Deepfakes and its important implications on all of us from cyber perspective
Author: Nyan Tun Zaw, VP, Athena Dynamics
Advisory Editor: Ken Soh, CEO, Athena Dynamics
Copyright © July 2021 All Rights Reserved Athena Dynamics Pte Ltd
Recently I have come across an article about scammers taking a step up from the typical business email compromise (BEC) attacks and using publicly available deepfake libraries to mimic the voice of the parent company’s CEO and tried to trick the subsidiary company’s CEO into wiring USD 243,000 to a Hungarian supplier urgently.
The rise of powerful deep learning algorithms
This is a very interesting use case on how the advancements in neural networks and machine learning meant in a good way for the betterment of humanity are being abused by people with malicious intents. For the record, the concepts of neural networks and machine learning has been around for a very long time but until recently, with the availability of immensely powerful GPUs and other related hardware components, artificial intelligence (AI) and machine learning (ML) have become one of the sexiest and most exciting fields to work in.
This growth, of course, is also catalyzed by exciting new algorithms such as Generative Adversarial Networks (GANs), a type of deep learning algorithm that can pit two neural networks against each other and let them compete, which allows the model to become more accurate in its predictions. GANs are well known for their ability to create photorealistic generation of images and text, which gives rise to a technology that is really a double-edge sword called Deepfake.
Abuses on deepfake technology
It was started by a reddit user of the same name in 2017 and the tech itself has since gained huge popularity and following, most notably due to the ultra-realistic fake videos such as that of Tom Cruise and Korean news caster Kim Joo Ha.
Up until recently, deepfake videos and photos have mainly been spreading around as a form of entertainment and funny videos but the potential of this to be mis-used is extremely huge. We have already seen cases of deepfake pornography where people substitute the faces of celebrities on erotic contents. These could be abused to tarnish a person’s reputation and many would still fall for it due to the fact that these generated videos look extremely real. This also raises huge concerns amongst the public figures since they have a large amount of audio and video “samples” available online and the kind of deepfake videos people are creating from such contents are extremely realistic.
The incident mentioned at the top with fake CEO voices used in social engineering and scamming has proved that the technology has now spread to even the cyber criminals who are now well aware that people will not fall for another “Nigerian prince” scam so easily anymore. One of the most common advices against spear-phishing emails has been to go for a second factor of verification, which is to give the person a call and check if the email has indeed been sent by them or the instructions were accurate. This has worked well on emails but with the rise of deepfake voices, cyber criminals are studying and getting the voice samples of important people in the company such as CEOs from public forums, spoofing the phone number of the CEO and calling the CFO or finance team to perform “urgent” financial transactions. It is a very clever use of psychological trick because the scammers know that majority of the employees would not question an urgent-sounding CEO calling them directly to perform an important action and chances of them questioning the boss’ request are very low.
How can we be protected against such attacks hence?
One of the easiest way is again to fall back on the 2nd factor of verification. Many employees are worried that calling the boss back to ask what he has just said would make them look stupid, but this is an area where both the senior management teams and the rest of the employees should be well educated and made into a process that must be followed. If the employee feels the CEO / manager is not responding to the questions in a natural way or the communication was mostly one-way, he or she should raise the suspicion and call them back afterwards to validate and can directly mention that just as a form of due diligence, they are double-confirming the details of the call earlier citing the common occurrence of such attacks, and this culture or practice should be well encouraged and appreciated by the management of the company. Hence, from the first place, all the staffs in the company including the senior management need to have a better awareness level in cyber through training, and initiatives like email and voice phishing campaigns should be amalgamated into the company’s standard IT Security procedures. We have initiatives like Athena Dynamics Academy (ADA) with the main mission on helping companies secure the people perspective.
Additionally, threat intelligence services that help to monitor if anyone is targeting the company and generate alerts if there are any breaches or targeted attacks could be very useful in preparing and anticipating against upcoming attacks.
From the technology angle, using zero-trust technologies such as Content Disarm & Reconstruction (CDR) for non-detection based file cleansing for all incoming files including emails, USBs and files downloaded from the browsers would be highly effective since it addresses the cause (the APT) and not the effect (the context sensitive phishing). For example, anyone can simply send a perfectly normal looking picture that could be embedded with malware using steganographic techniques. This would easily be missed by many detection-based mechanisms because the malware content would be encrypted by steganography and hence, will not be visible to these solutions whereas CDR, by default, would be able to effectively render the malware un-useable by playing around with the innate structure of the file itself.
Other notable zero-trust technologies such as isolation and containment both on browser and windows OS level, as well as strong network monitoring tools to be protected against malicious traffics, will also help in making sure that necessary protections are in place and would reduce the chances of employees being phished and breached (or even against insider threats from disgruntled employees).
Making sure an organization is cyber secure is never a simple task, especially when highly sophisticated technologies like deepfakes come into play. It is always about covering all three dimensions of people, process and technology. Most organizations have certain level of process and technologies in place but people are still the weakest link and as such all of us, like the guys from the dark side, should step up our game and making sure that everyone in the company has access to updated cyber awareness knowledge, at least at the most basic level.
Nyan Tun Zaw is the VP of Business Development at Athena Dynamics Pte Ltd, which is a subsidiary of BH Global Corporation Ltd, an SGX mainboard listed company.
With a wide range of background in cybersecurity, software development, web development as well as networking, Zaw has in-depth experiences in deploying security solutions for several highly confidential government and critical infrastructure projects, particularly in the CDR/CDNR field as a technical lead. His interest mainly lies in Cybersecurity and AIML.
Zaw holds a Bachelor of Business Management, with double majors in Finance and Information Systems, from Singapore Management University as well as Master of Business Administration (MBA) from Quantic School of Business and Technology. He is also a holder of the Certified Ethical Hacker (CEH) and EC-council Certified Security Analyst (ECSA) certificates.
Being a technical person who also likes sharing his experiences and knowledge, Zaw has also been part of a speaking panels with global C-level executives at various events and conferences in the region.
Contact: [email protected]
Ken Soh holds concurrent appoints as Group CIO of mainboard listed BH Global Corporation Limited since 3 Mar 2014 and as the founding CEO of the group subsidiary cyber security company Athena Dynamics Pte Ltd.
Ken has more than 25 years of working experience in the ICT industry. Prior to joining BH Global, Ken held various senior positions in public and private sectors at CxO and business leader levels with Master Planning and P&L responsibilities.
Ken has been an avid industry speaker and writer. He holds a Master of Science in Computer Studies from the University of Essex; and a Master of Business Administration (eMBA) from the Nanyang Business School (a Nanyang Technological University and University of California, Berkeley joint programme).
More information of Ken’s past industry and media sharing is available via this link.
Contact: [email protected]
Disclaimer: Neither BH Global, Athena Dynamics nor the writer guarantees full and timely accuracy of the write-up. Readers shall read with their own discretion, judgement and research if in doubt. If you wish to contribute further writings, please feel free to contact us.
Not for General Distribution. Copyright © 2021 All Rights Reserved. No part of this presentation materials may be distributed/reproduced without the writers’ expressed consent.