The latest high-profile hack suffered by Twitter, still under investigation with the FBI taking point, appears to have been the result of a successfully coordinated social engineering attack. It has been widely reported that the attackers were given access to internal Twitter user administration tools, and further reported that whoever was behind the attack got someone inside Twitter to provide that access willingly, potentially in exchange for payment. Strictly speaking, that is more of an insider threat scenario than social engineering, since a typical social engineering attack involves an employee who is unaware of the role they played - nonetheless, it highlights the significant risks that many companies currently carry. The real questions are whether you are taking these risks seriously enough and what you are doing to mitigate them.
What, exactly, is a social engineering attack and how do they happen? Let's dig in:
A favorite social engineering definition, from a McAfee/Intel Security report: "The deliberate application of deceitful techniques designed to manipulate someone into divulging information or performing actions that may result in the release of that information."
From the same report: "During a social engineering interaction, the victim is not aware that his or her actions are harmful. The social engineer exploits the target's innocent instincts, not any criminal instincts. Attackers employ a variety of methods to trick victims into divulging useful information or performing actions such as clicking a link. Social engineering uses subterfuge to get its targets to take an action that, if they were aware of its real purpose, they would not take. Contrast this with direct techniques such as bribery or the threat of violence. Direct techniques of exploitation do not fall within the scope of social engineering."
An all too common example of this type of attack, seen frequently today, is the unsolicited IT help desk call. It is typically perpetrated against two types of organizations: a company large enough that the average user probably does not know everyone on the IT support team, or a company that has outsourced its first-line service delivery function to a third party. "Hi, this is Steve from IT - we're having some issues today and we need to reset your account. Can you tell me what your password is so I can do a reset on this end?" The number of users who answer this question without questioning the caller, even in today's higher security awareness environment, is staggering. The risk here is significant, as the right credentials from the right user can easily turn into a privilege escalation. The same attack can also look like "Hi, this is Pam from IT Support - we just sent you an email to reset your access to your network shares - can you click the link please?" - and again, the hit rate on this one is scary. It works, which is why it is still in use.
This type of attack has grown more sophisticated in recent years and has become much more targeted in nature, and together with more sophisticated spear phishing emails it presents a serious challenge. Where previously the targets seemed much more random, today's proliferation of social media tools and our increased internet presence have made it easier for the bad guys, whether a criminal organization or a nation state hunting for sensitive IP, to be increasingly effective at compromising their marks. It is easier to learn personal information about ANYONE today, making social engineering attacks both easier to conduct and more likely to succeed - imagine the CFO of a multi-million dollar tech firm getting an email that APPEARS to be from someone in his direct reporting chain, referencing an ACTUAL contract the company is working on, with a transfer of funds request naming the CORRECT bank. Again, the number of successful attacks like this one that we see today is concerning.
Common Threat Vectors - what are the pathways for an incoming social engineering attack?
Websites: websites with malicious links remain a popular attack vector. While many old-school malicious website links persist, these have also evolved to become much more targeted, as in the example above, often aimed at getting a specific user to click a specific link.
Email: the pervasive phishing attacks continue, also having evolved to become more sophisticated and more targeted (spear phishing). This remains an incredibly effective method of infiltration for cybercriminals.
Telephone: while not as popular as it once was, direct telephone contact can still be an effective vector for a social engineering attack, as in the example above. The more common form in today's environment is the shift of these attacks to predominantly text-message based links. Users are often less careful with a shortened link in a text message that looks valid.
In Person: again not as commonly seen, but still a risk. Many larger organizations continue to report security badge access violations and piggybacking past internal access controls within a physical facility. This one carries a serious data exfiltration risk once an intruder has access to unattended computer facilities.
Who are the bad actors?
This can be a difficult question to answer and frequently depends on your specific business. Typically, the higher-risk and more sophisticated attacks come from either cybercriminals looking to profit, directly or indirectly (holding your data for ransom, selling your intellectual property), or malicious nation state hackers looking for IP or other sensitive information. Less skilled categories of infiltrators include script kiddies hacking for fun and hacktivists with a political agenda. One of the most serious bad actors to be concerned about is the insider, whose internal access to sensitive data presents a more serious risk, as in the Twitter hack discussed above. The motivations of bad actors are another concern, and again an area where the insider threat can be the most significant - a disgruntled employee with administrative access can prove disastrous. In today's business climate, your most precious resource is your data.
How to protect against social engineering risk?
Three categories of controls need to be implemented for effective social engineering risk management: people, process and technology.
People is all about user training. Your people need to be clearly aware of your acceptable use policy and accountable for their behavior. User training needs to be consistent with a security awareness program that occasionally tests the waters. There are a number of phishing awareness tools and training campaigns that are very effective at reducing your positive hit rate if implemented correctly.
Process defines how to use the tools in place to behave properly to protect your data. Helpdesk ticket and incident reporting, security response plans, user communications and clear escalation paths for the user base can ALL dramatically improve your readiness and resilience to fend off a social engineering attack.
Technology gives your people the tools to follow the process. This one can get complicated, as you need to ensure you are selecting the right tools and implementing them effectively. From perimeter security to authentication tools to remote access mechanisms to security monitoring and logging tools and so on, this is the area where most organizations need some help to right-size their plan.
What's the take-away?
Social engineering is a real threat vector that continues to impact business today. It is in the headlines almost every day. Whether it is a cybercriminal or another bad actor, your data is at risk. Protecting against these threats, as well as the internal risk from insider threats, can be complicated, but there are well-understood best practices and many available toolsets that can make the job easier. It is important to understand the risk that is specific to your business and adjust your investment to meet the RIGHT level of acceptable risk. It is all too easy to either OVER invest in this area or, worse, to UNDER invest and end up a victim.
Need some guidance? We can help. It's what we do.