Open up any news feed on the security industry and you’ll read stories on attacks that started with the end user of the affected company. Whether it’s phishing schemes, social engineering or drive-by downloads, there’s no shortage of ways for attackers to compromise the least patchable resource in a company: its employees.

When I first read the article on ransomware in the 3Q 2015 edition of the “IBM X-Force Threat Intelligence Quarterly,” I thought of different ways endpoint protection products could guard against ransomware attacks. Then I remembered an incident from a couple of years ago when a family member called me in a panic because an FBI warning had suddenly popped up on the computer. Anyone who works with computers, especially in the security industry, knows how those phone conversations go:

Friend: The FBI says I did something illegal but I didn’t do anything! Can you fix it?

Me: Well, did you?

Friend, aghast: No! Of course not! But now I can’t even find the right cat reaction GIF to post to complain about it.

Me, sighing: OK, what was the last website you visited or thing you downloaded?

Friend: Uh, I can’t remember.

Me: Mmhmm. What was it?

Friend: *Lists some egregious thing I’ve told them never, ever to do for just this reason.*

I don’t want to malign my friends or family, but I am frequently reminded of what it was like to parent toddlers when I’m in the middle of this conversation. Let’s take that approach to user education since users, like toddlers, can be quite willful when it comes to what they want.

Don’t Stick Your Fingers in There

Gone are the days when sites hosting malware were obvious. When so many content application vulnerabilities, drive-by downloads and malicious packages can be delivered without major warning flags to users, vigilance on the sites your users are visiting is imperative. Common sense is often touted as a necessary tool, but we in the security industry have seen varying degrees of success in its application. To spell it out a bit more, remind your users to look for these warning signs:

  • Does the site look weird? Is the color off? Is the logo grainy or distorted? These are signs of a malicious site posing as a legitimate one.
  • Did you click through the link from an email or a social media site? Click-bait headlines are still all the rage, but it’s always better to type in the URL in the browser instead of clicking through the link as presented just to make sure you’re going to a legitimate site.
  • Is a site you’ve visited in the past now asking for personal information it didn’t before? This could mean that you’re visiting a fake version of a legitimate site, particularly if you clicked through a link from email or social media.
  • For secure sites, is HTTPS shown in the address bar? Most browsers also display a lock icon in or near the address bar to indicate the connection is encrypted, but users should click the lock icon to make sure the certificate was issued to the site they expect to be visiting.

Don’t Talk to Strangers

Hopefully your users are not in the habit of opening emails from unknown senders and blindly clicking through links. Where it gets tricky is when a known sender is spoofed in email or social media, lulling users into a sense of safety. Odd behavior from known users can be another warning of stranger danger: Is someone who doesn’t normally request wire transfers in the company now requesting them? Encourage users to validate these appeals in a channel other than the one the request was made in: use texting or instant messaging, a phone call or a visit to the office in person to validate instead of just hitting reply on that email.

Referring back to websites that look weird, there are ways to check their legitimacy that require varying levels of user involvement. For less proactive users, IT admins can leverage tools like built-in browser safety measures. Popular browsers have built-in browsing protection that will notify users of suspicious sites, particularly on items like self-signed, untrusted or mismatched SSL/TLS certificates. Safe browsing software can blacklist entire classifications of sites or give a rating on a site’s safety based on a variety of scoring systems to draw user attention to a potential issue before clicking.

Proactive users can take the reins and do their own research on a threat intelligence platform like IBM X-Force Exchange, where they can check the rating of URLs or Web applications that seem suspicious. X-Force Exchange has a database of over 25 billion URLs and images to search against and conveniently presents scores with color-coded risk ratings. Even young children can learn red means stop and green means go!

Make Routine Your Friend

Parenting strategies can vary here, so I’m going to sidestep the potential mommy-blog landmine and recommend that consistency across workstations and user behavior will be your friend. It’s much easier to achieve consistency across workstations in terms of setup and patching with endpoint compliance solutions, but enforcing consistent user behavior is a tougher nut to crack.

One of my teachers was famous for not allowing gum in the classroom unless you brought enough for the entire class. In an age of bring-your-own-device (BYOD) and the disappearing perimeter, now it seems one user can bring gum, another a lollipop and 10 more have a straight-up suitcase full of sugar. Where IT admins can help control the proliferation of these treats is enforcing connection rules to corporate networks. Requiring users to have a base level of enterprise-mandated endpoint protection installed on any device connecting to the corporate network ensures you don’t end up with metaphorical gum in your hair.

Outlet Safety Covers for the Internet

Running an IT organization is a bit like parenting. You can set up guidelines and instructions, but at the end of the day, you have to send your users out into the world and hope they make good choices. Infections like ransomware or the common cold might happen regardless. If you need help boosting your own user education or recovering from an infection, check with a managed security services provider for their expertise, or explore some of IBM’s other work on the issue.
