Interview: How Home Is The New BEC Battleground
High profile targets in organisations are now faced with a new battle arena: the home. We talked to the founder of BlackCloak on combating cyberattacks that use professionals’ homes as an attack vector.
As the lines between the home and work sphere grow blurrier and blurrier, security networks become more porous and new attack vectors spring up. It’s not good enough anymore for companies to only consider the traditional network perimeter when it comes to devising their cybersecurity strategy—they need to think of the extended network of their personnel. This is especially true of high-ranking targets in a company—i.e., your C-suite members, directors, and high-flying personnel.
BlackCloak offers a cohesive and comprehensive concierge cybersecurity solution that delivers advanced cybersecurity protection to executive members in their personal lives. This minimizes the attack surface area threat actors can use to attack the companies those executives work for.
We spoke to CEO and founder of BlackCloak, Chris Pierson about how executives are being targeted in their personal sphere and how attackers use the information they find to go after their real targets: the companies these executives work for.
Chris has over 22 years of experience in the cybersecurity industry. He served for over a decade as a special government employee for the Department of Homeland Security’s Privacy Committee and Cybersecurity Committee, was the chief privacy officer for the Royal Bank of Scotland, chief information security officer for two different Fintech corporations, and served as president of the FBI’s Arizona InfraGard. Chris began his career as a corporate attorney for a national law firm, where he established its cybersecurity practice. Now, he can add founder and CEO to the list.
Can you give us an overview of BlackCloak’s executive protection solution and who your typical customers are?
BlackCloak provides digital executive protection to companies and corporations—these could be companies with ten people in their executive team, 20, 50, even 100 different high-profile persons that exist within that leadership realm. We provide security to the C suite, the executive leadership team, the senior leadership team, the board of directors, and other key personnel.
It’s not exclusive to just corporate executives, but also key personnel who in their personal lives may be a target of other nation states and/or cybercriminals. An example would be a key personnel member that is responsible for the creation of a laser that’s used in a missile system. That person might not be a named executive of the company, but what they have and what they know in their personal life can be an attack vector into the company.
So, what do we do? At BlackCloak, we’ve created a platform that provides both cybersecurity and privacy protection. And it does this in four ways.
The first way is privacy. We shrink the attack surface for those executives by removing the Data Broker information that’s out there about them. So, that’s their home phone numbers, their home addresses, their personal emails—that’s all of that personal information that could allow an adversary to reach out and touch them either physically or digitally. In addition, we do deep and dark web reconnaissance to find out where their information is and solve the problem for them. We will assist with password resets, dual factor authentication, password vaults, and privacy hardening.
The second aspect of protection is cybersecurity or the device realm. That’s BlackCloak acting as endpoint security on all their devices; their cell phones, tablets, and computers, which we monitor and keep malware off those devices. We also offer botnet and command and control protection and deception technology. Every single one of our endpoints is a deception engine, it’s like a fake computer within a computer. If the endpoint becomes compromised, the attacker is going to migrate towards the fake computer because it’s attractive. Then we just sit back and watch and monitor what they do and how they act in that environment, and ensure the main asset is protected and safe.
Third, the home. It’s basically ensuring that the home cannot be remotely hacked. Many of these executives have smart homes with things like Crestron, Savant, Lutron systems which are all great products, but they’re often not secured properly by the home AV installers. What we do is we try to expose those weaknesses for the user’s home equipment, cameras, IoT devices, and networking gear. We do that every single week.
And finally, the concierge feature—that’s the peace of mind. Anything that is cybersecurity and privacy related, we provide advice, guidance, and help. For instance, it could be phishing emails that they receive. We will go ahead and tell them whether it’s safe to click or not click based on our team’s analysis of those links and the payloads that are attached to those documents.
As the world continues to embrace hybrid working, there’s often a lot of overlap between the business and personal sphere. Can you tell us more about how attackers are exploiting this to attack businesses, and how these lateral attacks operate?
The home is definitely the new battleground. It’s almost like the soft underbelly of corporate security. So, while the CISO is focused on the four walls of a company 24/7, it’s actually the home which is becoming the new office—especially in the post COVID world. As a result of this shift, we’re facing different attacks. If there’s weaknesses in the home network, it means every single device within that home network is discoverable, including any work devices that have been brought home. You see it a lot with corporate executives because their work and personal lives are so heavily intertwined, as are their emails, and devices and so on.
And the thing is, once things are outside of the corporate realm it’s very, very hard to keep control and monitor and protect them. More often than not, we’ll see instances where cyber criminals have targeted corporate executives or other high-profile individuals within those companies through their personal email because they can also monitor what’s going on in a company through that and see everything that has been sent or sent to that account, documents, files, and anything else that might be sensitive.
And finally, we see a lot of instances of people using weak or insecure passwords, password reuse, or users adding an extra character or an exclamation mark at the end of an old password. And they’ll use the same or basically the same password for both their work and personal life. It creates an imbalance and serves as a huge attack vector.
As those two worlds continue to combine and continue to get conflated together, we will only see that attack surface grow, with lateral attacks moving from personal to corporate accounts, by accessing corporate information from a personal account or harvesting credentials stored in the personal account. For attackers, it just makes those things much easier.
How does BlackCloak’s Concierge Platform help companies mitigate these kinds of attacks?
We do so in a few different ways. Number one is shrinking the attack surface. So, obviously if you can’t see something, it makes it harder to actually hit that target. If you can’t find your target’s personal email or their personal cell phone number, it makes it harder to attack them via their personal life. Which, in turn, makes it harder to get into their corporate life as well.
So, the first thing is removing that information. Once that’s done, it makes them a harder target overall; you’re not able to do a SIM swap, you’re not able to send a phishing email to their personal account, you can’t call them, and you can’t go ahead and send them over something into their personal account or target a personal account to swindle someone in the inside of the company using that personal email.
The second thing is that, in terms of devices, when BlackCloak onboards executives, we’ve been finding that roughly one in four will already have malware on their devices that they don’t even know about. This malware on a personal device just creates an attack surface that is much wider. So, we work on making sure all of these devices are protected, monitored, and malware free.
And third, it’s making sure that the home environment can’t be breached and is secure from the get-go. Really, it’s all of these three things together that prevent threats in the personal sphere. If that’s prevented in the personal sphere, then it can’t move laterally over to the corporate sphere.
What would your advice be to organizations who are struggling particularly with business email compromise and other such targeted attacks against their executives?
Business email compromise is an interesting one. The fact of the matter is that BEC attacks can happen when internal emails are taken over and an internal email server has a weakness and some type of control weakness. But more often than not, it’s a compromise of a personal account, or the use of a lookalike account. If it’s a compromise of a personal account, for the CFO or the CEO or general counsel or someone of high stature, those attacks can be prevented. But they can only be prevented by hiring an external third party to go ahead and protect that personal life for privacy and legal reasons. Church and State must be separated, the personal life must be separated in the work from the work environment.
But if you’re able to secure that personal account, it doesn’t become a vehicle for BEC attacks. So, for example, personal Gmail addresses. It’s making sure that the executive’s personal Gmail address is secure; it has dual authentication on, it has no mysterious logins attached to it—this is all going to be critical to making sure that that email is not used to level an attack against another person at the company on the inside. That’s where you stop compromising attacks.
Lastly, there’s the education and training side of things. Say in instances of gift card scams where requests to purchase gift cards are made. That stops that attack because the personal email address is no longer being used to form that attack—educating on what is an email-borne attack and what isn’t, or when it comes to lookalike attacks. It’s hardening the human security solution. So, to harden the human, you have to make sure that you communicate effectively and continuously with the employees at your company on these attacks, what they are, how likely they are to happen, and make sure that they have the right resources to be able to spot and identify these and then seek remediation and report it.