Pop culture and movies color our idea of targeted hacking and cyberattacks. The hacker sits in front of a barrage of monitors, all showing either terminal windows or a far too complex dynamic schematic of the network. Building on past knowledge, the hacker enters command after command with the keyboard, free of typos, and might click a couple of mouse or touchscreen buttons. A countdown runs down, and suddenly, they are in the system.
Unfortunately, attacks that target one specific individual or company are seldom like the movies. They resemble mundane intelligence operations more than any high-pressure movie scene. Let’s explore how most targeted attacks start.
Chatting Up for Targeted Attacks
One of my college internships was at a company that was facing numerous attacks from hostile nations. These attacks were directed at much of the company’s IP, especially at the engineering plans of military products. Consequently, the cybersecurity training went above the usual test spam.
Around the midpoint of my internship, there was an influx of new interns on the train. Most were chatty and above-average-looking, yet not intimidating. After a week, the supposed interns were gone, and everyone got an E-Mail about how much information this social engineering test had extracted during a week of going back and forth on the train.
We trust individuals we meet face-to-face, especially if we share an experience. Complaining about a shared employer is an excellent way to get someone to open up about their experiences and slowly navigate them toward the topic of interest. It doesn’t matter whether it is a crowded bar, a train, or the airport lounge. A skilled speaker can gain some level of information.
Given the uncertainty and cost of a cyberattack, the human intelligence approach is cheaper than any cyber-only attack. Suppose the attacker extracts login information or the ability to reset a password. In that case, cyber can utilize the open door to move from system to system and escalate their credentials.
Targeted Spam
Targeted scam E-mails can similarly efficiently gain access to a Network. When preparing to speak at a small business conference at the beginning of 2024, I utilized AI to contact each of the registered attendees. Each e-mail enquired about their services, with details enclosed in a PDF. The only thing the PDF had was a ping back to me.
My pretend customer got a 98% opening rate. When one of my colleagues turned the game around and sent me the same e-mail with my name, I opened it myself.
After ten years of running a small operation, there is no way I wouldn’t have opened a customer inquiry. Twelve years in cybersecurity, including as an expert on corporate boards and the government, cannot overwrite the human excitement and validation I receive from a prospect without doing any cold calling.
My brain was overjoyed that a customer wanted to buy from me, so I was a willing recipient of my scam e-mail. We love gifts as much as we appreciate people who make our lives easier. Thus, we hardly ever say no to something good, particularly if it saves us hard work.
What did my AI scam cost? It was significantly less than an hour with a hacker who could have broken into all these systems.
Buy Credentials
Humans are lazy, especially regarding seemingly useless tasks such as creating passwords. Any attacker with even a slight understanding of the space will first check whether they can buy the credentials of an employee or contractor—single individual passwords retail between 3 and 10 USD. (Bulk prices can go down to fractions of a cent.) Even in low-cost countries, buying up all the intelligence on a target and simply trying out these passwords is significantly cheaper than any other method. It’s also easier to hide what you are doing.
The rise of multi-factor authentication is slowly closing this avenue. However, many individuals and organizations have many zombie accounts in their databases. These are accounts of forgotten employees with valuable data or accounts from employees who have long ago left the organization. Yet, they still provide a veritable way to gain data from inside an organization.
Hacking Is Expensive, Targeted Human Intelligence is Not
Pure hacking is expensive, error-prone, and slow. Targeted cyberattacks are nothing like the 5-minute job in front of the screen. They often involve significant amounts of espionage and psychology. Consequently, the training has to match the attacks and include awareness about when to share what information and how to behave online.
After all, humans like to build connections, be helpful, and forget unpleasant things. If we don’t consider the implications of these traits, we can only hope that a direct attack will never target us.