Think your attack surface is too large? You don’t know the half of it

Purchase a cheap card swipe cloner off the Dark Web. Distract a hotel housekeeper for a moment and clone their master key.

Use your mark’s email address to access a login page. Choose to reset the password and have the code sent to the mark’s phone. Check their voicemail using the default last four digits of the number as the PIN.

Watch someone accessing their bank info or email account on their laptop in an airport lounge. They log off to get a drink but leave the laptop open. Quickly reset their password, sending the code to their phone which they conveniently left by their computer. Read the code off the phone screen without even unlocking the phone.

Or perhaps the easiest of all: wait for your victim to step away from their unlocked workstation and quickly copy down their plaintext passwords from their password manager app.

There are multiple takeaways from the examples above. First, attack surfaces continue to expand dramatically. The number and variety of endpoints are limited only by the imagination of the cybercriminal. 

Second, none of these attacks requires much technical sophistication. Even the Dark Web might be optional. Simply google for a variety of tools to accomplish the malicious goal.

But perhaps most importantly: no amount of expensive cybersecurity gear will keep someone from typing in their password in view of prying eyes, losing sight of their RFID badge for a moment, or unlocking their phone in the presence of a threat actor. In recent years, researchers have reported that 73% of mobile device users have (deliberately or accidentally) observed someone else’s PIN being entered.

Multifactor authentication and employee training help, but given time and opportunity, even less-experienced attackers can break into poorly secured accounts.

We call this a basic type of social engineering attack shoulder surfing. 

The simplest examples indeed involve looking over someone’s shoulder. The problem with shoulder surfing attacks is that there is no way to prevent all of them. Some of them are bound to succeed. 

As with the more widely known phishing attacks, all it takes is one vulnerable individual to break into an account—or into an entire organization.

Shoulder surfing mitigation: start with good cyber hygiene

Prevention will never stop all attacks, but an ounce of cyber hygiene still goes a long way. MFA is a must-have. Employee training should also include shoulder surfing awareness. 

You already have some form of social engineering mitigation (or if you don’t, then you should!). Shoulder surfing is technically a form of social engineering, but it differs from the more familiar approaches insofar as the target is often completely unaware they’re being pwned. 

Social engineering prevention techniques focus on awareness of social interactions and identifying suspicious behaviors. While this is an important piece of the puzzle, some attacks will still go unnoticed, no matter how diligent the victim is. 

Perhaps most important: adopt a zero-trust philosophy across your organization and cybersecurity roadmap. There is no longer any such thing as perimeter security. Do not grant trust without real-time evaluation of whatever network, device, or user account is accessing a resource. Trust, after all, is the most valuable asset an attacker can exploit.

The best solution: real-time detection of suspicious endpoint behavior

Regardless of the attack vector, or even the attacker’s level of stealth, shoulder surfing attacks are the beginning of an attack chain. All attack chains have one thing in common: the attacker wants to do something with their access that a compromised user wouldn’t normally do themselves.

In other words, fighting shoulder surfing and the attacks that it spawns depends upon behavioral analysis. What are the normal user behaviors when someone logs in or otherwise accesses an endpoint? Compare those to the actual behaviors for each attempt. Are they out of the norm?

Such behavioral analysis is a cybersecurity mainstay. When hunting or responding to abnormal behavior in your environment, there are some specific priorities to keep in mind:

• Catching the perpetrators in real time is essential. Once the attacker has uploaded malware to the target system and begun the process of lateral movement, the scope of the attack (and cost of containment and recovery) has expanded. Effective behavioral analysis in real-time provides the opportunity to detect and respond to suspicious actions in seconds, not hours.
• The sorts of behaviors to look for are varied. It might be unfamiliar network traffic, newly installed software, or the plugging in of a new device. Suspicious behavior might also include unusual use of already installed apps or services, including uncommon usage patterns of common administrative tools like PowerShell.
• Something that is supposed to exist might be missing. Real-time awareness of health and configuration issues of critical security and incident response tooling is essential. Prime your environment operational efficacy at any moment by monitoring for disruptions to critical endpoint agents and endpoint detection and response (EDR) products.

Tools like the Tanium platform are adept at addressing all these priorities.

Be proactive

Despite huge investments in cybersecurity protection across the industry, breaches still occur and demand a multilayered approach to visibility, security policy enforcement, detection, and incident response. Security admins can then configure the appropriate endpoint security policies ahead of time, enabling the platform to evaluate behaviors in accordance with policies in real time.

Tanium can quickly assess your environment, and report on endpoint configuration and anomalies, apply configuration policies and automate updates and configuration to ensure that everything is in a ready state for rapid response when necessary. 

While social engineering and other shoulder surfing attacks may bypass much security tooling, the goal is to identify such anomalous use of access rapidly and evict the attacker before they accomplish their goals.

The Intellyx take

Endpoint protection has always been a cat-and-mouse game. The attackers are numerous, persistent, and imaginative.

Given the inexorable pace of technology innovation, with all the devices, applications, and protocols hitting the market every day, there are always new opportunities for hackers to find some new way to achieve their nefarious ends.

Individuals and their organizations must therefore take an active, multilayered approach to protecting themselves. Don’t trust any endpoint. Expect to be breached, nevertheless. And implement a platform like Tanium’s to keep one step ahead of the attackers.