Written by Stuart Peck
ZeroDayLab hosted our Social Engineering Masterclass, where I presented (alongside a line-up of other ZeroDayLab speakers) the tactics, techniques, and procedures attackers use to deploy social engineering to great effect. This trilogy of articles builds on that message in greater detail. In part one, we detail the tactics used by attackers, with an explanation of each of the 6 core principles of social engineering and influence. In the second article we delve into attacks in operation, looking at case studies where social engineering is most effective, and discuss target profiling and pretexting. The final article discusses active social engineering defence, covering both individual and organisational strategies that can be deployed to reduce the risk of a successful attack.
What is Social Engineering?
"Social engineering, in the context of information security, refers to psychological manipulation of people into performing actions or divulging confidential information… a type of confidence trick for the purpose of information gathering, fraud, or system access, it differs from a traditional 'con' in that it is often one of many steps in a more complex fraud scheme."
It has also been defined as "any act that influences a person to take an action that may or may not be in their best interests." - Wikipedia
In the context of this article we are going to focus on the techniques and tactics of modern social engineering, with examples of phishing, vishing, and smishing, and how these support other attacks such as hacking and physical entry.
Robert Cialdini is famous for identifying and cataloguing the 6 principles of persuasion, the foundations on which most modern-day social engineering is built. These are:
- Reciprocity - people tend to return a favour if they see value in what has been offered. This is used a lot by intelligence agents and police to coerce their target into cooperation.
- Commitment - if people commit, orally or in writing, to an idea or goal, they are more likely to honour that commitment because they have stated that the idea or goal fits their self-image.
- Social Proof - people will do things that they see other people doing. Studies have successfully convinced people in a group that a red object is blue, for example.
- Authority - people tend to obey authority figures, even when asked to perform objectionable acts. In the workplace this is also driven by the company culture.
- Likability - people are easily persuaded by other people whom they like. Combined with trust, the effect is compounded. Always be wary of the attacker who approaches you with a smile.
- Scarcity/Urgency - people are influenced by fear of loss, or by the negative consequences of missing deadlines. This creates urgency, which is where human error is most likely to be exploited, e.g. ransomware.
With these principles in mind, you can see how unsuspecting users can be coerced or influenced into making decisions that are not in their, or their employer's, interest.
For example, one of the biggest threats (and tools for attackers) in recent history is social media, which has desensitised many people to the dangers of oversharing and has led to people posting:
- Images of their credit cards
- Images of boarding passes - scanning the barcode reveals personal information, including passport details
- Information that can be used to work out passwords
- Information about their employer, including images of their badge or business cards
- Selfies and videos that contain personal information, which again can be used to build a profile.
Combine this with the wealth of information that can be gathered relatively easily on a company and its employees using open source intelligence (OSINT), and an attacker has a dossier with which to build a solid pretext, or, in some cases, direct access to mailboxes where employees have re-used weak passwords or credentials exposed in publicly available breaches.
The pretext, or the scenario presented to the target, is built upon 4 conditions to establish trust. For example, through OSINT the attacker would have gathered some critical information about the target and the organisation - this could be the names of direct management, colleagues in another location, project code names, information about systems, or material enabling direct impersonation of a trusted third party. This information builds some form of credibility, from which the attacker can pivot to establish some of the following:
Figure 1: Principles of Trust
The reality is that most phishing emails rely on credibility and some form of authority, because it is very difficult to build likability without the proper tone over email, whereas other attacks such as vishing or in-person social engineering leverage a combination of Likability, Authority and/or Empathy to great effect. And without the proper training, tools, and ongoing awareness of the threats, social engineering is going to remain part of the attacker's toolkit.
Who Uses Social Engineering, and Why?
Social engineering is used as part of, or as the main, attack vector by a range of threat actors. These include:
- Hackers - social engineering is a valuable part of the toolset for black-hat hackers, who usually deploy a range of techniques to gain a foothold on a target's network.
- Scammers - highly effective but simple attacks deployed by telephone scammers are costing the global economy billions. Vishing is still a very viable attack vector.
- Identity Thieves - using stolen information obtained through hacking or purchased on the Dark Web, these social engineers assume the identity of their target to obtain new credit or control of existing accounts, for huge financial gain.
- Cyber Criminals - these attackers use a full suite of social engineering techniques, but phishing is the weapon of choice, either to deliver malware that gains a foothold on the network or to harvest Personally Identifiable Information (PII).
- Governments - state-sponsored attackers use social engineering for a range of objectives, from IP theft and influencing elections (in other countries) to targeted espionage.
- Insiders - according to the 2018 Insider report, 90% of organisations feel vulnerable to insider threats. Insiders know your systems and data, and can cause maximum damage.
The main reason social engineering is the most widely used tool in the attacker's toolkit is that it requires very little infrastructure or cost, yet yields among the highest returns for the attacker.
To fully understand the effectiveness of social engineering, we have to deep dive into case studies, the tactics and why they work, and what companies and individuals can do to detect attacks and protect themselves; these topics will be covered in parts 2 and 3.