Breaking bad and good habitsUnderstanding social engineering is the first step to overcoming it. Danny BradburyreportsComplicated malware infections and cross-site scripting attacks are great techniques to compromise a company, but why use them when you can whisper in someone’s ear instead? Some of the most successful attacks involve nothing more than a phone, some self-confidence, and an innate understanding of what makes people tick.
Successful data breaches need not require expensive
technology, massive deceptions, or even expertly faked credentials. Sometimes
all it takes is a phone call to the help desk and a request for assistance
logging in. You do not even have to be a legitmate user if you are convincing
enough.Social engineering is one of the least expensive, most
powerful tools in a hacker’s toolbox. In the SC Media Special Report My Friend
My Enemy, we surveyed the social engineering landscape. In this report, we will
venture deeper into topic and detail the reasons why it works and how to defend
against it.Social engineers have two primary goals, according to Steve
Healey, chief technical officer at social engineering and security consultancy
Pratum. The first is to obtain information. “Depending on the business and the
industry there are all kinds of information with different values assigned to
it,” Healey says, adding that customers’ records can be a high-value target in
industries such as healthcare.He also sees an increase in corporate espionage, as social
engineers manipulate people inside companies to steal intellectual property and
other confidential data.Other goals are as simples as theft or malicious mischief.
Sometimes it is financial theft by hijacking a company’s money transfer
processes and diverting funds to an attacker’s account, or the attacks can also
be ideologically motivated. “Someone might want to target a particular
organization because of some vendetta or hacktivist claim,” he adds.Sometimes social engineering attacks are part of a broader
campaign, he notes. Manipulating employees might increase the chance of
successfully installing ransomware, again a crime of financial theft.On rare occasions, the attack might be part of a
diversionary tactic to misdirect a company’s resources away from another,
high-value attack.Psychological manipulationNo matter what the goal, the successful social engineer will
pursue it by getting inside someone’s head, says Shawn Moyer, CEO and founding
partner of penetration testing firm Atredis Partners. Social engineering is a
big factor in his penetration testing and red teaming practice where his
consultancy works with corporate management to find vulnerabilities in a
company’s defenses.“People tend to like people who are like themselves,” he
says. “If you’re doing social engineering in Utah and you’re not a Mormon,
there are little pins you can buy on Amazon that Mormons all use to identify
themselves to each other,” he says. Using these pins as an example, he adds:
“If you’re walking around a building and you have a pin like that, people will
be more likely to respond.”Shawn Moyer, CEO, Atredis PartnersMaking someone like you by finding common ground is one of several
principles from a favorite book of Moyer: Influence: The Psychology of
Persuasion, by Robert Cialdini, a former Stanford professor of marketing,
business and psychology. In the book Cialdini categorizes several techniques
used to influence people, such as social proof (doing what you see others
doing), along with enforced scarcity (limiting the time that you give someone
to respond to a request).This psychological manipulation is the basis of all social
engineering, Moyer says, pointing out that the term was popularized by business
leaders that wanted to manipulate their employees en masse to improve
performance. In fact, social engineering has much deeper roots. Dutch
industrialist Jacque Marken coined the term more than a century ago in the 1890s
as a way to describe a method of improving what was wrong in the world’s social
environment.Today’s attacker hacks their target’s psychology in similar
ways that marketers do, exploiting innate desires and fears to achieve a set
goal. “It’s the overlap between social sciences and dirty applications,” Moyer
says.ReconnaissancePsychological manipulation is where UK-based social
engineering consultant Jenny Radcliffe focuses her efforts. As a teenager, she
says she would spend her time infiltrating buildings for kicks with her friends
to stave off boredom and earn bragging rights. As an adult, she focused her
attention on human psychology and eventually became a negotiation trainer. She
quickly began mixing these skills to conduct penetration tests for corporate
clients, teaching them how to protect themselves from low-tech, old-school con
artist attacks.Radcliffe is an expert at exploiting a company’s biggest
weakness: its employees. “I talk about three M’s: Mistake, mischief, and
malice. They are the three kinds of insider threat,” she says.Individuals will often help her towards her goal by
unwittingly providing her with sensitive information. She can also manipulate
employees to help her by playing on their weaknesses. “There are a lot of
people who are not happy in an organization and whose level of loyalty to the
company is quite low,” she says. These can be excellent targets for an attacker
hoping to get someone on the inside working for them If all else fails,
malicious manipulation of an employee through blackmail is an option, although
this is a slower process. She draws an ethical line here when engaging in
social engineering tests for clients.Jenny Radcliffe, social engineering consultantBefore she does any of that, though, Radcliffe spends a lot
of time simply observing the company, people and processes. She begins most
social engineering jobs with a reconnaissance phase. “Once hired, I would look
at an organization as a business first. I look at its culture and setup. It’s a
macro analysis,” she says. These are the same techniques that she uses in
negotiation research.She reads articles and reports that help her understand how
the company celebrates its successes and how it treats employees who fail. She
analyzes how the company markets itself, how it grows, and identifies its
competition. It gives her a picture of the kind of person that works there. She
does all this before she singles out a selection of individual targets.“Those would be people who are chatty on social media. Those
who have left the company, too. I try and narrow it down to between a dozen and
20.”Advanced reconnaissance helps Radcliffe to prepare her for
all future interactions, including physical intrusions.“By the time I make that initial contact or turn up at that
site, I already know as much as any outsider could know and probably a bit more
about that company so that it’s natural for me to be there. It’s not a big ask
because I’m already familiar with everything that goes on.”Radcliffe will often use social media to find a person’s
weaknesses. She has found evidence of employees’ unusual sexual proclivities
online, and also sees staff members consistently posting on social networks
about how much they dislike their jobs. Each of these could be exploitable in
different ways by a malicious actor, she says.Moyer’s approach often includes looking for people on the
fringes of a company when he is identifying targets. “I go for remote workers,
branch offices, and small locations. They won’t be as consistently enforced and
inculcated into the culture as the people in headquarters,” he says.Moyer researches individual targets heavily on social media.
He surfs Facebook, Instagram and other social media accounts looking for useful
assets. Some people post their business card on their timeline to celebrate a
new job, he says. Others scan receipts or other documents using their phone,
unwittingly storing them on a public cloud account in the process. Physical
access to a building can itself be a useful form of surveillance. If an
attacker wants to access digital resources, then stealing a laptop from inside
the office is often a great way to do it, explains Moyer. To do this, he uses
another of Cialdini’s psychological manipulation techniques: authority.Social engineers convey authority by merely wearing the
right outfit. Moyer has a collection of telecom worker overalls in his office
and can often be found walking through a target’s corridors in a uniform with a
company logo, having tailgated his way into a building. This gives him access
to building layouts and contents. Most people won’t question him because they
assume he’s working there, he says.Some social engineers go for old-fashioned dumpster diving
during the reconnaissance phase. Healey uses this old-school hacker technique
to find useful insights into a company. This might include anything from a list
of employee IDs to a staff directory; even an email printed off with a list of
recipients can be helpful when mounting an attack.Phishing for secretsArmed with reconnaissance information, the savvy social
engineer will then mount an attack on a target. This happens in several ways,
but phishing is the most prevalent, experts agree. In many cases, phishing attacks
target financial gain. Business email compromise (BEC) scammers either spoof a
senior executive’s email account or use stolen email credentials to hijack the
real account.They then email another executive within the same company or at a supplier, asking for an urgent wire transfer to solve a fake problem such as an outstanding invoice. The victim faithfully sends the money straight into the attacker’s bank account.These social engineering attacks are now rampant. In
February 2018, researchers from a major systems manufacturer identified a
massive BEC campaign targeting Fortune 500 companies designed to trick victims
into fraudulent wire transfers. The attack started in the fall of 2017 with
spear phishing emails that told victims their signature was required on a
document about stocks they owned. A fraudulent “DocuSign” portal was used to
collect the confidential data. The attacks are believed to have generated
hundreds of millions of dollars for the attackers, the vendor’s report said.In the past, phishers simply altered the headers of their
emails to spoof a legitimate address, explains Chris Hadnagy, CEO at
Social-Engineer and author of several books on social engineering, including
Social Engineering: The Art of Human Hacking. Today, companies use technologies
such as Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) to
help thwart those attacks. SPF authenticates the IP address used to send the
message against a list provided by the sender. DKIM uses private/public key
pairs to encrypt and verify message headers. Finally, messaging parties can use
the Domain-based Message Authentication, Reporting & Conformance (DMARC)
protocol to indicate that they are using SPF and DKIM to protect their
messages.That’s all very well, says Hadnagy, but it doesn’t stop more
nefarious phishing methods. These include registering domains that look like
legitimate ones at first glance. “Our eyes fill in gaps that we expect,”
Hadnagy says.For example, let us assume an attacker creates an email
using the standard Opentype font Cantoria MT Standard found in Microsoft Word
and other popular word process applications.
In that email, the attacker is trying to send a victim to a fake website
that looks like a valid one. If the site, for example, was app1e.com, it would
be almost impossible for the recipient to realize that the site is not actually
Apple Inc.’s apple.com site. In the font Cantoria MT Std, the number 1 and the
lower-case L look virtually the same — 1 and l. Can you tell which is which?
(As of this writing, the domain app1e.com is for sale for $3700 and is not
owned by Apple.)Psyops on the Phone“Vishing” (voice phishing), also known as pretexting, is
another favorite tool. Attackers misrepresent themselves on the phone and use
psychological manipulation to achieve their goals.Pretexting is easier than phishing because phone numbers are
notoriously easy to spoof, warns Hadnagy. “This has increased 100fold. Voice
servers are cheap and easy to set up,” he says. “Phone lines are still basic,
so whatever [number] I shove down the phone line is what pops up on your phone.
I can change my phone number to yours. There’s no authentication in the phone
system.”Criminals can use pretexting to siphon funds directly from
their targets. In December 2013, crooks telephoned the CFO at U.K. hedge fund
Fortelus Capital Management on a Friday night, pretending to be from its bank,
Coutts. The caller warned of potentially fraudulent activity and asked the CFO
to generate access codes using his smart card. The attackers then transferred
some £742,668 ($1.2 million) from the Fortelus account to a variety of other
accounts. The company later dismissed and sued its CFO.Pretexting isn’t unique to cybercriminals; it is used in
corporate investigations and espionage, too. Hewlett-Packard admitted that an
agency it hired might have used pretexting to obtain access to its own
directors’ phone records in 2006.Following the rulesHaving security policies and procedures in place to protect
the company is a fundamental requirement, say experts. Always wearing a security
badge while in the building and verifying someone’s identity before giving out
sensitive information should be standard procedure, but even that is not
foolproof; a smart criminal can duplicate security badges as well. The real
trick is getting users to follow the policies, says Moyer. Part of that
involves using the same psychological techniques on employees, he suggests.
“When you’re creating an awareness program and building resilience against
different techniques, you’re trying to modify people’s behavior,” he explains.As an example, he uses another of Cialdini’s psychological
pillars: Commitment and consistency. This technique relies on an individual’s
need to live up to what they have publicly said they will do and have written down.
Making someone declare that they are a custodian of sensitive data and that
their job matters — and to feel that sense of responsibility — is a powerful
tool, he asserts. “When you train someone that they have those feelings of
responsibility and accountability, you’re setting up commitment and
consistency.”Social engineering’s low barrier to entry has always been
part of the allure of the attack. As companies improve their technical
protections, social engineering is becoming a go-to technique for criminals and
spies. While technology protections grow stronger, human weaknesses stay the
same. The challenge companies face today in reducing vulnerabilites is not only
becoming more secure by breaking bad habits that some employees have, but
breaking some good ones too.
There are many ways to do DevSecOps, and each organization — each security team, even — uses a different approach. Questions such as how many environments you have and the frequency of deployment of those environments are important in understanding how to integrate a security scanner into your DevSecOps machinery. The ultimate goal is speed […]
It’s Cybersecurity Awareness Month, but security awareness is about much more than just dedicating a month to a few activities. Security awareness is a journey, requiring motivation along the way. And culture. Especially culture.That’s the point Proofpoint Cybersecurity Evangelist Brian Reed drove home in a recent appearance on Business Security Weekly.“If your security awareness program […]