How Social Engineering is Changing the Insider Threat Game

The rise of social engineering attacks has left many organizations hanging their heads in shame. Social engineering is one of the fastest growing threats to businesses, and attackers are increasingly using sophisticated techniques to deceive even the most astute users into handing over valuable data, such as login credentials or financial information like credit card numbers.

Social engineering attacks ultimately lead to a type of insider threat known as user error. One of the most common user errors occurs when someone accidentally clicks a malicious link in a phishing email or in a text message, resulting in an account becoming compromised. User error can also be the result of someone leaving a laptop unattended, subsequently leading to data theft.

This highlights the fact that the insider threat doesn’t always have to be malicious, coming from a disgruntled employee looking to steal company information from right under the noses of execs.

According to the 2019 Verizon Data Breach Investigations Report, user errors were causal events in 21 per cent of breaches. The reality is that every time an employee clicks on a phishing link, they are unknowingly putting the entire organization at risk.

The motives of phishing attacks can be varied; often they are intended to steal money, but more commonly, they are attempting to steal data or credentials, far more valuable assets in many cases.

Aside from email phishing, vishing (the telephone equivalent to phishing), spear phishing and quid pro quo attacks (where an attacker offers a service in exchange for critical data) are all common ways in which attackers gain ‘insider access’ into an organization’s network.

According to Cybersecurity Insiders’ 2020 Insider Threat report, 68% of organizations feel moderately to extremely vulnerable to insider attacks, and 63% of organizations think that privileged IT users pose the biggest insider security risk to organizations.

The most common way that attackers infiltrate organizations, however, is email phishing. It relies on a few key components: the email looking sufficiently realistic; tricking the recipient into believing it’s from a reliable source; and the receiver being insufficiently trained to spot a phishing attempt.

Looking at social engineering attacks that target credentials brings to light two different types of insider threat. The first is when a reckless employee clicks on a phishing link and exposes the organization’s network to malware, which the attacker will use to infiltrate the network. A good example is the recent cyber-attack in New Orleans which saw a phishing attack lead to a declaration of a state of emergency and the city having to shut down its entire network to investigate.

On the other hand, if the attacker is looking to steal credentials, as many are, the user might be redirected to a very convincing, but fake website that’s masquerading as a site they normally use, where it will ask them to enter their credentials for that site.

Hijacked accounts that use legitimate credentials are normally associated with espionage or other types of advanced attacks. They are an enormous problem for organizations because they can’t be detected through traditional security mechanisms, yet they can do quite a bit of damage.

There are, however, many ways that organizations can fight social engineering attacks. Inherently, social engineering differs from other attack types due to its reliance on the human element for success, so the methods of detection and prevention must take this into account.

Some solutions, such as security awareness training, which is, of course, vital, focus on people, while others rely mostly on technology. By implementing User and Entity Behavior Analytics (UEBA), organizations can detect when a user’s credentials have been compromised by analyzing how the user behaves after logging in. If the actions of the user fall outside the user’s normal baselined behavior, UEBA will flag suspicious activity that can then be investigated further.
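An added example, not from the original article or from any UEBA product: a minimal per-user baseline with a post-login deviation check of the kind described above. The event fields, thresholds and sample data are constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed history: (user, login_hour, source_country, resource, mb_downloaded)
HISTORY = [
    ("alice", 9, "GB", "crm", 12), ("alice", 10, "GB", "crm", 15),
    ("alice", 9, "GB", "wiki", 8), ("alice", 11, "GB", "crm", 10),
    ("alice", 14, "GB", "wiki", 14), ("alice", 10, "GB", "crm", 13),
    ("bob", 22, "US", "build", 300), ("bob", 23, "US", "build", 350),
    ("bob", 21, "US", "repo", 280), ("bob", 22, "US", "build", 320),
]

def build_baselines(events):
    """Group past events per user into a profile of normal behaviour."""
    raw = defaultdict(lambda: {"hours": [], "countries": set(),
                               "resources": set(), "mb": []})
    for user, hour, country, resource, mb in events:
        profile = raw[user]
        profile["hours"].append(hour)
        profile["countries"].add(country)
        profile["resources"].add(resource)
        profile["mb"].append(mb)
    return dict(raw)

def hour_gap(a, b):
    """Distance between two hours on a 24-hour clock (23 and 0 are 1 apart)."""
    d = abs(a - b)
    return min(d, 24 - d)

def score_session(baselines, user, hour, country, resource, mb,
                  max_hour_gap=2, z_limit=3.0):
    """Return the ways a post-login session deviates from the user's baseline."""
    p = baselines.get(user)
    if p is None:
        return ["no baseline for user"]  # cold start: send to manual review
    reasons = []
    if min(hour_gap(hour, h) for h in p["hours"]) > max_hour_gap:
        reasons.append("unusual login hour")
    if country not in p["countries"]:
        reasons.append("new source country")
    if resource not in p["resources"]:
        reasons.append("resource never accessed before")
    sigma = max(pstdev(p["mb"]), 1.0)  # floor avoids division by near-zero spread
    if (mb - mean(p["mb"])) / sigma > z_limit:
        reasons.append("download volume far above baseline")
    return reasons
```

The same 340 MB download is normal for `bob` and anomalous for `alice`, which is why the comparison is made against each user's own history and not a global threshold.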

By focusing on what users do on a regular basis, organizations are better positioning themselves to fight social engineering attacks and potential insider threats. Without solutions like UEBA, organizations must rely solely on successful security awareness training as a proactive defense, or else hope that retroactive defense will be good enough to clean up the mess after an attack has taken place. Companies often make the mistake of not taking phishing and other social engineering attempts seriously.

Many organizations don’t have a strategy in place to monitor employee behavior as a means of preventing social engineering attacks from coming to fruition. In an age where social engineering attacks are so effective, it’s important that organizations utilize technical solutions alongside security awareness programs to maximize the chances of detecting and preventing social engineering attacks at their core.
