Trade-offs of business applications and the evolution of the art of social engineering

Social engineering is not a new concept, even in the world of cybersecurity. Phishing scams alone have been around for nearly 30 years, and attackers keep finding new ways to trick victims into clicking a link, downloading a file, or handing over sensitive information.

Business Email Compromise (BEC) attacks build on the same idea: the attacker gains control of a legitimate email account (or convincingly spoofs one) and impersonates its owner. Attackers bet that victims won’t question an email from a trusted source – and all too often, they’re right.

But email isn’t the only channel cybercriminals use for social engineering. Modern businesses rely on a range of digital applications, from cloud services and VPNs to communication tools and financial services. These applications are often interconnected through shared identity and integrations, so an attacker who compromises one frequently gains a path into others. Businesses cannot afford to focus exclusively on phishing and BEC, not when Business Application Compromise (BAC) is on the rise.

Target single sign-on

Businesses use digital apps because they are useful and convenient. In the age of remote work, employees need access to critical tools and resources from a wide range of locations and devices. Apps can streamline workflows, increase access to critical information, and make employees’ jobs easier. A single department within an organization may use dozens of applications, while the average company uses more than 200. Unfortunately, security and IT departments aren’t always aware of these apps, let alone approving them, which makes monitoring difficult.

Authentication is another issue. Creating (and remembering) unique username and password combinations is a challenge for anyone who uses dozens of different apps to do their job. A password manager is one solution, but it can be difficult for IT to enforce. Instead, many companies streamline authentication with single sign-on (SSO) solutions, which let employees log in once to a trusted account and reach all connected apps and services. But because SSO gives a user easy access to dozens (if not hundreds) of business applications, SSO accounts are high-value targets for attackers. SSO providers of course have their own security features and capabilities, but human error remains a difficult problem to solve.

Social engineering, advanced

Many applications – and certainly most SSO solutions – support multi-factor authentication (MFA). This makes it harder for attackers to compromise an account, but certainly not impossible. MFA can be annoying for users who must complete it several times a day, which leads to impatience and, at times, carelessness.

Some MFA methods require the user to enter a code or present a fingerprint. Others simply push a prompt that asks, “Is this you?” The latter is easier for the user, but it gives attackers room to operate. An attacker who has already obtained a user’s password can attempt to log in repeatedly, knowing the account is MFA-protected, and every attempt triggers a push prompt on the user’s phone. This MFA fatigue (or “prompt bombing”) technique wears the victim down: after a deluge of requests, many assume IT is working on the account, or simply tap “Approve” to stop the notifications. People are easily annoyed, and attackers use this to their advantage.

In many ways, this makes BAC easier to carry out than BEC. Adversaries who engage in BAC need only harass their victims into making the wrong decision. And by targeting identity and SSO providers, attackers can reach potentially dozens of applications, including HR and payroll services. Commonly used applications such as Workday are often accessed through SSO, allowing attackers to carry out direct deposit and payroll fraud that routes funds to their own accounts.

This type of activity can easily go undetected, which is why it is important to have detection tooling, fed by identity-provider logs as well as network and endpoint telemetry, that can flag suspicious behavior even from an authorized user account: a burst of push prompts to one user, a run of denials followed by an approval, or a session from an unfamiliar device or location. Organizations should also prioritize phishing-resistant Fast Identity Online (FIDO) security keys for MFA. If FIDO-only MFA isn’t realistic, the next best step is to disable email, text, voice, and time-based one-time password (TOTP) factors in favor of push notifications (ideally with number matching, so a prompt cannot be approved without reading it), and then configure MFA or identity provider policies to restrict access to managed devices as an additional layer of security.
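To make the detection point concrete, here is an added example (not code from the original article or from any identity provider) that scans identity-provider MFA events for the prompt-bombing pattern described in the previous section: a burst of push prompts to one user, and an approval that arrives while that burst is still running. The JSON-lines format, the field names and the sample events are constructed assumptions for this example; real IdP exports use their own schemas.

```python
"""Flag MFA push-fatigue ("prompt bombing") in identity-provider logs.

Added example for this article, not the page's or any vendor's code. It
assumes a generic JSON-lines event format (constructed below; real IdP
exports such as Okta, Entra ID or Duo logs use different field names)
with the fields ts, user, factor, result and src_ip.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

FLOOD_THRESHOLD = 5             # push prompts to one user within WINDOW
WINDOW = timedelta(minutes=10)  # sliding window for counting prompts

# Constructed sample events, not real logs. alice is bombed and finally
# approves, bob gets a single normal approval, carol ignores three prompts.
SAMPLE_LOG = """\
{"ts": "2024-03-04T09:00:05Z", "user": "alice", "factor": "push", "result": "DENIED",   "src_ip": "203.0.113.7"}
{"ts": "2024-03-04T09:00:40Z", "user": "alice", "factor": "push", "result": "TIMEOUT",  "src_ip": "203.0.113.7"}
{"ts": "2024-03-04T09:01:15Z", "user": "alice", "factor": "push", "result": "DENIED",   "src_ip": "203.0.113.7"}
{"ts": "2024-03-04T09:01:50Z", "user": "bob",   "factor": "push", "result": "APPROVED", "src_ip": "198.51.100.20"}
{"ts": "2024-03-04T09:02:25Z", "user": "alice", "factor": "push", "result": "TIMEOUT",  "src_ip": "203.0.113.7"}
{"ts": "2024-03-04T09:03:00Z", "user": "alice", "factor": "push", "result": "DENIED",   "src_ip": "203.0.113.7"}
{"ts": "2024-03-04T09:03:35Z", "user": "alice", "factor": "push", "result": "APPROVED", "src_ip": "203.0.113.7"}
{"ts": "2024-03-04T09:05:00Z", "user": "carol", "factor": "push", "result": "TIMEOUT",  "src_ip": "192.0.2.9"}
{"ts": "2024-03-04T09:05:30Z", "user": "carol", "factor": "push", "result": "TIMEOUT",  "src_ip": "192.0.2.9"}
{"ts": "2024-03-04T09:06:00Z", "user": "carol", "factor": "push", "result": "DENIED",   "src_ip": "192.0.2.9"}
"""


def parse_events(text):
    """Parse JSON lines into dicts with an aware UTC datetime in 'ts'."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(
            tzinfo=timezone.utc)
        events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


def detect_push_fatigue(events, threshold=FLOOD_THRESHOLD, window=WINDOW):
    """Return alerts in time order.

    'push_flood': a user's push prompts within `window` reach `threshold`
    (emitted once per flood episode; the episode is extended while prompts
    keep arriving).
    'fatigue_approval': a prompt is APPROVED while a flood episode is open,
    which is the signature of a successful prompt-bombing attack.
    """
    recent = defaultdict(deque)  # user -> timestamps of prompts in window
    flood_open_until = {}        # user -> end of the current flood episode
    alerts = []
    for ev in events:
        if ev.get("factor") != "push":
            continue
        user, ts = ev["user"], ev["ts"]
        prompts = recent[user]
        prompts.append(ts)
        while ts - prompts[0] > window:  # drop prompts older than the window
            prompts.popleft()
        in_flood = user in flood_open_until and ts <= flood_open_until[user]
        if len(prompts) >= threshold:
            if not in_flood:
                alerts.append({"rule": "push_flood", "user": user, "ts": ts,
                               "prompts": len(prompts), "src_ip": ev["src_ip"]})
            flood_open_until[user] = ts + window
            in_flood = True
        if ev.get("result") == "APPROVED" and in_flood:
            alerts.append({"rule": "fatigue_approval", "user": user, "ts": ts,
                           "prompts": len(prompts), "src_ip": ev["src_ip"]})
    return alerts


def run_sample(threshold=FLOOD_THRESHOLD):
    """Run the detector over the constructed sample log."""
    return detect_push_fatigue(parse_events(SAMPLE_LOG), threshold=threshold)


if __name__ == "__main__":
    for a in run_sample():
        print(f'{a["ts"].isoformat()} {a["rule"]:17} user={a["user"]} '
              f'prompts={a["prompts"]} src_ip={a["src_ip"]}')
```

Run it as a script to print the two alerts the constructed log produces for alice (a flood at the fifth prompt, then an approval inside the flood); bob's single approval and carol's three ignored prompts stay quiet. In practice, feed it your IdP's MFA challenge events (mapping their field names onto ts, user, factor, result and src_ip) and tune the threshold and window to the normal prompt rate in your environment. A fatigue_approval alert is the one that warrants revoking the session and resetting the password immediately, since the attacker already held valid credentials before the prompts started.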

Prioritizing BAC prevention

Recent research indicates that BEC or BAC tactics are used in 51% of all incidents. Although less well known than BEC, a successful BAC attack gives attackers access to a wide range of business and personal applications associated with the compromised account. Social engineering remains a high-yield tool for attackers today, one that has evolved alongside the security technologies designed to stop it.

Modern businesses need to educate their employees: teach them to recognize the signs of a potential scam, including a flood of MFA prompts they did not trigger, and where to report it. With companies adopting more applications every year, employees must work hand-in-hand with their security teams to keep systems protected against increasingly sneaky attacks.