I often find myself asked the same question: what is the most difficult type of attack to detect but easiest to launch? My answer is always the same: social engineering.
Social engineering can be broadly defined as the use of manipulation and deceit to obtain information or to trick the target into taking an action.
This desired action can be something as simple as filling out a form or opening a file. Complex examples can range from willingly sending payments to providing confidential information over a prolonged period of time.
This is not a new phenomenon. Social engineering gets redefined every once in a while but essentially stays the same. It predates every type of cyber-attack: it is as old as espionage itself.
While hackers often cast wide nets with automated messages and clever digital traps, the most prolific uses involve a personal touch that builds on psychology, and targeting is the go-to approach for those. The perpetrators carefully select their victims and use their basic humanity against them.
Trust, compassion, fear, open-mindedness and anxiety are all tools in the perpetrators’ utility belts. They are waiting for the victim to believe them or to have a moment of confusion.
Social engineering against key targets, particularly executives and those with a large scope of responsibility, can reveal vital strategic information that allows the adversary to move to the second stage of their targeted campaign.
For instance, tricking the executive into revealing minor personal details about themselves can allow the adversary to complete a profile of the victim and formulate a natural-sounding, believable approach. That profile can then become the gateway to establishing a trusted connection and developing a major attack against the corporation.
In the past week, I received about half a dozen collaboration requests from very nice, well-mannered individuals (who do not exist). We all know to never open files of unknown nature or follow unsolicited links, yet it is still worth repeating.
The adversary who uses social engineering operates with considerable sophistication and will be the one to initiate contact.
Many no longer bother with the common phishing emails because they know those are filtered and blocked automatically by baseline security measures. They will formulate a convincing story and may even represent a business that seemingly exists and has a website to prove it. The adversaries may present themselves as a client, an agent, or even a prospective partner. They are so convincing that they make us feel inadequate.
Even though we are often prepared to detect social engineering, we have to remember that the ‘results’ these individuals are after do not need to be of any consequence on their own. It is sufficient for them to find out that the desired target exists.
Take the presence of a key document as an example. All it takes is one word to leak the existence of this critical piece of information. Now, the adversary knows there’s a lucrative asset being kept by the victim and will formulate their next steps.
Meanwhile, comprehensive social engineering attacks are technical in scope and involve several stages.
The attack commonly starts with the initiation of contact and the delivery of files, and it is crafted to fit the intended target. The preferred target is someone unsuspecting, who thinks of themselves as low priority.
It’s common to send malicious files in a package of other benign files. The files can be packaged with vendor-specific documents or simply a client request.
Once the virus has been planted in the target computer, the victim receives a message from the attacker that they must comply with all requests or their most valuable data will be destroyed or leaked.
Sometimes there is no virus at all, simply a threat. Depending on who the victim is, in particular if they have a reputation to uphold or a job to keep, this is a serious threat, even if they have done nothing wrong and have very little to hide. Their cooperation is the victory the attacker desired.
To obtain pieces of miscellaneous, yet important information to fill any gaps, the adversary uses a variety of methods. These may be both digital and physical.
Digital methods include scouring news releases, social media accounts, and other publicly-available ‘open sources’ as well as using private databases or information stolen in previous exploits.
Physical methods can include following the target, shoulder-surfing at opportune locations, or even sifting through trash. In cases where the real target is too wily, the adversary may pick another secondary target first. Instead of the famous actor, they may go for their personal assistant or even one of their children.
Threats have become more explicit of late.
Most people are afraid of social hysteria triggered by bot armies on social networks, particularly when they themselves or their business are the targets. Even if the main target does not care, their service provider would.
The threat of having a mob harass your business connections until they terminate all contact with you is a serious source of fear for many, irrespective of how successful they have been so far. Adversaries who specialize in social engineering know this and do everything they can to exploit that fear.
In general, the more the adversary knows about their target, the more successful their social engineering endeavors are. They will orchestrate complex plans and put together the bits and pieces of information like a puzzle. It is quite simple to spot an attempt that misquotes information or employs a catch-all type of message, but preventing inadvertent leaks triggered by psychological manipulation is another matter.
There is no single method of mitigating social engineering.
There is only so much that a program or boxed security measures can identify and intercept. The only real solution is awareness and forward-thinking.
Similar to how we are taught as children to be wary of people who look ‘suspicious’ and approach us, we have to be aware of all individuals and entities that make contact. If someone is a bit too sympathetic, if something sounds too good to be true, if a new friend is flawless, if a business prospect is a sure win, or if a proposal is overly favorable, then chances are that something is not right.
While we cannot forgo our basic humanity and become immune to social engineering, we can be smart about it and, through our own vigilance, keep ourselves and our clients secure. It is a conversation worth having with ourselves and our clients. But never with the adversary.
Diana Elkin is a dynamic security leader and entrepreneur with over 20 years of experience in the information technology, security, and intelligence space. She has tackled a broad range of cybersecurity and physical security challenges over the span of her career, leveraging the unique approach developed through her diverse background.
Diana is the principal consultant and managing partner of Method Intelligence Ltd. She holds a Master’s degree in Intelligence Analysis and a Bachelor’s degree in Political Science. She is a Certified Security Management Professional and also supports the trade by mentoring future candidates.