8 Strategies for Defending Against Help Desk Attacks

The help desk is under siege from AI-based and other attacks. Next-gen tactics call for in-depth cyber-defense strategies.

John A. Smith, Founder & Chief Security Officer, Conversant Group

December 21, 2023

4 Min Read
Red question mark inside a cutout in the shape of a headset
Source: Andriy Popov via Alamy Stock Photo

COMMENTARY

Defensive security techniques often lag offensive attack tactics, opening companies to heightened risk from rapidly evolving threats. This often explains the frequency of devastating breaches: security strategies rarely evolve in tandem with (or in anticipation of) new threats.

An alarming case in point is the help desk, one of today's most exposed organizational Achilles' heels. Attacks on the help desk are an obvious offensive play by cybercriminals: Malicious actors want credentials to penetrate networks and move laterally, and help desks dispense credentials and IT equipment to users experiencing password lockouts, lost devices, and so on. Compromising the help desk can give attackers access to sensitive information that can fuel additional company breaches. So, it stands to reason that the help desk is ripe for attacks.

While many companies rigorously try to secure the network perimeter, end users, emails, and almost every frontier of risk, the help desk often gets lost in the mix. Many companies have no process for validating the identities of employees who contact the help desk for assistance with accessing their devices and data. Many help desks are outsourced (and may not even be in country), and many rarely ask for any validation of the user beyond their name. Even those with user validation processes have little standardization in protocol. Some ask users for basic information, such as date of birth or address; others ask for work email addresses or office phone extensions. These types of information are easily obtainable by hackers through breaches or common hacking techniques.

Help desk procedures have escaped the security rigor applied to other areas of the threat surface. So, it's predictable that help desks have become a focus for threat actors. Worse, attackers are taking it a step beyond, wielding generative artificial intelligence (AI) tools against anticipated advances in defensive tactics.

AI-Based Help Desk Attack Tactics in the Spotlight

Help desk social engineering attacks are a common vector for breaches and ransomware attacks that can lead to devastating consequences. Much of the information needed to wage social engineering attacks is easily available: social media sites like LinkedIn provide a wealth of information about employees, including their names, positions, and office locations. Lax help-desk validation procedures make it easy for attackers to impersonate employees requesting password resets, for example.

Even though smaller companies and those with onsite help desks may be more likely to recognize employees' voices, deepfakes can trip them up. There are open source tools available to create live, deepfake audio to bypass audio-verification controls. There are also AI-based deepfake video tools that can trick organizations that go a step further and request visual validation of the user. Top company leaders and others that speak publicly are likely targets for deepfake impersonation, as their voice and video images are often available online.

How to Protect the Help Desk from Social Engineering

It's essential to create robust help-desk procedures to validate an employee's identity before resetting passwords or issuing credentials. Some recommendations include:

  • Deny access to all but company-vetted or company-issued devices to corporate resources or applications. Ensure that any device that has access to the network has been properly vetted for security and is adhering to security best practices.

  • When a user request is received, IT should call the user on their trusted, registered device to verify their identity.

  • Issue an authentication push using a multifactor authentication (MFA) application — not SMS or email — to the trusted device to minimize the risk of SIM-swapping attacks; ask the user to read the code aloud and push "accept."

  • Request the serial number of the user's device, and validate the number.

  • For smartphone replacement requests, if the user is purchasing a new smartphone and wants to get it authorized or registered, they should notify IT in advance. When IT knows it is a planned event, it can issue an authentication push from the chosen MFA application to validate the change.

  • For password resets, once the user is validated using the steps above, the suggested policy is:

    • Adjust the Active Directory account so that the password is temporarily set to "never expire."

    • Direct the user to use their last password and then reset to a new password using the prescribed password conventions.

    • Reset Active Directory to the standard password expiry policies.

    • IT should never know user passwords.

  • For issues where you cannot send an MFA push, initiate a video call with the user displaying their government-issued ID and their computer and its serial number.

  • Ensure that sensitive data like passwords, crash dumps, and session tokens are not left in the service desk platform.

A Never-Ending Battle Worth Fighting

Help desks are an obvious line of vulnerability from a hacker's point of view. It's important to protect them with the same focus and layers of protection you would apply to any other threat surface in the enterprise.

About the Author

John A. Smith

Founder & Chief Security Officer, Conversant Group

John A. Smith is Founder and Chief Security Officer of Conversant Group and its family of IT infrastructure and cybersecurity services businesses. He is the founder of three technology companies and, over a 30-year career, has overseen the secure infrastructure design, build, and/or management for over 400 organizations. He is currently serving as vCIO and trusted advisor to multiple firms.

A passionate expert and advocate for cybersecurity nationally and globally who began his IT career at age 14, John is a sought-after thought leader, with dozens of publications and speaking engagements. In 2022, he led the design and implementation of the International Legal Technology Association’s (ILTA’s) first annual cybersecurity benchmarking survey.

John studied Computer Science at the University of Tennessee at Chattanooga and holds a degree in Organizational Management from Covenant College, Lookout Mountain, Georgia.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights