The Trials and Tribulations of Training Your People
9–9–2024 (Monday)
Hello and welcome to The Intentional Brief - your weekly video update on the one big thing in cybersecurity for growth stage companies, investors, and management teams.
I’m your host, Shay Colson, Managing Partner at Intentional Cybersecurity, and you can find us online at intentionalcyber.com.
Today is Monday, September 9, 2024 and I continue to be trolled with these videos by the US Department of Justice. The same week that I tell you all to ignore nation state threat actors, the DoJ drops news on both a Russian influence operation within the US conservative media space and indicts 5 GRU officers and one civilian for hacking Ukrainian infrastructure.
For the record, you should still ignore the nation state threat. Let the DoJ handle it - they’re apparently very good at it.
The Trials and Tribulations of Training Your People
There was news here in Seattle this past week announcing that the Seattle Public Library's catalog and lending services are now both back online following a Memorial Day ransomware attack. We are now, of course, past Labor Day, meaning that these resources were down the entire summer - and then some.
We don't yet have public reporting of the details behind the incident, but I am seeing more and more attacks that are specifically targeted against employees.
There was a new campaign outlined today that appears to be targeting employees of US home improvement store Lowe's, driven by malicious ads on Google.
In this case, searching for the site's general URL (rather than typing the full address into the browser) returned three top results that were all phishing sites designed to trick users into handing over their credentials.
Attacks like this string together a few different mechanics to trick users, and they make our job on the training and defending side very hard. First, the attack relies on browsers treating text typed into the address bar as a search query rather than a website request whenever it isn't a complete URL.
Google famously paid Apple $20B in 2022 to be the default search engine in Safari. Google then takes these search requests and serves paid ads, above the organic results, that look like search results - which can be confusing even for savvy users.
But the attackers here are going even beyond that. They're using lookalike domains, which most of us know by now is a common tactic, but they're going a step further by cloaking: if you were to visit the malicious domain directly, it just looks like a harmless placeholder site.
Only when users click through via the malicious ads do they get the actual phishing page, which then steals the credentials and goes onwards to great victory. That also means a defender who checks the domain by hand, without the ad's click-through, sees nothing suspicious.
So, while we may have training programs in our enterprise like KnowBe4 or Microsoft's built-in phishing awareness tools within M365, that's only going to get us so far.
To really boost our defenses, what we’ve got to be thinking about is enabling our users to think more critically - and that means we’re going to have to engage them and empower them.
I know it’s common to look at users as the biggest source of risk, or to be dismissive of this group, but the reality is that - whatever changes are going on - users are going to be a constant, and they’re going to have accounts and connected machines, and need legitimate access to these systems that run our businesses and house our sensitive data.
We need to take a broader, more thoughtful, more inclusive approach to really upskilling our users. We’ll still need technical and administrative controls to backstop what we can, but spending that hands-on time to help users understand how these bad things happen and the proper, secure way to - for example - navigate to an employee portal gives you that much more of a chance to catch these attacks before they succeed.
If your average users don’t know how to reach out and report when something doesn’t look right, or double check before clicking, that’s a great place to start. A ‘phish report’ button is all well and good, but for attacks in the browser, on a mobile device, or via a phone call - that button isn’t going to help you.
This is going to be an ongoing effort, it’s going to take time, it’s tricky to define the ROI, but we’re to the point where we just don’t have a choice. Start thinking of your users as human sentries, who can identify these anomalies. Your job is to empower them, and then listen to what they tell you.
Fundraising
From a fundraising perspective, we've got a pretty good top line number - more than $9.3B in newly committed capital - but the bulk of that - nearly $8B worth - comes from just two funds:
Warburg Pincus raised over $4B for a structured transactions fund, and Park Square Capital of London raised €3.4B for a European direct lending fund.
It really does seem like the bigger players with proven track records are the ones most likely to be able to raise in this market, and it also seems like it’s driven by hesitation and demand for liquidity from LPs.
Axios reported this morning that Sequoia sold off 10% of their shares in Stripe at a $70B valuation to generate liquidity for those early investors as Stripe holds out against an IPO. These investors, of course, have been plenty patient (investing in 2009 and 2012, respectively). That said, the mechanics of these markets really aren't built for this long-term buy and hold approach.
What that actually means for investors and operators, of course, remains to be seen.
With that, a reminder that you can find links to all the articles we covered below, find back issues of these videos and the written transcripts at intentionalcyber.com, and we’ll see you next week for another edition of the Intentional Brief.
Links
https://www.axios.com/newsletters/axios-pro-rata-d4c86218-11d0-4d98-ab3e-cc5d30686374.html