Protecting CXOs From Whaling

Scuba divers underwater. This is a 3d render illustration
Author: Josh Suifbergen, intrusion analyst, WatchGuard Technologies
Author: Josh Suifbergen, intrusion analyst, WatchGuard Technologies

There will always be the Willy Wonkas leading mighty organizations, who are vigilantly on the lookout for the likes of Arthur Slugworths who want to steal and replicate their cherished products. The length at which Wonka goes to protect his secrets involved using one of his employees to impersonate Slugworth, to go and offer the golden ticket winners a bribe for securing an Everlasting Gobstopper, and ultimately test their true character. Wonka was a true security-minded person, likely a person who would hold the position of both CEO and CISO. His factories were off-limits to the public, his Oompa-Loompa employees were vetted, and his security was proactive in finding a trustworthy successor. The real question is, did Wonka worry enough about his own security faults?

That time was much simpler. So how do we go about protecting a modern-day Willy Wonka from a whaling (phish-type) attack? Let’s define “whaling.” It is a form of phishing that is aimed at high-value targets such as a CEO, high-level executive, and an employee with administrative access to important company resources.

We want to take the approach of defense in depth. That means implementing basic security measures that are company-wide and ingrained in the organization’s security policies. Strong domain passwords, multi-factor authentication, least-user privilege permissions policy, and user education, are among actions that create barriers to unwanted access of an organization’s systems. Each layer of security compounds on top of each other to build a hardened security posture. That way, an attack can be stopped, or at least slowed down by multiple layers of security.

What does this all mean for protecting a Willy Wonka in your organization? Ultimately it is about user education, from the Oompa-Loompa to the Willy Wonka. There are several ways to go about this. One is to create in-house trainings that teach users about common phishing techniques. A step further could involve sending out a fake phishing email to see if any of the employees fall prey to one of the tricks. Of course, should a user fail one of these phish tests, a finger-wagging shouldn’t be the result, but instead have it be a teaching moment. For smaller organizations these phish trainings can be outsourced to third-party vendors. 

We can’t only put the onus on the end user for protecting an organization. Therefore, we use what we have already – data! Any organization is teeming with endless data. End-user logs, user authentications logs, geo-tags, and VPN connections (often showing the employee in an impossible time zone). In addition, the organization has logs for when users access online resources such as code repositories or collaboration software. All these logging sources and then some can be combined to create a holistic view of “normal” user activity, and gage expected interactions and network connections within an organization. A user logging into their account is no longer a straightforward process. Questions need to be asked and logs assessed whether this user is who they say they are. Did the user log in from their regular geo-location? Are they logging in at a normal time? For instance, if the user has never logged in between the hours of 1am to 6am would this be considered suspicious if they were to do so? These questions are assuming that your organization is already using MFA, hopefully using an authentication app over text verification. 

When Mr. Wonka goes to log in to his device we can hope – and probably at this point expect – using MFA, that there is a broad range of security nuts and bolts happening prior too and in the moments during his authentication attempt. Surely on a Monday, like nearly every Monday, Willy Wonka is at the factory, ensuring everything is running smoothly. His geo-tag, time of login, verification of identity with his password, and push notification approval on his authentication app all work to create a near seamless experience for Mr. Wonka to access the company network. He then goes to check his emails, where his email filtering system should have tossed any of the obvious phishes into his spam folder. Now were he to click on a generic phishing email, the next layer of security with a DNS layer detection should block him from accessing any known malicious domains or URLs. 

But isn’t Willy Wonka the prized ham? Surely, he gets more than mere generic phishes arriving in his inbox. Were the real Arthur Slugworth to have hired hackers to compromise one of the Oompa-Loompa’s accounts and therefore email, they could then send a specialized phish (whaling email) to Mr. Wonka internally. Perhaps his internal security system would not detect it. That’s where we hope the education trainings, some healthy paranoia, and a bit of common sense would kick in. 

Author Josh Stuifbergen is an intrusion analyst at WatchGuard Technologies. Read more WatchGuard guest blogs here. Regularly contributed guest blogs are part of ChannelE2E’s sponsorship program.