Are you sick of the marketing hype suggesting some “Next Gen” security device can solve all your security problems? Yes? Good. If not, maybe you should be. Let’s pick on the Redmond giant for a moment to illustrate an example.
Microsoft announced last month that after a legal victory, it had taken down 99 websites belonging to an Iranian state-linked hacking group called Phosphorus (aka APT35, Charming Kitten, and Ajax Security Team). Microsoft’s Digital Crimes Unit (DCU) and the Microsoft Threat Intelligence Center (MSTIC) have been tracking Phosphorus since 2013.
Phosphorus typically attempts to compromise personal accounts using various social engineering techniques to steal user credentials and install malicious software, according to Tom Burt, Microsoft’s Corporate VP of Customer Security & Trust. In his blog post, Burt states this software gives Phosphorus control over a victim’s PC. Burt goes on to state that after compromising a personal account, Phosphorus uses that information to pivot into other targets, including those of businesses, government agencies, activists and journalists.
Once Microsoft took control of the 99 websites, it was able to redirect traffic from infected devices to a sinkhole controlled by Microsoft’s DCU. The intelligence that DCU collects from this action will help in the development of future security products and services.
While some might see this as a victory for Microsoft and the security community, I believe this is merely a bump in the road for Phosphorus. It took six years of hard work for Microsoft to track, document, build and win a legal case. It will likely take only days before Phosphorus is back to deploying the infrastructure needed to continue the compromises and data exfiltration activities in which they have become so proficient. I’m not exactly sure this is a victory worth celebrating. The battle may have been won, but the war is far from over.
What can we learn from this? For starters, take notice of the attack vector employed by Phosphorus. This is a nation-state actor who presumably has access to technology and funds beyond many businesses’ reach, yet their primary attack method really has nothing to do with technology. The first step is primarily social engineering, targeting personal accounts. No amount of spending on “Next Gen” security solutions is going to mitigate this type of security exploit. The truth hurts, especially when it hits the wallet.
What’s the lesson here? We need to get smarter on where and how we spend our security budgets. Security vendors will continue to push “Next Gen” devices with promises of solving all your problems, but the fact remains: There is no silver bullet. Certainly, staying educated on the latest tech is wise, but just keep it in context with the bigger security framework. Security is about people, process and technology. It doesn’t work without a thoughtful approach to all three. All too often, companies focus their budget only on the technology. Good luck sitting on that one-legged stool.
The threat landscape is ever-changing. Challenge yourself to think differently about your approach to security. Find a partner that isn’t trying to sell you on a specific device promising a panacea. A true partner can guide you through the process, assess, educate and augment your resources, while providing sage advice on emerging technology. It’s the philosophy that we adhere to at CTI.