Understanding Email Attacks
For example, can you answer this question?
Q. The CEO of a company recently received an email. The email indicates that her company is being sued and names her specifically as a defendant in the lawsuit. It includes an attachment and the email describes the attachment as a subpoena. Which of the following BEST describes the social engineering principle used by the sender in this scenario?
More, do you know why the correct answer is correct and the incorrect answers are incorrect? The answer and explanation are available at the end of this post.
Attackers have been increasingly using email to launch attacks. One of the reasons is because they’ve been so successful. Many people don’t understand how dangerous a simple email can be for the entire organization. Without understanding the danger, they often click a link within a malicious email, which gives attackers access to an entire network. Email attacks include spam, phishing, spear phishing, and whaling.
One Click Lets Them In
It’s worth stressing that it only takes one click by an uneducated user to give an attacker almost unlimited access to an organization’s network. Consider the figure. It outlines the process APTs have used to launch attacks.
Steps in an attack
Note that the attacker (located in the attacker space) can be located anywhere in the world, and only needs access to the Internet. The neutral space might be servers owned and operated by the attackers. They might be in the same country as the attackers, or they might be in another country. In some cases, the attackers use servers owned by others, but controlled by the attackers, such as servers in a botnet. The victim space is the internal network of the target. Refer to the figure as you read the following steps in an attack:
1. The attacker uses open-source intelligence to identify a target. Some typical sources are social media sites and news outlets. Other times, attackers use social engineering tactics via phone calls and emails to get information on the organization or individuals employed by the organization.
2. Next, the attacker crafts a spear phishing email with a malicious link. The email might include links to malware hosted on another site and encourage the user to click the link. In some cases, this link can activate a drive-by download that installs itself on the user’s computer without the user’s knowledge. Cozy Bear (APT 29) used this technique and at least one targeted individual clicked the link. Similarly, criminals commonly use this technique to download ransomware onto a user’s computer. In other cases, the email might indicate that the user’s password has expired and the user needs to change the password or all access will be suspended. Fancy Bear (APT 28) used a similar technique.
3. The attacker sends the spear phishing email to the recipient from a server in the neutral space. This email includes a malicious link and uses words designed to trick the user into clicking it.
4. If the user clicks on the link, it takes the user to a web site that looks legitimate. This web site might attempt a drive-by download, or it might mimic a legitimate web site and encourage the user to enter a username and password.
5. If the malicious link tricked the user into entering credentials, the web site sends the information back to the attacker. If the malicious link installed malware on the user’s system, such as a RAT, the attacker uses it to collect information on the user’s computer (including the user’s credentials, once discovered) and sends it back to the attacker.
6. The attacker uses the credentials to access targeted systems. In many cases, the attacker uses the infected computer to scan the network for vulnerabilities.
7. The attacker installs malware on the targeted systems.
8. This malware examines all the available data on these systems, such as emails and files on computers and servers.
9. The malware gathers all data of interest and typically divides it into encrypted chunks.
10. These encrypted chunks are exfiltrated out of the network and back to the attacker.
Privilege escalation occurs when a user or process accesses elevated rights and permissions. Combined, rights and permissions are privileges. When attackers first compromise a system, they often have minimal privileges. However, privilege escalation tactics allow them to get more and more privileges. The recipient shown in Figure 6.1 might have minimal privileges, but malware will use various privilege escalation techniques to gain more and more privileges on the user’s computer and within the user’s network.
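Steps 2 through 4 above describe two things a defender can look for before a user ever clicks: link text that claims to go one place while the href points somewhere else, and pressure wording such as an expired password or suspended access. The following is an added triage example (not code from the original post or any product) that flags both in an HTML email body; the sample message, the phrase list, and the sender domain are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Pressure wording the post describes in the lures (constructed list).
PRESSURE_PHRASES = (
    "password has expired", "access will be suspended",
    "being sued", "subpoena", "lawsuit",
)

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _host(value):
    """Lowercased host of a URL or bare domain; '' if value has no host."""
    return (urlparse(value if "://" in value else "http://" + value).hostname or "").lower()

def phishing_indicators(html_body, sender_domain):
    """Return human-readable indicator strings for one email body (defensive triage)."""
    findings = []
    parser = _LinkCollector()
    parser.feed(html_body)
    for href, text in parser.links:
        href_host, text_host = _host(href), _host(text)
        looks_like_domain = re.fullmatch(r"[a-z0-9.-]+\.[a-z]{2,}", text_host) is not None
        if looks_like_domain and text_host != href_host:
            findings.append(f"link text {text!r} points at {href_host}")
        elif href_host and href_host != sender_domain and not href_host.endswith("." + sender_domain):
            findings.append(f"link to external host {href_host}")
    lowered = html_body.lower()
    findings += [f"pressure phrase: {p!r}" for p in PRESSURE_PHRASES if p in lowered]
    return findings

# Constructed sample resembling the "password expired" lure described above.
SAMPLE = ('<p>Your password has expired. Update it now or all access will be suspended.</p>'
          '<a href="http://portal-example.attacker.test/reset">https://portal.example.com/reset</a>')
```

Running `phishing_indicators(SAMPLE, "example.com")` reports the mismatched link target and both pressure phrases; a clean internal link with matching text and no such wording returns an empty list.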
If users are logged on with administrative privileges, it makes it much easier for the malware to gain control of the user’s system and within the network. This is one of the reasons organizations require administrators to have two accounts. Administrators use one account for regular use and one for administrative use. The only time they would log on with the administrator account is when they are performing administrative work. This reduces the time the administrative account is in use, and makes it more difficult for the malware to use privilege escalation techniques.
Do you know what many experts are referring to as the biggest cybersecurity threat?
This isn’t insiders intentionally stealing data.
Instead, it’s insiders making the same mistakes over and over such as clicking on links that install malware on their systems, or providing their passwords via fake pages that prompt them to change their password.
Q. The CEO of a company recently received an email. The email indicates that her company is being sued and names her specifically as a defendant in the lawsuit. It includes an attachment and the email describes the attachment as a subpoena. Which of the following BEST describes the social engineering principle used by the sender in this scenario?
Answer is D. The sender is using the social engineering principle of authority in this scenario. A chief executive officer (CEO) would respect legal authorities and might be more inclined to open an attachment from such an authority.
While the scenario describes whaling, a specific type of phishing attack, whaling and phishing are attacks, not social engineering principles.
The social engineering principle of consensus attempts to show that other people like a product, but this is unrelated to this scenario.
If you’re studying for the SY0-501 version of the exam, check out the CompTIA Security+ Get Certified Get Ahead: SY0-501 Study Guide.