Black Hat: Public Opinion Hacking Hits Fever Pitch
… a social system is resistant to the hack.”
Companies Are Targets, Too
Public opinion hacking can also target businesses, she said.
“If you’re a CISO … in a multinational company with global lines of business and you’re competing with other governments and other countries, reputational attacks on companies are just as easy to execute,” DiResta said. “Companies that take a strong stand on divisive social issues may also find themselves embroiled in social media chatter that isn’t necessarily what it seems to be.”
It falls on CISOs to try to understand when these attacks focus on corporations and how they should respond and think about them, she said.
“We need to be doing more red-teaming,” DiResta said. “We need to be thinking about social and media ecosystems as a system, proactively envisioning what kinds of manipulation are possible. With each emerging app, with each new feature and each new policy, the rules of the game change slightly. And we need to be thinking proactively about how those changes impact the kinds of information operations that we’ll see next.”
When it comes to public opinion hacking, information security professionals and information operation researchers need to communicate more, she said. The goal should be understanding how social network manipulation intersects with network infiltration to predict and mitigate these attacks, she said.
Pandemic Prompts Surge in Counter IR
Also at Black Hat, VMware Carbon Black released its latest global incident response (IR) report. The pandemic continues to create a larger surface area for cyberattacks, it said.
Among the findings:
- Security teams are struggling to keep up with the surge in attacks. Some 53% of IR professionals encountered or observed an increase in cyberattacks exploiting COVID-19. Remote access inefficiencies, VPN vulnerabilities and staff shortages are the most daunting endpoint security challenges.
- One third of respondents encountered instances of attempted counter IR in the 90 days before the survey. That’s up 10% from the previous report. Log destruction and diversion are the most common forms of counter IR. That signals attackers’ increasingly punitive nature and the rise of destructive attacks.
- More than one half of attacks have been on the financial sector. That’s followed by health care, professional services and retail. Fifty-nine percent of those surveyed said attackers’ end goal was financial gain, by far the leading motivation.
- One in three attacks shows signs of lateral movement. This movement is facilitated in new ways, such as through unsigned certificates or SaaS applications like Google Drive and Dropbox.
- More than one half of respondents saw attacks from China, followed by North America and Russia.
Greg Foss is senior cybersecurity strategist at VMware Carbon Black. He said counter IR has become a popular tactic. It allows attackers to cover their tracks and actively take steps to remain silent and make investigations difficult.
“Counter IR attacks include everything from wiping the logs on the local system, disabling security tooling that may detect and prevent their malware, establishing multiple command and control channels for redundancy, and more,” he said. “This is why it is imperative for organizations to take a holistic approach to their security posture, through a layered security strategy.”
Implementing security information and event management (SIEM) to capture and aggregate logs makes it difficult for an attacker to hide evidence of their intrusion, Foss said.
“While malicious actors may be able to delete the local system logs, these logs should have already been replicated across to another system where they can be preserved and leveraged for investigation into the intrusion,” he said. “Counter IR is not a new tactic. Attackers have been covering their tracks since hacking into corporations became a possibility.”
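The point Foss makes is that a log-clearing action on the endpoint leaves its own trace in the copy already forwarded to the SIEM, and a host whose forwarding stops is itself a signal. The script below is an added illustration, not code from VMware Carbon Black or the report; it runs two such checks over a constructed batch of forwarded Windows event records (hostnames, timestamps and the 30-minute silence threshold are made up for the example; event IDs 1102 and 104 are the real Windows "audit log cleared" and "event log cleared" events).

```python
"""Triage forwarded event logs for counter-IR indicators (added example)."""
import json
from datetime import datetime, timedelta

# Windows events that record log destruction on the endpoint itself.
LOG_CLEAR_EVENTS = {
    1102: "Security audit log cleared",           # Microsoft-Windows-Security-Auditing
    104: "System/Application event log cleared",  # Microsoft-Windows-Eventlog
}

# Constructed sample: one JSON record per line, as a forwarder would ship to a SIEM.
SAMPLE_LOGS = """\
{"ts": "2020-08-06T10:00:00", "host": "ws-finance-07", "event_id": 4624, "msg": "logon"}
{"ts": "2020-08-06T10:00:05", "host": "srv-db-02", "event_id": 4624, "msg": "logon"}
{"ts": "2020-08-06T10:05:00", "host": "ws-finance-07", "event_id": 4688, "msg": "process created"}
{"ts": "2020-08-06T10:06:00", "host": "ws-finance-07", "event_id": 1102, "msg": "The audit log was cleared"}
{"ts": "2020-08-06T10:10:00", "host": "srv-db-02", "event_id": 4688, "msg": "process created"}
{"ts": "2020-08-06T11:30:00", "host": "srv-db-02", "event_id": 4688, "msg": "process created"}
"""

def parse(raw):
    """Parse newline-delimited JSON records and convert timestamps."""
    records = []
    for line in raw.splitlines():
        if line.strip():
            r = json.loads(line)
            r["ts"] = datetime.fromisoformat(r["ts"])
            records.append(r)
    return records

def find_log_clears(records):
    """The clear event survives in the SIEM copy even after the local log is gone."""
    return [(r["host"], r["ts"], LOG_CLEAR_EVENTS[r["event_id"]])
            for r in records if r["event_id"] in LOG_CLEAR_EVENTS]

def find_silent_hosts(records, now, max_gap=timedelta(minutes=30)):
    """A host that stops forwarding may have had its agent or logging disabled."""
    last_seen = {}
    for r in records:
        last_seen[r["host"]] = max(last_seen.get(r["host"], r["ts"]), r["ts"])
    return sorted(h for h, ts in last_seen.items() if now - ts > max_gap)

def triage(raw=SAMPLE_LOGS, now=datetime(2020, 8, 6, 12, 0, 0)):
    """Run both checks; 'now' is the time the batch is evaluated (constructed)."""
    records = parse(raw)
    return {"log_clears": find_log_clears(records),
            "silent_hosts": find_silent_hosts(records, now)}

if __name__ == "__main__":
    for name, hits in triage().items():
        print(name, hits)
```

In the sample, ws-finance-07 cleared its security log and then went silent, while srv-db-02 is still reporting within the threshold and is not flagged.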
The model has changed for a significant number of MSSPs, depending on how the organization was structured for remote work before the pandemic, Foss said.
“This means the onboarding of new security tooling, changing of processes, scrambling to cover known gaps in coverage, and generally adapting to …