September 6, 2018
Securing enterprise information is a difficult job – protecting systems, networks and endpoints from ever-evolving external and internal threats is a constantly moving target. Social engineering makes it a next-to-impossible feat as it sneaks under the radar and slowly spreads its tentacles.
It can be broadly classified as any attempt where the criminals don’t try to breach a network through system vulnerabilities, but by playing on human psychology and manipulating people into breaking normal security procedures or best practices. The attack makes people share sensitive information that is used to gain access to physical locations, systems or networks. An organization could have the best firewalls in place, the best cybersecurity systems and procedures implemented, and yet realize one fine morning that it has lost sensitive information to cybercriminals.
Unlike a general phishing attack with blind emails or calls to a few thousand, a social engineering attack is a very customized and targeted mode of gaining access that requires a lot of preparation but also has a much higher chance of success. The preparation involves finding very specific information on the target firm's organization chart, employees, and systems. It may be targeted at employees in the finance or accounts division, or, in general, employees with low-level access to the systems that can act as an entry point. The idea is to find a vulnerable person rather than a system vulnerability, and then to create fear, greed or curiosity to entice them into breaking a security protocol.
It normally starts with the attacker finding company information from online and offline sources to determine the people that would be the target. The Internet and social media have made it much easier to access the specific information needed to engineer this kind of attack. Organization charts are a good starting point for a non-physical approach. Social media like LinkedIn and Facebook are a mine of information. It is very easy to find a list of people working in a particular department of a company on LinkedIn, and then to track their behavior on Facebook to find gullible targets. The next step is to discover the contact information (email ID, phone number) of these people.
The targets are then manipulated into thinking that they are being approached by a trustworthy source and encouraged to reveal information by gaining their trust, creating a sense of fear, or a sense of urgency, so that they act before they can think it through.
Making people believe they have received an email from top management (e.g. the CEO), a co-worker, or a business associate by spoofing an email ID. Malware can be launched through embedded links or attached downloads, or the recipient could be asked to share sensitive information urgently. Imagine the scenario where you receive a mail from your CEO or a colleague asking for your input on an attached document. Your default reaction would be to download the document. Another situation could be getting an email from a regular supplier who has the required access to a particular section of the system, stating that he is not able to log in and needs to confirm the login details urgently to be able to deliver something on time. Again, the impulse would be to reply with the credentials, as he is supposed to have access anyway. Nobody wants to be the guy that delayed a delivery.
A person receiving a callback from tech support. The attacker calls a number of people within the organization, making it sound like a callback on a service request. Chances are that he will find someone who has either lodged such a request or is happy to use the opportunity to get a problem addressed. Once a person falls for the pretense, credentials can be sought, or malware can be remotely installed.
Receiving a call from the IT team informing the target that their computer or login credentials have been breached or that a policy has been violated. The target could then be either asked to share the login details for resetting purposes, or asked to install a file, run a command or change the password using a specific link, purportedly to ensure security, but which actually launches malware.
Call from the auditor or a law enforcement officer or some other authority with a right-to-know asking for sensitive information.
Using company lingo or the company's 'hold' music to mislead the recipient into thinking the call is from within the organization.
Leaving a USB with an enticing tag (payroll, appraisals, etc.) within company premises in a conspicuous manner (in the parking lot, elevator, or other shared facilities). The employee may either deposit it with the right authorities or plug it into their office or home systems. Either way, the embedded malware finds a way into the system.
Gaining access to a secure-access building by following someone in who has an authorized access card (tailgating). The impression created on the authorized person is that the attacker has legitimate access to the premises. The impersonator could achieve this by wearing a company T-shirt or uniform, or by having an ID card that looks similar to a genuine one.
Gaining access by infecting a specific group of websites an employee is known to trust. A related tactic is to send a link to a spoofed or similar sounding domain.
Posing as external support staff like fire safety marshals, technicians, or exterminators to evade suspicion while stealing information.
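The spoofed or similar-sounding domain tactic above is one that defenders can watch for directly, by checking new domain registrations against the company's own domain. The following is an added example, not code from the original article; the company domain, the registration feed and the homoglyph table are all constructed for illustration.

```python
# Added example: flag newly registered domains that look like the company's own.
# COMPANY_DOMAIN and NEW_REGISTRATIONS are constructed sample values.
COMPANY_DOMAIN = "examplecorp.com"
NEW_REGISTRATIONS = [
    "examplecorp.co",         # same label, different TLD
    "exarnplecorp.com",       # 'm' replaced by the look-alike 'rn'
    "examp1ecorp.com",        # 'l' replaced by '1'
    "exmaplecorp.com",        # two letters transposed
    "examplecorp-login.com",  # brand embedded in a longer label
    "unrelated-site.net",
]

def fold(label):
    """Collapse common visually confusable sequences before comparing labels."""
    return label.replace("rn", "m").replace("1", "l").replace("0", "o")

def osa_distance(a, b):
    """Optimal string alignment distance: edits plus adjacent transpositions."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = a[i - 1] != b[j - 1]
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def classify(candidate, company=COMPANY_DOMAIN):
    """Return why `candidate` resembles `company`, or None if it does not."""
    if candidate.lower() == company.lower():
        return None
    c_label, c_tld = candidate.lower().rsplit(".", 1)
    b_label, b_tld = company.lower().rsplit(".", 1)
    if c_label == b_label and c_tld != b_tld:
        return "tld-swap"
    if fold(c_label) == fold(b_label):
        return "homoglyph"
    if osa_distance(c_label, b_label) <= 1:
        return "edit-distance-1"
    if b_label in c_label:
        return "brand-embedded"
    return None

def find_lookalikes(feed=NEW_REGISTRATIONS, company=COMPANY_DOMAIN):
    """Alert list: (domain, reason) for every feed entry that resembles the company."""
    return [(d, classify(d, company)) for d in feed if classify(d, company)]
```

In practice the feed would come from a certificate-transparency or zone-file monitor, and each hit would feed the mail gateway's block list as well as an alert.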
Social engineering has a higher degree of complication and danger attached to it than other cybersecurity attacks. Here are some of the reasons:
The approach is made to look genuine at first glance. The source is supposed to be trustworthy. This makes the approach very difficult to evade unless the recipient is on guard all the time.
The approach could take place outside of the workplace, negating all control systems. For example, a physical approach to fish out information, made to look like a chance meeting in a bar, park, fitness center, etc.
Firewalls and other safety procedures are not effective as there is no breach of a software vulnerability that can be identified and plugged. Instead, mistakes are made by legitimate users, and the subsequent masqueraded entries into the system show up in the logs as genuine logins.
Once access is gained, the attack normally progresses as a slow-go attack, thus avoiding the normal alarm bells and alerts. The perpetrators sit around hiding in plain sight, evaluating internal weaknesses and access points over a period of time and slowly spreading their presence from one part of the system to the next, progressing to the sensitive parts, collecting and storing information within the system for that one big exfiltration, or exporting it slowly by masking it as normal traffic.
The attackers sometimes remove evidence of their presence as they move through the system, wiping all traces of malware from places they have been and already gleaned information from.
The attackers may leave a backdoor open for re-entry after exfiltrating data, enabling them to re-enter at will.
The attacker may try to gain access through an external entity that has access to limited parts of the system, like a business associate, its employees, or employees of a cloud service provider where the company’s data resides. As the target company would not have any control over the security practices of these entities, its vulnerability increases. The Target data breach is an example of this.
Social engineering, when combined with cross-platform attacks, can be especially lethal and difficult to prevent. If an employee falls prey to it on his home or personal device, which may not be as well-protected as the office computer, the malware can spread even to the better-protected office computer, and through that, to the entire network.
Standard anti-malware tools may not be effective, as these attacks use legitimate IT tools to further the attack.
Preventing a Social Engineering Attack
Given the sophistication of these attacks, it is extremely challenging to prevent or even identify an ongoing attack. As highlighted earlier, conventional prevention and identification systems may not be adequately effective. However, some techniques can be especially focused on preventing these attacks:
Regular training of employees should be conducted, sensitizing them to social engineering techniques. Red Team exercises are especially effective here. Including the employees of business associates in these training exercises can be considered.
Secure email and web gateways can be installed to filter out malicious links.
Emails originating from outside the corporate network should be identified and automatically marked as external.
Alerts should be set up for the registration of domain names similar to the company’s domain.
Networks should be segregated; access controls should be hardened to be completely need-based and should incorporate the zero-trust principle.
Second-factor authentication or multi-factor authentication should be used for sensitive systems and employees handling sensitive information.
The set of allowed protocols should be limited, and excessive privileges removed.
Access to systems should be monitored and profiled to identify abnormal activity.
Internal traffic should be monitored regularly for pattern identification and anomaly detection, to identify slow exfiltration of data. For example, if an authorized person is regularly noticed to be sending data out outside office hours, it should be flagged for further investigation. If the employee records disclose that, while the exfiltration was taking place from the office premises, the employee had already signed out of the office, it could be a case of slow data exfiltration using an authorized account. Information gathering should also be monitored and tracked.
User lists should be monitored regularly, and new additions, especially privileged ones such as administrator accounts and Active Directory accounts, flagged. A number of legitimate activities that are used in an unauthorized manner to enable these attacks can be identified by this monitoring, as Active Directory is used at multiple stages.
Signs of reconnaissance, especially excessive and abnormal Lightweight Directory Access Protocol (LDAP) queries, should be monitored. Reconnaissance through queries is essential to further these attacks as every network is structured differently. This behavior is very different from normal user behavior patterns and is easily identifiable.
Program whitelisting can be undertaken for single-purpose sensitive servers.
Timely endpoint patching should be undertaken.
Regular risk reviews should be conducted.
Authorized emergency procedures should be put in place to handle urgent executive requests. All employees having access to sensitive information should be well-versed with, and regularly updated on these procedures.
If such an attack is discovered, any backdoors left open should be scanned for, identified, and closed.
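The off-hours exfiltration check described above, where outbound transfers are cross-referenced with the employee's physical sign-out records, can be expressed as a small detection rule. This is an added example, not code from the original article; the transfer log, badge log, user names and the 07:00 to 19:00 working window are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, time

# Constructed sample logs (hypothetical users; not from any real system).
# Outbound transfers from on-premises hosts: timestamp, account, bytes sent externally.
TRANSFERS = [
    ("2018-09-03 10:15:00", "alice", 120_000),
    ("2018-09-03 22:40:00", "alice", 48_000_000),
    ("2018-09-04 23:05:00", "alice", 51_000_000),
    ("2018-09-04 18:30:00", "bob", 2_000_000),
    ("2018-09-04 21:10:00", "bob", 9_000_000),
]
# Physical access (badge) events: timestamp, account, direction.
BADGE = [
    ("2018-09-03 08:55:00", "alice", "in"),
    ("2018-09-03 17:30:00", "alice", "out"),
    ("2018-09-04 09:02:00", "alice", "in"),
    ("2018-09-04 17:45:00", "alice", "out"),
    ("2018-09-04 09:10:00", "bob", "in"),  # bob works late and has not badged out
]
WORK_START, WORK_END = time(7, 0), time(19, 0)  # assumed office hours

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")

def last_badge_state(user, at, badge=BADGE):
    """Most recent badge direction for `user` at or before `at`; None if no record."""
    events = sorted((parse(t), d) for t, u, d in badge if u == user and parse(t) <= at)
    return events[-1][1] if events else None

def assess_transfer(ts, user, badge=BADGE):
    """Reasons this transfer deserves review (empty list if none)."""
    at = parse(ts)
    reasons = []
    off_hours = not (WORK_START <= at.time() <= WORK_END)
    if off_hours:
        reasons.append("off-hours")
    # The article's key signal: the account is active on site while the
    # person who owns it has already signed out of the building.
    if off_hours and last_badge_state(user, at, badge) == "out":
        reasons.append("account-active-while-badged-out")
    return reasons

def review_queue(transfers=TRANSFERS, badge=BADGE):
    """Flagged transfers plus off-hours bytes per account, for trending slow exfiltration."""
    flagged, offhours_bytes = [], defaultdict(int)
    for ts, user, nbytes in transfers:
        reasons = assess_transfer(ts, user, badge)
        if reasons:
            flagged.append((ts, user, nbytes, reasons))
            offhours_bytes[user] += nbytes
    return flagged, dict(offhours_bytes)
```

The per-account byte totals are what make the slow case visible: no single transfer need be large, but the running off-hours total for an account whose owner is repeatedly absent keeps growing.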
While these attackers have to use considerable resources to put the logistics of the attack together, there are a plethora of websites and dedicated online forums that help non-sophisticated threat actors enhance their capabilities through ready-made software and the sharing of technical details. Protecting your organization from their nefarious activities would need pulling out all the stops and being active and focused, but in the end, it would be a worthwhile exercise. Just remember the Target incident.