High-Value Targets

Because of the nature of the access that high-value targets have, they make an extremely enticing target. Protecting high-value targets in your organization poses some unique challenges.

As attacks against high-value targets are often more sophisticated and subtitle, one must focus on defending them. And failure to protect the high-value target can have far-reaching effects.

Who Are High-Value Targets

How do you know if you are a high-value target?

There are a few classic examples of a high-value target, including executives, VPs, HR, and IT.

However, instead of focusing on the person or role, a better solution would be to look at the type of information and level of access granted to the person.

Are you a high-value target?

  • Do you have access to any of this information?

    • Executive-level information.

    • Access to core business tools/information.

    • Payroll or HR-related information.

  • Physical access to restricted areas.

  • Full (aka root) access to digital infrastructure.

When to Focus on Defending High-Value Targets

While defending high-value targets is an everyday thing, defenders should take extra care during specific events and times.

High-value targets should take extra care during any significant event in the business (layoff, merger, acquisition, IPO). Attackers will troll for businesses in these phases to send targeted phishing attacks. Disgruntled employees could potentially take advantage of these chaotic events as well.

When a high-value target is traveling overseas, there are some additional considerations.

When traveling overseas, you want to ensure the integrity of corporate information. It may be a good idea to issue a "burner" device for the high-value target to use while traveling. Enforcing the use of a VPN is also a good idea.

Important
High-Value targets Overseas

Issue a "burner device", a laptop or phone which IT can wipe upon return for use during an overseas trip.

This device should enable the high-value target to utilize a VPN to connect to corporate data and should have minimal data on the device itself.

There are also concerns about searches by US customs and border control upon returning to the US. Please consider the above when designing IT policies.

Types of Attacks on High-Value Targets

High-value targets often have different routines, and attackers will leverage this.

Travel Concerns

Executives and leadership roles often travel for work-related reasons. Always being on the move can make one fall into some bad habits.

When at a hotel, don’t broadcast your room number; write the room number on the check to charge items.

Don’t trust hotel safes. A hotel safe often has a default code set that attackers can use to access your possessions.

Verify you have all of your belongings when exiting a taxi or public transit.

Personal Digital Devices

If you use personal digital devices (tablets, cell phones, smartwatches), do not connect them to corporate information or networks. Attackers like to use what is known as a "pivot attack" to gain access to the less-protected personal devices, then "pivot" to corporate data.

A better solution for high-value targets is to let corporate IT secure your devices using the latest techniques.

General Security Practices

As a high-value target, it is vital that you continue to follow the basics of any digital security policy.

Attacks such as credential stuffing are just as common as for all of the other employees; however, the stakes for a successful attack are much higher.

High-Value Targets at Home

The network infrastructure at the home of a high-value target also requires some additional considerations.

Look into things such as:

  • Smart home assistants, these devices contain microphones and sometimes cameras and can be very difficult to detect if they are compromised.

  • Smart locks, any device with a network connection and running software can be compromised.

  • A high-value target should use a VPN for all traffic on personal devices.

  • It might be a good idea for high-value targets to have a more secure area in their home to discuss sensitive topics (door which closes and locks, no smart assistants inside).

High-Value Targets Operational Security (OPSEC)

Operational Security (OPSEC) is the process of protecting data in aggregate to prevent use by attackers.

To practice good OPSEC, one must look at the entirety of the data to determine if sharing said data might compromise security. Look at the background of the photos you take. Are you sharing more information than you planned?

Could someone determine from your CEO’s social media that they have traveled to the the city that houses the home office of a competitor multiple times, thus leaking the the potential of a merger or acquisition?

Good OPSEC is not a checklist but rather a mindset. You should view all of your actions with the mindset that you may be a target and act accordingly

The campaign "Loose Lips may Sink Ships" from World War II is a good example of an OPSEC practice.

Loose lips might sink ships

Some high-value targets may choose to do the following:

  • Harden personal devices.

  • Harden home networks.

  • Regularly take security training, including OPSEC training.

    • Test high-value employees' responses to simulated attacks, and re-train when needed.

  • Keep a separate "public" social media profile.

    • Private social media profiles could be used for friends and family.

  • Enroll their email in more advanced security profiles (such as the Advanced Protection Plan provided by Google).

  • Require the use of a password manager.

  • Use made-up or obfuscated answers to "security questions".

  • Require requests of a specific type to be verified "out of band".

    • For example, a phone call to verify the text message requesting a wire transfer.

    • Better yet, specific requests could always require multiple people to verify.

General Practices for Information Distribution

High-value targets often need to distribute information to large groups. A suitable method for this distribution is to generate the information in an internal wiki and post the link to the wiki page into the email for broadcast.

This method does two things, makes the canonical location for the information the wiki, which can be updated at will and helps to verify that the information is valid as an an attacker would have to compromise both the wiki and email logins to post it there.

There should also be a global policy in place for EVERY coworker to report suspicious activity EVERY TIME. Constant reporting is vital to help IT and security teams to see trends around these suspicious events.

Another critical policy that relates tangentially to high-value targets is a policy on the secure destruction of sensitive information. When the company has finished with hard drives or paper information, there should be a defined policy to determine the proper way of destroying said information.