Protecting a company's most important asset, its data, has become increasingly hard. Companies spend enormous amounts of money on data protection, yet still lose billions of dollars to data breaches every year. Why? The simple answer is that they don't allocate the right amount of resources to the right areas. Many companies believe that a firewall and an antivirus will protect them from any threat. They couldn't be more wrong. To put money and resources in the right place, it is essential to know what the most dangerous attack vectors are and how to defend against them.
“I am a pilot, doctor and an attorney”
Many of you have probably seen the movie "Catch Me If You Can". If you haven't, I highly recommend it. In it Leonardo DiCaprio plays Frank Abagnale, who before his 19th birthday successfully carried out frauds worth millions of dollars. During that period he posed as an airline pilot, a doctor and an attorney. After serving less than five years in prison, he started to work with the FBI. So what does this have to do with cyber security? As it happens, a lot. Frank Abagnale used the most dangerous weapon of his time and of ours: social engineering. It is the foundation of most of the attacks happening today.
Before we go any further, we should understand what social engineering is. "Social engineering is any act that influences a person to take an action that may or may not be in his or her best interest." It can also be defined as "the psychological manipulation of people into performing actions or divulging confidential information". Now that we have a definition, you might ask why anyone would do anything against his or her best interest. The simple answer is that humans are not perfect. The longer answer is that all of these techniques exploit systematic patterns in human decision making known as cognitive biases: ways of thinking about and perceiving the world that do not reflect reality. To succeed, social engineering relies heavily on eight principles of influence. It is very important to understand them, as this will help us detect social engineering attacks and defend against them.
Under the influence
You can define influence as getting someone to want to do what you want them to do. Let's take a look at the eight principles:
- Reciprocity: people want to repay those who have done something kind for them. Simply put, it is a social norm to respond to a positive action with another positive action.
- Authority: when someone with the right kind of authority makes a statement, other people take it very seriously. People will obey them even when asked to do objectionable things.
- Intimidation: attackers state or imply that if certain tasks are not performed, there will be negative consequences.
- Social proof: people do what they see other people doing.
- Scarcity / Urgency: perceived scarcity or urgency generates demand, as in "Limited time offer!", "Available to the first ten people!" or "Only three knives left!".
- Liking: people like people who are like them, and people like people who like them. Although at first glance the two sentences look similar, they are different. The first means that if we appear similar, part of the same tribe, we will be liked, accepted and trusted. The second means that if you like someone, or make someone feel liked and trusted, that person finds it hard not to trust you in return.
- Trust: attackers will try to convince the target that their request comes from a trusted source, such as a company, a department or a person.
- Concession: getting someone to admit or agree that something is true after first denying or resisting it. Once a person feels ownership of an idea, they will most likely think it is a great idea.
How can I get you?
Attackers use social engineering techniques in many ways. The ones used most often are phishing, vishing, smishing and impersonation. There are of course more, such as spear phishing, whaling, tailgating, baiting and watering hole attacks, but for now let me explain the four most important ones.
Phishing is the act of sending malicious emails that pretend to come from a reputable source. The goal can be to deliver a malicious payload into the victim's corporate network, to harvest user credentials, or simply to gather information for a future attack. It is very important to be able to spot such attacks, as this is the most common form of attack today. Technical controls such as mail filtering and multi-factor authentication reduce the damage, but no filter catches every message, so the most effective protection remains educating employees. One way to do this is to run simulated phishing campaigns: they do no harm, but show how employees react to such messages and what they still need to learn. We must remember that it only takes one person clicking a malicious link to harm our corporate infrastructure.
Vishing is simply phishing done over the phone. It is very often used to obtain credentials, to gather information about the company, or as a step toward a full compromise of the target.
Smishing is the same attack carried out over SMS. From time to time you can see surges in such attacks. Recently, after 500 million telephone numbers were leaked from Facebook, many people started receiving short messages containing a link. They used some of the principles described above, for example "your package is held at customs, you must pay $5 within an hour to release it" (urgency), or "you must pay $10 for the ticket, otherwise the case will go to court" (intimidation). That is why it is important to check any message carefully before clicking a link.
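To make the "check before you click" advice concrete, here is an added example (my own illustration, not code from the original article or from the author's company) that scores a constructed phishing email and a constructed smishing text for the indicators described in the phishing and smishing sections: a Reply-To on a different domain than From, visible link text whose domain differs from the real destination, punycode (xn--) or raw-IP hosts, plain-HTTP links in texts, and wording that applies the urgency, intimidation and authority principles. Every domain, address and message below is made up, and the registered_domain() helper is a deliberate simplification (it takes the last two labels instead of consulting the Public Suffix List).

```python
# Added illustration: flag social-engineering indicators in a phishing email
# and a smishing text. Sample messages and domains are constructed, not real.
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed phishing email: Reply-To points elsewhere, the visible link
# text differs from the real (punycode) destination, and the wording pushes.
SAMPLE_EMAIL = """From: "IT Helpdesk" <helpdesk@corp-example.com>
Reply-To: support@mail-recovery.example.net
To: employee@corp-example.com
Subject: URGENT: your password expires in 1 hour
Content-Type: text/html

<html><body>
<p>Your mailbox will be locked within 1 hour unless you verify now.</p>
<a href="http://xn--crp-example-5za.com/login">https://corp-example.com/login</a>
</body></html>
"""

# Constructed smishing text modelled on the "package held at customs" example.
SAMPLE_SMS = ("Your package is held at customs. Pay $5 within an hour to "
              "release it: http://parcel-customs-fee.example/pay")

# Pressure phrases mapped to the influence principles discussed above.
PRESSURE_PATTERNS = {
    "urgency": re.compile(r"\b(urgent(ly)?|within \S+ hours?|immediately|expires?|right now)\b", re.I),
    "intimidation": re.compile(r"\b(locked|suspended|court|legal action|penalty)\b", re.I),
    "authority": re.compile(r"\b(helpdesk|it department|ceo|police|tax office|customs)\b", re.I),
}


class _LinkCollector(HTMLParser):
    """Collects (anchor_text, href) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def registered_domain(host):
    """Simplified 'last two labels' domain; production code should use the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def text_indicators(text):
    """Return the influence principles whose pressure phrases appear in the text."""
    return sorted(name for name, pat in PRESSURE_PATTERNS.items() if pat.search(text))


def link_indicators(anchor_text, href):
    """Flag lookalike hosts and links whose visible text does not match the destination."""
    flags = []
    host = urlparse(href).hostname or ""
    if "xn--" in host:
        flags.append("punycode-host")          # IDN homograph candidate
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        flags.append("raw-ip-host")
    shown = urlparse(anchor_text).hostname if "://" in anchor_text else None
    if shown and registered_domain(shown) != registered_domain(host):
        flags.append("text-href-mismatch")
    return flags


def email_indicators(raw):
    """Parse a raw RFC 5322 message (single-part assumed) and collect all indicators."""
    msg = message_from_string(raw)
    flags = set()
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and reply_addr.rsplit("@", 1)[-1] != from_addr.rsplit("@", 1)[-1]:
        flags.add("reply-to-mismatch")
    body = msg.get_payload()
    collector = _LinkCollector()
    collector.feed(body)
    for text, href in collector.links:
        flags.update(link_indicators(text, href))
    flags.update(text_indicators(" ".join([msg.get("From", ""), msg.get("Subject", ""), body])))
    return sorted(flags)


def sms_indicators(text):
    """SMS has no headers, so only the wording and any embedded link can be checked."""
    flags = set(text_indicators(text))
    for url in re.findall(r"https?://\S+", text):
        flags.update(link_indicators("", url))
        if url.startswith("http://"):
            flags.add("plain-http-link")
    return sorted(flags)


if __name__ == "__main__":
    print("email:", email_indicators(SAMPLE_EMAIL))
    print("sms:  ", sms_indicators(SAMPLE_SMS))
```

Run the file directly to see both verdicts. Heuristics like these are a teaching aid and a first filter, not a replacement for mail authentication, URL reputation checks or the awareness training described above; attackers change their wording quickly, so the pattern lists need maintenance.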
Impersonation is one of the most dangerous methods available to attackers: physically posing as an employee of the target company, or as someone in authority who can be trusted (law enforcement, a utility worker, etc.). There is a further twist to this technique. Advances in AI- and ML-powered voice technology, and recently in deepfakes, give attackers new tools. Recently, attackers used AI voice technology to impersonate the CEO of a company and convinced someone in the accounting department to wire over 200k Euros to the attackers' account.
Ransomware is another way of doing penetration testing, in which the scope and payment are negotiated after the attack
This article would not be complete without mentioning the most damaging payload that phishing commonly delivers: ransomware, malware that infects the target's systems and encrypts its data, after which the attackers offer to decrypt it in exchange for a certain amount of money. Because some companies actually had a good backup strategy, not all of them paid. That is why attackers now first steal the data and only then encrypt it; if the targeted company refuses to pay, the data is often published.
It is very important to understand what social engineering is, what techniques are applied and what vectors attackers use. It is just as important to be prepared: to properly educate employees about the threats and to protect your company's resources. If you want to check how well your organization is prepared to defend against these attacks, please contact us and we will provide information about our security services.
Author: Jacek Bochenek, Cloud and Security Team Leader — CISSP, CISM, CCSP