When reports came out last week that a breach of an unclassified but sensitive White House network was the result of spearphishing, Director of National Intelligence James Clapper said in a speech that government officials and private businesses needed to teach employees what spearphishing looks like.
Having followed the story closely, KnowBe4 CEO Stu Sjouwerman and KnowBe4 Chief Hacking Officer Kevin Mitnick agreed with that statement, with Mitnick tweeting, “White House hacked via social engineering. I'd be happy to provide our KnowBe4 social engineering training for free. It sounds like [they] need it!”
Of the discovery that the hackers had been inside the State Department systems for months before the White House incident, Sjouwerman said, “We are confident our training would reduce the threat from social engineering and would be happy to train the White House staffers for no charge. We have a panoply of tools that would assist them to increase their ability to spot and handle phishing attempts. Social engineering is often used by threat actors as it preys on uneducated users and is the cause of as much as 91 percent of all data breaches. Security awareness training is one of the most effective solutions to combat these attacks and mitigate risk.”
KnowBe4 aims to take that weak link, the employee or contact susceptible to spearphishing, and turn him or her into a strong link, through a web-based security awareness training program that encompasses “employee security education and behavior management.”
It is a risk management tactic that too few companies take seriously, even as the threat grows daily. Sjouwerman says his firm focuses on serving small to medium-size enterprises (SMEs) because they are often the preferred target.
“Cybercriminals have gone pro in the last three years. It’s a $3 billion industry. There has been a significant improvement in sophistication and skills. It’s an arms race, and the bad guys have the advantage. What businesses are really looking at is that they feel they are not catching up, and they can never get ahead,” says Sjouwerman. “Different types of attacks, such as phishing and spearphishing, have taken off exponentially. High-value targets are much more often attacked, with focus and frequency. Especially in SMEs. The preferred target is not the Fortune 5000, because they have money, resources, time, people. The attacker prefers a relatively easy target. They can take the CFO or CEO, and start with spearphishing. They just let the CFO or one of their contacts click the link, penetrate the machine, lurk for a couple of months. Only one machine is compromised, the keylogger is placed. At the chosen time, they make the transfer with normal protocols and get, say, $200,000 out of the country, often while the CFO is on vacation.”
As with many similar intrusions, the White House and State Department penetration was attributed to suspected Russian hackers believed to have a state connection.
“These are usually Eastern European cyber mafia, some Chinese,” says Sjouwerman.
And is there ever any chance of recovering funds, once they’ve been taken? “It depends on how fast an unauthorized transfer is detected. Within a few hours, you can sometimes claw back some money. After a couple of days, the money will have been transferred 12 times, and then taken out in cash and distributed by money mules.” Likewise, data, when gone, is just gone.