Security+ Journey – Social Engineering

In today’s day and age, attackers and defenders can both be very sophisticated. Threat actors have ways to obfuscate their attacks and exploit zero-day vulnerabilities. Conversely, defenders can leverage defense in depth to put multiple layers of defense between valuable assets and attackers. However, at the end of the day, there is a human element, which can be thought of as the last line of defense. Organizations can invest a large amount of money in layered defenses, but if an attack gets through a specific vector, for instance email, and the person opening the email falls for the phish, the org can be in big trouble. This is why, even with technical defense in depth, continuous end user security training is vital. Threat actors will continue to use social engineering as an attempt to kick off their malicious endeavors. Sometimes, to hack a system, an attacker must hack a human first. I know that sounds a bit extreme, but in my mind, that is essentially what an attacker is doing with social engineering. Social engineering involves using deception to get targets to unknowingly do something malicious. Examples could be trying to get someone to click a link to a fake login page to accomplish credential harvesting, or tricking a user into downloading and installing a malicious file. These attacks leverage technology; however, what they are exploiting is the vulnerability of the human nature of trust. There are multiple forms that social engineering can take that we should all be aware of, so that we can be alert and vigilant.

Familiarity and Liking
Sometimes, a social engineer may realize that they could catch more flies with honey. This means that an attacker will attempt to get a target to do something malicious by playing to a potential victim’s interests, or by just being kind and considerate. We as a society post a lot about ourselves on social media. Threat actors can use this information against us. They can play to our likes and dislikes to gain our trust. This is a big reason for being careful about what we post about ourselves online.

Authority and Intimidation
In contrast to familiarity and liking, threat actors may attempt a method leveraging authority and/or intimidation. The authority approach exploits individuals’ level of trust in authority figures, such as government agencies. An example of a phishing attack leveraging an authority approach would be email campaigns around tax filing time, claiming to be from a government agency requiring information about a target. This can also lead into the intimidation method. Nobody really wants to get in trouble, and attackers will try to exploit that by threatening legal action or penalties for not complying with what is asked of them in the notice or email.

Consensus/Social Proof
We often do not like making decisions on our own. It seems we constantly look to others for advice and recommendations. That in and of itself is not necessarily a bad thing at all, as long as we can trust the person or group providing the advice or recommendations. When shopping for goods and services online or for the next coupon mobile app (my attempt at a joke), we will tend to look at the reviews left by others to see if the product is any good and if it can be trusted. Threat actors know this too and can leverage methods to leave false comments and reviews to trick us into something malicious because it appears to have rave reviews. It would be good to also look for another method of validation as well, to be safe. Multifactor product validation, anyone? C’mon, I’m trying to start a new thing. That at least sounds cool, right?

Scarcity and Urgency

Nobody wants to miss out on a “good deal”, right? Well, threat actors understand this and will definitely try to take advantage. Phishing attempts can try to exploit this desire by offering up something enticing that “will expire soon” or is a product in short supply, so you “must click NOW!”. When it comes to deals like these examples, we must always question if something seems “too good to be true”. If it seems that way, it often is a scam or malicious attempt to get your data or financial information. The scarcity and urgency tactic could potentially also be used along with the authority and intimidation tactic to trick people into a malicious activity right now “or else”.
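The tactics above (familiarity and liking, authority and intimidation, consensus/social proof, scarcity and urgency) tend to show up as recognizable language in a message, and they are most dangerous when several are stacked together with a request to click, log in, or download something. The following is an added example for this post, not code from the original article: a small Python triage helper that flags which tactics a piece of email text leans on and rates it higher when multiple tactics are combined with a call to action. The cue phrase lists and the sample messages are constructed for illustration; they are an assumption, not a validated detection ruleset, and are meant as a training or mail-review aid rather than a replacement for a real email security product.

```python
"""Flag social-engineering cues in email text for user-awareness triage.

Added example for this post; not from the original article. The cue lists and
sample messages below are constructed for illustration only.
"""
import re

# One regex list per tactic from the post. Assumption: these phrase lists are
# illustrative and far from complete; a real ruleset would be tuned on real mail.
CUES = {
    "authority": [
        r"\b(tax (agency|authority|office)|government agency|official notice)\b",
        r"\b(legal|compliance) department\b",
    ],
    "intimidation": [
        r"\blegal action\b",
        r"\bpenalt(y|ies)\b",
        r"\baccount will be (suspended|closed|terminated)\b",
        r"\bfailure to comply\b",
    ],
    "urgency": [
        r"\b(immediately|urgent(ly)?|right now|act now)\b",
        r"\bwithin (24|48) hours\b",
        r"\bexpires? (soon|today|tonight)\b",
    ],
    "scarcity": [
        r"\blimited (supply|stock|time)\b",
        r"\bonly \d+ left\b",
        r"\bwhile supplies last\b",
    ],
    "social_proof": [
        r"\b(thousands|millions) of (users|customers|people)\b",
        r"\b(five|5)[- ]star reviews?\b",
        r"\beveryone (is|has)\b",
    ],
    "liking": [
        r"\bsaw your (post|profile)\b",
        r"\bfellow (fan|alum|member)\b",
        r"\bso much in common\b",
    ],
}

# The action the cues are pushing the reader toward: the part that actually does damage.
ACTIONS = [r"\bclick\b", r"\blog ?in\b", r"\bverify\b", r"\bdownload\b",
           r"\bopen the attach(ed|ment)\b"]

COMPILED = {t: [re.compile(p, re.IGNORECASE) for p in pats] for t, pats in CUES.items()}
COMPILED_ACTIONS = [re.compile(p, re.IGNORECASE) for p in ACTIONS]


def find_cues(text):
    """Return {tactic: [matched phrases]} for every tactic with at least one hit."""
    hits = {}
    for tactic, patterns in COMPILED.items():
        found = [m.group(0) for p in patterns for m in p.finditer(text)]
        if found:
            hits[tactic] = found
    return hits


def has_call_to_action(text):
    """True if the message asks the reader to click, log in, verify, download, or open something."""
    return any(p.search(text) for p in COMPILED_ACTIONS)


def triage(text):
    """Rate a message: 'high' when two or more tactics are stacked on top of a call to action."""
    cues = find_cues(text)
    action = has_call_to_action(text)
    if len(cues) >= 2 and action:
        level = "high"
    elif cues and action:
        level = "medium"
    elif cues:
        level = "low"
    else:
        level = "none"
    return {"level": level, "tactics": sorted(cues), "call_to_action": action}


# Constructed sample messages (not real campaigns).
TAX_NOTICE = ("Official notice from the tax agency: your filing is incomplete. "
              "Failure to comply within 24 hours will result in legal action. "
              "Click here to verify your identity.")
DEAL = ("Only 3 left while supplies last! Thousands of customers gave this "
        "five-star reviews. Act now and download the app before the offer expires tonight.")
BENIGN = "Hi team, the quarterly report is attached for review. Let me know if you have questions."

if __name__ == "__main__":
    for name, msg in [("tax notice", TAX_NOTICE), ("deal", DEAL), ("benign", BENIGN)]:
        print(name, "->", triage(msg))
```

The tax notice stacks authority, intimidation and urgency on top of a "click to verify" request and rates high; the fake deal stacks scarcity, social proof and urgency on a download request and also rates high; the routine internal note trips nothing. The point of keeping the call-to-action check separate from the cue check is that persuasive language alone is not malicious; it is the combination of pressure plus a requested action that deserves a second look, which is exactly the habit end user training tries to build.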

Organizations can spend a lot of money and resources to protect against threats and mitigate risk; however, people are still the last line of defense, and threat actors will try to exploit different weaknesses in human behavior. This is why continuous security training programs, security testing, and employee engagement about security are important. Employees of an organization need to understand that they are part of the defense against security related threats and that we cannot rely on technical, operational, and managerial controls alone.

Published by Tim Bertino

Systems Architect passionate about solutions and design.
