What is a social engineering attack?

A social engineering attack is a cyber attack designed to trick people into taking certain actions. Social engineering attacks do not rely on technical measures, although they are often the first phase of a more sophisticated cyber attack.

Social engineering attacks are a major concern for cybersecurity professionals because it doesn’t matter how good the security safeguards are or how specific the policies are: if such an attack has tricked a user, that user may hand their legitimate credentials to a malicious actor without even being aware of it. Once this actor gains access, they can use the stolen credentials to pose as a legitimate user and move laterally, discover the security measures in place, install backdoors, commit identity theft, and steal data.

Why are social engineering attacks so successful?

Social engineering attacks work well because strong motivations, such as money, love, and fear, can push people into taking action. Attackers take advantage of this by offering false opportunities to fulfil those desires. The least sophisticated social engineering attacks are just a gamble: if you give enough people a shot at a few million dollars, some of them will come forward. However, these attacks are often quite sophisticated, allowing even the most suspicious individuals to be fooled.

A malicious actor can spend significant amounts of time, months or even years, educating themselves about a victim by watching them on social media, searching private databases, and even coming physically near them.

With enough information, the malicious actor can design a likely successful attack. No one should assume that they are immune to social engineering attacks: if the malicious actor has created the right conditions, obtained the right information, and created the right supporting documents, anyone can be fooled.

How do social engineering attacks work?

A social engineering attack can be carried out via email, social media, phone, or in person. However, regardless of the channel chosen, the methods remain the same. The attacker will pose as a person with a legitimate need for information, e.g., an IT worker asking the person to “verify their credentials” or a new employee who urgently needs an access token but doesn’t know the correct process for requesting it.

Threat actors can also pretend to be an authority figure, e.g., a law enforcement officer who needs sensitive information as part of an investigation or a business executive who needs to quickly wire a large sum to an outside party to meet payment deadlines.

Social engineering attacks typically follow these simple steps:

  1. Research: The attacker identifies victims and chooses an attack method.
  2. Interaction: The attacker makes contact and establishes a basis of trust.
  3. Attack: The attack begins, and the attacker gets the desired data.
  4. Exit: The attacker covers their tracks and completes the attack.

What types of social engineering attacks are there?

Phishing

Phishing is the most well-known social engineering tactic. A phishing attack uses an email, website, web ad, web chat, SMS, or video to trick victims into taking action. Phishing attacks can appear to come from a bank, delivery service, or government agency. However, they can also be more specific and look like they come from a department in the victim’s company, such as the HR, IT, or finance department.

Phishing emails contain a call to action. The victim may be encouraged to click a URL leading to a fake website or a malicious link that delivers malware.

Phishing attacks are a well-known danger that even inexperienced users are aware of. However, they still work because the victims are distracted and busy or because the attacks are so well designed that no one would doubt their authenticity.

A spear-phishing attack is a phishing scam in which the attacker targets a specific audience, e.g., the employees of a certain company or the finance directors in a certain industry.

Similar to spear phishing, a whaling attack is a targeted phishing tactic. The difference is that executives or senior employees are targeted in a whaling attack.

Baiting Attacks

Baiting attacks typically lure the victim with an interesting offer, such as free music, games, or ringtones, hoping that the victim will use the same password to log into the digital products as they do for more important websites. Even if the password is unique to that one site, the attacker can sell it as part of a bundle with thousands of other passwords on the dark web.

In corporate environments, a baiting attack is more likely to use a USB memory stick left in a conspicuous place, such as the break room or the lobby. When the person who finds the drive plugs it into a machine on the corporate network to determine who owns it, it launches malware into the environment.

Quid pro quo

A quid pro quo attack is a social engineering scam similar to a baiting attack. However, rather than casting a wide net, the attacker targets a specific individual with an offer to pay for a service. For example, the threat actor may pretend to be an academic researcher who wants to pay for access to the corporate environment.

How can you protect yourself from social engineering attacks?

The best way to stop socially engineered threats is to incorporate people and technology into the defence strategy.

What can people do?

Security awareness is the best way to prevent a successful attack. It’s important to know common social engineering tactics to spot the signs. Your organization should have a process in place if employees, for any reason, believe they have been the victim of a social engineering attack. This process should describe how employees can consult IT security personnel.

As part of a security awareness program, organizations should continually remind employees of the following common practices:

  • DO NOT CLICK ON LINKS FROM PEOPLE YOU DO NOT KNOW. First, hover over the link with the mouse pointer to see where it actually leads. Trust is good; control is better!
  • Do not open email attachments from senders you cannot identify.
  • Be suspicious of emails or phone calls asking you to provide account information or to verify your account.
  • Do not include your username, password, date of birth, social security number, financial information, or other personal information in an email or robocall.
  • Requests for information, even from a legitimate source, should always be independently verified.
  • Always check the web address of legitimate websites and enter them manually into your browser.
  • Check for misspellings or mismatched domains in links (for example, an address that should end in .de but ends in .com instead).
  • Verification by voice or video call should always occur before transferring money or data.
  • Be on the lookout for counterfeit items such as disinfectant products and personal protective equipment, or anyone claiming to be selling products to prevent, treat, diagnose or cure COVID-19.
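The hover-and-compare advice and the mismatched-domain check from the list above can be automated for mail-gateway or browser-side screening. The following is an added example, not code from the original article; the bank domain, the allow-list and the sample links are all constructed for illustration, and the two-label domain extraction is a simplification (production code should consult the Public Suffix List).

```python
import re
from urllib.parse import urlsplit

# Constructed sample links as (visible anchor text, actual href); the domains
# are hypothetical and stand in for a bank the reader trusts.
SAMPLE_LINKS = [
    ("https://www.example-bank.de/login", "https://www.example-bank.de/login"),
    ("https://www.example-bank.de/login", "https://www.example-bank.com/login"),
    ("www.example-bank.de", "http://example-bank.de.secure-verify.net/x"),
    ("Open your invoice", "https://examp1e-bank.de/invoice"),
]
TRUSTED = {"example-bank.de"}  # assumed allow-list of legitimate domains

def host_of(url):
    """Lowercase host of a URL; a bare 'www.x.de' is accepted too."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()

def registered_domain(host):
    # Last two labels only; real code should consult the Public Suffix List.
    return ".".join(host.split(".")[-2:])

def edit_distance(a, b):
    """Levenshtein distance, used to spot typosquats such as examp1e-bank."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_link(text, href, trusted=TRUSTED):
    """Return a list of warnings for one link; an empty list means no finding."""
    warnings = []
    host = host_of(href)
    actual = registered_domain(host)
    # What the user sees (if the anchor text looks like a URL) vs. where it goes.
    if re.match(r"^(https?://|www\.)", text.strip(), re.I):
        shown = registered_domain(host_of(text))
        if shown != actual:
            warnings.append(f"displayed domain {shown} but link goes to {actual}")
    for good in trusted - {actual}:
        if good in host:          # trusted name buried as a subdomain
            warnings.append(f"{good} appears inside untrusted host {host}")
        elif actual.split(".")[0] == good.split(".")[0]:
            warnings.append(f"mismatched TLD: {actual} instead of {good}")
        elif edit_distance(actual, good) <= 2:
            warnings.append(f"lookalike domain: {actual} resembles {good}")
    return warnings
```

Run `check_link(text, href)` over every anchor in a message; the second sample link triggers both the displayed-versus-actual warning and the .de/.com TLD mismatch described in the list.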

What can technology do?

Besides the human component, every business should also use a cybersecurity solution that relies on the following:

  • Sensor Coverage: You can only stop what you can see. Organizations should implement capabilities that give security leaders complete visibility into the entire environment, leaving no blind spots for threat actors to exploit.
  • Technical data: Leverage technical data, such as indicators of compromise, and feed them into a SIEM (security information and event management) system for data enrichment. This gives you a broader base of information for event correlation and can identify events on the network that would otherwise have gone unnoticed. Implementing reliable indicators of compromise across multiple security technologies improves much-needed situational awareness.
  • Threat Analytics: Threat analytics reports show threat actors’ behaviour, tools, and practices. Threat analytics help with threat actor profiling, campaign tracking, and malware family monitoring. Knowing the context of an attack is more important than ever; simply knowing that an attack has taken place is not enough, and this is where threat analysis plays a crucial role.
  • Threat Hunting: It is equally important to recognize that technology only takes a business so far. Security technologies alone cannot guarantee 100% protection, and no technology is infallible. This demonstrates the importance of 24/7 managed human threat hunting.
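To make the "Technical data" item concrete, here is an added example (not part of the original article) of feeding indicators of compromise into a correlation step: each event is enriched with any matching indicator, and a user whose indicator hits span several log sources (a phishing mail, a visit to the lookalike site, and a login from known harvesting infrastructure) is surfaced as one incident rather than three unrelated events. The log lines, the users and the indicator feed are all constructed; the key=value format stands in for whatever the SIEM normalizes to.

```python
import re
from collections import defaultdict

# Constructed sample events (syslog-like), not real telemetry.
SAMPLE_LOGS = """\
2024-05-02T09:14:03Z proxy user=alice dst=examp1e-bank.de action=allow
2024-05-02T09:14:20Z mail user=alice from=hr@examp1e-bank.de subject="verify credentials"
2024-05-02T09:15:01Z auth user=alice src=203.0.113.10 result=success
2024-05-02T09:20:44Z auth user=bob src=198.51.100.7 result=success
2024-05-02T09:21:09Z proxy user=bob dst=updates.example.org action=allow
"""

# Hypothetical indicator feed: value -> (type, label)
IOCS = {
    "examp1e-bank.de": ("domain", "phishing-lookalike"),
    "203.0.113.10": ("ip", "credential-harvest-infra"),
}
KV = re.compile(r"(\w+)=(\"[^\"]*\"|\S+)")

def parse(line):
    """Split '<ts> <source> k=v k="v v"' into a flat event dict."""
    ts, source, rest = line.split(" ", 2)
    fields = {k: v.strip('"') for k, v in KV.findall(rest)}
    return {"ts": ts, "source": source, **fields}

def enrich(event):
    """Attach every IoC that matches a field value or a mail address's domain."""
    hits = []
    for v in event.values():
        candidates = {v, v.split("@")[-1]}   # hr@examp1e-bank.de -> domain
        hits += [IOCS[c] for c in candidates if c in IOCS]
    return {**event, "iocs": hits}

def correlate(lines):
    """Group enriched events by user and return users whose IoC hits
    appear in more than one log source (e.g. mail + proxy + auth)."""
    by_user = defaultdict(list)
    for line in lines.strip().splitlines():
        ev = enrich(parse(line))
        if ev["iocs"]:
            by_user[ev["user"]].append(ev)
    return {u: evs for u, evs in by_user.items()
            if len({e["source"] for e in evs}) > 1}
```

In the sample data only alice is returned: her three events come from three different sources, while bob's activity matches no indicator at all.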

Another best practice for avoiding social engineering is to implement a zero-trust architecture, which limits users’ access to specific systems to specific tasks, and only for a specific period. When this period expires, the access authorization is revoked. This approach limits the damage a malicious actor can do, even if they manage to break into the system using stolen credentials.
