Social engineering: the elusive enemy in the cybersecurity world
Protecting corporate information, networks and workstations from constantly changing external and internal threats is like firing at a moving target, and social engineering makes the job almost impossible. Attacks that "hack" the human mind are, as a rule, invisible and can penetrate very deep into the enterprise's systems.
What is social engineering?
In a broad sense, the term covers any situation in which criminals exploit the peculiarities of human psychology and manipulate individuals into breaking the usual security procedures and protocols. Attackers do not try to penetrate the corporate network through system vulnerabilities; their attacks are directed at people, who then hand over confidential information that gives access to office space, systems or networks.
Even if an organization has the best cyber defense systems, firewalls and procedures, it may still one day discover that cybercriminals have obtained important sensitive data.
An attack using social engineering methods is always planned and tailored to the individual characteristics of its target, in contrast to ordinary phishing, which relies on mass, indiscriminate emails or calls to thousands of people. It requires more preparation, but the chances of success are also many times higher.
First, the attackers look for specific information about the target company, its organizational structure and its employees. Their actions may be directed against employees of certain departments, or against anyone with a low level of system access through whom higher levels can be reached. The idea is not to find the weakest link in the security system but to find a vulnerable person. Playing on that person's fears, greed or curiosity, the attackers push them to break protocol.
To do this, the offender searches online and offline sources and identifies potential victims. The Internet and social media have greatly simplified access to such data.
Organization charts are a good starting point for this indirect approach. Social networks like LinkedIn and Facebook are a wealth of information: on LinkedIn it is very easy to find a list of people working in a particular division of a company, their behavior on Facebook can then be watched to single out the most trusting individuals, and all that remains is to obtain their contact details (email address, phone number).
The attackers try to earn the victim's trust or play on fear and haste, so that people do not have time to think the situation over.
Examples of attack scenarios:
- Using a forged sender address, attackers make people believe that a message was sent by a top manager (for example, the CEO), a colleague or a business partner. The malware is then launched when the recipient opens the attachment or clicks the link in the message body; alternatively, the message asks for classified information to be provided urgently. Imagine receiving a message from a company director or colleague asking you to share your thoughts on the attached document: your first reaction is to download the file. Another example: a message from a regular supplier complaining that his credentials no longer work and asking for your help to get into a specific segment of the system. Here too you may feel an impulse to help. Why not? After all, the supplier does have access, and you hardly want to be the person who held up an urgent delivery.
- An employee can receive a "callback" from "technical support". The attacker phones a group of the organization's employees, claiming to follow up on a request sent to the support desk earlier. There is a chance of actually reaching someone who sent such a request, or who simply wants to help. Once a gullible victim is found, the criminals coax login details out of them or try to install malware remotely.
- An imitation call from the IT department about a security-policy violation or a leak of login credentials. The victim is asked to provide personal data to "reset the password", install a certain file, run a command, or follow a link to check whether their credentials appear in a list of compromised passwords. In reality, these actions lead to the installation of malware.
- A call from an "auditor", "law enforcement officer" or other official who "has the right" to access sensitive information.
- To convince the victim that the call comes from a particular company, the criminals use that company's professional jargon or its on-hold music and "jingles".
- Criminals leave a USB drive with an enticing label ("salary" or "cost estimate") in a visible place on or near the company's premises, for example in the parking lot, in an elevator or in other publicly accessible areas. An employee who finds the flash drive may hand it over to the security service or, out of curiosity, plug it into an office or home computer. One way or another, the embedded malware finds its way into the system.
- An attacker can enter a restricted building by following an employee who has a key card. The offender behaves as if he genuinely has the right to be on the premises; to that end he may wear a company uniform or hold a card that looks like the real one.
- Attackers gain access by infecting a specific group of websites that the employee trusts. In this case they fake links using domain names that look and sound similar to the real ones.
- Attackers pose as technicians, cleaners or security guards so as not to draw attention to themselves while information is being stolen.
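A defender-side check for the lookalike sender domains used in the scenarios above, and for the practice this article recommends later of alerting on domain names that resemble the company's own. This is an added example, not code from the original article; the corporate domain example-corp.com, the sender addresses and the confusable-character table are all constructed for the demonstration.

```python
import re
import unicodedata
from difflib import SequenceMatcher
CORP_DOMAIN = "example-corp.com"  # assumed corporate domain, not taken from the original page
# Characters attackers swap for look-alikes (a small table for the demo, not exhaustive):
# digits for letters, letter pairs that render as one letter, Cyrillic a/e/o/p/c.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "rn": "m", "vv": "w", "\u0430": "a",
               "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c"}

def normalize(domain):
    """Fold a domain to its visual 'skeleton': unfold punycode, strip accents, map confusables."""
    d = domain.encode("idna").decode("idna").lower()  # xn-- labels back to Unicode
    d = unicodedata.normalize("NFKD", d)
    d = "".join(c for c in d if not unicodedata.combining(c))  # drop accents
    for bad, good in CONFUSABLES.items():
        d = d.replace(bad, good)
    return d

def classify(sender_domain, corp_domain=CORP_DOMAIN, threshold=0.8):
    """Verdict for one sender domain: internal, homoglyph, lookalike or external."""
    raw, corp = sender_domain.lower(), corp_domain.lower()
    if raw == corp or raw.endswith("." + corp):
        return "internal"              # the real domain or a subdomain of it
    norm, corp_norm = normalize(raw), normalize(corp)
    if norm == corp_norm:
        return "homoglyph"             # identical after folding, yet not the real domain
    brand = corp_norm.split(".")[-2]   # the label the brand lives in, e.g. 'example-corp'
    if brand.replace("-", "") in norm.replace("-", "").replace(".", ""):
        return "lookalike"             # brand embedded in a foreign domain
    if SequenceMatcher(None, norm.split(".")[-2:][0], brand).ratio() >= threshold:
        return "lookalike"             # a character or two away from the brand label
    return "external"

def scan(from_headers, corp_domain=CORP_DOMAIN):
    verdicts = {}  # sender address -> verdict, for every From: header in the batch
    for line in from_headers:
        m = re.search(r"([\w.+-]+@([\w.-]+))", line)
        if m:
            verdicts[m.group(1)] = classify(m.group(2), corp_domain)
    return verdicts

# Constructed sample headers for the demonstration (not real mail traffic)
SAMPLE_FROM_HEADERS = [
    "From: ceo@example-corp.com",
    "From: ceo@exarnple-corp.com",              # 'rn' renders like 'm'
    "From: finance@example-c0rp.com",           # digit zero for 'o'
    "From: helpdesk@examplecorp-helpdesk.net",  # brand embedded in another domain
    "From: ceo@" + "ex\u0430mple-corp.com".encode("idna").decode("ascii"),  # Cyrillic 'a', punycode
    "From: news@vendor-news.org",
]
```

Everything classed as homoglyph or lookalike is an alert candidate; a real gateway would also whitelist known partner domains before raising it.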
Why are social engineering attacks more dangerous?
A social engineering attack is always more complex than other cyber attacks, and that is what makes it a significant threat. Here are some reasons why social engineering is more dangerous than other attacks:
- Attackers always try to create a situation that looks entirely natural, and their sources appear trustworthy. Spotting the forgery is possible only if you are constantly on the alert.
- Criminals often obtain information from employees outside the workplace, in a more relaxed and informal atmosphere: a bar, a park, a fitness center and similar places.
- Firewalls and other cybersecurity measures are ineffective because the criminals do not try to exploit vulnerabilities in the software or in the company's systems. Instead, they provoke ordinary employees into making a mistake, and the subsequent penetration of the system takes place under the cover of legitimate users' credentials.
- If the criminals manage to gain access, the attack then proceeds gradually, evading whatever anomaly-detection capabilities exist. The attackers hide in plain sight and blend into the system, studying its weak points and access points for some time. They seek to gain a foothold, expand their capabilities, penetrate other segments, and collect and stage as much data as possible for transfer outside, including under the guise of normal network traffic.
- Attackers sometimes destroy evidence of their presence as they move through the system, removing malware from segments where they have already obtained the information they wanted.
- Attackers can leave a hidden entry point (a backdoor) that lets them return to the system at any time.
- Attackers can penetrate the system through employees of external organizations that have a certain level of access, for example business partners or cloud storage providers. Since the targeted company cannot control the security procedures of its partners or service providers, the risk of data loss increases. A prime example is the data breach at the retail giant Target.
- Social engineering is especially dangerous when combined with a cross-platform attack, and tracking down such cases is even harder. A victim's home computer or personal device is usually much less secure than the office network; once it is compromised, malware can reach the better-protected work computer and, through it, other parts of the corporate system.
- Conventional anti-malware tools can be ineffective, since attackers gain access to software that is already allowed in the system and use it for further penetration.
Attacks using social engineering methods are quite sophisticated, and it is not easy to stop or even detect them. As noted earlier, intrusion detection systems may not be sufficiently effective here. However, there are some practices that help prevent attacks:
- Companies should regularly train employees, informing them about common social engineering techniques. Simulation exercises, in which employees are divided into attacking and defending teams, can be effective. If possible, employees of partner companies should be included in this process.
- It is useful to deploy secure email and web gateways that filter out malicious links.
- Messages arriving from external, non-corporate networks should be monitored and flagged.
- An alerting system can be configured to detect domain names that resemble the company's name.
- The corporate network should be segmented. Access to each segment must be tightly controlled, with permissions granted only to the degree an employee's duties require. Access rights should be managed on the principle of zero trust.
- Key systems holding important information, and the accounts of employees working with confidential data, should be protected with two-factor or multi-factor authentication.
- It is important to minimize access and avoid redundant privileges.
- Access to systems must be monitored, the collected data analyzed, and abnormal activity identified.
- Internal traffic must be checked regularly for abnormal trends in order to spot slow copying of data out of the system. Situations in which an employee with access to certain data regularly copies it during off-hours, or in which copying originates from the office after the employee has already left the building, must be noticed and investigated. Attempts to gather insider information should also be monitored and tracked.
- User lists should be audited regularly, with the most widely available accounts, especially administrative ones, flagged. Special attention should be paid to Active Directory, since many of the intruders' actions leave traces in it.
- Abnormal or excessive LDAP queries must be monitored. Reconnaissance by means of LDAP is an important part of these attacks, since every enterprise network is structured differently and the attackers study each one separately. This behavior differs sharply from ordinary users' behavior patterns and is easy to recognize.
- It is useful to restrict the set of trusted programs on servers that perform only a few tasks.
- It is important to install the latest patches on all workstations.
- Risk assessments should be carried out regularly.
- The company should develop and implement procedures for authorized emergency changes to handle urgent management requests. All employees with access to confidential information should be familiar with these procedures and with their latest versions.
- If an attack is detected, backdoors should be found and eliminated.
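The off-hours and left-the-building checks from the monitoring practices above, as an added example that is not part of the original article: copy events from a file share are correlated with badge-reader events, and a user is flagged when a copy originates from the office after they badged out, or when off-hours copying recurs on separate nights. The record format, working hours, threshold and all sample records are assumptions constructed for the demonstration.

```python
from collections import defaultdict
from datetime import datetime, time

WORKDAY = (time(7, 0), time(20, 0))  # assumed working window; copies outside it are off-hours
MIN_OFF_HOURS_NIGHTS = 2             # same user copying on this many separate nights -> alert

def parse(lines):
    """Turn 'timestamp user kind' records into (datetime, user, kind) tuples, oldest first."""
    events = []
    for line in lines:
        ts, user, kind = line.split()
        events.append((datetime.fromisoformat(ts), user, kind))
    return sorted(events)

def is_off_hours(ts):
    return not (WORKDAY[0] <= ts.time() < WORKDAY[1])

def detect(lines):
    """Correlate file-share copies with badge events and off-hours timing; return alerts."""
    alerts = []
    nights = defaultdict(set)   # user -> dates on which an off-hours copy happened
    present = {}                # user -> True after badge_in, False after badge_out
    for ts, user, kind in parse(lines):
        if kind in ("badge_in", "badge_out"):
            present[user] = kind == "badge_in"
            continue
        if kind != "copy":
            continue
        if present.get(user) is False:
            alerts.append((user, ts.isoformat(), "copy from office workstation while badged out"))
        if is_off_hours(ts):
            nights[user].add(ts.date())
            if len(nights[user]) == MIN_OFF_HOURS_NIGHTS:
                alerts.append((user, ts.isoformat(), "repeated off-hours copying"))
    return alerts

# Constructed sample records (not real logs): 'ISO timestamp user badge_in|badge_out|copy'
SAMPLE_RECORDS = [
    "2024-03-04T08:55:00 alice badge_in",
    "2024-03-04T09:12:00 alice copy",          # normal daytime activity
    "2024-03-04T18:30:00 alice badge_out",
    "2024-03-04T22:40:00 alice copy",          # copy from the office after alice left
    "2024-03-05T23:05:00 alice copy",          # second night in a row
    "2024-03-06T07:30:00 carol badge_in",
    "2024-03-06T21:00:00 carol copy",          # one late evening, still present: no alert
    "2024-03-06T08:40:00 bob badge_in",
    "2024-03-06T14:10:00 bob copy",
]
```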
Attackers have to make a serious effort to coordinate an attack. However, many websites and specialized online forums help inexperienced criminals improve their social engineering skills with ready-made software and detailed theory. Protecting the organization from such illegal activity therefore requires heightened effort and attention. But the effort pays off in full, because it is the way to avoid incidents like the one at Target.