Wednesday, 17 April 2019

The Power of Social Engineering, Part One: Know Your Enemy

Written by Stuart Peck

On 9th April 2019 in London, ZeroDayLab hosted our Social Engineering Masterclass, where I presented (with a line-up of other ZeroDayLab speakers) the tactics, techniques, and procedures that attackers use to deploy social engineering to great effect.

This trilogy of articles builds upon that message in greater detail. In part one, we detail the tactics used by attackers, with an explanation of each of the 6 core principles of social engineering and influence. In the second article we delve into attacks in operation, looking at case studies where social engineering is most effective, and discuss target profiling and pretexting. The final article discusses active social engineering defence: strategies for both individuals and organisations that can be deployed to reduce the risk of a successful attack.


What is Social Engineering?

"Social engineering, in the context of information security, refers to psychological manipulation of people into performing actions or divulging confidential information… a type of confidence trick for the purpose of information gathering, fraud, or system access, it differs from a traditional 'con' in that it is often one of many steps in a more complex fraud scheme."

It has also been defined as "any act that influences a person to take an action that may or may not be in their best interests." - Wikipedia

In the context of this article we are going to focus on the techniques and tactics of modern social engineering, with examples of phishing, vishing, smishing, and how this supports other attacks such as hacking and physical entry.

Robert Cialdini is famous for identifying and cataloguing the 6 principles of persuasion, the foundations on which most modern-day social engineering is built. They are:

  • Reciprocity: people tend to return a favour if they see value in what has been offered. This is used a lot by intelligence agents and police to coerce their target into cooperation.
  • Commitment: if people commit, orally or in writing, to an idea or goal, they are more likely to honour that commitment because they have stated that the idea or goal fits their self-image.
  • Social Proof: people will do things that they see other people doing. Studies have successfully convinced people in a group that a red object is blue, for example.
  • Authority: people tend to obey authority figures, even when asked to perform objectionable acts. In the workplace this is also driven by the company culture.
  • Likability: people are easily persuaded by other people whom they like. Combine this with trust and the effect is compounded. Always be wary of the attacker who comes at you with a smile.
  • Scarcity/Urgency: people are influenced by fear of loss, or by the negative consequences of missing deadlines. This creates urgency, the state in which human error is most likely to be exploited, e.g. ransomware.

With these principles in mind, you can see how unsuspecting users can be coerced or influenced into making decisions that are not in their, or their respective employer’s, interest.

For example, one of the biggest threats (and tools for attackers) in recent history is social media, which has desensitised many to the dangers of oversharing and has led to people sharing:
  • Images of their credit cards
  • Images of boarding passes, whose barcode, when scanned, contains personal information including passport information
  • Information that can be used to work out passwords
  • Information about their employer, including images of their badge and sometimes business cards
  • Selfies and videos that contain personal information, which again can be used to build a profile.
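To make the boarding-pass point concrete, here is an added example (not part of the original article) that decodes the mandatory section of an IATA Bar Coded Boarding Pass ("M" format) string, the data behind the 2D barcode on a printed or mobile boarding pass. The field layout is the public IATA BCBP mandatory-item layout; the sample pass, passenger name, booking reference and flight are constructed for illustration. Anyone who photographs the barcode gets at least this much.

```python
"""Decode the mandatory section of an IATA BCBP ('M' format) boarding-pass barcode string.

Added example: the field layout is the public IATA BCBP mandatory-item layout;
the sample boarding pass below is constructed and belongs to nobody.
"""
from datetime import date, timedelta

# Mandatory leg-1 items in order with their fixed character widths (60 chars in total).
MANDATORY_FIELDS = [
    ("format_code", 1),                 # 'M' for the current BCBP format
    ("number_of_legs", 1),
    ("passenger_name", 20),             # SURNAME/FIRSTNAME, space padded
    ("electronic_ticket_indicator", 1),
    ("operating_carrier_pnr", 7),       # booking reference (record locator)
    ("from_airport", 3),
    ("to_airport", 3),
    ("operating_carrier", 3),
    ("flight_number", 5),
    ("date_of_flight_julian", 3),       # day of year, 001-366; the year is not encoded
    ("compartment_code", 1),
    ("seat_number", 4),
    ("checkin_sequence", 5),
    ("passenger_status", 1),
    ("conditional_size_hex", 2),        # length (hex) of the optional block that follows
]
MANDATORY_LENGTH = sum(width for _, width in MANDATORY_FIELDS)  # 60

# Constructed sample: Jane Smith, booking ABC123, BA1234 LHR->EDI on day 108, seat 12C.
SAMPLE_BCBP = (
    "M1" + "SMITH/JANE".ljust(20) + "E" + "ABC123".ljust(7)
    + "LHR" + "EDI" + "BA".ljust(3) + "1234".ljust(5) + "108"
    + "Y" + "012C" + "0042".ljust(5) + "1" + "00"
)


def decode_bcbp(raw: str, year: int) -> dict:
    """Split a BCBP string into its mandatory fields; `year` resolves the Julian day."""
    if len(raw) < MANDATORY_LENGTH or raw[0] != "M":
        raise ValueError("not an IATA BCBP 'M' format string")
    fields, pos = {}, 0
    for name, width in MANDATORY_FIELDS:
        fields[name] = raw[pos:pos + width].strip()
        pos += width
    day_of_year = int(fields["date_of_flight_julian"])
    fields["date_of_flight"] = (date(year, 1, 1) + timedelta(days=day_of_year - 1)).isoformat()
    fields["conditional_size"] = int(fields["conditional_size_hex"] or "0", 16)
    return fields


def exposure_summary(fields: dict) -> list:
    """What a stranger learns from a photographed barcode, grouped by why it matters."""
    return [
        ("identity", fields["passenger_name"]),
        ("booking reference (treat like a password)", fields["operating_carrier_pnr"]),
        ("travel plans", f"{fields['operating_carrier']}{fields['flight_number']} "
                         f"{fields['from_airport']}->{fields['to_airport']} on {fields['date_of_flight']}"),
        ("seat / check-in sequence", f"{fields['seat_number']} / {fields['checkin_sequence']}"),
    ]


if __name__ == "__main__":
    for label, value in exposure_summary(decode_bcbp(SAMPLE_BCBP, 2019)):
        print(f"{label:45} {value}")
```

The optional block that follows the 60 mandatory characters (its length is the last hex field) can carry further items such as frequent-flyer numbers, which is why the summary above is a lower bound on what is exposed, not the full picture.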

If you combine this with the wealth of information that can be gathered relatively easily on a company and its employees using open source intelligence (OSINT), the attacker has a dossier of information from which to build a solid pretext, or in some cases to actually access mailboxes where employees have re-used weak passwords or credentials found in publicly available breaches.

Pretext, the scenario being presented to the target, is built upon 4 conditions to establish trust. For example, through OSINT the attacker would have gathered some critical information about the target and the organisation: this could be the names of direct management, colleagues in another location, project code names, information about systems, or enough to directly impersonate a trusted third party.

This information builds some form of credibility, which the attacker can pivot to establish some of the following:

 Figure 1: Principles of Trust

The reality is that most phishing emails try to use credibility and some form of authority, because it is very difficult to build likability without the proper tone over email, whereas other attacks such as vishing or in-person social engineering leverage a combination of Likeability, Authority and/or Empathy to great effect. Without the proper training, tools, and ongoing awareness of the threats, social engineering is going to continue to be used as part of the attacker's toolkit.
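As an added example (not from the article, and not a ZeroDayLab tool), the heuristic below turns the principles above into a triage aid a reviewer can run over a reported message: it looks for constructed cue phrases for each of Cialdini's principles and flags the combination this paragraph calls out, authority stacked with urgency. The cue lists and the three sample messages are constructed for illustration; treat the output as a prompt to look closer, not a verdict.

```python
"""Heuristic triage of a message for Cialdini-style influence cues.

Added example (not from the article). The cue phrases are constructed and deliberately
small; this is an awareness/triage aid for a reviewer, not a phishing classifier.
"""
import re

# Constructed cue patterns per principle, matched case-insensitively on the message text.
PRINCIPLE_CUES = {
    "authority": [
        r"\b(ceo|cfo|managing director|head of \w+|it department|compliance|legal team)\b",
        r"\b(company policy|required by|on behalf of)\b",
    ],
    "urgency": [
        r"\b(urgent|urgently|immediately|asap|today|within \d+ hours|deadline)\b",
        r"\b(suspended|locked|terminated|expires?)\b",
    ],
    "reciprocity": [r"\b(gift card|voucher|reward|bonus|free)\b", r"\bas a thank you\b"],
    "commitment": [r"\b(as (?:you|we) agreed|as discussed|you (?:confirmed|signed up))\b"],
    "social_proof": [r"\b(everyone|all staff|your colleagues|most people) (?:has|have) (?:already )?\w+"],
    "likability": [r"\b(hope you(?:'re| are) well|great working with you|thanks so much)\b"],
}


def find_cues(text: str) -> dict:
    """Return {principle: [matched phrases]} for every principle with at least one hit."""
    low = text.lower()
    hits = {}
    for principle, patterns in PRINCIPLE_CUES.items():
        matched = [m.group(0) for pattern in patterns for m in re.finditer(pattern, low)]
        if matched:
            hits[principle] = matched
    return hits


def triage(text: str) -> dict:
    """Score a message by how many principles it stacks and flag the phishing-typical combos."""
    hits = find_cues(text)
    flags = []
    if "authority" in hits and "urgency" in hits:
        flags.append("authority + urgency: the pattern most phishing emails rely on")
    if len(hits) >= 3:
        flags.append("three or more influence principles stacked in one message")
    return {"principles": sorted(hits), "cues": hits, "score": len(hits), "flags": flags}


# Constructed sample messages (not real mail).
SAMPLES = [
    "Hi, this is the CFO. I need you to process an urgent wire today before 5pm; the deadline is non-negotiable.",
    "Hope you're well. Quick note that the team lunch is on Thursday.",
    "Everyone has already completed the new compliance training. Finish today and get a free voucher.",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        result = triage(msg)
        print(f"score={result['score']} principles={result['principles']} flags={result['flags']}")
```

The second sample shows the limit of the approach: a friendly opener triggers the likability cue on its own, so single-principle hits are noise and only the stacked combinations are worth a reviewer's time.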


Who Uses Social Engineering, and Why?

Social engineering is used as part of, or as the main attack vector for, a range of threat actors. These include:
  • Hackers: social engineering is a valuable part of the toolset for black-hat hackers, who usually deploy a range of techniques to gain a foothold on a target's network.
  • Scammers: the highly effective but simple attacks deployed by telephone scammers are costing the global economy billions. Vishing is still a very viable attack vector.
  • Identity Thieves: using stolen information obtained through hacking or purchased on the Dark Web, these social engineers assume the identity of their target to obtain new credit or control of existing accounts, for huge financial gain.
  • Cyber Criminals: these attackers use a full suite of social engineering techniques, but phishing is the weapon of choice, either to deliver malware that gains a foothold on the network or to harvest Personally Identifiable Information (PII).
  • Governments: state-sponsored attackers use social engineering for a range of objectives, from IP theft and targeted espionage to influencing elections in other countries.
  • Insiders: according to the 2018 Insider report, 90% of organisations feel vulnerable to insider threats. Insiders know your systems and data, and can cause maximum damage.

The main reason social engineering is the most widely used tool in the attacker's toolkit is that it requires very little infrastructure or cost, yet it yields among the highest returns for the attacker.

To fully understand the effectiveness of social engineering, we have to dive deep into case studies, the tactics and why they work, and what companies and individuals can do to detect attacks and protect themselves. These will be covered in parts 2 and 3.