
“Thinking Like a Cybercriminal”: Maor Shares the Keys to Cybersecurity Success

People who work in cybersecurity cannot just be good defenders; they also have to put themselves in attackers’ shoes, according to Etay Maor.

“I found out we have really, really good defenders, people who really know how to work with the tools that they’re given, but they don’t think like attackers,” said Maor, the senior director of security strategy at Cato Networks and adjunct professor at Boston College. “They don’t think [about] how an attacker is going to approach certain problems.” 

In a lecture titled “Thinking Like a Cybercriminal,” hosted by Information Technology Services and the Woods College of Advancing Studies on Tuesday, Maor shared techniques and tools that hackers use, as well as the scope of their attacks. 

“When you have a breach it’s a complete and utter destruction of all the security policies, procedures, and systems that you have in place,” Maor said.

Through ransomware case studies and examples, Maor demonstrated how hackers utilize publicly available information to target certain people and companies. Open-source intelligence (OSINT) data can be gathered through search engines like Google, Shodan, Censys, and Pastebin. It can then be used to help fabricate enticing phishing scams personalized to specific targets, Maor said.

Maor emphasized how easy it is to access people’s personal information. In a class he teaches, he asked students to try to gather personal information on a company’s employees, and he said they were surprised at how easy it was.

“People like to share information,” Maor said. “So this group [of students] mapped out the entire management of this company: names, spouses, children, car registration, voting, where they live, home WiFi networks, you can find that out if you really want to as well.”

Maor also warned people at the event about the dangers of hackers gathering personal information on social media, especially if they have a public account.

“I’m not saying don’t use social media, but think about who you’re approving [to follow you], and think about what could be done with that information,” Maor said.

Anyone can be the target of these cybercriminals, as they tend to target ordinary people, according to Maor.

“I keep telling this to organizations, again, why would I, as an attacker, go up against the multimillion dollar security solution when I can go up against Jack from accounting?” Maor said. 

Scams get more complicated once AI is involved, as AI image generation renders reverse image searching virtually useless, Maor said. So, scammers can create fake accounts that appear real, leading people to believe they are talking to a real person rather than a bot, he said.

“All of these [profile pictures] are AI generated, none of these people exist,” Maor said.

Wrapping up his lecture, Maor explained how hackers can attack and misuse AI by using “feedback poisoning,” or poisoning the data that the AI is trained on by feeding it incorrect information. 

“These [scams] are happening and are a very good way to attack,” Maor said. “And what makes things even more complicated is when you involve AI.”

October 22, 2023