With companies facing potential targeting from criminal, competitor, and politically motivated threat actors, a broad range of attack methods should be expected. One thing common to all these actors is their likely targeting of humans as the weakest link in the organization's security.
Executives with a public profile present an attractive target for adversaries. And in a job role widely acknowledged to leave one short of time, executives are on the front line. Furthermore, executives are perceived by potential adversaries as having access to desirable business information, such as customer data, employee data, and financial data, as well as the ability to move money on behalf of the organization.
For these reasons, executives face a higher risk of being used as an attack vector against the company, particularly those in marketing, human resources, and finance-related roles.
Adversaries can target executives in several ways, the most common being targeted phishing emails, followed by the exploitation of corporate travel and remote working environments. I am not going to discuss phishing but would like to discuss other strategies used by adversaries in targeting executives.
When traveling, executives present a unique opportunity for attackers to obtain business-sensitive information from traditionally well-protected organizations, as the information they seek will be outside the protected perimeter of the organization. Executives will often take sensitive business information with them when they travel, for example on mobile devices used to access confidential business information when they are away.
Adversaries will exploit this to gain access to desirable information by targeting Wi-Fi (such as at an airport lounge or hotel), hotel rooms (including hotel safes), transportation, and meeting locations. It is for this reason that an adversary will seek to identify the travel plans and habits of executives (for example, preferred airlines and hotels) to facilitate targeting in this way.
Similar to the travel targeting strategy, adversaries also target executives working remotely, such as at home or in a café. Specifically, an adversary may seek to focus on an executive's home Wi-Fi. Adversaries don't distinguish between the personal and professional. They know that personal information (for example, personal email, social media, or online subscriptions) can be used to facilitate attacks on an executive's corporate access.
When targeting an executive's home network, an adversary will attempt to access business-sensitive information directly, as well as personal information, including that of other family members. This information can be used to stage further attacks against the executive, leading to business compromise.
To perform these attack strategies, an attacker must undertake a significant volume of research or 'reconnaissance' against their target.
Reconnaissance is undertaken in two ways: online and through physical observation. Physical observation involves observing a target in their daily routine, for example driving to work, after-work social activities, hobbies, and travel. Before surveillance is carried out, however, online observation is undertaken.
Online reconnaissance is essential because it allows an adversary to build up a useful and, in many cases, comprehensive profile of an individual. This can be undertaken at virtually no risk to the adversary, which is why those seeking to stage attacks favor it, whether they be criminals, competitors, state-sponsored or politically motivated.
Online reconnaissance allows an adversary to identify which individuals are likely to be the 'softest' targets, with the highest likelihood of success. Based on the extent and nature of their online footprint, an adversary will assess the level of security awareness of a target. The role an individual holds in the target organization contributes to that individual being actively targeted further.