Going beyond user blame to become more resilient

I often hear that security breaches are attributed to “the weakest link in security: users”. And while many recent hacks have been linked to users falling for phishing or social engineering, it feels too simplistic to throw up our hands and accuse our colleagues of clicking on fake Teams message notifications or plausible fake attachments that link to malicious websites. Especially as we just taught them that “we’re moving to Office 365”, which triggers all kinds of new notifications.

Yes, sure, these dumb users should have carefully inspected the URL (“it was “offlce365”, not “office365”, how could you not see that?”), and remembered that microsoftonline.com is the legitimate URL where they can safely enter credentials, while windows.net is very probably malicious¹. How could they forget?

It’s an unending battle between one or two security officers running awareness campaigns for thousand of users, and scammers that become more and more insidious. Clearly, user awareness is key and should not be underestimated. However, it should not be the only (or even main) element of our security toolkit. Especially as, out of thousands of users and millions of emails, one click is enough to allow an attacker to get a foothold on the internal network, unless the attack is prevented or detected.

Attackers only needs to find one weak link to enter in our systems. Let’s turn it to our advantage: we also only need to detect the attacker at any point during their attack, from their initial phishing email to their malicious activity (data extraction or ransomware). One misstep is enough.

So instead of focusing on our user’s unfortunate “click”, let’s focus on everything else that could have prevented, detected, or limited the impact of the attack. I’m listing some examples of relevant measures below, but it’s really just to show how much can be done.

User receives a malicious email

Prevent the email from being delivered, with an efficient anti-spam system
Tag external emails as “External to the organization” to help users assess their legitimacy

User clicks on a link or opens a malicious attachment

For malicious web links: filter and log web connections, scan links when they’re clicked and re-evaluate them later
For malicious attachments: keep devices up to date, deploy adequate endpoint protection measures²

The attacker collects the user’s password or gains access to their machine

Enforce Multi-Factor Authentication³
Limit data users have access to (which lowers how much can be exfiltrated)
Detect simultaneous connections from distant locations / risky sign-ins, detect data exfiltration / unusual volume of data being copied / unusual folder share, etc.
Record activity to be able to replay the attack once detected⁴

The attacker tries to gain larger/full control of the network in order to launch an attack

Detect when one computer attacks other computers, for instance with ATA
Limit user rights on the machine (to avoid privilege escalation), and avoid theft of admin credentials, for instance with Credential Guard
Deploy best practices to secure the Windows environment (AD and its dedicated admin accounts), to segment the network and limit / record access to servers (Jumpbox)
Be ready to mitigate, isolate part of the network, recover data, etc. if necessary

Clearly, so much can be done, that if a device or account is compromised (and stays undetected), it’s probably our fault as much as the user’s.

Yes, that’s accurate, *.web.core.windows.net contains user-generated content and often phishing - see 1, 2. ↩︎
Typically: detect malicious attachments, block JavaScript in PDFs, Macros in Word, etc.; enforce additional steps to run the malicious file (like re-entering credentials or requiring files to be in a specific folder to enable macros), etc. ↩︎
There aren’t so many phishing attempts that ask users for their second factor token in real-time, but that shouldn’t take long… ↩︎
With an advanced anti-virus/EDR on the endpoint, for instance ↩︎