Blog by Diana Selck-Paulsson, Threat Research Analyst/TDMC SecureLink
Social engineering attacks have a significant impact on organisations. They are the first point of entry enabling an attacker access, either physically or virtually. SecureLink Cyber Defense Centers see a wide variety of adversaries using social engineering, from junior cyber criminals to hardened APT actors. Looking at FBI and Europol statistics, we see that social engineering is present in the majority of the top ten attacks in 2018.
Social engineering is a technique used to deceive and manipulate victims to reach a certain goal such as unauthorised access to a computer system for financial gain or causing harm or disruption. Social engineering may, in some cases, be considered an art of manipulation; it is well planned, researched and executed in order to lure victims into revealing sensitive information or granting unauthorised access. Social engineering is an external information security threat.
Social engineering is a way in and the damage caused can be devastating. It can use several techniques resulting in reported social engineering attacks being represented in several classifications of registered attacks. Among others, this might include Business Email Compromise (BEC) and phishing in all its variations such as vishing (by voice), smishing (by SMS) and pharming (via malicious code).
Spear phishing is more targeted, increasing the likelihood of success. An employee receives an email that might include the organisation’s own email signature or a trademark of an external organisation to appear to be a legitimate business request.
Also known as voice phishing, vishing occurs when an employee receives a phone call during which an attacker attempts to trick the employee into revealing sensitive information.
An attacker deliberately leaves a storage medium, such as a disk or USB device, to be found by the target or someone close to the target. This technique relies on human curiosity, leading to unauthorised access to an organisation's internal network, sensitive information or financial information.
An attacker uses a pre-defined scenario based on a prepared script. The goal is to create a scenario in which the victim must reveal sensitive information to resolve an issue, even though the victim would not disclose this information under normal circumstances.
According to the Internet Crime Report published annually by the FBI’s Internet Crime Complaint Center (IC3), BEC was one of the most reported crimes in 2017, with an estimated financial loss to organisations of $676,151,185. Phishing and vishing rank third by number of victims, with 25,433 complaints actually reported by victims to the IC3. The number of unreported attacks is assumed to be much higher, meaning the financial loss is likely much greater.
While social engineering is nothing new, increased research into the process of social engineering attacks has produced knowledge on why victims still fall for them. Simply put: who is to blame? The issue is twofold. Whilst human factors still play a part, the size of an organisation’s digital footprint, and the employee information exposed by it, continues to grow.
As with any types of crime, social engineering attacks have patterns or a certain modus operandi with which they can be associated. Mitnick and Simon (2002) developed a social engineering attack cycle providing a sufficient framework for characterising and analysing each phase of social engineering. An attack is usually initiated by some type of communication such as a phone call, email, face-to-face conversation, letter or through storage media such as a USB key.
Before any communication is initiated, a social engineer will spend time gathering information about the target. A goal first needs to be determined and a target defined as either an individual person, a group of individuals or a whole organisation, all before a malicious request is sent.
Once the target and the goal are identified, the first contact is initiated through a chosen communication medium. As the target varies in type, so does the attacker; the social engineer might be an individual or a group. The length of a social engineering attack can vary greatly from only a few minutes to months, depending on the goal and the resilience of the target.
From an attacker’s standpoint, it makes sense to focus on the behavioural patterns of humans. Technical countermeasures against phishing attempts and detecting malicious activities today are much more robust than they have been in the past. The human, on the other hand, is more complex and hard to predict in certain scenarios while easy to manipulate in others.
In the context of information security management, social engineering leverages today’s online information assisting an attacker to gain intelligence about a target. Organisations must find a balance between an online presence and a security stance to ensure social engineering attacks are more difficult.
“LINKEDIN AND TWITTER ARE VALUABLE TOOLS FOR SOCIAL ENGINEERS!”
Security awareness educates employees about manipulative techniques that might be used against them and also highlights the benefits of adapting their information security behaviour. Building resilience towards social engineering attacks provides a significant line of defense.
Additionally, employees should be more vigilant towards requests received, and organisations should implement two-factor authentication (2FA). In this way, if a password is compromised, the attacker will not be able to easily access the targeted system, network or physical area. Secure architecture and segmenting the network provide further assistance here.