Cybersecurity Awareness Month – should this even be a thing if awareness isn’t working?

If I’d written this last week, the post would have been very different.  I would have pondered whether cybersecurity awareness month should even be a thing. Granted I live in the infosec echo chamber, but I often wonder how many out there aren’t already inundated with information about staying safe online.  Does one more phishing assessment or security reminder poster really matter? Sure, I regularly perform incident response and forensics, so I know attacks happen. But the extent to which we can stop them with additional training is questionable.

But that was last week…  This week a good friend of mine who is a high profile APT target hit me up for some cybersecurity advice. Now before I tell the rest of this story, it’s important to me that you know that he’s been educated in cybersecurity hygiene and receives regular briefings on security from his organization. His organization uses regular phishing tests. He’s a smart guy.  I’m not mentioning names, but I bet if I did most of you would know who he is and would understand why he’s a no joke nation state (dare I say APT?) target.

OMG Haxor!

One idiot, two keyboards; aka the hacker stock photo every cybersecurity awareness article demands!

My friend hit me up on Signal. He gets +1 for using Signal, far better than SMS and many times better than email from a possibly compromised machine. My friend sent me a link and asked if he should install the software on his laptop.  I didn’t recommend the domain, so that was already a red flag. I found the domain was registered only two months ago, another red flag. The first passive DNS results I have on the domain were only two weeks ago. Without looking at the page, I was highly suspicious the page was serving malicious software.

I fired up a sandbox VM, opened a browser, and navigated to the website. One look at the “Install now or your PC will be owned” and I was 100% sure that the answer was “run, don’t walk away from this site.”  I asked my friend how he arrived at this link. He said, a little resigned, “I thought it was a little suspicious that this software would be bundled with Flash.” I felt a chill up my spine as I asked why he thought it was bundled with Flash. Just as I expected, he told me that he had just been notified to update Flash (and had already done so).

In my SANS class this week, we had just created fake Flash updates using the Browser Exploitation Framework (BeEF). I was immediately fearful that he had been a victim of the same type of exploitation that we had covered earlier that day. A few minutes later and we were sure that the update was fake. We removed some malware using antivirus scanners, but I recommended that due to his status as a high value target that he have his laptop reimaged by his IT department. Of course I advised him it was good to change passwords to his online accounts and enable two factor authentication where he was able.

So while I wanted to dismiss Cybersecurity Awareness Month as entirely unnecessary or as a marketing gimmick dreamed up by some training company, it’s clear that I was wrong. I have mixed feelings from the experience with my extremely tech savvy friend. At first, I felt despondent that despite all the training he’s had that he still fell victim to such a basic attack. But then I realized that we’re doing something right. Cybersecurity awareness programs are working. After all, he did realize (perhaps moments too late) that he had become a victim and took steps to rectify the issue.

All too often in infosec, we suffer from the “echo chamber effect” where we confirm each another’s biases. I frequently wonder how much awareness matters when we all agree that we’ll never get the click rate on phishing emails to zero. But this experience breaks me out of the echo chamber of despair. In sharing this story, I hope you are also encouraged that cybersecurity awareness is working, despite the negative press it often gets.