Social engineering: Strengthening the weakest link
Published: Oct 27, 2017
Author: Amy Ayers
Social engineering is the act of deception, manipulation, or intimidation of a person in order to gain access to information assets. In our 2017 Data Breach Investigations Report (DBIR), we found that social engineering played a key role in 43% of confirmed cybersecurity incidents involving data disclosure. Social engineering is difficult to prevent because it exploits the human element of IT, and cannot be stopped by firewalls or other security applications. Social engineering attacks take many forms and even the IT-savvy sometimes fall prey to them.
Social engineering has always existed as a way of stealing other people’s possessions. It was once carried out face-to-face, but in more recent history threat actors have used mail, telegraphs, telephones and even newspaper ads. Today, these attacks are increasingly sophisticated—and are primarily carried out via email, phone calls, text messages, websites and social media. Any technology that allows one person to communicate with another can be used in social engineering attacks.
Different types of social engineering
The 2017 DBIR reported on 1,616 cybersecurity incidents, with 828 involving confirmed data disclosure. Social attacks contributed to 43% of the 828 confirmed data disclosure incidents. The attack methods included email (95%), phone (2%) and in-person (2%). The remaining 1% utilized other methods. Additionally, phishing and pretexting made up 98% of the social attacks resulting in data disclosure. Most social attacks leveraged more than one communication method to entice the victim to reveal information.
The social engineering attacks tracked by Verizon last year took on many forms—several can be read about in the 2017 Data Breach Digest. These attacks ranged from generic phishing attempts to “spear-phishing” (when an attacker researches the target beforehand to improve their chances of success) and “whaling” (attacks targeted at executives or senior management to steal sensitive company information). For examples of these, see the 2016 Data Breach Digest scenario “Social Engineering—the Hyper Click” or the 2017 Data Breach Digest scenario, “Crypto Malware—the Fetid Cheez.”
Pretexting involves an actual dialogue between the attacker and the victim, and generally begins with a phishing attempt. Attackers use this method to trick individuals into revealing information that can be used in a later attack, as shown in the 2017 Data Breach Digest scenario, “The Golden Fleece.”
An example of pretexting—“The Golden Fleece”
The “Financial Pretexting—the Golden Fleece” scenario tells the story of a threat actor that had deceived a finance employee into initiating a substantial fraudulent wire transfer. This was no soft target—the compromised company had security measures in place designed to prevent fraudulent wire transfers. But by utilizing social engineering, the threat actor was able to deceive the employee and gain access to sensitive information. This allowed them to create a convincing wire transfer approval email.
Our investigation revealed that the finance employee had received a phishing email regarding a “late invoice.” The email contained a link to a page that required domain credentials to review the invoice. With these credentials, the threat actor was able to access the employee’s email and study the wire transfer approval process. The threat actor then registered a domain that was very similar to the corporate domain and used it to fabricate a convincing wire transfer approval email chain, which was sent to the Wire Transfers Department.
The malicious link in the original phishing email was blocked by the corporate security application, but the finance employee was at home, outside that protection, when they received the phishing email. All the security precautions put in place to avoid this type of fraud were rendered ineffective by one deceived employee at an inopportune time. This demonstrates that while security needs to get it right 100% of the time, the bad guys only have to get it right once.
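The approval chain in this scenario came from a domain registered to resemble the corporate one. As an added example, not part of the original post or of any Verizon tooling, the following check scans mail-gateway log lines for sender domains that look like the corporate domain (same name under a different TLD, confusable characters such as `rn` for `m` or `1` for `l`, or one or two typos). The corporate domain `example-corp.com` and the log lines are constructed placeholders.

```python
import re

CORPORATE_DOMAIN = "example-corp.com"  # assumed corporate domain (placeholder)

# Constructed sample log lines modelled on the scenario: an "approval" thread
# arriving from registered look-alikes of the corporate domain.
SAMPLE_LOG = [
    "2017-10-02T09:14:05 from=<cfo@example-corp.com> to=<wires@example-corp.com> subject=Re: Q3 vendor payment",
    "2017-10-02T09:21:44 from=<cfo@examp1e-corp.com> to=<wires@example-corp.com> subject=Re: Q3 vendor payment APPROVED",
    "2017-10-02T09:30:12 from=<cfo@exarnple-corp.com> to=<wires@example-corp.com> subject=Fwd: wire approval",
    "2017-10-02T10:02:51 from=<billing@supplier-inc.net> to=<wires@example-corp.com> subject=Invoice 4471",
    "2017-10-02T10:15:09 from=<it@example-corp.co> to=<wires@example-corp.com> subject=Approval chain",
]

# Character sequences commonly substituted to mimic a legitimate domain.
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s", "7": "t"}

def normalize(domain: str) -> str:
    """Map confusable sequences to the letters they imitate."""
    d = domain.lower()
    for fake, real in CONFUSABLES.items():
        d = d.replace(fake, real)
    return d

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the classic row-by-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike(domain: str, corporate: str = CORPORATE_DOMAIN) -> bool:
    """True if `domain` is not the corporate domain but closely resembles it."""
    domain = domain.lower()
    if domain == corporate:
        return False
    if domain.rsplit(".", 1)[0] == corporate.rsplit(".", 1)[0]:
        return True                                  # same name, different TLD
    if normalize(domain) == normalize(corporate):
        return True                                  # confusable substitution
    return edit_distance(domain, corporate) <= 2     # one or two typos

def flag_lookalike_senders(lines, corporate=CORPORATE_DOMAIN):
    """Return the sender domains in `lines` that resemble the corporate domain."""
    pattern = re.compile(r"from=<[^@>]+@([^>]+)>")
    hits = []
    for line in lines:
        m = pattern.search(line)
        if m and is_lookalike(m.group(1), corporate):
            hits.append(m.group(1))
    return hits
```

Flagged senders are a triage signal for the Wire Transfers Department, not proof of fraud; confirming an approval out of band remains the control.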
How can you protect yourself?
With nearly half of the confirmed data disclosure incidents involving social engineering, why haven't we been able to prevent more of these types of attacks? The simple answer is that, while people are an organization’s greatest asset, they're also the weakest link in the cybersecurity chain. One deceived employee can render all of the applications, policies and procedures in a mature security program powerless to stop a cyberattack.
Moreover, it's not just the un-savvy or careless who fall victim to social engineering; threat actors use advanced psychological techniques to their advantage as well. They may exploit employees who are distracted or busy, target employees on vacation, or choose specific times when an industry is busy. These threat actors use intimidation, fear, greed, and even the inherent goodness of people who are trying to be helpful. This means that even the most security-minded individuals can be deceived given the right circumstances.
Knowing that anyone can fall victim to a social engineering attack, what can be done to stop it? Although social engineering is difficult to prevent, there are still steps you can take to mitigate the threat. Here are our recommendations.
- Include a requirement for at least annual security training in your Incident Response (IR) plans. Test employees with simulated phishing attacks.
- Use posters, login banners and regular emails to remind employees about the dangers of social engineering. Real-life scenarios are a useful way of illustrating these threats.
- Utilize multi-factor authentication to validate communication sources (for example, webmail access and financial transactions).
- Deploy Group Policy Objects (GPOs) to block executable files, and disable macros and other risky attachments.
- Use strong passwords and change them frequently.
- Remove local administrative rights.
- Test and validate back-up processes, and maintain offline back-ups.
- Patch and update operating systems and third-party applications as early, and as often, as possible.
- Regularly test your IR plan and security posture with real-life scenarios, to see how your organization would stand up against social attacks.
In the event your organization does suffer a social attack, it’s important to handle the incident correctly. Here are some of the response and investigation measures that should be taken.
- Review the corporate IR plan to check it covers social attacks, including mitigation and response actions.
- Get the IR team to train with the IR plan to help it react to and neutralize threats effectively.
- Maintain a sufficient amount of email and network logs.
- Develop valuable third-party relationships prior to an attack. Useful third parties include law enforcement, forensic firms, outside counsel, external public relations firms and cyber insurance carriers.
- Follow forensically sound methodologies during an investigation.
- Collect evidence in order of volatility: volatile data first, then memory dumps, then forensic disk images.
- Engage law enforcement when necessary.
- Know your IR team’s skill limitations and do not attempt to exceed your abilities. Call a third-party forensic firm for help when necessary.
Amy Ayers holds a Master's Degree in Cybersecurity, Intelligence and Forensics and is a Certified GIAC Forensic Analyst. Amy is a senior security consultant working as part of the cyber incident response group for the VTRAC | Verizon Threat Research Advisory Center. As part of the VTRAC team, Amy responds to cyber-security incidents, including data breach and PFI incidents, provides incident response training along with tabletop simulation exercises and performs incident response capability assessments.