Security Awareness Not a Strategy in Defending Against “Sophisticated” Attacks


Posted on by Ira Winkler

When Twilio announced the recent, successful attack that allowed an attacker to take over employee accounts, I was dismayed. The attack essentially used “smishing” techniques, sending phishing messages through text messages. Twilio’s announcement stated that they worked with the appropriate Internet and telecom providers to shut down the attacker’s infrastructure. They also mentioned they locked the impacted accounts. Both are good and necessary steps. My dismay was not over those actions but with their statement that they will reemphasize their awareness efforts to help stop future attacks.

Awareness-related vendors hopped right on board, portraying the attack as an awareness failing. After all, the attacks involved tricking users into entering their login credentials, including MFA codes, into a fake website. Yet increased awareness training is a specious solution to the problem.

My book, Security Awareness for Dummies, serves as an example that I am a huge proponent of security awareness efforts. Awareness is an incredibly valuable tactic to reduce organizational risk. It is not perfect, but for a phishing message to be successful, the email has to reach the user in the first place, which means that the entire email infrastructure has to fail. No countermeasure is perfect, and while improved awareness is a tactic to implement, it is not a strategy.

To be fair, the Twilio announcement did say that they are also looking into technical countermeasures, which is great. But technical countermeasures are not a supplement to awareness. While the compromises resulted from a takeover of legitimate accounts, awareness does nothing if an employee is malicious, which is not an uncommon occurrence. Organizations must also be looking for those very real possibilities.

Reading the reports of the attack does beg the question of what infrastructure is in place and whether that infrastructure is looking for the inevitability of a malicious actor inside the system (a concept detailed in my RSA Conference 2020 presentation with Tracy Celaya Brown).

In contrast to this attack was a similar one at Cloudflare. Cloudflare’s CSO, Joe Sullivan, shared a post detailing how Cloudflare dealt with what appeared to be the same attack that Twilio experienced. Fundamentally, they describe that employees who fell for the attack did not inevitably have their accounts compromised because hardware security keys were required for login. Their endpoint security prevented downloading of associated malware. They did not need to mention internal detection tools, which you can assume are there but did not become relevant for this attack. In short, their endpoints expected users to fall for phishing attacks.

The response to the Twilio attacks reminded me of two incidents from the summer of 2020. Cloudflare had a major outage that was the result of an engineer making a typo. Someone tweeted that they would hate to be the engineer, but Matthew Prince, Cloudflare’s CEO, replied with the following:

At about the same time, Twitter experienced an incident in which several employees fell for a similar phishing attack that Twilio and Cloudflare experienced. Twitter had a materially identical response to Twilio, focusing on awareness as a solution noting that only a few employees fell for the attack. The key difference among the responses from these three companies is that Cloudflare demonstrated how to implement a systematic strategy of implementing resilience into their environment and had executives publicly taking responsibility for both resilience and security.

There is no such thing as perfect security. The only people who sell or promote perfect security are fools, liars, or both. I don’t expect Twilio, Twitter, or any organization never to be breached. At the same time, while awareness, like all countermeasures, is useful when applied appropriately, as Cloudflare demonstrated, it should be considered a tactic, not a resilience and security strategy. The default response to a successful phishing attack should not be a knee-jerk response of more awareness but a comprehensive review of the whole system.

Contributors
Ira Winkler

Human Security Engineering Consortium, Director

Security Strategy & Architecture

security awareness phishing cyberattacks incident response security architecture

Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment.  Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA® Conference, RSA Security LLC or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.


Share With Your Community