Akhil currently operates as Engineering Manager at Klarna where he leverages over 14 years’ experience accrued in information security, business continuity, security operations, and more.
In recent years, the rise of phishing has led Akhil to focus more on email security and identity access management – topics that he will discuss at PrivSec Stockholm on September 20.
We spoke with Akhil about his career in cybersecurity and to gain more insight into deep-sea phishing attacks and how to mitigate the threat they pose.
Could you outline your career pathway so far?
I started my career as a system administrator for a very small organisation in India, and then joined EY. Initially, I was performing systems audits, mostly providing technology audit support for financial reporting. From this point, I became obsessed with cybersecurity. I helped some clients embrace Information Security Management Systems and that is how my journey began.
I was with EY for two years, then worked as a freelancer and had my own business for four years before returning to EY to get back into a cybersecurity focused role.
During my second stint at EY, I worked in a variety of areas including information security and business continuity; managing audits ranging from ISO 27001 to PCI-DSS; email security; running Managed Security Operations Centres; and full-fledged cybersecurity consulting for my clients.
After five years of a fantastic journey at EY, I joined Klarna, where I am accountable for productivity and platform security, helping secure certain critical platforms that Klarna uses internally – things such as collaborative suites, etc. I am also working extensively with privileged access.
This topic has been very interesting to me because I have been part of investigations and subsequent remediation of large scale phishing attacks, which are sophisticated yet simple in their nature.
What is deep-sea phishing, and what are the primary dangers it presents to global organisations?
Deep-sea phishing refers to a highly industrialised and organised form of phishing; a highly evolved form of cyberattack compared with the forms of phishing that we are familiar with.
Traditionally, you would stop phishing with signatures and IOCs (indicators of compromise) that help you identify whether or not a phishing attack is taking place, using known information.
Deep-sea phishing is usually perpetrated professionally by organisations and groups that target high-value victims, or targets for a very specific purpose. In terms of techniques being used, they are now a combination of everything we’ve seen in the past, used in a very intelligent, evolutionary way, which makes it far more difficult for security services and functions to identify what is going on.
Traditionally, if I wanted to phish another person, I would send out emails with malicious links where the victim would enter their personal details or credentials. In a slightly more advanced example, phished credentials are not used to execute a personal attack; they’re used to phish more people, and so a chain is created, with a single purpose of compromising as many credentials as possible.
Phishing is very simple, but it works. And because your attackers are using techniques or a combination of specialised techniques, it can be very hard to discern what is right and wrong, what is legitimate and illegitimate, especially in deep-sea phishing attacks.
Traditional security methods may fall short – I’ve seen organisations with very sophisticated and expensive security tools to protect their email. But phishing isn’t just about emails, it also includes the websites you visit, the scripts that run behind these webpages; there are so many elements.
What makes deep-sea phishing and phishing in general so dangerous is the fact that there is no silver bullet to tackle them. No singular approach to combatting these attacks can work.
How have recent global events perpetuated deep-sea phishing?
Cyberattacks are always driven by global events, the situation in Ukraine being a prime example. Any events of global significance – political or economic – will cause an uptick in criminal activity, just as the same will happen around holiday seasons such as summer vacation times or Christmas. These times are when the criminals are at their most active since they have so many more scenarios to work with.
Cyberattacks are also very geo-centric. If you have a global conflict zone, criminals can target relief work operations, and similar.
What primary steps can organisations take to mitigate risk of falling victim to these kinds of attacks?
Primarily it’s a case of awareness, awareness, and awareness. A very simple way to identify such attacks is the sense of urgency that they try to invoke in the target’s mind, like – “Today is the last day to verify your details so that you become eligible for a tax rebate”. It’s always a good idea to properly verify the authenticity of these emails before acting on them.
Your organisation must keep performing phishing exercises and drills, but also bring in specialised third parties that run these campaigns very effectively. Ultimately, there is no substitute for strong employee awareness.
One of my former clients used a SASE (secure access service edge) service which included web filtering, wherein if any unknown link is clicked, it would open in an isolated browser where one can’t really interact with the elements inside the landing webpage.
Therefore, if there are background scripts running, they won’t be running on your system. Instead they’re running on a remote sandboxed system which would just stream the content to you in the form of a “view only” render – your users would be unable to upload, post or enter any information. This was extremely effective in reducing the materialisation of the attacks even after users would click the embedded malicious links.
→ Session: “Deep-Sea Phishing: Why is Phishing Gaining Sophistication and What Can Businesses Do?”
→ Time: 16:05-16:50 CEST
→ Date: Tuesday 20 September 2022
→ Venue: Stockholm City Conference Centre
Sponsored by OneTrust, PrivSec Stockholm is part of the Digital Trust Europe Series. The event brings together thought leaders and subject matter experts for an exploration of the issues defining the data protection, privacy and security sphere of today.
PrivSec Stockholm will feature panel debates and presentations on topics including: Trust & Transparency; International Data Transfers; and Data Ethics.
PrivSec Stockholm is also available on-demand for global viewing.