Everybody is talking about email, browsing, and phishing as
the main attack scenarios organizations should care about. However, in the real
world, determined attackers use a variety of additional techniques that are in
many cases under the radar of enterprise security teams.
There are many of those attacks out there, and they’re gaining
popularity. Here are just five non-phishing user-centric attacks you should
definitely be prepared for.
1. Malicious networks
Your users use their laptops at home, in coffee shops, at the
airport, abroad, etc. Malicious actors can easily set up WiFi hotspots in these
locations and use them to target the operating system on the user’s laptop.
When the device connects to a compromised or malicious network, the attacker can
attempt DNS spoofing, leverage DHCP vulnerabilities in Windows, or mount a classic
man-in-the-middle attack to impersonate popular websites or
software update servers. Rogue WiFi captive portals can also take part in these
attacks. A zero-trust network infrastructure, despite the hype, isn’t enough to prevent the damage from this
type of attack.
Always-on VPN solutions can help mitigate some of this risk
but may result in a degraded user experience in which the user cannot connect
to some legitimate WiFi networks.
2. Malicious external devices
Handing out thumb drives as free gifts is a classic way to get
users to run malicious executables on their machines. However, external devices
go beyond USB disks. Almost any external device, including smart cards,
webcams, keyboards, and other human interface devices can leverage operating
system vulnerabilities and own the user’s machine. One commoditized example of
that is the rubber ducky ($50): “… the attacker walks up
to a computer, plugs in a seemingly innocent USB drive, and have it install a
backdoor, exfiltrate documents, steal passwords or any number of pen test
tasks. All of these things are done with many well-crafted keystrokes in
seconds. The USB Rubber Ducky does this in seconds.”
To mitigate these attacks, consider using group policy to
block unknown external devices, but take into account your users and whether
they connect to docking stations and to all kinds of peripherals like external
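One way to apply the group-policy approach above while respecting the docking stations and peripherals users already rely on, as an added example that is not from the article: snapshot the hardware IDs currently present on a laptop, allow-list them, and then enable the Device Installation Restrictions policy so that any device not on the list is refused. It assumes the registry values below correspond to the "Prevent installation of devices not described by other policy settings" and "Allow installation of devices that match any of these device IDs" settings from deviceinstallation.admx.

```powershell
# Added example (not from the article). Run in an elevated PowerShell on the
# laptop; the restriction applies to devices installed after the policy is read
# (gpupdate /force or a reboot), already-installed devices keep working.
# Assumption: value names match deviceinstallation.admx (DenyUnspecified,
# AllowDeviceIDs, and the AllowDeviceIDs subkey holding entries "1","2",...).

$Restrictions = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'

function Get-PresentHardwareIds {
    # Hardware IDs of everything plugged in or built in right now: dock, webcam,
    # smart-card reader, keyboard, ... Review the list before trusting it.
    Get-PnpDevice -PresentOnly |
        ForEach-Object { $_.HardwareID } |
        Where-Object { $_ } |
        Sort-Object -Unique
}

function Set-DeviceAllowList {
    param([Parameter(Mandatory)][string[]]$HardwareIds)

    $listKey = Join-Path $Restrictions 'AllowDeviceIDs'
    # Start from a clean list so stale entries do not linger
    Remove-Item -Path $listKey -Recurse -Force -ErrorAction SilentlyContinue
    New-Item -Path $listKey -Force | Out-Null

    # GPO stores the list as string values named "1", "2", ... under the subkey
    $i = 1
    foreach ($id in $HardwareIds) {
        New-ItemProperty -Path $listKey -Name ([string]$i) -PropertyType String -Value $id -Force | Out-Null
        $i++
    }

    # Turn on the allow rule, then deny anything no rule describes
    New-ItemProperty -Path $Restrictions -Name 'AllowDeviceIDs'  -PropertyType DWord -Value 1 -Force | Out-Null
    New-ItemProperty -Path $Restrictions -Name 'DenyUnspecified' -PropertyType DWord -Value 1 -Force | Out-Null
}

# Usage: snapshot today's peripherals, then pin the policy to them
$ids = Get-PresentHardwareIds
Set-DeviceAllowList -HardwareIds $ids
Write-Host "Allow-listed $($ids.Count) hardware IDs; devices outside the list will be refused."
```

The snapshot trusts whatever was attached at the time it was taken, so take it on a clean machine with the user's normal dock and peripherals connected, and review the resulting list before rolling the policy out.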
3. Sophisticated insiders
We have all heard about insiders, but they are getting more and
more sophisticated. It’s no longer just about plugging in a large-capacity USB
disk and copying every file from a file share. These sophisticated
insiders, in many cases IT staff, can write scripts, use the latest malware,
leverage privilege elevation vulnerabilities, etc. This allows them to
carefully leak data without raising any alarms, for financial or any other
motive. They can also go on a vendetta and plant a scheduled script that would
bring down the organization’s production servers when it’s least convenient.
To mitigate this risk, you have to consider all the methods
that insiders can use to deliver malicious content into privileged environments
and try to prevent or limit them. You should also take into account all the
channels insiders can use to get data out of the organization, including
network-based and peripheral-based exfiltration.
4. Getting infected by any other app
It’s true that we’re already in 2020, but we’re not yet in the
post-PC era. Beyond using a browser and an email client, employees use a wide
variety of other desktop apps including: conferencing apps like WebEx, Zoom,
and TeamViewer; messaging apps like Slack, WhatsApp, and Teams; file sharing
apps like Dropbox, Google Drive, and OneDrive; and many other legacy
applications built by some long-forgotten IT team in the organization in the late ’90s
that have somehow survived to this day. These apps are far from perfect
and are actually a riper target for vulnerability hunting than the
well-known browser and email clients.
To mitigate this risk, you have to consider operating system
isolation technologies that take the entire operating system with its variety
of apps (and their vulnerabilities) and isolate them in a virtual machine or on
a separate physical machine, as Microsoft recommends. Of course, to make it practical,
consider how users will get access to the apps in these virtual machines and how
to optimize their experience, both at the office and remotely.
5. Tampering with the laptop
When we say laptop tampering, we refer to scenarios like the
“Evil Maid Attack,” a term coined in 2009 by security analyst Joanna Rutkowska.
In this type of attack, a malicious actor gains physical access to the device,
for example in a hotel room where a laptop has been left unattended.
The attacker can simply boot an OS from a thumb drive to tamper with the
operating system on the laptop, injecting malware or copying all the data.
The attacker could also try compromising the firmware on
To mitigate these attacks, you must implement a full disk
encryption solution that leverages the Trusted Platform Module (TPM) and Secure
Boot features available in modern laptops, and require users to enter
a PIN at boot to prevent DMA attacks. You should also consider a system
that lets you remotely wipe or lock the laptop if it is stolen.
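A check for the controls just listed, as an added example that is not from the article: it reports whether a Windows laptop has Secure Boot on, a ready TPM, its OS volume fully encrypted by BitLocker, a TPM+PIN protector (and no TPM-only protector, which would unlock without user input), and the group policy that requires the PIN. The FVE registry value names and their meaning (UseTPMPIN = 1 for "Require startup PIN with TPM") are assumptions from the BitLocker policy template, not taken from the article.

```powershell
# Added example (not from the article). Run in an elevated PowerShell on the
# laptop being audited. Returns an object with one boolean per control plus an
# overall Compliant flag.

function Test-EvilMaidBaseline {
    $r = [ordered]@{}

    # Confirm-SecureBootUEFI throws on legacy-BIOS machines; count that as a fail
    try   { $r.SecureBoot = [bool](Confirm-SecureBootUEFI) }
    catch { $r.SecureBoot = $false }

    $tpm = Get-Tpm
    $r.TpmReady = [bool]($tpm.TpmPresent -and $tpm.TpmReady)

    $os = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $r.OsVolumeProtected = ($os.ProtectionStatus -eq 'On' -and
                            $os.VolumeStatus -eq 'FullyEncrypted')

    # A PIN must be part of the unlock path (TPM+PIN or TPM+PIN+startup key) ...
    $pinTypes = 'TpmPin', 'TpmPinStartupKey'
    $r.TpmPinProtector = [bool]($os.KeyProtector |
        Where-Object { $pinTypes -contains $_.KeyProtectorType })
    # ... and no bare TPM protector may remain, or the disk still auto-unlocks
    $r.NoTpmOnlyProtector = -not ($os.KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'Tpm' })

    # Policy "Require additional authentication at startup" with PIN = Require.
    # Assumption: UseAdvancedStartup=1 enables the policy, UseTPMPIN=1 = Require.
    $fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' `
                            -ErrorAction SilentlyContinue
    $r.PinRequiredByPolicy = ($fve.UseAdvancedStartup -eq 1 -and $fve.UseTPMPIN -eq 1)

    $r.Compliant = -not ($r.Values -contains $false)
    [pscustomobject]$r
}

$result = Test-EvilMaidBaseline
$result | Format-List
if (-not $result.Compliant) {
    # Once the policy is in place, the missing PIN protector can be added with:
    #   Add-BitLockerKeyProtector -MountPoint $env:SystemDrive -TpmAndPinProtector `
    #       -Pin (Read-Host -AsSecureString 'Startup PIN')
    Write-Warning 'Laptop does not meet the TPM + Secure Boot + PIN baseline.'
}
```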
Tal Zamir is the Founder and CTO of Hysolate.