Hybrid threat model: Watch out for the unhappy employee

In this interview with Help Net Security, James Turgal, VP of Cyber Risk, Strategy and Board Relations at Optiv Security, talks about the hybrid threat model, a new approach that leverages social media to launch cyberattacks on organizations.

hybrid threat model

Threats are continuously multiplying, taking up new forms and seriously impacting organizations. Now we have the hybrid threat model to worry about. Could you say a bit more about this new approach?

The next generation of enterprise cyber threats will see external and internal threats and threat actors colliding into a hybrid threat model. This new approach entails external threat actors – including nation states and organized crime groups – conducting research campaigns and leveraging social media platforms to recruit disgruntled employees to work on their behalf to launch a cyberattack on an organization.

This new tactic continues to blur the lines between what has traditionally been the witting or unwitting insider versus the external threat actor or group. Once external threat actors identify a company to target, they conduct research campaigns using company employee lists and other documents that have been purchased off the Dark Web, taken from previous company breaches or obtained in attacks on third-party company providers. They then scour social media channels to identify unhappy employees within the target company that are using their accounts to vent frustrations.

External threat actors use any company data uncovered on these social media accounts to design their social engineering attacks to maximize the number of victims. In these social engineering campaigns, external groups “friend” these employees, and then groom them to become assets in their attack. In extreme cases, they offer to pay the disgruntled insider a finder’s fee for information about the company’s IT infrastructure or pay the employee to launch malware on their company’s network.

The hybrid threat actors have even taken the threat matrix one step further and have launched physical attacks. For example, physically mailing USB sticks to employees, who just need to plug it into a network computer to launch the malware, or obtaining employee credentials, either from the employee giving them or the attacker stealing them and then breaking into a server room to install rogue devices that capture, encrypt and send confidential data to the threat actor.

Why do you think this kind of attack is likely to occur?

Bad actors want to reap the maximum reward while doing the least amount of work and making a minimal financial commitment. In this regard, social media platforms are a gold mine. They provide a cost-effective and easy way for bad actors to gain information on potential targets, and because these platforms are so popular with individuals, there is a vast pool of targets for cybercriminals to attack.

Additionally, since these social platforms have grown exponentially over the years, designers have had a tough time keeping up with the security issues that go along with such growth. So, not only has the growth of social media platforms allowed threat actors to design methods and tactics to skim the information within to identify victims to exploit, but they can also take advantage of security weaknesses within the platforms themselves to execute attacks.

The combination of social media growth and the uptick in unhappy employees since the start of the global pandemic – both those who are part of the Great Resignation and those begrudgingly still with their companies – has made the hybrid threat model a very real risk.

How does the hybrid threat model leverage social media accounts to reach the goal?

The hybrid threat model only works if external groups can identify disgruntled employees, and we’ve seen that there is no better way to do this than on social media platforms. People are all too eager to post their latest gripe, concern or complaint on their social accounts, and cybercriminals are there to exploit it. A simple social search will turn up information on who has worked where for how long and whether they’re happy or dissatisfied.

New threat actor techniques on the social front include the use of Synthetic Media Social Engineering Frameworks and tools that actively develop password and cookie stealers with a downloader function, capable of delivering additional malware after performing the password and cookie theft. There are multiple versions of this type of attack methodology, some dating back to July of 2019. This type of activity targets Facebook and Instagram business and advertiser accounts, while additional versions target other major service providers, including Apple, Amazon, Bing, Google, PayPal, Tumblr and Twitter.

What is it that organizations can do to thwart this kind of attack?

It has never been truer that cybersecurity and buying down cyber risk, is more about humans and human nature, than about the actual technology used.

In any organization, employees are the first line of defense — and they’re all too frequently the weakest link, so much so that all it takes is one employee clicking on a suspicious link to launch an attack that will cripple the company. For years now over 90% of all attacks are launched using social engineering and business email compromise techniques. The use of these tactics by threat actors, the lack of consistent cyber hygiene, the increase in stressors upon employees – whether from the COVID-19 pandemic, economic or geo-political issues – and the massive use of social media platforms should be driving a larger conversation on what companies are doing to understand the impacts of the environmental factors on their employees and their well-being, as well as the role cybersecurity education, awareness and training plays in building a strong security culture.

Corporations need to take a deeper look at their pay and benefits structure and their human resource program for employee development and work to understand the connection between the environmental impacts on their employees and the company’s cyber security risk posture. In addition, organizations should (on their own or with an outsourced partner) develop a strategy to understand the gaps in their ecosystem and then deploy the appropriate insider risk and threat tools, processes and methodologies to understand what is normal and approved employer behavior on the company’s ecosystem. This will make it easier and faster to detect threats and then quickly act to mitigate the damage.

How common could the hybrid threat model be now and in the future?

We’re already seeing hybrid threat model attacks, and I expect the threat to escalate alongside growing environmental factors that affect employees’ lives. And, as long as social media platforms remain popular, and employees use those platforms to espouse their displeasure with their employers, cyber criminals will continue to use them as a treasure trove of information to get witting or unwitting employees to do their dirty work.

Don't miss