Anatomy of the modern social engineering attack
Updated: May 15, 2018
Most organisations understand that security is made up of people, process and technology.
What is surprising is that, whilst this is true, security investment is usually heavily skewed towards technology-based controls alone.
The logic here is clear: why grind away at a system with security tools, or manually attempt to guess or crack passwords, when you can simply ask someone for them?
In 2018, we are all super-aware of cyber attackers, scammers and phishers - right? Sadly, no.
So what does the modern social engineering attack look like?
Modern social engineering tends to follow these phases:
Footprinting & recon: Background research and identification of potential targets
Target selection: Selection of the individual(s) who could enable the desired outcome
Trust establishment: Using shared knowledge, ideals, goals, etc. to establish trust
Psychological manipulation: Making the victim behave or act towards the attacker's goals
Exploitation: The attacker utilises the information or action provided by the victim
Benefit realisation: The attacker's goals are realised (financial, political, etc.)
Why does this work?
When a simple Google search can reveal a lot about the people within an organisation, it is not difficult for a motivated attacker to start mapping out an organisation and conduct research on its staff, suppliers, locations, affiliates, etc.
What types of social engineering attacks are common?
1) Online account takeover - An attacker gains access to an online account (e.g. an online bank account), usually for the purpose of stealing funds. The incident usually begins with the attacker obtaining a username and password through malware, phishing or vishing.
2) Man in the Middle - This attack relies on the fact that an individual (or the organisation they work for) is unable to easily monitor unusual access or behaviour.
Recent attacks involve cloud services such as Office 365, wherein an attacker obtains the username and password of a staff member involved in paying suppliers or the like, then inserts themselves into all communications between the staff member and their supplier, injecting 'can you please update our bank details' or similar requests in order to redirect funds.
This typically plays out over a long, frustrating and confusing few months of email ping-pong until someone realises what has occurred, by which time the attacker is long gone.
What can be done to combat Social Engineering?
1) Security education and awareness (not just an annual internal compliance module) - using real people and real examples in an environment which encourages good security behaviours. Examples might include an ongoing "Lunch and Learn" programme covering specific topics, current threats and what to do about them (practical steps), or even gamification.
2) Use of two-factor authentication (2FA) (something you know + something you have) - this means that in order for an attacker to access someone's online account, they need the username and password and something else, such as a unique code (now commonly a number sent by SMS to the individual's phone).
3) User and entity behaviour analytics (UEBA) - depending on the solution, these can assist in detecting the subtle changes in activity that could indicate a social engineering attack (e.g. access from unusual locations, at unusual times, or uncommon or suspicious behaviour).
4) Spam filters and mail reputation checking - it is more difficult for an attacker to succeed if they cannot contact your staff. Filtering mail on the basis of reputation and content can reduce the likelihood that a phishing email will make its way to your staff.
5) Periodic security testing and open source intelligence gathering - these help to identify information which may enable an attacker to target individuals (e.g. the well-meaning IT developer who leaves keys exposed, or who is active on online forums using their work email address).
6) Cyber attack simulations, mock phishing and tabletop exercises - these help to reinforce security education and show key staff what an attack looks like and how to properly detect and respond to it. Almost as importantly, these activities can improve internal communications by increasing stakeholder interaction, and help to highlight missing processes.
An important by-product is that incident investigation and response priorities (preserve evidence vs recover service, etc.) are considered in advance, along with an agreed process for responding.
7) Encourage staff to change their password(s) periodically - this means that any account whose password has been compromised will eventually be updated, requiring the attacker to compromise it again.
Contact us for assistance with educating your staff about social engineering, better understanding your potential exposures, or managing your response to an attack.
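To show why point 2 above blunts a phished password, here is an added example (not code from the original post) of the "something you have" half of 2FA: a time-based one-time code checked server-side per RFC 4226/6238. The user record, password and seed are constructed for the demonstration; the seed is the RFC 6238 test seed, and the check assumes a 30-second step with one step of clock drift allowed either side.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed user store for the demonstration (not real credentials).
# An attacker holding only the phished password still lacks the TOTP seed.
_SALT = b"demo-salt-not-for-production"
_USERS = {
    "alice": {
        "password_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse battery staple", _SALT, 100_000),
        "totp_secret": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ",  # RFC 6238 test seed, base32
    }
}


def hotp(secret_b32, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32, casefold=True)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32, at_time=None, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    if at_time is None:
        at_time = time.time()
    return hotp(secret_b32, int(at_time) // step, digits)


def verify_totp(secret_b32, submitted, at_time=None, step=30, window=1):
    """Accept the code for the current step or `window` steps either side (clock drift).

    Constant-time comparison avoids leaking how many digits matched."""
    submitted = submitted.strip()
    if not submitted.isdigit():
        return False
    if at_time is None:
        at_time = time.time()
    counter = int(at_time) // step
    return any(
        hmac.compare_digest(hotp(secret_b32, c), submitted)
        for c in range(counter - window, counter + window + 1)
    )


def login(username, password, code, at_time=None):
    """Both factors must check out: a phished password alone does not get in."""
    user = _USERS.get(username)
    if user is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)
    password_ok = hmac.compare_digest(candidate, user["password_hash"])
    code_ok = verify_totp(user["totp_secret"], code, at_time)
    return password_ok and code_ok


if __name__ == "__main__":
    now = 59  # fixed instant so the RFC 6238 vector applies; use time.time() live
    good = totp(_USERS["alice"]["totp_secret"], at_time=now)
    print("password only:", login("alice", "correct horse battery staple", "000000", now))
    print("password + code:", login("alice", "correct horse battery staple", good, now))
```

In a real deployment the seed is provisioned once (e.g. via a QR code) and stored with the same care as a password hash, and a used code should be rejected for the rest of its step so it cannot be replayed.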
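Point 3 above describes UEBA-style detection of unusual locations and times. The following is an added example, not code from the original post or any particular product, that builds a per-user baseline from historical sign-ins and then flags new sign-ins from a country not seen before, at an hour outside the user's usual range, or from two countries within an hour of each other (the "impossible travel" rule, which goes slightly beyond the text but is a standard UEBA check). The sign-in records are constructed for the demonstration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample sign-in log: (user, UTC timestamp, source country). Not real data.
BASELINE_EVENTS = [
    ("alice", "2018-04-02T08:12:00", "AU"),
    ("alice", "2018-04-03T09:03:00", "AU"),
    ("alice", "2018-04-04T08:47:00", "AU"),
    ("alice", "2018-04-05T17:30:00", "AU"),
    ("bob",   "2018-04-02T10:00:00", "AU"),
    ("bob",   "2018-04-03T11:20:00", "AU"),
    ("bob",   "2018-04-04T10:05:00", "NZ"),
]
NEW_EVENTS = [
    ("alice", "2018-05-01T09:10:00", "AU"),  # usual country, usual hour
    ("alice", "2018-05-02T02:15:00", "NG"),  # new country, out of hours
    ("bob",   "2018-05-01T10:30:00", "NZ"),  # NZ was seen in the baseline
    ("bob",   "2018-05-01T10:31:00", "AU"),  # different country one minute later
]


def build_baseline(events):
    """Per-user profile: countries seen and the sign-in hours (UTC) observed."""
    profile = defaultdict(lambda: {"countries": set(), "hours": []})
    for user, ts, country in events:
        profile[user]["countries"].add(country)
        profile[user]["hours"].append(datetime.fromisoformat(ts).hour)
    return profile


def detect_anomalies(baseline_events, new_events, hour_slack=1, travel_minutes=60):
    """Return one alert per new sign-in that deviates from the user's baseline.

    Rules: country never seen for this user; hour outside [min-slack, max+slack]
    of observed hours; a different country within `travel_minutes` of the
    previous sign-in; or no baseline at all for the user."""
    profile = build_baseline(baseline_events)
    alerts = []
    last_seen = {}  # user -> (datetime, country) of the previous new event
    for user, ts, country in sorted(new_events, key=lambda e: e[1]):
        when = datetime.fromisoformat(ts)
        reasons = []
        p = profile.get(user)
        if p is None:
            reasons.append("no_baseline")
        else:
            if country not in p["countries"]:
                reasons.append("new_country")
            lo = min(p["hours"]) - hour_slack
            hi = max(p["hours"]) + hour_slack
            if not lo <= when.hour <= hi:
                reasons.append("unusual_hour")
        prev = last_seen.get(user)
        if prev and prev[1] != country and (when - prev[0]).total_seconds() < travel_minutes * 60:
            reasons.append("impossible_travel")
        last_seen[user] = (when, country)
        if reasons:
            alerts.append({"user": user, "time": ts, "country": country, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(BASELINE_EVENTS, NEW_EVENTS):
        print(alert)
```

Real products score many more signals (device, ISP, mailbox rule changes, volume of data read) and weight them rather than firing on any single rule, but the shape is the same: learn what is normal per user, then surface the deviations for a human to check against the business context.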
Author: Clinton Smith