Hacking Without Computers

The idea of manipulating people and processes for gain goes back well beyond the advent of computers and cyber security. But social engineering has come to be closely associated with cyber threats because it provides attackers with a route to the core of an organisation, bypassing layers of technical or procedural security in a single step. As organisations improve their network perimeter security, the human factor is often the weakest link in protecting information and assets.

In his acclaimed book, The Art of Social Engineering, Christopher Hadnagy defines social engineering as ‘the art, or better yet, science, of skilfully manoeuvring human beings to take action in some aspect of their lives’. In the context of information security, this usually involves gaining access to sensitive data or other assets, or at least getting a foot in the door.

Techniques and methods

The more information available to the attacker, the higher their chance of success. When it comes to an online cyber attack, this can be gathered from a range of sources, including:

  • Open-source research against internet-facing systems
  • Email addresses gathered from corporate websites, social media or dumps of credentials from compromised companies
  • Unprotected files and metadata available on the internet
  • Website ownership information
  • Email bounce-back responses, such as error messages in response to invalid email addresses and information revealed in out of office auto-replies
  • System configuration and patch level information sent by users’ browsers to websites they visit

Pretexting

Most social engineering attacks use an invented scenario, and a convincing pretext is often the difference between a successful and a failed attack. For example, if a social engineer is attempting to gain access to a user’s email account, simply phoning up the IT helpdesk and asking for their password is very unlikely to be successful.

However, an attacker may have a work mobile number from an out of office reply that also says the user is on holiday, along with personal and business information gathered from social media. It may also be possible to identify information about IT helpdesk support processes inadvertently made public on the internet.

Armed with this information, the attacker could then impersonate their target based on a pretext that they are responding to an urgent client request from holiday, but have forgotten their password to log into their web email account. The company’s procedure may be to SMS a password reset link to their work phone; but they are on holiday and do not have their work mobile with them - although they can quote the number to sound viable.

This may just be enough to persuade the helpdesk to bypass the usual process and SMS a new password to the attacker’s phone, allowing them to reset the email password and log in to the target’s account. No pretext is foolproof, and the attacker must have enough information to be able to adapt their scenario on the fly.

Influence, persuasion and rapport

The success rate of any social engineering attack depends on how well the attacker can persuade the victim to perform some action on their behalf. In his book, ‘Influence: The Psychology of Persuasion’, psychologist and author Robert Cialdini defines a number of influencing techniques through which social engineers can affect their targets:

  • Reciprocation – the instinct that ‘one good turn deserves another’
  • Obligation – the natural compulsion to respond to certain actions and social norms – for example, answering a leading question with the expected response
  • Concession – by conceding on a minor issue, a social engineer can gain sympathy and increase the likelihood of reciprocal concessions from the target
  • Scarcity – many social engineering attacks invoke scarcity of a resource such as time or money to influence their targets
  • Authority – studies such as the ‘Milgram experiment’ have shown people’s willingness to submit to authority figures, even when they know the action they are asked to perform is contrary to their beliefs
  • Commitment and Consistency – once people start saying ‘yes’, they have a tendency to continue to do so. It is often difficult to accept that a previous decision or action was incorrect, particularly if this decision was made publicly

Rapport and social proof

If a social engineer is able to build rapport with their target, they are also much more likely to achieve their goal. Social engineers use many techniques also used by successful salespeople and executives. These include active listening, effective questioning and elicitation techniques, and a good knowledge of their targets’ interests.

Multiple studies have demonstrated the ‘halo effect’, where an individual’s social attractiveness results in a bias in their favour. This is most often demonstrated by people’s tendency to approve of those they find attractive or who look or behave like them, regardless of their empirical performance. By presenting themselves visually and behaviourally as appealing to their targets, social engineers can gain credibility and increase their chance of success.

The tools and techniques of social engineers can be used to disrupt the organisations and people that they target, but the following actions may help reduce exposure to these attacks.

Policies, procedures and awareness

Measured and considered security procedures can go a long way to prevent social engineering attacks, by providing examples of good behaviour. For example, if call centre operators are trained to follow a prescribed, secure and considered process for resetting user passwords, then an attacker will find it much more difficult to persuade them to deviate from this process. If users are advised not to use their work email addresses or passwords when registering for websites, then those credentials are less likely to be disclosed to an attacker.

However, policies and procedures can only ever be part of the solution. Social engineering by its very nature induces users to step outside normal procedures, so no matter how robust a policy is, it is unlikely to be followed in all cases.
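One way to make the password-reset procedure from the pretexting scenario above mechanical, so that a helpdesk operator has no ‘bypass’ to be talked into: the reset link only ever goes to the channel on record, a number quoted by the caller is never used as a destination, and a caller who says they cannot receive it is routed to a second verified step rather than around the check. This is an added illustration, not code from the article or from any helpdesk product; the directory, names and numbers are constructed sample data.

```python
"""Helpdesk password-reset decision that cannot be talked out of its channel."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample directory: user -> phone on record and line manager.
DIRECTORY: Dict[str, Dict[str, str]] = {
    "a.smith": {"work_mobile": "+44 7700 900123", "manager": "j.doe"},
}


@dataclass
class ResetOutcome:
    action: str                 # "sms_to_record", "manager_callback" or "refused"
    destination: Optional[str]  # number on record, or manager to call back
    alerts: List[str] = field(default_factory=list)  # signals worth logging


def handle_reset_request(user: str, quoted_number: Optional[str],
                         has_work_phone: bool) -> ResetOutcome:
    """Decide how to handle a reset request made over the phone.

    * The reset SMS goes only to the number on record; the caller cannot
      supply or change the destination.
    * A quoted number proves nothing even when it matches the record: in the
      article's scenario it came from an out-of-office reply.
    * If the caller cannot receive the SMS, fall back to a manager call-back
      (a second verified channel) instead of sending elsewhere.
    * Every attempt to steer the process is recorded as a possible
      social-engineering signal for later review.
    """
    record = DIRECTORY.get(user)
    if record is None:
        return ResetOutcome("refused", None, [f"reset requested for unknown user {user!r}"])

    alerts: List[str] = []
    if quoted_number is not None:
        alerts.append(f"caller quoted a number for {user}; ignored, record used instead")

    if has_work_phone:
        return ResetOutcome("sms_to_record", record["work_mobile"], alerts)

    # Caller claims the on-record channel is unavailable: do not bypass,
    # escalate to a verified person instead.
    alerts.append(f"caller for {user} asked to bypass the SMS channel; escalated")
    return ResetOutcome("manager_callback", record["manager"], alerts)
```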

Staff awareness forms the second pillar of a defence against social engineering. By making users aware of the threats and risks that they face, they can make decisions that are more informed and will be less likely to fall for well-known ruses. Many organisations now run phishing awareness exercises, where users are sent simulated phishing emails and educated about the risks of malicious emails and websites. Some organisations perform wider security awareness training, for example around the risks associated with unknown USB devices.

Technical prevention and detection controls

Some users are inherently at risk of social engineering, regardless of their level of security awareness and the policies and procedures in place. The job function of HR and recruitment staff often involves receiving emails from strangers and opening attachments sent with the email. Accounts payable staff must deal with invoices, often in electronic formats, on a daily basis. Regardless of the other controls in place, these users can often be compromised if their workstation software contains exploitable weaknesses.

Traditional IT security activities such as patch management and system hardening therefore remain essential to prevent such attacks. While patch management of operating system software is improving, the updating of web browsers and plugins within corporate environments is often slow and frequently facilitates access to the internal network environment via a crafted email or website-based attack.

Workstation and device hardening are also highly important. A user may be tempted to plug in a USB key placed by an attacker, but this will not achieve its desired effect if USB access is blocked on their workstation. Malicious executables may bypass many anti-virus technologies, but will not run if the user’s workstation is configured to only run a whitelist of approved programs. Lastly, establishing a capability to identify and respond to security breaches as they occur is essential.

Social engineering can take many forms and is an increasingly common attack vector. A targeted social engineering attack can bypass your procedural, people and technical controls and can often form the initial compromise in a wider attack.

By understanding the techniques and scenarios deployed by attackers, you can better defend yourself against this threat.