For years, the easiest avenue for conducting a cyber attack against a business or an organization was social engineering via email. While email remains a primary concern, criminals and nation-states have begun adapting their methods by targeting the largest and most public surface of any business: its presence on social media. The Cipher Brief sat down with Evan Blair, Philip Tully, and John Seymour of ZeroFOX to discuss the threat emanating from social media and how security professionals are mitigating this evolving threat both to the internal data security of companies and organizations and to their external reputation.
The Cipher Brief: How would you characterize the cyber threat from social media?
Evan Blair: Social media is the biggest risk to corporate security today. It has a scale like nothing we have ever seen before and an inherently trusted nature to it, one where we freely engage with “individuals.” It gives people the ability to build a credible story, even if they are not who they say they are. Most importantly, security teams have intruder hunting technology that is focused on the internal datasets and the internal network that they want to control, but they have virtually no visibility into social media and the channels and platforms that exist outside their firewalls.
Social media platforms have become the number one business tool for reputational growth, customer retention, and customer experience programs. Companies are looking to spend almost a quarter of their entire marketing budget on social media engagement over the next couple of years. But security teams are flying blind. Social media presents a unique opportunity for the adversary to do two different kinds of attacks. First, targeting the organization to get into its corporate network, behind the firewall, and past the traditional information security tools in place—circumventing that big, expensive fortress wall. This is accomplished by impersonating profiles that are used in social engineering phishing attacks—and a variety of other scenarios—to elicit information from individuals internally to gain access by compromising the operational integrity of an organization’s network.
The second vector of attack is an external threat to their business operations, customers, and reputation. At the end of the day, what really hurts businesses in a data breach is the trust of the consumers. The only thing that matters to a business is not the safety and integrity of the data, but rather whether their customers are going to spend their money there. From an external perspective, if I am fraudulently impersonating your brand—like customer support representatives, for example—I am engaging with your customer and prospect base, damaging the perspective they have on your business and hurting long-term revenue and potentially your organization.
So there is the internal threat of compromising individuals and using them as the gateway to the network, and the external threat targeting your reputation and customers. Companies must ensure security against social media threats via two pillars: security monitoring inside networks, and digital monitoring and remediation externally on social media platforms. The first has already been an aspect of cybersecurity for a long time, but external attacks are becoming a focal point due to the sheer impact they have on business and revenue opportunities.
TCB: Could you describe your SNAP_R social media phishing bot? What does it do and what is it used for?
John Seymour: SNAP_R works in two phases. First, it finds out which users are highly valued targets—for example, people who have job titles in their descriptions or commonly engage with the platform—because attackers do not want to hit people who are not very likely to click on the link in the first place. Second, after deciding whether or not a person should be a target, the SNAP_R bot generates a tweet geared toward that person based on their own timeline, scheduling the tweet for a time they are likely to be engaged with the platform based on their posting history. SNAP_R does this using several different link generation models and neural networks, and it also incorporates some other tactics, like presetting the tweets to admin so only the targeted user can use them, and shortening the links so that people don’t know where the link goes to until they click it.
SNAP_R can be used for internal penetration testing of an organization by assessing how big their social media footprint is, and how vulnerable to hacks from social media they are. It is also useful in promoting awareness by showing companies that social media is an attack vector—no longer just email.
Philip Tully: The emphasis should not be that Twitter itself is vulnerable—with any kind of digital communication media you can be fooled over whether you are communicating with a bot or a human. As always, it’s the humans on Twitter who are vulnerable. This is the type of vulnerability that a lot of these new platforms are going to have to deal with.
TCB: What are the primary factors driving the threat emanating from social media?
EB: The primary factor that drives any change from a security perspective is the motivation of the adversary, which comes down to money, national security, corporate espionage, and/or hacktivist sabotage. As long as those motivations exist, there is going to be a way for a criminal organization or nation-state to compete against incident detection technologies.
These are big issues for organizations, whether they result in a data breach, a bottom-line financial hit, or reputational damage. While organizations will continue to employ solutions to monitor and mitigate these issues, the adversaries will continue to chase the attack surface. This is the reason for conducting offensive security research—to get better at doing bad things so that we can use that data to influence our machine learning on the defensive side to catch the new tactics with which organizations are being assaulted.
TCB: How do you feel about the ability of organizations to counter this threat moving forward?
EB: Optimistically, the network defenders in the end are going to prevail. But this does not mean it is not going to be a really hard fight. There is a lot of money behind cyber crime and cyber espionage.
What can nations do? Certainly visibility into the social media landscape from a security perspective is the first and most important step. Then understanding what to do with the data collected. Organizations need internal policies in place for how to act when they see intrusions—most don’t have a social media security policy.
There must be security analytics applied to the data in real-time. This requires multiple types of artificial intelligence machinery—ones that work longer; ones that are quicker; ones that are more accurate; ones that are more general. With a phishing attack via a URL, organizations must be able to integrate that data in real-time for their security position to block that attack or identify if the attacks have been effective in the past.
Lastly, there must be awareness training—“do not click on links in emails and do not open attachments you do not recognize.” This has reduced the effectiveness of email-based attacks. That same training, while far from a silver bullet, must be applied to other channels. Winning the cybersecurity fight will undoubtedly be a combined technological and human victory.
PT: Social media is not going anywhere. The platforms may change according to the market and competition, but the solution is not going to be that all of a sudden companies stop having social media accounts. When organizations disengage with a platform, they are worse off because they have less visibility into the threat. When companies do not have a social media presence, they are the ones that are most susceptible, as it would be easy for someone to make a company account, impersonate them, or try to push customers to give up their information, harming the company’s reputation without them even knowing.
EB: When there are hundreds of millions of dollars at stake, criminals are not going to say “well then we are just going to pummel your email,” or “we are just going to continue to try to break through the network security.” No, they are going to look for the easiest way in, and social media is the low-hanging fruit connected to every organization in the world. With 75 percent of the world’s Internet population active on social media, it is an easy way to the soft underbelly of an organization and can hit them on both fronts—where it hurts their wallet and where it hurts from an internal data security perspective.
John Seymour is a Data Scientist at ZeroFOX and a Ph.D. student at the University of Maryland, Baltimore County. He researches the intersection of machine learning and information security in both roles.