Defense in Depth: When Social Engineering Bypasses Our Cyber Tools

Your tools can only handle so much defense when it comes to social engineering attacks. What types of social engineering can’t a rule set catch?

Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Our sponsored guest is Josh Yavor (@schwascore), CISO, Tessian.

Got feedback? Join the conversation on LinkedIn.

Thanks to our sponsor, Tessian

95% of breaches are caused by human error.
But you can prevent them. Learn how Tessian can stop “OH SH*T!” moments before they happen, why Tessian has been recognized by analysts like Gartner and Forrester, and which world-renowned companies trust the platform to protect their data.

Full transcript

David Spark

Your tools can only handle so much defense when it comes to social engineering attacks. What types of social engineering attacks can’t a rule set catch?

Voiceover

You’re listening to Defense in Depth.

David Spark

Welcome to Defense in Depth. My name is David Spark, I’m the producer of the CISO Series and joining me for this very episode is Geoff Belknap, who is the CISO of LinkedIn. Geoff, thank you so much for joining again.

Geoff Belknap

Thanks for having me and welcome to another amazing edition of Defense in Depth.

David Spark

That is the sound of Geoff’s voice. You’ll hear a lot more of it throughout the show. So when you hear that voice, don’t think it’s me. Know that it’s Geoff. Our sponsor for today’s episode is Tessian and in fact they brought the subject and our guest who I’ll introduce in just a moment. But first, Geoff, on LinkedIn, I asked this question that I posed in the opening of the show, what types of social engineering can’t a rule set catch? Now we know there’s no perfect rule set to catch attacks. Mostly because attackers get creative and humans act like humans, which is often very unpredictable. So, what do you do for the attacks your rule sets can’t catch?

Geoff Belknap

Give up and go home. I think that’s the answer. Oh, I’m being told that’s not the answer.

David Spark

No, that is not the answer.

Geoff Belknap

This is a common problem where we bleed over from the area where technology can be our friend to where we really have to rely on humans’ instincts and intuition because that’s what’s being preyed on. Which means we have to figure out, how do we figure out when someone’s lying? And how do we do that with technology? So, it should be a really interesting show today while we talk to an amazing guest who has some insight here.

David Spark

Here’s one of the issues I want to keep addressing throughout the show, is that most companies have some level of customer service where they’re receiving information and trying to do good for their customers. And figuring out what that procedure is to know or to be able to verify the trust, but verify attitude, so they can continue on down that road to provide service, yet at the same time protect their company.

Geoff Belknap

I think more companies have more of this than most people realize because you’ve got customer service, you’ve got sales, you’ve got recruiting. And you’ve got everybody whose job it is to just take stuff from the outside and assume best interest. Well that makes this really challenging.

David Spark

Exactly. So let us bring in our sponsored guest who has written about this, spoken about this at great length, and has a lot of great insight. Very excited to have him. I know you know him from the Slack world, yes? Am I correct?

Geoff Belknap

I know him because the CISO world is the world’s smallest eco-system and every CISO knows every other CISO. So every one of us is basically Kevin Bacon.

David Spark

Exactly. Good way to put it.

Geoff Belknap

So welcome our guest, Kevin Bacon.

David Spark

No it is not Kevin Bacon. Which, by the way, Kevin would be horrible on this discussion, let me point that out. He would be absolutely the worst. But this is the Kevin Bacon of all CISOs – Josh Yavor, the CISO of Tessian. Josh, thank you so much for joining us.

Josh Yavor

Thanks David. I don’t think I’m ever going to have an introduction that rises to that occasion again.

Geoff Belknap

Well now you’ve got it recorded.

David Spark

And you can prove it to everybody.

Geoff Belknap

That’s right.

Can it be solved?

00:03:26:23

David Spark

Yoav Nathanial of Goldman Sachs said, “You’ll need a lot of rule sets that are constantly updating if you plan to catch all types of phishing with a static rule set.” And Roger Sales at Blackberry said, “I’m not convinced a rule set is the right solution. You shouldn’t try to detect the phishing attempt but the phishing attempt outcome.” He then listed a number of mitigations, many that most security programs have. So Geoff, I think we’re kind of in agreement that you kind of do need a rule set somewhere. But we know that it’s not going to catch everything and then you need, in the world of Defense in Depth, other mitigations, yes?

Geoff Belknap

Absolutely. Rules have their value. There is some amount of phishing and other social engineering attacks that you can effectively detect with rules. And for those kinds of things it’s a numbers game. The people that send those are going to send a million of them and hope five or ten of them land. Like that’s a fine sales follow-up for them. But for more complicated things, and I think more to the point, what Roger is talking about here, we really shouldn’t be attempting to detect the attempt, we should be attempting to detect the outcome. Because that’s what really matters. And every phishing attack is not really a phishing attack for credentials. And that’s why, I think, we’re using the broader term here of social engineering attack. Sometimes people are looking for money, sometimes they’re looking for information. Sometimes they’re looking for your credentials. Some of those things really lend themselves well to rules and a lot of them don’t.

David Spark

It’s interesting, I was talking to a friend whose child was walking down the street by himself and some person came by and said, “Do you know where your parents are?” Which you realize is a question a concerned adult would ask and also the question that a predator would ask. So what my friend said to his son is, “You can be polite and you should be polite but you’re not required to give information out.” Which I thought was good advice. Josh, let me throw this to you, rule sets do have their place and we should be polite but not necessarily giving people all the information they want.

Josh Yavor

Yes, absolutely. And I think that Geoff is right when he mentioned that we need to have rules. But the way we apply and use rules needs to be focused and scalable especially in our ever-changing and growing world around how people collaborate and the systems that they interact with. And focusing on the outcomes is absolutely something that we need to index on. We can learn a lot from Defense in Depth and the endpoint security world. We’ve made tremendous leaps in evolution in technology and with approaches to that problem space. But I’d also add in, it’s the things that you can detect from rules. It’s outcomes as well. But it’s also intent. If we’re able to actually better assess what the intent of that person on the street asking about where the parents are, or the intent of this request coming in through email in this case, I think that’s actually a sweet spot that is not completely explored yet in the industry space or even in academia.

David Spark

So let me ask a follow up on that. What are then the tell-tale signs or ways to understand intent?

Josh Yavor

So I think a lot of us experience this perhaps in annual security awareness training oddly enough. It’s the one perhaps most common slide that I see out there, which is the tell-tale ways to tell when you’re being phished. And there are some pieces of advice in there that all of us have seen before including things like being aware, at a human level, when we’re reading it, of the authority-based calls to action that are unusual. My CFO never talks to me, why would my CFO all of a sudden email me out of the blue requesting me to make a rapid high dollar amount money transfer? So the abuse of authority and also a false sense of urgency being applied, is what we tell humans to look for. And I think the question then becomes, how do we make that something where it’s not only the humans that are doing that and that technology can help humans be better at that? Because, let me be honest, a child can be tricked, we can be tricked and socially engineered by a motivated and capable attacker. So how can we apply technology to help the humans be better at being more resilient by reducing the overall volume of these types of emails that they see? And providing in-the-moment coaching and guidance to a system.

How do we handle this?

00:07:55:12

David Spark

Yoav Nathanial again of Goldman Sachs said, “If organizations were very strict about how to use email versus how to not use email, then they wouldn’t be experiencing much phishing. However you never see them.” And Drew Dressler of VMware went so far as to say, “We can start by eliminating email systems as the standard B-to-B tool set for communications.” So, I don’t know if that’s going to solve the problem, getting rid of email, but we do believe that there is a very inherent, insecure nature of email, yes Geoff?

Geoff Belknap

Yes, we’ve talked about this in other shows. I’ll tell you my experience at Slack was really transformative to how I would have approached Drew and Yoav’s messaging here. When you’re at a high growth organization, whether they’re a start-up or just an established organization, they’re growing very fast with a lot of money involved, there’s a lot of attempts to extract money from that organization. Either through various methods, legal or otherwise. One of the really common things that happens for start-ups is they do what’s called whaling. But they’ll say, “Hey, I’m the CFO, I’m the CEO, I need you to wire me a million dollars.” Or, “I’m one of your investors and I need you to wire me a million dollars to this bank account.” Whatever it is. One of the things we found which was an amazing way to defend this is, when I was at Slack we used Slack to communicate. That just by virtue of the finance team getting an email about it, they’re like, “What is this? Why is the CFO emailing me? That’s weird.” And we found out that there are a lot of organizations where that was actually an upside for them that they didn’t realize was there, moving all of their most important communications off of email onto another platform. Whether it be Slack or Teams or something like it, was actually really impactful for avoiding those kind of attacks. And what I’ve learned over the years is that is actually really important. And the way that I use email now, spoiler alert for anyone who tries to send me a sales pitch or phish email, is every external email that I get goes to a separate inbox. Goes to a separate bucket that I look at maybe a couple of times a day, I skim it or something like that.

David Spark

Are you referring to my emails, you look at a couple of times a day?

Geoff Belknap

No, yours have a rule, those get looked at immediately, David, don’t worry.

David Spark

Do they? That’s the way it should be.

Geoff Belknap

That’s why I’m so fast to respond to those. But the point is, I’m not looking at the external emails right away because I know those are lower value. And that would be weird if suddenly one of my CFO emails came in the external bucket, that’s helpful. So I do think just, I’ll say, anecdotally, from my own experience, I think there’s something really important here. But at the end of the day, that’s me. That works for me. I’m a paranoid person in the security industry.

David Spark

But that’s a really interesting thing to say. Let me throw this to you, Josh, and let me know if you’ve seen this happen before, but to make a corporate wide decision of all financial transaction information must be on our internal communications platform or Slack, while it’s not going to eliminate anything a hundred percent, but that can put a real, big dent in that problem, yes?

Josh Yavor

Absolutely. I think we need more creative approaches to how we engage with the broader world. The fundamental thing about email is that it is one of our last open and connected systems that isn’t part of a walled garden. I love Slack, I love all the evolution that we’ve seen in technologies and platforms like it. Not just Slack, you can look at Webex, you look at Microsoft Teams and all the other chat platforms out there, the benefits that we’re talking about here in terms of confidence that we know who we’re talking to, and that this is an approved and trustworthy channel, also cut the other direction. It also becomes a barrier to doing business and interacting. So the most successful solutions I’ve seen put in place by organizations are ones where email is the front door. And you still have to have locks on the front door. You still have to have a fence around the office building, so to speak. But there’s a question of, what happens once you get in the front door. If it’s a bank you don’t go right in the vault, right? You go into a lobby and there’s bullet-proof glass and tellers and all of that. So what is our equivalent to that? And the best implementations that I’ve seen, it’s that email is the front door. It’s a routing function. You get put into a process using building platforms and tools where ultimately, maybe it’s a conversation between a CFO and the director of finance in Slack to validate that this is an intended action. And it’s part of our process, this is like our multi-factor, multi-step approval process to build confidence in that transaction.

Geoff Belknap

Yes, because at the end of the day those methodologies might work for me or most of my communications get me inside the company, but if you’re in sales or recruiting or marketing, you need a solution. You need a defensive perimeter with depth to solve the problem for you.

Why is this so darn hard?

00:12:40:21

David Spark

Jonathan Waldrop of Insight Global said, “Can’t always catch the nuanced phish that doesn’t contain links or attachments but are used to initiate a conversation and ask for help. This is especially true for service providers with consumer facing support/service centers.” Like what I mentioned at the beginning of the show. He goes on to say, “This is where you have to rely on solid and well defined business processes.” And I want to give you an example of that right here. Now Ted [UNSURE OF NAME], he told the story and I’m just paraphrasing it here but, of him issuing a warning that the CEO was about to get spear-phished after they announced their series B funding. And lo and behold it did actually happen and as a result they implemented a two-person financial transfer rule at the bank. So I think right here, I’m going to throw this to you first, Josh, the whole need to have very solid business processes in place can also deal with when rules fail, when everything else fails as well. What have you seen work here?

Josh Yavor

I’ve seen, really, an eyes wide open approach. I think that we need to start from the position as always with security, we talk a lot about Defense in Depth. I have yet to find an equivalent for enablement in completion of that phrase. But enablement is what we need to start with and what I mean here in this case is understanding what the current process is. Knowing that it’s really difficult to change human behavior. So understanding how your finance team, your recruiting, your HR team, inter-operate with each other and interact with the external world. What is the best type of funnel? What are the ways in which you need to go between different systems? We can lean in there but ultimately that’s what makes it so hard is the complexity across all of the disparate communication and transactional flows. Years ago we could say, with confidence, oh yes, it’s just email. And then maybe we go into an early cloud B-to-B platform. Today what information touches and is processed through, whether it’s a recruiting application, whether it’s a financial transaction, the number of systems that handle that data and support decision making and engagement there, it’s astronomical in some organizations, especially when we’re looking at things like marketing. And so that’s what makes it hard. How do we keep up with behavioral changes of the business as well as individual humans? And this is where rules fall flat and we really have to start looking at behavioral approaches to understanding what is normal, what’s different. And taking an approach that enables decision making at a human and technology level based off of those observations.

David Spark

Is there any way you’re doing this yourself, Geoff? Understanding human behavior?

Geoff Belknap

I think there’s no way most people are doing this themselves. I think most people already have a world of problems trying to understand what humans are doing at any given moment.

David Spark

I have a hard time understanding what I’m doing.

Geoff Belknap

Same. And I think Josh really gets to the heart of the complexity here. Most of us have a business or an organization to run and that is too complex to be sorted out by a set of rules. We have a hard thing to do. And the attackers, like we talked about earlier, they’re not just after credentials anymore. They’re after a whole host of things that they can monetize or use against you later in a further attack. You’re just not going to be able to keep up with that with rules. You have to really elevate your thinking from just strictly I’m trying to prevent credential compromise or business email compromise. I’m trying to prevent an attack on my business, the way that I conduct myself during the day. And you’re going to need more horsepower for that. And whether you’re buying from a vendor or you’re building some internal system, (let’s be honest, don’t build some internal system unless that’s key to your business or you’re a company that competes with Josh’s or something like that,) you’re going to need to buy something. Because you need to focus on running your organization not building a solution that covers all bases.

David Spark

I think we’re all in agreement here that you need Defense in Depth but from so many different angles. From rule sets, from understanding human behaviors, from having business processes. I mean what am I missing here? No one of these things would work alone but yes, you need it more, Josh?

Josh Yavor

I can tell you what I think we’re missing as an industry. What we do have already is we have decades of attempts at understanding what works and doesn’t in rules. We know that. And we know where they fall over and usually it’s with scale and complexity. We know that we have emerging AI/ML based technologies that will do the behavior analysis. The missing component is how do we connect these two in the human context? How do we actually use, not only artificial intelligence, but actual intelligence by using human engagement to help enhance what we’re doing with technology in the moment that they need help?

What aspects haven’t been considered?

00:17:34:09

David Spark

Rick McElroy of VMware said, “A rule set also cannot catch me convincing an employee to hold the door while I slide into the building with them.” Rick also mentioned the move to BCC, that’s Business Communications Compromise not blind carbon copy, which is unlike BEC, Business Email Compromise. And what he’s saying is with BCC, this is communications compromise, is that it happens on any communication platform so it could happen on Slack, it could happen on Microsoft Teams, wherever. How much of this are you seeing, Josh, and I know that at Tessian you have a solution specifically targeted towards email but this is just one key vector to the way we’re communicating and that’s why you have a more open view to social engineering in general, right?

Josh Yavor

That’s right. Email is where we see a lot of the demand for solutions and where we see a lot of vendors, like Tessian, prioritizing in the problem space. But it’s absolutely not the only place where we have to address social engineering risk. It just happens to be the place where two things are true. The most data exists for technology-based solutions to be applied, it is very data rich. We have a standard structure to email formats and so on, that’s very well understood. But as we look at the patterns of behavior there and how attackers change to reflect how people work and engage with each other, there is SMS based messaging that’s phishing, right? There’s social engineering via voice calls. Encrypted messaging is also a venue for attack. So I think what comes next from a technology perspective is what can we learn from supporting email and corporate chat where it’s a more accessible set of data, where we can observe behaviors, and learn from decades of interactions? And how do we apply, technologically, that learning to these other communication mediums and mechanisms, and how do we bring it all together ultimately? I think that’s where we’re heading in terms of both need and hopefully in terms of solutions. And I think that’s where we are going to continue to see a confluence of what I hope to be delightful and empowering user experiences, that really get away from this rule based experience of, hey I can’t actually send that SMS message because it contains a link and it’s blocked and I don’t know how to get help. Can you imagine that equivalent to what we’re currently experiencing in many organizations when we try to send an email? It’s a terrible experience, we have to do better as we expand to these modern communication solutions.

Geoff Belknap

Yes, I think you said it really well. It’s time to really grow up and realize that we have all these other avenues to communicate about business. And we’re really only spending all our time thinking about email as the way to attack. And although I may have said this earlier, Slack and Teams are great avenues to use as alternates to email, but that doesn’t mean they’re without their risks and certainly there are threat actors out there that are well aware that other people use other communications platforms.

David Spark

Can I actually ask you, Geoff, specifically with Slack, since you used to be the CISO over at Slack, just saying this purely from ignorance, how would an attacker get into Slack? How does this happen?

Geoff Belknap

It happens just like you get into anything else. If you haven’t turned on SSO or 2FA, people can phish your credentials and then you’re in that Slack.

David Spark

And they’re impersonating somebody else?

Geoff Belknap

Exactly, they’re impersonating somebody else, and Slack, like Teams, is considered a trusted environment, so by default, if Josh and I are on the same Slack or Teams instance and he messages me, I’m going to assume that’s Josh. It’s not email, it’s Teams, it’s my internal tool. So there are pros and cons. If you compromise Josh’s Teams account or his Slack account, it’s going to be very difficult for me to understand that that’s not Josh. Which is why we go back to, this is why we need depth of protective technology to make sure that we’re covering these other areas to give me some indication that something might be going on here with this interaction with Josh. There’s a lot of things now I can be trained to realize it’s weird that Josh is rushing me, it’s weird that he’s asking for information he wouldn’t otherwise ask for, but what I really should be leaning on is technology that helps me wake up that there might be something wrong here. Not technology that prevents everything bad from ever happening but something that helps me, the human, make better decisions. And I think that’s what we’re all looking for.

David Spark

Is this connected, Josh, and I’m just shooting here, but it sounds like, like on my phone I have a level of predicted text because I write in certain patterns over and over, that they are pretty good about seeing it, and if all of a sudden someone compromises my account and the text is not writing in the same pattern that I do, you would think it would be able to see this, yes?

Josh Yavor

Absolutely. And you’re giving an example of a hallmark area of measurement and analysis from a machine learning perspective that is highly applicable. And applied by many different vendors, Tessian as well. And I think that one thing I would add into the conversation here in terms of what hasn’t been considered, is that we’re talking about Slack and Webex and Microsoft Teams as the more secure solutions, but an interesting pattern is that they’re actually becoming, over time, more open and connected. So whether it’s the Slack Connect features, whether it’s the similar feature sets in Microsoft Teams or Webex, simple presence in some of these corporate Slack environments doesn’t always even mean today that that person is part of the same organization that has deployed that Slack tenant. And what that experience is like across all chat platforms is inconsistent and it changes between web and native client and mobile client experiences and that’s an area of emerging attacker behavior as well. I’m aware of organizations that are targeted because they are open and connected on these messaging platforms, allowing the outside world to come in and actually connect directly with employees in the context of their own corporate chat platform.

Geoff Belknap

Yes, it’s 1999 again when it comes to email versus chat platforms. The difference though is I think we’ve learned a lot about how this stuff works and we’re going to adapt much, much quicker.

Closing

00:23:41:19

David Spark

That brings us to the end of the show. This was excellent. Thank you very much Josh and Geoff. We come to the part of the show where I ask both of you, and I’ll start with you Geoff, what your favorite quote is and why?

Geoff Belknap

Roger Sales, absolutely, “I’m not convinced a rule set is the right solution. You shouldn’t be trying to detect a phishing attempt but the phishing attempt outcome.” And I couldn’t agree more. In fact in many ways, this is the core of security. We’re not really trying to detect the specific tactic somebody’s using to breach an environment, you’re trying to detect what’s the outcome they’re driving towards? Are they trying to steal data? Are they trying to compromise an account? What should we be aware of? And we see lots of tooling and unfortunately, I think the reality is we see lots of tooling overlooked too that are simple solutions to these problems. I’ll give you a great example just real quick – Google put out a browser plug-in called Password Alert, and if you were a Google customer it would detect if you were typing in, or someone in your organization was typing, their password into a website that wasn’t something where a password should go. And it was this dead-simple way to detect that somebody had been phished. Now they couldn’t prevent it but they could immediately let the IT team know, “Hey, Geoff’s account has just been phished.” There are so many solutions like that, that just get overlooked that are not about preventing it. It’s about rapid detection of the outcome.

David Spark

Josh, your favorite quote and why.

Josh Yavor

My favorite is going to be Jonathan Waldrop saying, “You can’t always catch the nuanced phish that doesn’t contain links or attachments but are used to initiate a conversation and ask for help.” This is especially true for service providers with consumer facing service and support centers. This is where you have to rely on solid and well-defined business processes. I love this because it’s an approach that’s eyes wide open and aware of the needs of the business and how people interact. And it’s focusing on the need for us to recognize that there are multiple layers in this problem space and our solutions need to be connected just as these layers are. And I would actually extend this quote and say that from my perspective, where we need to go is really bring this together from a human experience perspective where as the employees that we’re supporting are interacting with email, messages, whatever it is, the technology is actually prompting them and coaching them and enabling them to make decisions in real time. So that they can actually be empowered by our solutions rather than blocked by them.

David Spark

I love it. Alright, I’m going to let you have the last word here, Josh, but first I want to thank your company, Tessian, for sponsoring this very episode of the podcast. Geoff, any last words?

Geoff Belknap

You know what, I love this discussion, I think it’s especially good because we’re talking about, not just the core of the problem we have here, but actual solutions to this. So I’m going to go back and listen to this one again and I think you should too. I’ll also say, hey, as a reminder, and I know I never say this, if you’re looking to solve problems like this at scale, come on over to LinkedIn.

David Spark

Hold it, are you hiring at LinkedIn?

Geoff Belknap

I am.

David Spark

Awesome.

Geoff Belknap

And even if you don’t think LinkedIn is the place, you can also come to LinkedIn and find other jobs. We have those too.

David Spark

It’s weird you should just go to find a job at cyber-security but primarily I think everyone would want to work with Geoff.

Geoff Belknap

Many people have decided to do so.

David Spark

Smartly so. Alright, Josh, any last words? And by the way, any offers you have with Tessian, anything you want to pitch, please, this is definitely the time to do it.

Josh Yavor

What I would like to say is, similar to Geoff, I am also hiring and you can find my job postings on Tessian dot com. But also on LinkedIn. So I can play that game too. I would actually encourage folks who are interested in social engineering and what we’re doing in this problem space to check out some of our latest research on Tessian dot com. My team did research into what we saw in the space of spear-phishing in 2021 and published some recent reports that have highlighted attacker behavior, lessons learned and conclusions and so on. And finally, we actually just released a really cool set of features in our product that bring rule based solutions into the ML world. And so it’s a product called Architect and it actually allows organizations to be able to get the best of both worlds. Best in class, ML based behavior informed solutions with the rules that are actually effective and necessary for safety in an organization.

David Spark

Excellent. I love that. Thank you very much, Josh. Thank you very much, Geoff. And thank you to our audience. As always, for your contributions and for listening to Defense in Depth.

Voiceover

We’ve reached the end of Defense in Depth. Make sure to subscribe so you don’t miss yet another hot topic in cybersecurity. This show thrives on your contributions. Please write a review, leave a comment on LinkedIn or on our site: CISOSeries.com where you’ll also see plenty of ways to participate, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@Cisoseries.com. Thank you for listening to Defense in Depth.

David Spark is the founder of CISO Series where he produces and co-hosts many of the shows. Spark is a veteran tech journalist having appeared in dozens of media outlets for almost three decades.