What happens when threat actors are faced with an impenetrable wall of perimeter defenses, hardened machines, and state-of-the-art security solutions? Well, first, the most determined attackers won’t easily throw in the towel, that’s for sure. Not when they could always use old-fashioned social engineering to exploit what’s usually the weakest link in an organization’s security–its people.
As we continue with our Diving Deeper series, we zoom in to perhaps the most low-tech but nevertheless highly effective attack type in a cyber crook’s bag of tricks—social engineering. We trace its roots, how it’s carried out, and how you can detect as well as defend your company from it.
A brief history of social engineering
Social engineering is a much older tactic than its tech-sounding name suggests. In fact, it predates computing entirely. Although the information security community now calls it ‘social engineering’, under the covers it’s just deception: the art of taking advantage of a person’s ignorance or gullibility to achieve a malicious objective. The person carrying it out is nothing more than a con artist.
Looking back through history and literature, you can find plenty of crooks skilled in this art, and even more people who fell for their schemes. There’s the serpent who tempted Adam and Eve with a fruit from the tree of knowledge. There were the Greeks who gifted the people of Troy with a magnificent wooden horse. There was Victor Lustig, who sold the Eiffel Tower to scrap metal dealers after declaring it was about to be demolished. There’s Charles Ponzi, who swindled victims through, well, a Ponzi scheme. The list goes on and on.
Such schemes still work today for two reasons: some people readily believe a story, and some stories are genuinely convincing.
How social engineering is carried out
These days, social engineering is mostly used by cyber criminals to gain access to accounts of interest, like bank accounts, system user accounts, etc., and they do so by employing a variety of techniques.
It usually begins with extensive data gathering. If the attackers intend to impersonate someone from within the organization, they’ll want to know more than just that person’s name, job title, birthdate, or gender. They’ll try to gather as much as they can about that person’s daily routine, behaviors, roles in the organization, schedule, and a ton of personal information. They will also look into the organization’s business relationships: which companies it works with routinely or has publicly identified as partners.
This might entail several intermediary activities like dumpster diving, shoulder surfing, tailing, and stalking. And, if the victim is active on social media, you can be sure the attackers will be looking into those profiles as well.
The people most often targeted are those who hold the keys to vital information or resources in the organization, such as the accounting, finance, legal, and HR departments. We’ve also seen several newer social engineering schemes that target upper management and executives directly.
If the company they’re targeting has ample defenses, then social engineers could direct their efforts first to a third-party vendor providing services for the targeted company and then circumvent the company’s defenses through that provider.
Some attackers also work to build familiarity, rapport, and, ultimately, trust with their targets. They might interact with certain people in the target organization many times before moving in to strike. All this preparation goes into building a pretext that approximates the truth, and that pretext is critical to the success of any social engineering campaign.
The entire attack is usually a long, drawn-out process, so not all cybercriminals have the patience for it. Although social engineering is often one stage of a larger cyberattack, it mostly involves non-technical skills like verbal communication, reading body language, and constructing a believable story. It is more about human psychology than technology, and a cyber gang that lacks that skill set has a low chance of success.
One reason these attacks succeed is that our security solutions are mainly focused on fighting malware, DDoS, brute force, and other attacks that rely on technology. The few defenses we have against social engineering are mostly inadequate.
A classic example: the attacker calls the help desk claiming to have forgotten their password and to urgently need to log back in. When prompted with a security question, they hang up, research the real answer, and call back. Now armed with the answer, they pass verification and begin the account takeover. This highlights the weakness of security questions: their answers are generally easy to research or guess, and an attacker who learns the question in one call can come back with the answer in the next.
Preventing, detecting, and countering social engineering attacks
Social engineering attacks exploit weaknesses in human psychology and behavior, so proper employee training and a culture of security within your organization are essential. Employees should be able to recognize suspicious behaviors and report them to your security team, who can verify whether a request is legitimate or a potential social engineering attack.
Relevant training and workshops can help cultivate security consciousness, which reduces the chances of employees falling for acts of deception. Because employees tend to drift away from security consciousness over time, these trainings should be conducted on a regular basis. Training should be more frequent and deeper for key personnel, such as HR, finance, and leadership teams, since they are the most likely to be targeted.
Employees should also be aware of the risks of posting personal information online. Inform them of the types of information that can be used by cybercriminals in a social engineering attack.
More importantly, the appropriate policies and procedures should be set in place. Policies and procedures serve as the foundation and guardrails that restrict employee actions to minimize risk.
For example, if a customer service representative receives a call, asks a security question, and the call is then disconnected, that incident should be logged and the account flagged. The next representative who receives a call about the same account will then see the previous request and can ask a different security question, or, after repeated drop-offs, escalate to another form of verification instead of relying on security questions at all.
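To make the hang-up-and-call-back scenario and the logging countermeasure concrete, here is a small Python model added for this article (it is not code from the original post or from any real help-desk product). It treats every security question read out to a caller who then drops as "burned", steers the next agent to a different question, and refuses phone verification once an assumed threshold of abandoned or failed attempts is reached. The account name, questions, answers and thresholds are all made up for illustration.

```python
"""Help-desk verification that remembers abandoned attempts.

Added example, not code from the original article. Models the policy in the
text: a recovery call that drops after the security question is read out is
logged as an abandoned attempt, the account is flagged, and the next agent is
steered to a different question; after repeated abandons or wrong answers,
phone verification is refused and the caller must be verified another way.
"""
import hashlib
import hmac
import random
import secrets
from dataclasses import dataclass, field
from enum import Enum


class Outcome(Enum):
    VERIFIED = "verified"
    FAILED = "failed"        # wrong answer given
    ABANDONED = "abandoned"  # caller hung up after hearing the question


ABANDON_LIMIT = 2  # assumed threshold: two hang-ups => no more phone verification
FAIL_LIMIT = 3     # assumed threshold: three wrong answers => same


def _hash_answer(answer: str, salt: bytes) -> bytes:
    # Normalise case and whitespace so "Elm  Street" matches "elm street",
    # then hash; stored answers should never be readable by an agent or a leak.
    norm = " ".join(answer.lower().split())
    return hashlib.pbkdf2_hmac("sha256", norm.encode(), salt, 50_000)


@dataclass
class Account:
    username: str
    questions: dict = field(default_factory=dict)  # question -> (salt, hash)
    history: list = field(default_factory=list)    # (question, Outcome) per attempt

    def set_answer(self, question: str, answer: str) -> None:
        salt = secrets.token_bytes(16)
        self.questions[question] = (salt, _hash_answer(answer, salt))


class HelpDesk:
    def __init__(self, rng=None):
        self.rng = rng or random.Random()

    def requires_other_verification(self, acct: Account) -> bool:
        abandoned = sum(1 for _, o in acct.history if o is Outcome.ABANDONED)
        failed = sum(1 for _, o in acct.history if o is Outcome.FAILED)
        return abandoned >= ABANDON_LIMIT or failed >= FAIL_LIMIT

    def pick_question(self, acct: Account):
        """Return a question never exposed in an abandoned or failed attempt,
        or None when the caller must be verified out of band."""
        if self.requires_other_verification(acct):
            return None
        burned = {q for q, o in acct.history if o is not Outcome.VERIFIED}
        candidates = sorted(q for q in acct.questions if q not in burned)
        return self.rng.choice(candidates) if candidates else None

    def record_abandoned(self, acct: Account, question: str) -> None:
        # The agent logs the drop; the question is now assumed known to the caller.
        acct.history.append((question, Outcome.ABANDONED))

    def check_answer(self, acct: Account, question: str, answer: str) -> bool:
        salt, stored = acct.questions[question]
        ok = hmac.compare_digest(_hash_answer(answer, salt), stored)
        acct.history.append((question, Outcome.VERIFIED if ok else Outcome.FAILED))
        return ok


def simulate_hangup_attack():
    """Replay the hang-up-and-research pattern from the text against this policy."""
    desk = HelpDesk(random.Random(7))  # seeded so the walkthrough is repeatable
    acct = Account("jdoe")             # constructed sample account
    acct.set_answer("first pet", "Rex")
    acct.set_answer("street you grew up on", "Elm Street")
    acct.set_answer("mother's maiden name", "Smith")

    q1 = desk.pick_question(acct)   # call 1: caller hears q1 and hangs up
    desk.record_abandoned(acct, q1)
    q2 = desk.pick_question(acct)   # call 2: researched q1, but gets a different question
    desk.record_abandoned(acct, q2)
    q3 = desk.pick_question(acct)   # call 3: limit reached, phone verification refused
    return q1, q2, q3


if __name__ == "__main__":
    print(simulate_hangup_attack())
```

The point of the model is the shared history: without it, each agent sees a fresh caller and the attacker simply collects questions one call at a time. Note that even with rotation, an account with only a handful of questions runs out quickly, which is why the policy falls back to refusing phone verification rather than cycling through the remaining questions.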
The human aspect of information security is often overlooked in a company’s cybersecurity program. But like servers, applications, network devices, and other inanimate elements of your IT infrastructure, employees can also be exploited and used as a point of entry in a cyberattack. As such, the social engineering threat must be taken seriously.