Mad Squirrel Tech

If you know me, you know that I am passionate about cybersecurity and feel that the human element is too often ignored or handled with very little focus. This is why I think this is a mistake.

In the modern threat landscape, cyberattacks have become more than just a technical nuisance, they’re a constant and evolving menace. Organizations of every size are in the crosshairs, and unfortunately, there’s no magic solution. But if there’s one area where a lot of damage can be prevented, it’s by addressing human risk. That’s one place where security awareness training and simulated phishing exercises come into play. They’re not just another checkbox; they’re a crucial part of your layered security strategy.

Training and simulated phishing is not going to make the problem go away, but neither are any technical controls. These things need to be used together and we have to consider preventative controls to keep social engineering attacks from reaching the users, non-technical controls (*cough* *cough* *training*) for when they do, and more controls in case the user has a lapse in judgement and has an interaction with the attack. Defense is like an onion (or perhaps an ogre) and has layers. Here I’m talking specifically about the education part.

The Threat Landscape: Evolving and Ruthless

Cybercriminals don’t discriminate. They use whatever works, and increasingly, that means targeting people. Whether it’s ransomware, social engineering, or good old-fashioned social engineering, bad actors rely heavily on exploiting human error to get a foot in the door. It’s not the users fault really. We are all human and subject to making mistakes if we get the right message, about the right thing, at the right time. I can tell you stories about myself and other advocates having all falling for simulated phishes at one time or the other. It really is easy to do and it’s not about how smart we are, so let’s stow the blame and work on ways to equip people to protect themselves.

• Phishing’s Persistence
  The FBI’s Internet Crime Complaint Center reported over 300,000 phishing complaints in a single year. That’s not noise—it’s a wake-up call.
• The Human Factor
  According to KnowBe4 (hey, I know them!), a leading provider of security awareness training, a substantial number of successful breaches stem from employees clicking on malicious content. Training isn’t optional, it’s essential.

Why Security Awareness Training Matters

Think of your employees as the last line of defense. You wouldn’t send soldiers into battle without training, or a surgeon into the O.R. without practice. Cybersecurity should be no different.

• Enabling Human Firewalls
  Trained employees recognize red flags and stop attacks before they start.
• Faster Incident Detection
  Educated users identify and report threats early, speeding up your response.
• Compliance and Risk Reduction
  Regulations like GDPR and HIPAA demand security awareness efforts. Noncompliance can be costly.

Simulated Phishing: Practice That Pays Off

You test your fire alarms. Why not your people? Simulated phishes are not about tricking people. Crazy thought huh? It’s about giving them a chance to practice what they learned in training, without the risk to the organization. Messaging around this is critical so users know you are not trying to make them look or feel foolish, but instead giving them a chance to practice. This helps them at home as well as in the organizations. Scammers and scams are a part of life, the skills used to spot scams are invaluable personally as well.

• Behavioral Conditioning
  Simulated phishing builds reflexes. Over time, employees become more resilient. We want to change behavior, not just throw information at people.
• Cultural Shift
  Regular testing embeds security into your organization’s culture. As more people change behavior, the culture shifts and before you know it, there is momentum.
• Actionable Metrics
  These exercises offer real data to target training and track improvements. There is good information here, such as the types of attacks certain people, departments, or even the whole organization, are more likely to fall for. Use this information to make education have a better ROI. Why waste valuable attention span and training teaching people stuff they already have a firm grip on?

But Isn’t It Expensive?

Training costs money, but a breach costs a lot more. IBM estimates the average breach at $4.45 million. Some studies are higher, some a little lower, but all agree that it’s expensive and can have a serious impact on your brand reputation. That click on a fake invoice email could lead to ransomware, stolen data, or worse, and frankly there are a lot of other way more expensive products/controls that don’t do as well. Be wise when looking at ROI.

Building a Smart Program

• Know Your Baseline
  Evaluate where your team stands before you start.
• Stay Current
  Update training regularly to match the latest threats and provide short modules fairly often.
• Keep It Engaging
  Boring or irrelevant training doesn’t work. Use variety and interactivity to keep people interested.

Final Thoughts

Let’s be real, cyberattacks aren’t going away and technology alone won’t save you. Arm your employees with knowledge and experience. Security awareness and phishing simulations are not “nice to haves”, they’re a critical part, but not the only part, of a human risk management (HRM) program..

In a world where information travels at the speed of light, the ramifications of military actions can extend far beyond the battlefield. Recently, the United States bombed specific Iranian nuclear facilities, a move that has undoubtedly heightened tensions in an already volatile region. However, what’s also quite concerning is the pervasive misinformation and disinformation campaigns that will likely arise in the wake of such events. Let’s explore the dangers of these campaigns, particularly on social media platforms, and why cybersecurity professionals must remain vigilant.

Understanding Misinformation and Disinformation

Before diving deeper into the consequences of misinformation, it’s essential to clarify the terms:

• Misinformation refers to false or misleading information that is spread without malicious intent. It often arises out of confusion, misunderstandings, or the haste to share news.
• Disinformation, on the other hand, is deliberately false information designed to mislead or manipulate.

Both forms can significantly impact public perception and contribute to panic and distrust, especially in the realm of geopolitics.

The Dangers of Misinformation in Times of Crisis

When significant military actions are taken, the potential for misinformation escalates dramatically. Let’s examine some of the dangers:

1. Escalation of Tensions

Misinformation may exacerbate existing tensions between nations or communities. For example:

• Misreporting the extent of damage caused by the airstrikes could incite further retaliatory actions.
• False assertions made on social media can provoke protests or conflicts among different political factions.

2. Public Confusion and Distrust

A flurry of conflicting reports can lead to:

• Chaos as individuals struggle to discern fact from fiction.
• Distrust in legitimate news sources, causing the public to seek information from questionable sources, which perpetuates the cycle of misinformation.

3. Social Media Exploitation

Social media platforms are ground zero for misinformation. The speed and ease with which information spreads can be alarming:

• Deepfakes, a form of synthetic media, can create realistic but entirely fabricated videos or audio that distort the truth and mislead viewers. Not all media is faked either, some is just cleverly edited to be deceptive.
• Hashtags and trending topics can amplify misinformation campaigns, as users unwittingly share misleading content.

4. Impact on Decision-Making

Misinformation can directly influence decision-making at various levels, from the individual to governmental agencies. A civilian might act based on incorrect news, while leaders may feel pressured to respond to public outcry based on false narratives.

Strategies to Combat Misinformation

As cybersecurity professionals, understanding the landscape of misinformation is crucial. Here are several strategies to mitigate its impact:

1. Promote Critical Thinking

Encouraging critical thinking skills can empower the public to evaluate the credibility of information sources:

• Host workshops or webinars that guide individuals in identifying reliable sources of information.
• Utilize social media platforms to disseminate guidelines on spotting misinformation.

2. Implement Robust Cybersecurity Measures

Organizations should strengthen their cybersecurity frameworks to:

• Protect against the spread of false information through their digital channels.
• Train employees on how to recognize and counter misinformation.

3. Engage with Credible Sources

Promoting reliance on credible news outlets is essential. Share links to reputable sources and fact-checking websites to help the community make informed decisions.

4. Foster Transparency

Encourage transparency in media reporting, particularly during crises. Rapid fact-checking and correction of misinformation can help restore public trust in legitimate sources.

Conclusion: The Crucial Role of Cybersecurity Professionals

As the world grapples with the fallout from the US’s recent military actions in Iran, the threat of misinformation and disinformation becomes more pronounced. Cybersecurity professionals play a vital role in curbing these threats. By fostering critical thinking, implementing robust cybersecurity measures, and promoting transparency, we can combat the tide of misinformation that threatens to undermine our democratic processes and societal trust.

What Do We Do?

Stay alert and informed. Follow reputable news sources, verify information before sharing, and encourage your community to do the same. Together, we can navigate the minefield of misinformation and disinformation in these tumultuous times.

---

In today’s interconnected world, cybersecurity threats continue to evolve, posing significant risks to critical infrastructures and government agencies. Among the most prominent adversaries in this realm is Salt Typhoon, an Advanced Persistent Threat (APT) group that has made headlines for its sophisticated attacks targeting U.S. systems. In this post, we will explore the tactics and strategies employed by Salt Typhoon, as well as some notable incidents attributed to this cybercrime group, shedding light on their strategies and providing insights for cybersecurity professionals.

What is Salt Typhoon?

Salt Typhoon is recognized as an APT group that conducts long-term, targeted cyber campaigns against high-value entities, particularly in the realm of U.S. government and critical infrastructure. Unlike opportunistic cybercriminals, APT groups like Salt Typhoon employ a stealthy approach, aiming for persistence within their targets’ networks while exfiltrating sensitive data and possibly compromising national security.

Key Tactics and Strategies of Salt Typhoon

To understand how Salt Typhoon operates, it’s vital to dissect their methodologies. Here’s a closer look at the tactics they commonly employ:

1. Phishing Campaigns

Phishing remains a primary attack vector for Salt Typhoon, allowing them to gain initial access to targeted organizations through deception.

• Spear Phishing: This tactic involves customized emails aimed at specific individuals within an organization, often impersonating trusted sources to trick recipients into revealing sensitive information or credentials.
• Business Email Compromise (BEC): Here, attackers compromise legitimate business email accounts to initiate unauthorized transactions or access sensitive company data.

2. Malware Deployment

Upon establishing initial access, Salt Typhoon frequently employs various forms of malware to ensure control over the targeted systems:

• Remote Access Trojans (RATs): These tools enable attackers to control the infected system remotely, allowing for extensive surveillance and data collection.
• Credential Dumping Tools: They often utilize tools to extract stored credentials from applications, facilitating further access within the network.

3. Lateral Movement

Once inside, Salt Typhoon does not stay idle. To maximize their reach, they engage in lateral movement through a network:

• Exploiting Vulnerabilities: They identify and exploit unpatched vulnerabilities to gain access to adjacent systems.
• Credential Sharing: Utilizing stolen credentials to maneuver within the network helps them access sensitive resources with minimal detection.

4. Data Exfiltration

Data exfiltration is often a primary objective for APT attacks. Salt Typhoon meticulously gathers data, ensuring it is transferred out of the network undetected:

• Use of Encrypted Channels: They may encrypt data to avoid detection when exfiltrating it from the target network.
• Scheduled Exfiltration: Timing data transfers during off-peak hours can minimize the risk of being caught.

5. Evasion Techniques

To stay under the radar, Salt Typhoon employs sophisticated evasion techniques:

• Obfuscation: Many of their malicious payloads are designed to blend in with legitimate network traffic.
• Fileless Malware: This technique involves utilizing tools that operate in-memory and do not leave traditional file traces on the disk, complicating detection efforts.

Notable Incidents Linked to Salt Typhoon

Salt Typhoon’s sophisticated tactics are not just theoretical; they have been involved in several high-profile incidents:

1. U.S. Government Agencies Breach

One of the most alarming incidents linked to Salt Typhoon involved infiltrating multiple U.S. government agencies. Through a well-crafted spear-phishing campaign, the group successfully compromised sensitive email accounts of high-ranking officials, leading to significant breaches of confidential communications and national security information.

2. Attacks on Critical Infrastructure

Infiltrations targeting critical infrastructure, such as utilities and transportation systems, have been another hallmark of Salt Typhoon’s activities. These attacks disrupt services and pose direct threats to public safety. For instance, there were reports of unsuccessful attempts to manipulate systems of power grid operators, emphasizing the potential impact of such cyber activities on societal functions.

3. Supply Chain Disruption

Salt Typhoon has also targeted third-party vendors as a strategic means to infiltrate larger networks. By compromising software providers, they can gain access to client systems without directly breaching their defenses—an effective strategy common among APT groups that enhances their reach and impact on organizations.

Protecting Against Salt Typhoon’s Tactics

For cybersecurity professionals, understanding how to defend against threats posed by Salt Typhoon is paramount. Here are some strategies to enhance your organization’s security posture:

• Regular Training and Awareness Programs: Conducting comprehensive training sessions on recognizing phishing and social engineering techniques can reduce vulnerabilities.
• Effective Patch Management: Routinely updating systems and software can protect against known vulnerabilities actively exploited by attackers.
• Incident Response Planning: Establishing a well-documented incident response plan can help organizations respond swiftly to potential breaches, minimizing damage.

Conclusion

Salt Typhoon exemplifies the growing sophistication of APT groups targeting vulnerable infrastructures. By analyzing their tactics and recognizing past incidents, cybersecurity professionals can fortify defenses against future threats. The onus is on organizations to remain vigilant and proactive, implementing best practices in the realm of cybersecurity.

Stay informed and prepared to face these evolving threats. Consider evaluating your current cybersecurity strategies and enhancing protocols to safeguard your organization against adversaries like Salt Typhoon.

---

Sources

1. Cybersecurity & Infrastructure Security Agency (CISA) – Cybersecurity Advisories on APT Tactics
   CISA.gov
2. FireEye – Report on Advanced Persistent Threat Groups
   FireEye.com
3. Mandiant – Overview of APT Group Activities
   Mandiant.com
4. Reuters – Reporting on Cyber Incidents Involving APT Groups
   Reuters.com
5. Symantec – Insight into Cyber Threat Landscape
   Symantec.com

I work in the interesting field of cybersecurity and have for quite some time. Throughout the years, I have found myself increasingly skeptical about people and organizations. It could just be my old age, after all my goal in retirement is to spend my days sitting on my front porch telling kids to get off my lawn, but it could be something else. In this line of work, I hear about scams and see the ugly side of the digital world quite often, and I think it has impacted me.

Recently, my wife and I decided to buy some land. We have been looking for years, but had quit looking due to prices. Then, this opportunity just showed up out of nowhere (well on Facebook Marketplace), and next thing I know, we are making an offer. The people we bought the property from will still be our neighbors and he is a retired real estate pro, so the decision to do the sale without realtors on both sides made sense financially, however I was still nervous about it. His daughter, a current realtor, was kind enough to write up contracts and point us at a good title company, so it wasn’t like we were totally blind here. Over the course of a couple of weeks while we worked through some financial stuff, we spent some weekends doing some clean up at the property with the sellers permission and we got to know each other pretty well. In the back of my mind, I still had this gut-wrenching fear that things would go wrong.

When it was time to close, we met up with the title folk and signed the papers, then we had to transfer funds. Now this was a cash deal, so it was a matter of wiring money from our bank accounts to the title company, however I have heard so many stories about wire transfer fraud, that I was nearly sick with nerves when it came time to do the transfers.

I have no reason not to trust the seller. I looked up his name on the next-door property and the one we were buying, and they were the same (another scam is selling property you don’t own). I’ve seen his ID and I know that he lives in that house, yet I am still nervous almost to the point of paralysis while we wait for the property deed to be recorded and show up officially online (this can take several weeks right now).

So, what is the point of this story? Well, it’s this, it is not bad to be cautious these days as scams are everywhere. There are many that originate on social media and it is important to apply reason when looking at things, however it is important not to let paranoia steal the joy from what should be a happy event. Do your due diligence and remember that deals that seem too good to be true, are.

2 tips for Facebook Marketplace:

• Ads that include an alternate email address to contact, often saying something like ‘This is my parents, which I listed for them’ followed by that other email address, is usually fake. They are simply getting you to communicate off Facebook. Ads that have unrealistic prices, are fake. They want to open a conversation with you and will often attempt to get you to leave a deposit, or will tell you they are sending a code from Google Voice to prove you are ‘not a scammer’. The code is actually from Google Voice, but is being used so they can associate a Google Voice phone number with your cell phone, and use it for scams.

• Ads that have unrealistic prices, are fake. They want to open a conversation with you and will often attempt to get you to leave a deposit, or will tell you they are sending a code from Google Voice to prove you are ‘not a scammer’. The code is actually from Google Voice, but is being used so they can associate a Google Voice phone number with your cell phone, and use it for scams. These also seem to favor lines such as  ‘just serviced 3 days ago’ and ‘no rust, no dents, original paint, no accidents and clean title’, almost verbatim across ads