Social Engineering: A Successful Method of Attack

Social Engineering
A Successful Method of Attack
Posted by Jeremy Scott

A recent Iranian cyberspy campaign included attackers posing as journalists. The long-standing attacks shed some light on how combining social engineering and social media was successful in gaining credentials from US military, government and defense contractors. This campaign takes social engineering one step further because companies and people are often prone to help journalists in the hopes that they can get their name in the press.

Social engineering is a successful method of attack that has been used for centuries, even before the age of the Internet. This is old-school spy stuff that comes right out of the times of the Cold War. Social engineering uses techniques to exploit the human nature to trust. It preys on the individual’s desire to be helpful. People who don't trust are often ones that have been hurt by previous trust or have been deceived in the past.

The simple fact is that social engineering works. Regardless of the exact form social engineering takes, a skilled social engineer can talk another person into something or out of something.

We probably hear more about SQL injection attacks, cross-site scripting and malware attacks, but it is more difficult to detect, defend and track a social engineering attack. In traditional attacks there are tactics, techniques and procedures (TTPs) and indicators that are used to track similar actors, campaigns, etc.

Social engineering attacks have the same indicators that can give you the ability to track past campaigns and even understand the TTPs typically used by a threat actor or group but it's not always enough to defend against it. While we might be able to use the intel to defend against the command-and-control (C2) post attack and repeated use of the delivery system, the attack itself is unpredictable.

While we can program an IDS or firewall to see, report and track a technical attack, we simply do not have the same ability to automate the identification of a social engineering attack. Even for those attacks we watch for, the exact form with which they are delivered varies. And the attacks are directed against individuals, not machines. For example, we know spear phishing is acommon TTP of most APT groups but these types of attacks are still successful because they exploit the human element to open a very well-crafted email, even when people know they are a target.

I know of a penetration tester who posed as a journalist to gain access to a confidential new data center, and had himself photographed with the CIO who had hired his company for a penetration test. You can imagine the CIO’s surprise when he got the photo of a potential attacker standing next to him in the supposedly highly-secure, confidential data center. The penetration tester used social engineering techniques and some phony credentials, that he made himself, to gain access to the data center, even though half the company knew they were in the middle of a test. Their level of awareness and caution should have been elevated, but they still let the “journalist” into their data center.

Kevin Mitnick, former hacker now turned consultant, said:

“…the first line of attack would be what I call a social engineering attack, which really means trying to manipulate somebody over the phone through deception. I was so successful in that line of attack that I rarely had to go towards a technical attack. The human side of computer security is easily exploited and constantly overlooked. Companies spend millions of dollars on firewalls, encryption and secure access devices, and it's money wasted, because none of these measures address the weakest link in the security chain.”

How do you stop social engineering attacks from being so successful? We can’t run a program in someone’s brain to make them recognize a social engineering attack when it hits them. Our only real option is to keep performing security awareness and training until everyone gets to a sufficient level of cautiousness that these attacks stop working aswell as they do.

This training should include things like:

  1. Explain what social engineering attacks are, and use examples.
  2. Explain that users should be cautious about opening email attachments (and consider using technical controls to block or strip them).
  3. Explain that users should never click on links in emails.
  4. Explain that users should verify the caller’s identity before revealing any sensitive or private information over the phone, or taking any sensitive action, like changing another user’s password.
  5. Define and explain proper reporting procedures if a user thinks someone may have attempted (or succeeded with) a social engineering attack on them.

One of my coworkers wrote an article a while back that described social engineering, and included a longer list of recommendations.

Unfortunately, we need a little more paranoia. Then we might be able to at least slow the attackers down.

References:

http://www.darkreading.com/attacks-breaches/iranian-cyberspies-pose-as-journalists-online-to-meet-their-targets/d/d-id/1269270?

http://en.wikipedia.org/wiki/Kevin_Mitnick

http://www.solutionary.com/resource-center/blog/tags/social-engineering/ 

NTT Group 2014 Global Threat Intelligence Report

The NTT Group 2014 Global Threat Intelligence Report is now available for download. Click here for key findings, global statistics, real-world case studies and recommendations to reduce the threat mitigation timeline.

Read more on Solutionary Minds about: