By: Taylor Armerding, Security Advocate at Synopsys Software Integrity Group
Technology can do lots of things better than humans can — playing chess, working a factory floor and soon (supposedly) driving our cars and trucks is just the start of a very long list. But technology, at least so far, can’t trump the human when it comes to protection against cyber attacks.
Bad guys know it — they know that if they can trick, seduce, or scare a human into clicking on a malicious link or giving up personal or corporate credentials, it’s game over—in their favour.
Which is why social engineering is rampant. All you have to do to understand why is watch some videos of the Capture the Flag contest in the Social Engineering Village at DEF CON in Las Vegas every August. The relative ease with which contestants get people to hand over sensitive, proprietary information to callers they’ve never met and don’t know can be funny, but also frightening.
That’s because it doesn’t happen only in contests. It keeps happening in the real world, where the damage is always painful and sometimes catastrophic.
The most common type of social engineering attack is phishing — an email purportedly from a trusted source, designed to manipulate the recipient into revealing sensitive information, clicking a malicious link, or opening a malicious file.
Three high-profile ransomware attacks on Florida cities this past summer were each enabled by an employee responding to a phishing email.
The 2019 Verizon Data Breach Investigations Report found that phishing was the top cause of data breaches, at 32%, and was a factor in 50% of security incidents last year. Security firm FireEye, in its Q1’19 Email Threat Report, found that phishing attacks rose 17% in the first quarter of this year.
That, of course, is because it works. As Christopher Hadnagy, founder, CEO, and chief human hacker at Social-Engineer, put it, “Phishing is the easiest because it has the lowest cost and the potential is huge.”
An ominous trend Verizon noted is that phishing attacks are increasingly aimed at C-level executives. These targets tend to be busy and under too much pressure to be wary of any single email within the ongoing flood they receive. They also have approval authority and virtually limitless access privileges.
Vishing, smishing, and gaming, oh my!
But phishing is not the only type of social engineering attack. There’s vishing, or phishing by phone — which is what the contestants at DEF CON do. There’s smishing, in which an attacker tries to get a victim to give up private information via a text or SMS message.
There are video game social engineering scams. One involves an attacker posing as a player who sends a chat message to a victim asking him to join his team — of course complimenting his skills.
To join, however, the victim has to download and install an app, presumably necessary to be on the team. The reality, of course, is that the “app” is malware that can steal account credentials.
Social engineering via IoT
There is the Internet of Things (IoT), rapidly becoming the Internet of Everything (IoE), featuring billions of “smart” devices that in many cases are feature rich but security poor. As noted in a 2016 research paper by two professors at London’s University of Greenwich, attackers could spoof an instant message from a user’s smart refrigerator, saying the user was running low on something. The attackers could ask “whether the user would like to place an order with an Amazon-style ‘one-click’ ordering button — which conveniently leads to a drive-by download.”
It’s possible, they wrote, for attackers to know what the user was running low on by “sniff[ing] seemingly unimportant, unencrypted sensor node data sent from the fridge to the home automation controller, which connects to the user over the Internet via their home broadband router.”
Another complication with this type of social engineering attack: Smart devices are still relatively new, unlike email, which has been around for decades. Consequently, the authors wrote, “users are not sensitive to malicious behavior originating from home/city automation systems, smart devices, or social media platforms that provide access to e-health, emergency, or public services.”
Can social engineering training prevent attacks?
All this raises the obvious question: What are the best ways to help people spot, resist, and report those attacks?
Well, it ain’t easy. If it were, the problem would have been solved long ago. Many very well crafted security awareness programs have been in place for decades. Every major security conference in existence features multiple presentations on how to prevent social engineering attacks.
The reality is that it’s hard. So hard that Travis Biehn, technical strategist at Synopsys, contends that social engineering awareness training has “negligible effects.”
“The only thing that seems to make a difference is constant training—and even then attackers eventually find a weak link,” he said.
Biehn even thinks those programs can yield perverse results. “Social engineering awareness is a form of victim blaming. People aren’t built to resist subterfuge, and they can’t execute your checklist when they’re fatigued, overworked, or hungover,” he said.
Tools and tech must overcome psychology
Not everybody has that bleak a view. Mario Mercaldi, associate principal consultant at Synopsys, thinks awareness training is important and can be effective. But he agrees with Biehn that it’s much more difficult and nuanced than simply telling people that “if something doesn’t seem right, it probably isn’t.”
“It’s more complicated than that, and your ‘BS detector’ cannot replace policies and procedures — at home and work,” he said. “Add in the fact that people in general are not very good at discerning voices over a phone or otherwise, and with the new ‘deepfake’ era, it’s getting even more difficult to spot potential issues. This is why the bulk of awareness training must focus on process versus the effort of trying to spot a fake.”
Indeed, the reason social engineering is so successful is that it takes advantage of how humans are wired. Video gaming scams work, Mercaldi said, because they are “designed to make it intuitive to easily spend hundreds or thousands of dollars on digital items with little intervention to detract from the microtransaction process.”
The same psychology applies to “one-click” products. “They have the same built-in feature of making it too easy to order something you don’t necessarily need because of convenience,” he said.
How to prevent social engineering attacks
Ultimately, experts say it takes a combination of training and technology for organisations to avoid being the proverbial “low-hanging fruit” and prevent all types of social engineering attacks.
Training and technology
Thomas Richards, principal consultant at Synopsys, said the most effective training technique he has seen is for companies to “conduct continual and frequent social engineering tests of their employees. After speaking with several executives, many were able to take a click rate in the 20% range and reduce it to single digits,” he said.
Hadnagy, who presents multiple courses in social engineering throughout the year, focuses on teaching students all the techniques that attackers use. The idea is that if you know how to do it, then you are much more likely to know when somebody is trying to do it to you.
But he also agrees that “being truly secure is a blend of the right technology and the best education.”
Chris Clark, business development manager, senior staff, at Synopsys, said some examples of technology help include “security capabilities capable of catching these attacks — smart email filters, regional blocking, reactive firewalls paired with content filtering. Attackers are always scooting around, so make sure you have a good mousetrap.”
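The kind of “smart email filter” mentioned above usually works by scoring a message on several weak indicators rather than matching a single signature. The following is an added illustration, not code from Synopsys or anyone quoted on this page, and every threshold, weight and name in it is an assumption: the protected domain (`example.com`), the executive directory (`EXEC_NAMES`), and the three sample messages are all constructed here. It scores display-name spoofing of a known executive (the C-level targeting Verizon noted), lookalike sender domains, Reply-To mismatches and urgent payment language, and returns a deliver/quarantine/block verdict.

```python
"""Toy phishing-indicator scorer (added example; assumptions marked)."""
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.com"           # assumption: the protected organisation
EXEC_NAMES = {"jane doe", "sam lee"}  # assumption: display names of executives
# assumption: words that commonly appear in payment/credential lures
URGENCY = re.compile(r"\b(urgent|immediately|wire|gift cards?|confidential|asap)\b", re.I)


def domain_of(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_internal(domain):
    return domain == ORG_DOMAIN or domain.endswith("." + ORG_DOMAIN)


def is_lookalike(domain):
    """Close-but-not-equal to the org domain, e.g. examp1e.com or example-corp.com."""
    if not domain or is_internal(domain):
        return False
    label, org_label = domain.split(".")[0], ORG_DOMAIN.split(".")[0]
    if SequenceMatcher(None, label, org_label).ratio() >= 0.8:  # assumption: 0.8 cut-off
        return True
    return org_label in label


def score_message(raw):
    """Return (verdict, score, reasons) for a single-part RFC 822 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)
    _, reply = parseaddr(msg.get("Reply-To", ""))
    reasons = []  # (reason, weight); weights are assumptions
    if name.strip().lower() in EXEC_NAMES and not is_internal(from_dom):
        reasons.append(("executive display name on an external sender", 4))
    if is_lookalike(from_dom):
        reasons.append(("lookalike sender domain", 3))
    if reply and domain_of(reply) != from_dom:
        reasons.append(("Reply-To domain differs from From", 2))
    text = msg.get("Subject", "") + "\n" + msg.get_payload()
    hits = sorted({m.lower() for m in URGENCY.findall(text)})
    if hits:
        reasons.append(("urgency/payment language: " + ", ".join(hits), 1))
    total = sum(w for _, w in reasons)
    verdict = "block" if total >= 5 else "quarantine" if total >= 3 else "deliver"
    return verdict, total, [r for r, _ in reasons]


# Constructed sample messages (not real traffic).
SPOOFED_EXEC = """\
From: Jane Doe <jane.doe.ceo@gmail.com>
Reply-To: Jane Doe <jane.doe.ceo@protonmail.com>
To: junior@example.com
Subject: Urgent wire needed today

I'm in a meeting and can't talk. Please wire $250,000 immediately to the account below.
"""

LOOKALIKE = """\
From: Accounts Payable <ap@examp1e.com>
To: finance@example.com
Subject: Invoice attached

Please find the invoice attached and update the bank details on file.
"""

INTERNAL = """\
From: Jane Doe <jane.doe@example.com>
To: junior@example.com
Subject: Q3 planning deck

Attached is the draft deck for Thursday's planning session.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed exec", SPOOFED_EXEC), ("lookalike", LOOKALIKE), ("internal", INTERNAL)):
        verdict, total, reasons = score_message(raw)
        print(f"{label:12s} -> {verdict:10s} score={total} {reasons}")
```

The point of the weighted design is that no single cue is decisive: an executive’s name on a Gmail address is suspicious on its own, but combined with a foreign Reply-To and a wire request it crosses the block threshold, while a lookalike domain alone only earns quarantine for a human to review. Real filters add authentication results (SPF, DKIM, DMARC alignment) and URL reputation to the same kind of score.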
Don’t forget about process
Mercaldi said “process” can help prevent social engineering attacks as well. He cited the case of a phone call from a supposed CEO to a junior executive, directing him to wire US$250,000 to an account. But the scam didn’t work because the organisation’s policies “required a sign-off policy from multiple people ‘in person’ and if there was a need to fast-track funds, it should have been discussed before, within an active window,” he said.
Still, however, it comes down to the human in the end. “Innovations that require intervention can also be bypassed by an attacker if they can convince the victim to do so,” Mercaldi said. “I don’t think there’s a technical guard that can’t be exploited by social engineering.”