Warmka is a retired senior intelligence officer with the U.S. Central Intelligence Agency (CIA) where he specialized in clandestine HUMINT (human intelligence) collection. With 20+ years of breaching security overseas for a living, Warmka now teaches individuals and businesses about the strategy and tactics of “human hacking”.
Warmka highlights how insiders are targeted, the methods used by nationstates for committing crimes, and what organizations need to help focus their security training to prevent a breach.
Here are the Three Major Takeaways
1. Prevalent open source techniques for targeting a person or company as an insider threat:
A website that defines the key personnel and mission statement of an organization provides critical context of how to target employees using social engineering techniques. Bad actors use job descriptions that provide critical targeting information about the enterprise and security technologies that are used so they may target potential technology vulnerabilities and subsequently penetrate the organization. Lastly, social media and open source content typically offer information about employees and companies that can be used for nefarious purposes.
2. Employees are recruited for nation state espionage or crime:
Adversaries pose as executive recruiters through direct engagement and through hiring platforms to elicit sensitive company information. Employees allow themselves to be socially engineered from a spearphish. Threat actors will also go so far as to create deep fakes to help sell the impression that they are a senior company executive.
3. Security awareness training should focus on verification:
There are several ways to defend yourself and your enterprise, but consistent education and training are tried and true successful methods for defense. However, annual videos for security training will not change employee behavior. They are too infrequent to modify human behavior. Employees need to be taught to be apprehensive about unsolicited outreach through email, phone call, social media, or SMS. Business procedures need to focus on quick and timely verification of suspicious activity. A policy of “trust but verify” is likely going to be too late.