Social engineering is a tactic that has been used by criminals for a very long time, but never more so than in the current digital age when socially-engineered attacks and scams can be carried out at speed with the press of a few buttons.
Social engineering attacks represent a significant percentage of security incidents, forming a large part of the threat landscape. In typical social engineering attacks, cyber-criminals deceive or manipulate victims into divulging sensitive information, ranging from personal data and credentials, to corporate secrets and intellectual property.
It has therefore become vital that organizations are able to protect their workforce, as well as their customers, from falling victim to social engineering attacks by prioritizing user training, security awareness and technology that address the risks that exist.
However, with socially engineered attacks now so diverse and, at times, sophisticated, how should businesses go about defining, quantifying and mitigating social engineering threats?
Infosecurity spoke to Stephan Gailey, head of solutions architecture at Exabeam, to find out.
What are the top five most common social engineering techniques used by attackers?
- Phishing: In a phishing attack, an attacker uses a message sent by email, social media, instant messaging or SMS to obtain sensitive information from a victim or trick them into clicking a link to a malicious website
- Watering hole: A watering hole attack involves launching or downloading malicious code from a legitimate website, which is commonly visited by the targets of the attack. The compromised site typically installs a backdoor Trojan that allows the attacker to compromise and remotely control the victim’s device
- Whaling attack: Whaling, also known as spear-phishing, is a type of phishing attack that targets specific individuals with privileged access to systems or access to highly valuable sensitive information
- Pretexting: In a pretexting attack, attackers create a fake identity and use it to manipulate their victims into providing private information. For example, attackers may pretend to be an external IT service provider, and request a user’s account details and passwords to assist them with a problem
- Baiting and quid pro quo attacks: In a baiting attack, attackers provide something that victims believe to be useful. A quid pro quo attack is similar to baiting, but instead of promising something that will provide value to the victim, the attackers promise to perform an action that will benefit them, but requires an action from the victim in exchange
What are the typical stages of a social engineering attack?
Social engineering is an attempt by attackers to fool or manipulate humans into giving up access, credentials, banking details or other sensitive information. Typically, social engineering occurs in three stages:
Stage One – Research: The attacker performs reconnaissance on the target to gather information like organizational structure, roles, behaviors and things that target individuals may respond to. Attackers can collect data via company websites, social media profiles and even in-person visits
Stage Two – Planning: Using the information they have gathered, the attacker selects their mode of attack and designs the strategy and specific messages they will use to exploit the target individual’s weaknesses
Stage Three – Execution: The attacker carries out the attack usually by sending messages by email or another online channel. In some forms of social engineering, attackers actively interact with their victims; in others, the kill chain is automated, typically activated by the user clicking on a link to visit a malicious website or execute malicious code
How can organizations pre-empt and prevent social engineering attacks?
While criminals will nearly always have the element of surprise when it comes to the timing and techniques used, that does not mean organizations and/or individuals are powerless to prevent them. The following measures can go a long way towards helping identify, prevent and mitigate attacks before the perpetrators have the chance to do significant damage.
Regular security training: Sometimes the simplest solutions are also the most effective. Regular security training ensures security is always top of mind for everyone. Without it, employees may not be aware of the dangers of social engineering, or if they are, they may forget without periodic refreshers. For this reason, security training should be every organization’s first line of defense.
Anti-virus and endpoint security tools: Another effective measure is to install effective anti-virus software, along with other endpoint security measures on all user devices attached to the network. Modern endpoint protection tools do a great job of identifying and blocking obvious phishing messages, or anything that links to malicious websites/IPs listed in threat intelligence databases. They are also effective at intercepting and blocking malicious processes as they are executed on a user’s device.
SIEM and UEBA: Unfortunately, even with the best security processes in place, it’s impossible to stop attacks from happening completely. As such, organizations should also make sure that if it comes to it, they have the ability to rapidly identify what’s going on and take the appropriate action.
For example, Security Information and Event Management (SIEM) systems powered by User and Entity Behavior Analytics (UEBA) can collate security events and logs from across an organization and identify benchmarks for normal user behavior. Then, should behavior that deviates too far from these benchmarks be detected, an alert will be sent to the security team for immediate investigation. This could be anything from a user clicking through to an unusual web destination, to a malicious process executing on a user’s device. UEBA helps identify social engineering attacks as they happen and rapidly reacts to prevent major damage.
At some stage, social engineering attacks will succeed. They will catch someone when they are busy, tired, emotional or distracted and off their guard. The only real defense is to spot that they have succeeded. This is the one chance to shut things down before you lose data or money. Early detection is both your last, and best, line of defense.
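As an added illustration of the baseline-and-deviation logic described in the SIEM/UEBA answer above (example code written for this page, not Exabeam's product or code): a per-user baseline of web destinations is built from a training window of proxy log lines, and later visits raise an alert only when the destination is both new for that user and rare across the organization. The log format, user names, domains and dates are all constructed.

```python
from collections import Counter, defaultdict

# Constructed proxy log lines: "<date> <user> <destination-domain>".
# Users, domains and dates are invented for this example.
LOGS = """\
2024-03-01 alice intranet.example.com
2024-03-01 alice mail.example.com
2024-03-02 bob intranet.example.com
2024-03-02 bob crm.example.com
2024-03-03 alice mail.example.com
2024-03-04 bob crm.example.com
2024-03-05 alice crm.example.com
2024-03-05 alice login-example.invalid
2024-03-05 bob crm.example.com
""".splitlines()

def parse(lines):
    """Split each log line into (date, user, domain); skip malformed lines."""
    return [tuple(p) for p in (l.split() for l in lines) if len(p) == 3]

def build_baseline(events, training_end):
    """Per-user set of destinations seen on or before training_end, plus an
    org-wide visit count per domain used as a second, weaker signal."""
    per_user = defaultdict(set)
    org_counts = Counter()
    for date, user, domain in events:
        if date <= training_end:          # ISO dates compare as strings
            per_user[user].add(domain)
            org_counts[domain] += 1
    return per_user, org_counts

def find_deviations(events, training_end, min_org_visits=2):
    """Flag post-training visits to a domain the user has never visited
    AND that is rare org-wide; a first visit to a site colleagues already
    use often (e.g. crm.example.com) is not alerted on its own."""
    per_user, org_counts = build_baseline(events, training_end)
    alerts = []
    for date, user, domain in events:
        if date <= training_end:
            continue
        new_for_user = domain not in per_user[user]
        rare_for_org = org_counts[domain] < min_org_visits
        if new_for_user and rare_for_org:
            alerts.append({"date": date, "user": user, "domain": domain})
    return alerts
```

Raising min_org_visits makes the rule stricter, so a real deployment would tune it against the alert volume the security team can investigate.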