The role of help desks continues to expand, and now that hackers see help desks as potential weak links, companies need to improve their cybersecurity capabilities.
Help desk attacks tactics have allowed attackers to gain access to targeted organizations' systems by enrolling their own multi-factor authentication (MFA) devices.
In these attacks, the threat actors use a local area code to call organizations pretending to be employees in the financial department and provide stolen ID verification details, including corporate ID and social security numbers.
Using this sensitive information and claiming their smartphone is broken, they convince the IT helpdesk to enroll a new device in MFA under the attacker's control.
This gives them access to corporate resources and allows them to redirect bank transactions in business email compromise attacks.
Clients, customers, and colleagues typically prefer speaking with someone who empathizes with their situation and possesses strong problem-solving skills.
On the other hand, studies indicate that over 95% of all security breaches can be traced back to that same real person making a mistake or being involved in an insider attack. Furthermore, an IBM study estimated it took organizations an average of 277 days to identify and contain a data breach.
If you are looking for ways to involve your IT help desk teams in the broader identity security program, it often starts with a clear outline of responsibilities.
Key ways to enhance user verification processes:
Empower Helpdesk Personnel with Identity Data: Provide help desk personnel with the context and information they need to verify the identity of individuals calling in to reset credentials.
Challenge the User: Implement challenge questions, require managerial approval, or send one-off push notifications.
Track Reset Activities: Analyze known accessed applications and monitor activities following a reset. Track the history of reset factors and the use of bypass codes to detect suspicious reset behavior.
Achieving these objectives hinges on providing IT help desk teams with better access to identity data, enabling them to make informed decisions, and reduce security weaknesses in the reset process.
Security Operation Centers can provide 24x7x365 monitoring to look for abnormal user behaviors. Cybersecurity experts can program alerts to identify even minor changes to the way a legitimate employee’s profile is typical used. This is an invaluable threat hunting tactic, crucial for safeguarding against evolving cybersecurity risks.
Help desks are an obvious line of vulnerability from a hacker's point of view. It's important to protect them with the same focus and layers of protection you would apply to any other threat surface in the enterprise.
Recommendations:
Require callbacks to verify employees requesting password resets and new MFA devices.
Monitor for suspicious ACH changes.
Revalidate all users with access to payer websites.
Consider in-person requests for sensitive matters.
Require supervisors to verify requests.
Train help desk staff to identify and report social engineering techniques and verify callers' identities.
Implement 24x7x365 monitoring of your systems.
References:
BleepingComputer.com. (2024, April 6). US Health Dept warns hospitals of hackers targeting IT Help desks. https://www.bleepingcomputer.com/news/security/us-health-dept-warns-hospitals-of-hackers-targeting-it-help-desks
How can CyberForce|Q services help you address this risk?
Incident Response is a time-based situation and CyberForce|Q can assist with a potential incident in your environment. Our experienced Incident Response Team can be deployed 24x7x365 – reach out to solutions@cyberforceq.com.
Learn more about CyberForce|Q.