by Christina Lekati, Social Engineering Security Specialist, Intelligence Analyst

Excerpt

Protecting an organization from social engineering attacks is not an easy task. It's an asymmetric game where information, education, and strategy are paramount.


Article

It was a Friday afternoon, and Bill was on his way home from work when he received a call that made him take the next U-turn back to his office. It was one of those calls he dedicated all of his working hours to avoiding. He was not given much detail over the phone, but it seemed that Andre, someone working in the accounts payable department, had just fallen victim to a scam and had made a hefty payment. A scam? Bill recalled all the training videos he had put this department through. What went wrong?

"They had inside information – it was so believable!" were some of Andre's first words when he saw Bill, the head of their cyber security team. Someone had called Andre a few minutes before his shift ended, claiming to be an employee from a partner company they had recently started collaborating with for an important project. The person on the call sounded distressed and almost panicked. They claimed that one of their invoices had not yet been paid. Since the project's next phase was scheduled to start on Monday, this was their last chance to get the payment through. Alternatively, they would have to temporarily freeze the project (which would have a domino effect on the project's overall timeline and deliverables). All of this sounded entirely plausible to Andre. They were indeed collaborating on the project the caller mentioned, the timeline was accurate, and the names the caller mentioned were indeed the project owners. The caller insisted on sending the invoice via email, and Andre processed that invoice. But he was left with a strange feeling. So he went back to his database and checked the account details. Sure enough, they were different. But it was too late.

Bill immediately realized: it was a spear-phishing attack combining vishing (a scam carried out over the phone) with a potential phishing email (the attachment and the overall email still needed to be examined). He now had to report the incident and investigate the matter. As the investigation later showed, the caller had spoofed the phone number so that the call appeared to come from the partner company. That was one of the main reasons Andre trusted that the call was legitimate, and it is one of the main tools cyber attackers use to establish trust with their targets.

Protecting an organization from social engineering attacks is not an easy task. Rather, it is an asymmetric game in which information, education, and strategy are paramount. Social engineering is a very attractive option for cybercriminals. It is a low-cost, low-risk, and high-reward approach. While security technology has been advancing, human vulnerabilities have remained the same. The stimulus-response effect in human triggers is consistent, and exploiting these vulnerabilities is consistently successful. It is not surprising that most of our industry's threat landscape reports and cybersecurity insight reports (including those from ENISA and the World Economic Forum) have listed social engineering attacks and human error among the top three threats during the past few years. This is not a trend that seems to be going away. Rather, it looks like cybercriminals continuously find more ways to exploit humans within their attack kill-chains.

There are strategic uncertainties and risks when an organization has limited knowledge of the social engineering kill-chain, the information attackers exploit, and the way they find it. Were the details that Andre was presented with "inside information"? Or were they publicly available? Was there a process or policy that would have prevented this spontaneous, unchecked transaction? Could some aspects of this attack have been predicted and potentially prevented or detected? While the cyber security team can proactively identify and manage certain risks and potential attack vectors, we must remember that cyber security is a shared responsibility. People with access to systems, assets, and information are also responsible for their protection. They need to have the awareness and skills necessary to handle this responsibility. They need to be able to recognize the red flags, follow the process, and respond to a social engineering attack when it targets them.

On the other hand, cyber security departments must try to ensure that as few social engineering attacks as possible reach the employees in the rest of the organization. But we often have limited information about which scenario or which psychological manipulation techniques an attacker will use. With so many uncertainties involved, we need to start with what we do know: the aspects of the social engineering kill-chain that are constant and get repeated. And then take it from there.

Social Engineering Kill-Chain

When analyzing a social engineering attack, we look back into all the steps a social engineer had to take to plan and then execute their attack. While the tactics and techniques can vary greatly (with some being used more frequently than others), the procedure involved in executing most social engineering attacks tends to be noticeably similar.

Most social engineering attacks involve two broad phases:

The first phase, involving planning, researching, and preparation, almost always involves the attacker taking the following steps (in no particular order):

Reconnaissance:

Attackers scout for potential targets online or study the ones they have already selected. Reconnaissance refers to all the steps an attacker may take to collect information on their target(s), online or offline. This phase may last for a few hours (until an opportunistic piece of information is found) or even years, especially in cases of prolonged, elaborate attack schemes.