This blog was written by an independent guest blogger.
Social engineering is the art of human deception. In the world of cybersecurity, it’s how to fool human beings in order to conduct cyber attacks. Some of these cyber attacks can be very expensive to your business! In fact, many of the worst cyber attacks to your organization’s network start with fooling you or one of your employees. Penetrating a network without human interaction is really tough. But the people who work for your company have privileged access that can be easily exploited.
I was at a Leading Cyber Ladies meetup in Toronto recently, where threat research expert Sherrod DeGrippo visited all the way from Atlanta to talk about how cyber threats often work these days, and what their attack chains are like. I had the idea to write about social engineering before I attended the meeting, but I wasn’t expecting to do research for this post by attending it. It was just a very fortunate coincidence that DeGrippo said some things about social engineering that really captured my attention. After the meeting, we had a quick chat and followed each other on Twitter.
During her talk at the meeting, DeGrippo mentioned how she sees a lot of cyber attackers, from APTs to script kiddies, target human beings as an initial attack vector a lot more often than they used to. She said doing reconnaissance for a corporate network is very difficult, whereas doing reconnaissance on a person is a lot easier. We post about ourselves on social media all the time. We talk about the places we’ve visited and the things we like on Twitter. We talk about who our family and friends are on Facebook. And we tell LinkedIn our job titles, who we work for, and what we do there. An individual who works for a targeted company has privileged access to their networks and to their physical buildings. Socially engineer them, and you can get malware on their systems to send sensitive data to a command and control server, or you could possibly walk into an employees-only area of an office.
The other thing she discussed which intrigued me is that she sees information security professionals targeted for social engineering attacks more often than ever before, and how we can be really lucrative for social engineering exploitation. Contrary to us thinking that we know better, it often works!
I asked DeGrippo about it. She said:
"Yes, targeting infosec professionals is my big concern lately. The more sophisticated actors are doing really specific targeting. This includes people in security roles and lots of people in software development roles. There is so much info out there. A job offer, a security report, a discussion of a new technology and a code snippet-- all potential social engineering lures to send to technical people with privileged access.”
I said, “Maybe some of us are way too confident. That confidence can be dangerous.”
"… totally. I worry about that. I worry that as an industry we are so focused on protecting others that we let our own opsec (operational security) slip or we just don’t have time to focus on it as much. It’s not really hubris in most cases, it’s just forgetting to do a threat model on ourselves.”
She also spoke to me about how cyber attackers often choose their social engineering targets.
“The thing I like to do is get into the psychology of a threat actor. If I could be anyone I wanted to be, but only online, who would I choose?
A software dev at a fancy car company? I could hack some luxury car software to unlock for me anytime, anywhere! A junior HR admin at a large company? Steal a ton of identity and payroll data!
Maybe I would be a fancy CFO’s assistant and make changes to deposit instructions for invoices to my own mule account in Cyrus.”
Of course if you’re reading this, you’ll want to know how you can security harden yourself and your employees against social engineering attacks. So I asked DeGrippo for her advice.
"First, it has to be fun and cool and full of jokes. I’m done with FUD (fear, uncertainty and doubt) forever. That’s not where I want us to go as an industry ever again.
Ultimately, I think the best training is turning the tables and letting users think of what they would do if they had threat actor tools at their disposal. How would they target their victim? What steps would they take? What would they do when their first attempt didn’t work? Trying out the scenarios as if you’re a threat actor gets attention and can paint a really vivid picture for people. It sticks in their minds.
Take an hour. Write up an attack plan on your colleague. Then switch, show the plans, have the target point out the weak points and show where or why it wouldn’t work. Go back and iterate again. Then have the target explain how they would attack themselves. Sounds fun! Use stickers and candy as prizes.
I think it’s important to focus on people. Attackers are focusing on people, learning about them, learning about the organizations where they work. We have to focus on people too if we’re going to protect them. It’s not about systems anymore. It’s about people and who is actually getting attacked.”
And here are some of my own tips. Phishing emails and websites are becoming increasingly clever, especially with the easy availability of phishing kits from Dark Web markets. They could possibly fool even us, even more so once a cyber attacker knows what our bank is, which companies we work for, and so on. Links, email attachments, and web forms are all the means and vectors cyber attackers want us to engage with in order for their cyber attacks to be successful. The federal government isn’t going to make a link in an email the only way I can pay my taxes. The credit card company can take a phone call if there’s a problem. Your regional supervisor can also be phoned, emailed, or even text messaged.
If an email is the first contact made to you about a particular matter with a company or a person, don’t open that email attachment or click that link. Phone, email, or text the company or person to verify that the email is legitimate first. Remember, email addresses can also be spoofed.
If your video streaming service emails you about an account problem, instead of clicking on a link in an email, open a new web browser tab and enter the URL of their website (or do a web search for them), and visit them directly before you enter your account credentials in their web form. Do the same for any online service that you subscribe to which might contact you. Do the same for your bank and your utility company.
And remember if something sounds too good to be true, it probably is. I’m not going to win a vacation from a contest that I didn’t enter. Resist temptation, don’t be overconfident about your ability to spot social engineering, and teach your employees to do the same!
