Point Research (CPR) exposed an Iranian spear-phishing operation that used impersonated email accounts to target high-profile Israeli and US executives.
- October 2022: KrebsOnSecurity found a flood of bogus CISO profiles on LinkedIn.
An attack hitting the onboarding process itself, however, is an effective tactic, according to Steve Winterfeld, advisory CISO at cybersec company Akamai Technologies.
“There’s opportunities based on events: a merger and acquisition, somebody being hired; those are changes. And as things are changing, you have an opportunity to kind of slip in,” said Winterfeld.
System activity logs enabled rapid triage and containment of the security event, said the Dragos report, which also recommended least-privilege access to systems, scrutiny of emails for phishing characteristics, multi-factor authentication, and blocking of known bad IP addresses.
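The role-based denials above and the log-driven triage that followed are worth seeing in code. The following is an added example written for this page, not code from Dragos or from IT Brew: a deny-by-default role map modelled on the systems named in the post, a blocklist check, and a per-account triage pass over constructed access-log lines. The role names, log format, IP addresses (RFC 5737 documentation ranges), and the two-denial threshold are all assumptions.

```python
# Added example, not code from Dragos or IT Brew: a minimal role-based
# access gate plus log triage of the kind the post describes. The role
# map, log format, addresses and threshold are constructed assumptions.
from collections import defaultdict
from datetime import datetime

# Hypothetical role-to-system map modelled on the systems named in the post.
ROLE_PERMISSIONS = {
    "sales_new_hire": {"sharepoint", "contract_mgmt"},
    "finance": {"finance", "sharepoint"},
    "it_helpdesk": {"helpdesk", "sharepoint"},
}

# Constructed "known bad" list; 203.0.113.0/24 is a documentation range.
BLOCKED_IPS = {"203.0.113.7"}


def is_allowed(role: str, system: str) -> bool:
    """Deny by default: a role reaches only the systems explicitly listed for it."""
    return system in ROLE_PERMISSIONS.get(role, set())


def decide(event: dict) -> tuple[str, str]:
    """Return (decision, reason); the blocklist is checked before the role grant."""
    if event["ip"] in BLOCKED_IPS:
        return "deny", "blocked_ip"
    if not is_allowed(event["role"], event["system"]):
        return "deny", "rbac"
    return "allow", "role_grant"


# Constructed access log (not real Dragos telemetry):
# timestamp user role system source_ip
SAMPLE_LOG = """\
2023-04-10T09:01:12Z newhire01 sales_new_hire sharepoint 198.51.100.4
2023-04-10T09:03:40Z newhire01 sales_new_hire contract_mgmt 198.51.100.4
2023-04-10T09:05:02Z newhire01 sales_new_hire finance 198.51.100.4
2023-04-10T09:05:30Z newhire01 sales_new_hire helpdesk 203.0.113.7
2023-04-10T09:06:11Z newhire01 sales_new_hire recognition 203.0.113.7
2023-04-10T09:10:00Z analyst02 finance finance 192.0.2.9
"""


def parse_log(text: str) -> list[dict]:
    """Parse the whitespace-separated constructed log format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, system, ip = line.split()
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "role": role, "system": system, "ip": ip,
        })
    return events


def evaluate(events: list[dict]) -> list[dict]:
    """Attach the access decision and reason to every event."""
    return [{**ev, "decision": d, "reason": r} for ev in events for d, r in [decide(ev)]]


def triage(decided: list[dict], deny_threshold: int = 2) -> dict:
    """Per-user summary: denial count, systems probed, blocklist hits, and a review flag."""
    summary = defaultdict(lambda: {"denied": 0, "systems": set(), "blocked_ip_hits": 0})
    for ev in decided:
        s = summary[ev["user"]]
        if ev["decision"] == "deny":
            s["denied"] += 1
            s["systems"].add(ev["system"])
        if ev["reason"] == "blocked_ip":
            s["blocked_ip_hits"] += 1
    return {
        user: {
            "denied": s["denied"],
            "denied_systems": sorted(s["systems"]),
            "blocked_ip_hits": s["blocked_ip_hits"],
            # A cluster of denials across unrelated systems, or any blocklist
            # hit, is the signal that justifies pulling the account for review.
            "flag": s["denied"] >= deny_threshold or s["blocked_ip_hits"] > 0,
        }
        for user, s in summary.items()
    }


def run_sample() -> dict:
    """Evaluate and triage the constructed log."""
    return triage(evaluate(parse_log(SAMPLE_LOG)))


if __name__ == "__main__":
    for user, report in run_sample().items():
        print(user, report)
```

The point of the triage step is that a legitimate new sales hire reaching SharePoint and the contract system produces no denials at all, while an impostor walking the same account into finance, the help desk, and employee recognition leaves a burst of denials that stands out in the logs within minutes; the blocklist match on a known bad source address is a second, independent signal on the same account.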
“There’s always MFA, there’s access controls, there’s SIM [security information management] systems, there’s monitoring security systems, but a lot of that the HR employees themselves don’t have insight into,” Winterfeld told IT Brew.
Jennifer Urban, partner at the law firm Foley & Lardner, recommends phishing training tailored to an employee’s particular responsibilities. An HR pro, for example, needs to know the email threats lurking within their specific hiring processes.
“It’s one thing to read a general phishing training email that your organization puts out, or to go through annual training, but it really needs to be particularized to their job duties, whether that’s onboarding employees, or whether that’s getting calls from existing employees over the phone to have access to data,” Urban told IT Brew.
The main idea behind the training: Understand context and pick up on the nuances of suspicious behavior.
“Why would they ask me to click on something? Or why would I have to submit something to them?” said Urban.
That kind of wary skepticism is an essential part of awareness training: security lessons that are important to learn as early as day one.