The Weakest Link
This post will be a bit different today, as we’ll explore some of my blue team experience in conjunction with offensive studies, focusing on the human factor in cybersecurity. To provide context, I have worked directly on the blue side for about 2.5 years as of writing this article. My experience on the defensive side has significantly altered my understanding of how real compromises begin, which we will delve into in this article.
The human factor:
I will argue to my last breath that the human factor will always be the weakest link in any field of security. As human beings, we have tendencies and traits that can be exploited. Think of these as permanent, unpatched vulnerabilities.
Adversaries are very much aware of these factors and will often exploit the human element when the machine side is hardened to a point where the effort required outweighs the potential profit.
Looking into this a bit further, let’s discuss some of these human factors:
- Laziness: Choosing weak passwords, leaving default passwords in place, and failing to apply patches when needed.
- Complacency: Believing that "That would never happen to me."
- Ignorance: A general lack of knowledge about the risks in the cyber realm.
- Ego: Overconfidence and the desire to prove oneself by any means, disregarding the associated risks.
- Desperation: Individuals in less stable financial situations may be more susceptible to being exploited or engaging in malicious activities.
This post is not intended to slander individuals with specific tendencies but to make readers aware of these factors. Understanding them helps in grasping how attackers think and what they are likely to exploit.
The solution is simple in theory but nearly impossible in practice:
"Knowing your people and proactively addressing potential issues."
Some ideas to address this could be:
- Laziness: Regularly audit your security measures and ensure patches are up to date.
- Complacency: Conduct internal training and simulations to identify and address areas of complacency.
- Ignorance: Provide information to individuals to raise awareness of cyber risks.
- Ego: Have honest conversations to address risks and make individuals aware of who they are trying to impress or "prove" themselves to.
- Desperation: Create a safe space for individuals to discuss challenging situations, ensuring they don’t inadvertently expose themselves to malicious parties.
Reading the above, the solutions might seem straightforward, but that simplicity is deceptive. People rarely admit their own risks openly, so these risks often remain unknown until an incident occurs. Even after an incident, individuals may be resistant to feedback, which makes the real challenge even harder.
The best advice for managing these risks is to understand how to communicate effectively with your team. Not everyone can be handled in the same way.
Bonus topic: MFA
While discussing the human factor, I want to address a common misconception about Multi-Factor Authentication (MFA). I often hear claims that enabling MFA makes phishing obsolete and prevents various threats.
Let me rip off the band-aid: MFA is not bulletproof. It primarily protects against brute-forcing and credential stuffing attacks, where the attacker has (or guesses) a password but nothing else. In today's environment, MFA can be bypassed through session stealing, which is a key focus of modern phishing attacks. The second factor is checked once, at login; what the attacker takes is the session cookie issued after that check succeeded, and the application will not ask for a factor again while that session is valid.
A great resource to explain how this is possible is Kuba's Evilginx tool.
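Because the stolen artifact is a post-MFA session rather than a password, the useful defensive signal is the session being used from a client that is not the one that passed MFA. The following is an added example, not code from the original post and not part of Evilginx: it parses a small constructed auth log (the log format, field names and the sample values are assumptions for illustration), records the client context at the moment a session passes MFA, and raises one finding per session whenever a later request on that session arrives from a different IP address or user agent.

```python
import re
from dataclasses import dataclass

# Assumed log format (constructed for this example; real auth logs differ):
#   <timestamp> event=<login|request> user=<name> session=<id> ip=<addr> ua="<agent>" [mfa=passed]
LOG_LINE = re.compile(
    r'^(?P<ts>\S+) event=(?P<event>\w+) user=(?P<user>\S+) '
    r'session=(?P<session>\S+) ip=(?P<ip>\S+) ua="(?P<ua>[^"]*)"'
    r'(?: mfa=(?P<mfa>\w+))?$'
)

# Constructed sample log: alice completes MFA from one client, then the same
# session id is used from a different IP and user agent a few minutes later.
# bob's session stays on the client that authenticated and should not alert.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z event=login user=alice session=s1 ip=203.0.113.10 ua="Firefox/125 Win" mfa=passed
2024-05-01T09:02:13Z event=request user=alice session=s1 ip=203.0.113.10 ua="Firefox/125 Win"
2024-05-01T09:05:40Z event=request user=alice session=s1 ip=198.51.100.77 ua="Chrome/124 Linux"
2024-05-01T09:06:02Z event=request user=alice session=s1 ip=198.51.100.77 ua="Chrome/124 Linux"
2024-05-01T09:10:00Z event=login user=bob session=s2 ip=192.0.2.5 ua="Safari/17 Mac" mfa=passed
2024-05-01T09:11:30Z event=request user=bob session=s2 ip=192.0.2.5 ua="Safari/17 Mac"
"""


@dataclass
class Finding:
    session: str
    user: str
    first_seen_ts: str          # timestamp of the first request from the foreign client
    changed: tuple[str, ...]    # which client attributes differ from the MFA login
    baseline: dict              # client context recorded when MFA passed
    observed: dict              # client context of the suspicious request


def parse_log(text: str) -> list[dict]:
    """Parse the assumed key=value log format into one dict per event."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LOG_LINE.match(line)
        if m is None:
            raise ValueError(f"unparseable log line: {line!r}")
        events.append(m.groupdict())
    return events


def find_session_hijacks(events: list[dict]) -> list[Finding]:
    """Return one finding per session whose token is later used from a
    client context different from the one that completed MFA."""
    baseline: dict[str, dict] = {}   # session id -> {"ip": ..., "ua": ...}
    findings: dict[str, Finding] = {}  # one alert per session keeps noise down
    for ev in events:
        sid = ev["session"]
        if ev["event"] == "login" and ev["mfa"] == "passed":
            # The client that passed MFA is the only one this session is expected on.
            baseline[sid] = {"ip": ev["ip"], "ua": ev["ua"]}
            continue
        # Requests on sessions we never saw authenticate are ignored here;
        # a real pipeline would treat those as a separate finding.
        if ev["event"] != "request" or sid not in baseline or sid in findings:
            continue
        changed = tuple(k for k in ("ip", "ua") if ev[k] != baseline[sid][k])
        if changed:
            findings[sid] = Finding(
                session=sid,
                user=ev["user"],
                first_seen_ts=ev["ts"],
                changed=changed,
                baseline=baseline[sid],
                observed={"ip": ev["ip"], "ua": ev["ua"]},
            )
    return list(findings.values())


if __name__ == "__main__":
    for f in find_session_hijacks(parse_log(SAMPLE_LOG)):
        print(f"{f.user} session {f.session}: {', '.join(f.changed)} changed at "
              f"{f.first_seen_ts} ({f.baseline} -> {f.observed})")
```

The finding reports which attributes changed rather than a bare yes/no, because an IP change on its own is common for legitimate users on mobile networks or VPNs, while a user agent change inside one session is much harder to explain benignly; an analyst can weight the two differently when tuning the rule.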
Summary:
Adversaries today are well aware of the human factor in cyber risks, and we must recognize how certain behaviors pose risks to organizations as a whole.
We also discussed MFA, including the risks it effectively mitigates and its limitations, particularly how it does not fully prevent phishing-style attacks.