Today, just about everything you view on the Internet is designed to either manipulate your opinion (mostly to sell you something but also to sway your political or social position) or steal from you. But what you say – officially or informally – has the same effect.
A perfect example of this is a fake invoice Critical Informatics received right after we informed the SEC that we had completed an equity round of investment.
We were not surprised to receive the phony invoice. It is a well-known scam that has been perpetrated for some time, which begs the question: why they haven’t been shut down, but I digress…Let's talk about the larger issue.
The reason we were targeted for this scam is simple: we hit the radar. Someone has been scraping public information releases to take advantage of companies that are in flux – as that likely correlates to some confusion into who authorizes what activity. This is especially true with A/P activity, which is likely to increase at the time of the equity investment (because of the cost of legal review/counsel, wow.)
Your public exposure as a company, and as a key employee in that company, provides information that is increasingly being used to target you and your business. Much has been written recently about operational security – how to NOT disclose information – but much of that is beyond your control thanks to:
- Corporate filings
- Press releases
- News articles
- Government information required to be public
Exacerbating the problem, it’s now simple to gather DIY information quickly on targeted demographics, as well as the commercialized versions applied (primarily) politically:
- Jester iAWACS (see @th3j35t3r; here’s a good summary)
- Twitter geofencing
- Cambridge Analytica – pretty insidious, IMO
Then, after that analysis and information gathering, more customized attacks are coming if you’re important enough – you control money, intellectual property, or infrastructure operations. And they’re getting better at it.
Now put this together:
- Your public communications are being watched
- Simple attempts should be assumed at all times
- If you're a big enough fish, targeting combined with specific exploits
- research on software you use
- research on your IT admin for scheduling patching
- research on you personally
- your shadow internet footprint
- your home footprint
- your opsec
The point is that with all the preventive, detective, and responsive controls you have in place (including, hopefully, Managed Detection and Response), you’re still a target. If you hit the radar of an actor that is serious, they’re going to put some time (increasingly less time, thanks to the methods listed above) into understanding you. Then an attack will be customized and launched. This makes the question typically asked by executives, “are we secure?” moot.
Your controls handle the broad, “shotgun-blast” type attacks that are unspecific and untargeted. When someone is serious about taking from you, they’re not going to use a method that’s detectable by every antivirus vendor. In reality, you’re only secure until your ticket is punched. That awareness should be projected to everyone in a leadership, sensitive operational, or other position with privileged access to assets that would lend themselves to theft or disruption. That awareness is, realistically, the only control that matters here.