Social Engineering

Using this falsified trust relationship, the attacker coaxes targets to divulge sensitive data or perform an action they wouldn’t normally perform. Some leaked data, such as credentials, may be the end goal of the attacker. Other data, such as the name of a department manager, may be a means to an end.

The latter type of data may seem trivial, but that very fact is noteworthy for two reasons. First, because the information doesn’t seem important, targets are less likely to guard it closely. Thus, they’ll probably reveal it willingly without becoming suspicious. Second, social engineering is an iterative process. Every bit of information that an attacker gains is information that can be used to further strengthen the apparent legitimacy of the attacker’s pretext, which in turn instills greater confidence in targets, who are then more likely to divulge increasingly more sensitive information.

Social engineering may be considered a bold approach to hacking because it often requires attackers to make direct contact with their targets, either by telephone or in person. At the extreme end, an attacker will physically access areas intended to be restricted to the public, such as server rooms or vaults. These audacious social engineering tactics are often dramatized by Hollywood in heist films. And, just as in the movies, social engineering in the real world requires a great deal of research and planning, as well as elaborate pretexts.

As mentioned previously, social engineering is not always an end in itself but often a means to an end. Social engineering may be just one facet of a complex attack against a particularly robust system.

For example, suppose that through a technical exploit, an attacker has gained access to a user’s credentials. But imagine that the end goal of the attacker is to access a system that requires dual factor authentication provided by a keychain token that displays a different six digits every minute. Using social engineering and a convincing pretext, an attacker may be able to trick the user into divulging the multifactor information that allows access to the system.

Since attackers generally try to extract sensitive technical data, it is common for them to pose as IT or help desk personnel. Attackers research their targets using open source intelligence (OSINT), which aggregates public information from company websites, social networks, etc., to construct the pretext for their initial attack.

These are four popular social engineering attacks:

• Phone-based social engineering attacks: Attackers call targets and direct them toward phishing sites or ask them directly for sensitive data.
• In-person social engineering attacks: Attackers pose as maintenance workers, construction workers, or similar falsified roles to access restricted areas.
• Tailgating: Attackers pose as employees and follow authorized people through locked doors into restricted areas.
• Third-party social engineering attacks: Attackers pursue targets through a third party—i.e., outside the target organization. The goal is to compromise an individual’s phone or computer with malware, which will then be connected to the target organization’s network. The third party may be an online dating or social networking site.

The human component is often the weakest link in a system. Because social engineering attacks target people, they often completely bypass many technical security controls. In short, social engineering attacks often result in an attacker gaining access to a target organization and provide the attacker with the same access as a genuinely authorized organization member, such as an employee.

Essentially, this allows an attacker to act as a malicious insider to infiltrate multiple organization systems and exfiltrate sensitive data. Ultimately, social engineering could lead to complete organization compromise, meaning all organization data (emails, credentials, source code, client data, etc.) could be stolen by attackers.

Red team assessments: To minimize the damage of social engineering infiltration, many organizations perform red team assessments to identify areas that require improvement. A red team assessment mimics a true-to-life attack scenario that uses social engineering techniques. The value of a red team assessment is that upon its completion, the assessors can prescribe actions that will strengthen the organization’s overall security posture and are tailored to integrate with the organization’s business needs.

Awareness training: One of the best defenses against social engineering attacks is social engineering awareness training. Such training will make employees mindful of the risks and encourage skepticism of suspicious activity. The ultimate goal of such training is to instill a business culture that promotes secure thought and action. Examples include disallowing tailgating, confronting suspicious individuals, verifying the identity of unknown individuals before discussing any sensitive information, reporting suspect activity, etc.

Secure architecture: A secure system is built from the ground up and designed with the expectation that one or more components will become compromised at some point. Consequently, secure systems include fail-safes designed to mitigate the collateral damage of such failures automatically. Such design features can be applied to a system in retrospect after a secure design and architecture review.