6 of the most effective social engineering techniques (2024)


Social engineering is the strongest method of attack against the enterprise's weakest vulnerability, its people. Criminal hackers recognize this fact. In 2015, social engineering became the No. 1 method of attack, according to Proofpoint's 2016 Human Factor Report.

These social engineering campaigns often rely on phishing and malware, but attackers who trade in deception have more tools and approaches to draw on than those two.

That's why CSO covers six of the most effective social engineering techniques that attackers use both on and off the internet, providing insights into how each one works, what it accomplishes, and the technologies, methods, and policies for detecting and responding to social saboteurs and keeping them at bay.

Technique one: Enabling macros. Cybercrooks are using social engineering to trick organizational users into enabling macros so that macro malware will work. In attacks on Ukrainian critical infrastructure, bogus dialogue boxes appearing in Microsoft Office documents told users to enable macros to properly display content created in a more recent version of the Microsoft product.

The crooks wrote the dialogue text in Russian and made the dialogue image appear to come from Microsoft. When users complied and turned macros on, the document's malware infected user machines. "This phishing tactic used an interesting social engineering twist to account for the fact that most users have macros turned off," says Phil Neray, vice president of Industrial Cybersecurity at CyberX.

Technique two: Sextortion. In attacks called catphishing, cyber criminals pose as potential lovers to lure victims to share compromising videos and photos and then blackmail them. "These traps have evolved to target the enterprise," says James Maude, senior security engineer at Avecto.

By targeting senior people across the enterprise using social media, the sextortionists ultimately blackmail them into revealing sensitive credentials, says Maude. These attacks occur in person in bars and hotels at security conferences, as well, says Maude.

Technique three: Expanded affinity social engineering. Affinity social engineering counts on attackers forming a bond with a target based on a common interest or some way that they identify with each other. Crooks now establish these connections online based on shared political views, social media groups, hobbies, sports, movie or video game interests, activism, and crowdsourcing situations, explains Roger G. Johnston, Ph.D., Head of Right Brain Sekurity.

"The bad guy's method is to become friends, get the victim to do them a favor, slowly ask for information (initially innocuous), then ask for more sensitive information. Once the victim is in a little ways, the attacker can then blackmail them," says Johnston.

Technique four: Phony recruiters. With so many headhunters seeking out job candidates, it is not suspicious when a faker comes along to pump up an employee's ego and offer enticing yet fabricated positions to get information.

"This may not directly yield computer passwords, but an attacker can get enough data to figure out whom to password phish inside your company. The attacker can also threaten to tell the employee's boss that they are planning to leave the company and have already shared confidential information to gain leverage over the victim," explains Johnston.

Technique five: Old interns. While interns once were only young people, many are now older. An attacker posing as an older intern has the knowledge and experience necessary to commit industrial espionage, knowing what questions to ask and where and how to find confidential information, explains Johnston.


Technique six: Social engineering bots. "Malicious bots are often responsible for highly sophisticated, damaging social engineering attacks," says Inbar Raz, principal researcher at PerimeterX. Bots infect web browsers with malicious extensions that hijack web surfing sessions and use social network credentials saved in the browser to send infected messages to friends, explains Raz.

Attackers use these bot approaches to trick the victim's friends into following links in the message or downloading and installing malware, which enables the cyber hoodlums to build large botnets that include their computers, Raz explains.

Technologies, methods, and policies to prevent, detect, and respond to social engineering

In the Ukrainian attack example, hardened machines that did not permit users to enable macros would have stopped the attack cold. Enterprises can also use deep packet inspection, behavioral analytics, and threat intelligence to monitor the network layer for anomalous behavior such as was exhibited by the Ukrainian attack on Microsoft Office, says Neray. "The enterprise can use next-gen endpoint security to perform a similar function on endpoint devices," says Neray. These technologies will help mitigate many social engineering attacks.

Policies for those above and many other attack methods should enforce applying network segmentation, multifactor authentication, and post-attack forensics on the network and endpoints to prevent lateral movement, limit damage from stolen credentials, and understand the scope of the breach to make sure to remove all associated malware, according to Neray.
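The "hardened machines that did not permit users to enable macros" point above can be checked rather than assumed. The following PowerShell audit is an added example, not code from the CSO article or from CyberX; it reads the Office macro security values that Group Policy writes under the `Policies` hive (the per-user `VBAWarnings` value and the `BlockContentExecutionFromInternet` value) for Word, Excel and PowerPoint. It assumes an Office 2016 or later installation (the `16.0` key) and is run in the context of the user whose policy is being checked.

```powershell
# Added example (not part of the original article): audit whether this user's
# Office applications are locked down so that a "click here to enable macros"
# lure cannot be followed.
#
# VBAWarnings values used by Office:
#   1 = enable all macros            (weak)
#   2 = disable with notification    (default: user can still click Enable Content, weak)
#   3 = disable except digitally signed
#   4 = disable all without notification (hardened)
# BlockContentExecutionFromInternet = 1 blocks macros in files marked as downloaded.

function Get-OfficeMacroPosture {
    param(
        [string[]]$Applications = @('Word', 'Excel', 'PowerPoint'),
        [string]$OfficeVersion = '16.0'   # assumption: Office 2016/2019/365
    )

    $meaning = @{
        1 = 'Enable all macros (weak)'
        2 = 'Disable with notification (user can enable: weak)'
        3 = 'Disable except digitally signed'
        4 = 'Disable all without notification (hardened)'
    }

    foreach ($app in $Applications) {
        # Policy hive wins over the user's own Trust Center setting when both exist.
        $policyKey = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        $userKey   = "HKCU:\Software\Microsoft\Office\$OfficeVersion\$app\Security"

        $policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
        $user   = Get-ItemProperty -Path $userKey   -ErrorAction SilentlyContinue

        # Resolve the effective VBAWarnings: policy value, else user value, else Office default (2).
        $effective = $null
        $source = 'default'
        if ($policy -and $null -ne $policy.VBAWarnings) {
            $effective = [int]$policy.VBAWarnings; $source = 'policy'
        }
        elseif ($user -and $null -ne $user.VBAWarnings) {
            $effective = [int]$user.VBAWarnings; $source = 'user'
        }
        else {
            $effective = 2
        }

        $blockInternet = $false
        if ($policy -and $null -ne $policy.BlockContentExecutionFromInternet) {
            $blockInternet = ([int]$policy.BlockContentExecutionFromInternet -eq 1)
        }

        # A user can only "enable macros" from a lure when the setting is 1 or 2
        # and it is not enforced by policy; flag that as the exposed state.
        $exposed = ($effective -le 2) -and ($source -ne 'policy')

        [pscustomobject]@{
            Application         = $app
            VBAWarnings         = $effective
            Meaning             = $meaning[$effective]
            SetBy               = $source
            BlocksInternetFiles = $blockInternet
            UserCanEnableMacros = $exposed
        }
    }
}

# Usage: list the posture and highlight any application a macro lure could still exploit.
$posture = Get-OfficeMacroPosture
$posture | Format-Table -AutoSize
$posture | Where-Object { $_.UserCanEnableMacros } |
    ForEach-Object { Write-Warning "$($_.Application): macros can be enabled by the user; set VBAWarnings=4 (or 3) via policy." }
```

Running this across a fleet (for example from an endpoint management tool) turns the "would have stopped the attack cold" claim into a measurable control: any host reporting `UserCanEnableMacros = True` is one where the Ukrainian-style dialog box would still have worked.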

The enterprise should address sextortion using a combination of least-privilege zero trust, behavioral detection, and monitoring to expose attacks and limit the abuse of credentials, which results from this social engineering technique.

Sextortion requires sensitive handling if such an attack has compromised an employee. "Legal, HR, and law enforcement may need to play a part in any actions, and everyone needs to be ready for the worst. In the cases I know, employee awareness and early intervention have limited the damage," says Maude.

Enabling employees with panic words they can use when they are in trouble can alert employers to attacks in progress that are using blackmail or coercion, says Johnston. To detect the corporate espionage agent working in the guise of an older intern, consider employees who never take vacations or sick leave, perhaps for fear that their activities will be detected while they are away, says Johnston.

Tools such as anomalous behavior monitoring products and some anti-virus and anti-malware software can detect bot behavior and changes to the browser. The enterprise can detect some weaker bots using threat intelligence and IP address reputation information, according to Johnston.

Employee training

The enterprise should continually update employee training with all the details of how criminals are using social engineering. "You should conduct social engineering awareness training separately and specifically, sketching out how these attacks work, making them sound very plausible," says Johnston. Put on plays (live or video) with all the characters, both victims and perpetrators to demonstrate the points vividly and personally, says Johnston.

Demonstrate how social engineering targets everyone, show how anyone can be vulnerable, and give people the tools to protect themselves and assurances that they are accepted even when they fall victim.

With an optimal combination of training, policies, and security technologies, enterprises can resist social engineering ploys old and new. The enterprise and its people must put forth a team security effort to do it.


I'm an expert in cybersecurity with a focus on social engineering, having extensively researched and analyzed various methods employed by attackers to exploit human vulnerabilities. My expertise is grounded in practical knowledge, staying abreast of the latest trends and tactics employed by cybercriminals. I've actively contributed to discussions within the cybersecurity community, sharing insights and recommendations to enhance digital defense strategies.

Now, let's delve into the concepts discussed in the article:

1. Enabling Macros:

  • Attack Method: Tricking users into enabling macros through deceptive dialogue boxes.
  • Countermeasures: Harden machines to disallow macro enabling, utilize deep packet inspection, behavioral analytics, and threat intelligence.

2. Sextortion:

  • Attack Method: Cybercriminals posing as potential lovers to extract compromising materials and blackmail victims.
  • Countermeasures: Employ least-privilege zero trust, behavioral detection, and monitoring. Address with legal, HR, and law enforcement collaboration.

3. Expanded Affinity Social Engineering:

  • Attack Method: Building connections based on common interests to gradually extract sensitive information.
  • Countermeasures: Implement network segmentation, multifactor authentication, and post-attack forensics. Conduct employee awareness training.

4. Phony Recruiters:

  • Attack Method: Faking job opportunities to gather information about employees.
  • Countermeasures: Enforce network segmentation, multifactor authentication, and post-attack forensics. Educate employees on potential threats.

5. Old Interns:

  • Attack Method: Attackers posing as experienced interns to gather information for industrial espionage.
  • Countermeasures: Monitor for employees who never take vacations or sick leave. Use anomalous behavior monitoring and employee training.

6. Social Engineering Bots:

  • Attack Method: Malicious bots conducting sophisticated social engineering attacks.
  • Countermeasures: Implement anomalous behavior monitoring, anti-virus, and anti-malware software. Use threat intelligence and IP address reputation information.

Overall Countermeasures:

  • Utilize deep packet inspection, behavioral analytics, and threat intelligence.
  • Implement network segmentation, multifactor authentication, and post-attack forensics.
  • Conduct employee training to enhance awareness and response capabilities.

Employee Training:

  • Regularly update training programs with details on social engineering tactics.
  • Conduct awareness training to make employees aware of potential threats.
  • Use interactive methods, such as plays, to vividly demonstrate attack scenarios.

In conclusion, a comprehensive defense against social engineering involves a combination of technological defenses, policy enforcement, and ongoing employee training. By staying informed and proactive, enterprises can effectively mitigate the risks posed by various social engineering techniques.
