Intelligence gathered about adversarial intent and capabilities enables an organization to assess threats and devote resources toward preventing and detecting attacks.
While many cyberthreats target an organization’s business processes and intellectual property, many others affect companies’ employees directly or indirectly. Therefore, organizations must understand why and how underground actors threaten their employees.
Why employees are targeted
The first stage of a cyberattack is initial access, in which the attacker establishes a presence on the targeted network. An attacker can gain initial access in many ways, such as through malware and exploits. However, deploying these requires sophistication and risks triggering protection mechanisms.
This story was published in partnership with Atlas, a single HR platform that streamlines global people operations.
Instead of breaking into the vault, convincing someone with the keys to open it up is often much easier and more effective. Therefore, attackers frequently seek to gain access to privileged employee accounts (through phishing or malware) and to convince employees, usually unwittingly, to give credentials or to do their bidding (such as in business email compromise attacks).
Furthermore, if an attacker can effectively impersonate an actual employee, they might be able to interact with other employees and penetrate deeper into the network. For example, in the recent breach of Uber, the attacker posed as a company IT worker and requested that another employee give him access to internal systems.
Finally, sensitive employee data can enable an attacker to extort or embarrass a worker, potentially causing severe economic, legal, and reputational damage to them and the company. The Sony breach of 2014 is the archetypal example of this: attackers (allegedly working on behalf of North Korea) stole and posted terabytes of data from Sony Pictures. This data included embarrassing and sensitive emails, prompting the co-chairperson to resign.
How employees are targeted
The cybercriminal underground--the deep and dark web--is saturated with employee data. This includes:
Data breaches: Threat actors post or sell breached organizational data on underground forums. These breaches can include sensitive employee information. Even if an organization did not suffer a direct attack, it might still be affected, as its data may have been compromised if a business partner was breached.
Figure 1: An actor shared data from a breached French retailer on an underground forum. This data includes information from 7,883 employees, including names, email addresses, and phone numbers.
Data from ransomware leak sites: Many ransomware groups threaten to publicly release stolen data unless the ransom is paid. This data can include internal files, such as internal communications and payroll information. As with regular data breaches, an organization can be affected by a ransomware leak even if it was not directly targeted.
Figure 2: A ransomware group posted on their dedicated leak site (DLS) that they exfiltrated over 140 GB from their victim. This includes “personal data of employees and clients,” such as passports, contracts, financial documents, and internal correspondence.
Compromised credentials: Threat actors procure corporate usernames and passwords from various sources, including breaches, malware, and social engineering. They can use these credentials to take over an employee account.
Figure 3: An underground actor shared a dump of 119 million LinkedIn usernames and passwords. Many usernames belong to corporate email addresses, and attackers can use the associated passwords to break into corporate accounts.
Employee PII: Threat actors trade personal identity packages, known as fullz, which often include details such as name, address, DOB, and SSN. Sometimes, the fullz include the company names (and even when they don’t, actors can quickly connect individuals to companies through some social media searching).
Figure 4: A threat actor selling fullz on an underground forum. These identity packages include the victims’ SSN, DOB, driver's license, and company.
Doxing: “Doxing”--the deliberate exposure of an adversary’s personal details--is a form of harassment and intimidation that spilled over from the gamer world. Motivated by ideology or a desire for personal revenge, threat actors dox business figures, exposing their details and even their family members' names and contact details.
Figure 5: A dox of Cloudflare's CEO in revenge for removing Kiwi Farms' protection.
Insider threats: Occasionally, underground actors attempt to recruit insiders at organizations for malicious activities. We often see this type of activity in attacks known as SIM swapping, in which a victim’s phone number is ported to the attacker’s SIM card, enabling the attacker to take over accounts connected with the number.
Figure 6: A threat actor posted on a forum that they seek an AT&T insider to “pretend to be a customer” against a single target, presumably for a SIM swap attack.
What HR needs to do
HR’s response to these many threats needs to be twofold.
The first step is to monitor. Human resources and internal security teams must consume threat intelligence to understand how attackers threaten their employees. This includes checking underground channels for employee credentials and data. They must note threats against their executives and be aware of any malicious insiders.
Next, they must implement processes to mitigate risk and to prevent, detect, respond to, and recover from attacks. This is critical; threat intelligence is only as valuable as the organization's willingness to act on it. If the CTI team is too isolated or not influential enough within the company hierarchy, its reports will go nowhere. Likewise, the fanciest endpoint protection will be useless if employees fail to recognize or report social engineering attempts.
Companies must therefore be equipped to deal with these threats and to discover new ones. They must internalize that solutions to cyberthreats are not just technological. They also include people and processes. The human resources department must take the lead in implementation to keep the organization's employees secure.
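The monitoring step above, checking underground channels for employee credentials, and the follow-on response can be wired together as a small triage routine. The following is an added example, not code from the original article or from Cybersixgill: it takes a constructed credential dump, keeps only accounts under assumed corporate domains, records a truncated hash instead of the plaintext password, flags watchlisted executives, and escalates passwords reused across several corporate accounts.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample of a credential dump as it might be posted on a forum.
# All entries are synthetic; lines 1, 2, 4 and 6 belong to the monitored
# company (line 4 is a duplicate of line 1), line 5 is deliberately malformed.
SAMPLE_DUMP = """\
alice@example-corp.com:Summer2023!
bob@mail.example-corp.com:Summer2023!
carol@unrelated.org:hunter2
alice@example-corp.com:Summer2023!
this line is garbage
ceo@example-corp.com;Welcome1
"""

CORP_DOMAINS = {"example-corp.com"}        # assumed monitored domains
EXEC_WATCHLIST = {"ceo@example-corp.com"}  # assumed executive watchlist
LINE_RE = re.compile(r"^\s*([^\s:;]+@[^\s:;]+)\s*[:;]\s*(\S.*?)\s*$")

def is_corporate(email):
    """True when the address is under a monitored domain or one of its subdomains."""
    domain = email.rsplit("@", 1)[1].lower()
    return any(domain == d or domain.endswith("." + d) for d in CORP_DOMAINS)

def fingerprint(password):
    # Keep only a truncated hash so reuse can be correlated without storing plaintext.
    return hashlib.sha256(password.encode()).hexdigest()[:12]

def triage_dump(text):
    """Return deduplicated alerts for corporate accounts found in a dump."""
    seen, by_fp, alerts = set(), defaultdict(set), []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than aborting the run
        email, fp = m.group(1).lower(), fingerprint(m.group(2))
        if not is_corporate(email) or (email, fp) in seen:
            continue
        seen.add((email, fp))
        by_fp[fp].add(email)
        alerts.append({"account": email, "fingerprint": fp,
                       "priority": "high" if email in EXEC_WATCHLIST else "normal",
                       "action": "force reset, revoke sessions, check MFA"})
    for a in alerts:  # the same password on several accounts suggests reuse
        if len(by_fp[a["fingerprint"]]) > 1:
            a["action"] += "; password reused across accounts"
    return alerts
```

Feeding the alerts into a ticketing or identity system closes the loop from intelligence to response, which is the point the second step makes.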
Cybersixgill automatically aggregates data leaks and alerts customers in real time.