Trick or Treat – Don’t Get Tricked by Bad Actors

It is Halloween time and October is Cybersecurity Awareness Month. This time of year gets me thinking about the things that go bump in the dark (intentionally a bit dramatic – cue creaking sounds), reaching out from the dark places on the web and straight into computer systems. This results in business losses that can include a decline in productivity, stolen intellectual property, ransomware, fraud, and the harvesting of employees’ user credentials. I also got to thinking, “How do these things happen?” which led to the natural conclusion about how much of this is actually preventable with little to no cost for organizations. I am going to ask ahead of time that you excuse the cheesy Halloween theme for this blog – I can’t help myself, I just love this time of year.

Let’s start with the same warnings we might give our children (in a COVID-free world) if they were going to go trick or treating. Those warnings would include being leery of strangers, not eating any candy until we inspect it, and following strict boundaries for going house to house gathering Halloween goodies. We also teach them to have fun by offering the residents whose homes they go to for their Halloween loot a simple choice – “Trick or Treat!” By the smiles on children’s faces when this phrase is uttered, they are clearly hoping for the treat. This is analogous to employees going out into the internet neighborhood to conduct daily business. Our users might find the internet is full of wonders and equally full of horrors depending on where employees go and what employees do while they are online.

We provide employees cybersecurity awareness training, or at least we should, and most training does adequately address how to recognize preventable attack vectors. However, using our trick or treat analogy, we don’t adequately teach them how to recognize when houses have turned bad, such as when our supply chain might be compromised. The rate of certain types of attacks also indicates that we don’t adequately teach employees how to inspect their candy before they open it – in other words, how to recognize counterfeit websites that look like legitimate sites but are different enough to be easily recognized.

This is not because our platforms for training are inadequate, but rather because the bad actors are so good at what they do that we have a hard time keeping up with what a legitimate site or message is supposed to look like when compared to what is being presented to our employees. Using my “Trick or Treat” analogy, as our employees go out into our internet neighborhood, the bad actor is in their home offering only one response as people come to their proverbial door – “Trick!” One of the most common of these tricks is to get employees to freely provide their credentials for one nefarious purpose or another.

Therefore, it is incumbent on us as network defenders to protect our employees from the tricks used by bad actors to gain access to the business systems we are charged with defending. Given the most common attack vectors used to steal employee user credentials, we can have a bit of fun here to outline easily employable defenses that will be effective long past Halloween to protect our systems.

1. Invasion of the Identity Snatchers

Let’s start by assuming there are already people worming about our networks with stolen user credentials. It will be hard to detect these user account activities given that the user’s account is a valid enterprise object, and until some kind of indicator of compromise occurs, we may not find out which user objects are being used by real users and which ones have been co-opted by bad actors. Implementation of MFA on cloud services and remote connections, coupled with an enterprise-wide password reset, could go a long way toward preventing any future use of stolen credentials.

Additionally, MFA is offered at no additional cost by many remote access solutions and cloud services. Soft tokens are easy to come by and can be downloaded to employees’ smart phones. It is actually simple for employees to conduct self-service MFA set-up, and it does not cost much if anything to make the shift to requiring MFA be used on the cloud tenant and remote access appliances. Check to see if your appliances and services offer MFA.
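The soft tokens mentioned above are normally time-based one-time password (TOTP) apps: the phone and the service share a secret, and both derive the same six-digit code from that secret and the current 30-second time slot, so a stolen password alone is not enough to log in. The following is an added example, not code from this post or from any MFA product, showing that derivation in Python using only the standard library; the base32 secret and timestamps are the published RFC 6238 test values, and the one-step clock-drift window in `verify_totp` is a common but assumed setting.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30   # TOTP time slot length (RFC 6238 default)
DIGITS = 6          # code length shown by most authenticator apps


def totp_code(secret_b32: str, unix_time: int) -> str:
    """Derive the TOTP code for a base32 shared secret at a given Unix time."""
    # Pad the base32 string so it decodes even if the service strips '='.
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = unix_time // STEP_SECONDS          # which 30-second slot we are in
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def verify_totp(secret_b32: str, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Server-side check: accept the code for the current slot or one slot either
    side (assumed drift window), using a constant-time comparison."""
    for drift in range(-window, window + 1):
        candidate = totp_code(secret_b32, unix_time + drift * STEP_SECONDS)
        if hmac.compare_digest(candidate, submitted):
            return True
    return False


if __name__ == "__main__":
    # RFC 6238 test secret (ASCII "12345678901234567890" in base32).
    demo_secret = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    now = int(time.time())
    print("code for this slot:", totp_code(demo_secret, now))
    print("verifies:", verify_totp(demo_secret, totp_code(demo_secret, now), now))
```

The point for a defender is that the code is never transmitted in advance and expires with the time slot, which is why harvested credentials from a phishing page lose most of their value once MFA is required on the cloud tenant and remote access appliances.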

2. The Upside-Down Domain

A common method used to steal employee user credentials is to phish employees by redirecting them to fake sites that mimic DocuSign and Microsoft 365. Once on the site, employees are asked to input their credentials before they will be allowed to view a given attachment or a file associated with a link. While these fake sites can look like the real thing, there are telltale signs that they are not the sites they claim to be: the URL (the web address) is usually noticeably different from that of the legitimate site.
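The "noticeably different URL" check described above can be automated on the defender's side, for example as part of email-link triage. The following is an added example and not code from this post: a small Python classifier that treats a link as legitimate only if its host is an allowlisted domain or a true subdomain of one, and flags hosts that merely borrow a brand name (in a subdomain, after the real domain, or with digit-for-letter swaps) or that hide the real host behind a `user@` prefix. The allowlist, the confusable-character table and all sample URLs are constructed for this example.

```python
from urllib.parse import urlsplit

# Constructed allowlist: registrable domains of the services named in the post.
# Assumption: extend this with the services your organisation actually uses.
LEGITIMATE_DOMAINS = ("docusign.com", "docusign.net", "microsoft.com",
                      "microsoftonline.com", "office.com")

# Brand words a counterfeit host usually keeps so the link looks familiar.
BRAND_WORDS = tuple(d.split(".")[0] for d in LEGITIMATE_DOMAINS)

# Substitutions commonly seen in lookalike hostnames (constructed list).
CONFUSABLES = (("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("rn", "m"), ("vv", "w"))


def normalize_host(host: str) -> str:
    """Lower-case the host and undo common confusable substitutions."""
    host = host.lower().rstrip(".")
    for fake, real in CONFUSABLES:
        host = host.replace(fake, real)
    return host


def classify_url(url: str) -> tuple:
    """Return (verdict, detail) for a link.

    verdict is one of:
      'legitimate' - host is an allowlisted domain or a subdomain of one
      'lookalike'  - host imitates an allowlisted brand but is not one
      'unknown'    - host is unrelated to the allowlist (not proof of safety)
    """
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return "unknown", "no hostname in URL"

    # 'trusted-name@real-host' puts a familiar name before the host that is
    # actually contacted; browsers discard the prefix, readers often do not.
    if parts.username is not None:
        return "lookalike", "credentials before real host " + host

    # Exact match or true subdomain of an allowlisted domain.
    for domain in LEGITIMATE_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return "legitimate", domain

    # A brand name anywhere else in the host (raw, or after undoing confusable
    # substitutions) means the host is borrowing a name it does not own.
    for candidate in (host, normalize_host(host)):
        for brand in BRAND_WORDS:
            if brand in candidate:
                return "lookalike", "'" + brand + "' in host " + host

    return "unknown", host


if __name__ == "__main__":
    for sample in ("https://app.docusign.com/documents/123",
                   "https://docusign.com.secure-view-example.net/",
                   "https://rnicrosoft.com/login",
                   "https://microsoft.com@198.51.100.7/",
                   "https://example.org/page"):
        print(classify_url(sample))
```

The brand-substring test is deliberately noisy: it is meant to rank links for a human to look at, not to block them outright, and an "unknown" verdict says only that the host is unrelated to the allowlist, not that it is safe.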

What is truly scary is when the victim of a phishing attempt is receiving the malicious email from a vendor in the company’s supply chain. This means a bad actor is using a vendor’s email system to correspond with employees, exploiting existing trusted communications to solicit the victim to take action on financial transactions or to give up credentials as part of a change to some routine process. The best way to defend against supply chain compromises is to teach employees to verify before trusting. Any change to any process or financial transaction should require voice verification using a known-good number already on file – for example, one from an older invoice or an existing contract.

3. Stranger Danger!

Lastly, it goes without saying, we need to ramp up our cybersecurity awareness training. It cannot be stressed enough that employees need to know how to report cyber incidents, which should include suspicious emails, phone calls, and SMS texts, to security professionals who can use the information to defend the rest of the enterprise.

In closing, it is important for network defenders to continuously be engaged with an organization’s employees and remind them that they are the first and last line of defense against cyber threats. Remember, teaching a little constructive skepticism goes a long way toward experiencing treats without all the tricks. Enjoy a safe and happy Halloween.


Jake Margolis, Chief Information Security Officer, Metropolitan Water District of Southern California

Jake Margolis is the Chief Information Security Officer for the Metropolitan Water District of Southern California (MWD). MWD provides water to over 19 million people in Southern California through 26 member agencies. Jake holds a Master’...