For years, businesses assumed they were adequately protected from cyber-threats simply by having professional anti-virus/anti-malware software installed on their computers. Although this may have been sufficient in the late ’90s and early 2000s, it is no longer an effective defense strategy on its own. Modern cyber-attacks target business email systems, cloud services, and firewalls rather than the computer endpoint. To defend against these newer threats, businesses must implement multiple cybersecurity defense “layers” on each element of their technology. As we’ll explain below, this strategy isn’t just theoretically more secure; it really works and has saved countless businesses from devastating cyber-attacks and data breaches.
The Modern Threat
In March 2021, the FBI sent an urgent warning to state and local agencies reporting significant increases in business email compromise (BEC) attacks. This notice also provided agencies with a list of layered mitigations to help defend against the attacks. Just a few months later, in July 2021, a massive email phishing campaign targeting state and local governments successfully compromised the Florida State Attorney’s office. In a matter of hours, the attack spread like wildfire to State Attorney’s offices throughout the state. As each office was compromised, the attack continued spreading to its respective vendor and client lists, impacting thousands of individuals.
How It Worked
The attack began with a phishing email masquerading as a notification from Adobe. The notification appeared to come from a trusted contact and contained a link to open a PDF invoice.
When a user clicked the link, it directed them to a secure Google Sites page (created by the threat actor) that offered three login options the user could select to access the invoice. Clicking any of the three options redirected the user to another page that prompted them to enter their username and password.
Once the user submitted their username and password, the credentials were routed to the attacker. The attacker then used these credentials to log in to the user’s email account and redistribute the same phishing attack to the user’s contact list. With this access, the attacker could also exploit the business through various means for financial gain.
Defense in Layers
Mature managed I.T. service providers (“MSPs”), such as Digital Boardwalk, protect their clients from cyber-attacks like this by implementing a dozen or more layers of defenses. That way, if (and when) one layer fails, several more follow it that can still stop the attack. This particular phishing attack was a perfect demonstration of why layered defenses are such an effective strategy. Let’s highlight three notable layers of defense that protected Digital Boardwalk customers from this attack.
Layer 1: Email Threat Protection
Since most of today’s cyber-attacks begin with some type of email communication, protecting the business email system is a critical first layer of defense. In many cases, this protection can filter out phishing emails before they ever reach users’ inboxes. It can also scan the hyperlinks in an email to make sure the destination website is safe for the user to visit. In this specific cyber-attack example, however, the email was sent to the user directly from one of their trusted contacts’ mailboxes, so the email threat protection system was unable to identify the email as malicious. Additionally, since the link in the email went to a secure Google Sites page, and that page itself contained no malicious content, the link scanning function did not block the user from visiting the site.
Layer 2: Internet/DNS Security
The Internet is fundamental and integral to today’s business operations and technology. Therefore, Internet/DNS security is another important layer of defense. This protection can monitor every single Internet connection a device makes, be it to a website, an advertisement on a website, or even a foreign server. Because it checks the destination of each connection as it is made, it can catch a malicious site that sits behind a benign-looking link. In this specific cyber-attack example, when the user clicked the link in the email, they were directed to the Google Sites page. But when the user clicked the login button, which would have redirected them to the attacker’s phishing page, the DNS security blocked the user from reaching that page. Because the page was blocked, the user never had the option to enter their email credentials, and the attack was stopped in its tracks.
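To make the DNS layer concrete, the following is an added example (not code from the article or from Digital Boardwalk) of the policy check a DNS security service applies to each hostname a device tries to reach. The block list and the redirect chain are constructed for the example; the attacker's real domain is not given in the article, so a placeholder under the reserved `.invalid` top-level domain stands in for it. The example goes slightly beyond the article's single case by also showing why matching must be done on whole DNS labels rather than on a plain string suffix.

```python
from __future__ import annotations

from typing import Optional
from urllib.parse import urlsplit

# Constructed block list for the example. The attacker's real domain is not
# given in the article, so a placeholder under the reserved .invalid TLD is used.
BLOCKED_DOMAINS = {"phish-example.invalid"}


def hostname_is_blocked(hostname: str, blocked: set[str]) -> bool:
    """Match the hostname and every parent domain against the block list.

    Matching on whole DNS labels (not a plain string suffix) means
    'login.phish-example.invalid' is caught via its parent domain, while an
    unrelated name such as 'notphish-example.invalid' is left alone.
    """
    labels = hostname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))


def dns_verdict(url: str, blocked: set[str] = BLOCKED_DOMAINS) -> tuple[str, Optional[str]]:
    """Return ('allow' | 'block', hostname) for the host a URL would resolve to."""
    hostname = urlsplit(url).hostname
    if hostname is None:  # nothing resolvable: refuse rather than guess
        return ("block", None)
    return ("block" if hostname_is_blocked(hostname, blocked) else "allow", hostname)


def follow_redirect_chain(chain: list[str], blocked: set[str] = BLOCKED_DOMAINS) -> list[tuple[str, str]]:
    """Apply the DNS verdict to each hop in order and stop at the first block.

    The first block is the point at which the user never reaches the page,
    which is exactly how the attack in the article was cut short.
    """
    verdicts: list[tuple[str, str]] = []
    for url in chain:
        verdict, _host = dns_verdict(url, blocked)
        verdicts.append((url, verdict))
        if verdict == "block":
            break
    return verdicts


# Constructed redirect chain modelled on the article: a benign Google Sites
# landing page, then the credential-harvesting page it redirects to.
PHISHING_CHAIN = [
    "https://sites.google.com/view/invoice-placeholder",
    "https://login.phish-example.invalid/adobe/",
    "https://login.phish-example.invalid/adobe/submit",  # never reached
]

if __name__ == "__main__":
    for url, verdict in follow_redirect_chain(PHISHING_CHAIN):
        print(f"{verdict:5}  {url}")
```

The first hop is allowed because `sites.google.com` is a legitimate hosting domain with nothing to block, which is the same reason the email link scanner in Layer 1 let it through; the second hop is blocked on its hostname alone, before any page content is fetched, so it does not matter what the phishing page looks like.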
Layer 3: Multi-Factor Authentication (MFA)
The prevalence of cloud-based technologies and remote work makes multi-factor authentication yet another critical layer of defense. MFA simply means that, in addition to a username and password, the user must provide a temporary code from a device in their physical possession (typically their smartphone) in order to log in. Although the cyber-attack in this example was stopped at Layer 2, let’s assume it wasn’t. Imagine that the user had made it all the way to the phishing page and inadvertently given their username and password to the attacker. When the attacker used those credentials to log in to the user’s email, the attacker would have been prompted for the temporary code from the user’s phone. Without this code, the attacker would have been unable to log in to the account, and the attack would have failed.
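The scenario above, worked through in code, as an added example that is not from the article or from Digital Boardwalk: a login check that requires a password and a time-based one-time code (TOTP, as defined in RFC 6238) and therefore refuses a correct password on its own. The user record, password, salt and expected codes are constructed for the example; the TOTP seed is the RFC 6238 test-vector secret, which is why the codes at the given times are known values. Real systems use an authenticator app or a service for the code; the HOTP/TOTP arithmetic is shown here only so the check runs offline.

```python
from __future__ import annotations

import hashlib
import hmac
import struct
import time
from typing import Optional

STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp(secret, at_time // step)


# Constructed user store. The salt and password are placeholders for the
# example; the TOTP secret is the RFC 6238 test-vector seed.
_SALT = b"constructed-salt-not-for-production"


def hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


USERS = {
    "jane@example.com": {
        "password_hash": hash_password("Summer2021!"),
        "totp_secret": b"12345678901234567890",
        "last_counter": -1,  # highest time-step counter already accepted
    }
}


def verify_login(username: str, password: str, code: Optional[str], now: Optional[int] = None) -> str:
    """Return 'allowed' or a 'denied: ...' reason.

    A valid password alone is never enough: the code is required, it must match
    the current (or immediately previous) 30-second step, and each step's code
    may be accepted only once, so a code captured and replayed later is refused.
    """
    now = int(time.time()) if now is None else now
    user = USERS.get(username)
    if user is None or not hmac.compare_digest(user["password_hash"], hash_password(password)):
        return "denied: bad username or password"
    if not code:
        return "denied: MFA code required"
    # Accept the current step and the previous one to tolerate small clock drift.
    for drift in (0, -1):
        counter = now // STEP_SECONDS + drift
        if hmac.compare_digest(hotp(user["totp_secret"], counter), code):
            if counter <= user["last_counter"]:
                return "denied: MFA code already used"
            user["last_counter"] = counter
            return "allowed"
    return "denied: bad MFA code"


if __name__ == "__main__":
    # Stolen password, no code: this is the attacker's position in the article.
    print(verify_login("jane@example.com", "Summer2021!", None, now=59))
    # Password plus the code from the user's own device at that moment.
    print(verify_login("jane@example.com", "Summer2021!", totp(b"12345678901234567890", 59), now=59))
```

The `last_counter` check is what makes the one-time code actually one-time: a TOTP code stays valid for a whole 30-second step (and one step of drift), so without it a code observed once could be submitted again within that window.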
Most mature MSPs implement a dozen or more of these layered defenses for their customers in anticipation that one or more will inevitably fail to stop a threat. As threat actors continue to develop new attack strategies, businesses must constantly evaluate their risks alongside their service provider and implement new defenses. By combining these technical defenses with human-centric layers, such as cybersecurity awareness training and routine phishing exercises, businesses can significantly reduce their risk of a successful cyber-attack and gain some much-needed peace of mind.