Lillian Ablon is a cybersecurity researcher at RAND. Here, she explains the threat posed by social engineering, and the critical vulnerability posed by unwary individuals within an organization.
Some may not be familiar with the concept of social engineering. What is it and how does it relate to cybersecurity?
The human element is becoming increasingly prevalent in cyber and computer network operations—and is also the most unpredictable factor in cybersecurity. More people are connected to and interact with technology, whether they want to or not, and they aren't necessarily security-aware. This makes their digital world easier to target and access.
At its simplest, social engineering means getting someone to do something you want, or give you information you want, often without the person considering the negative consequences of the action. Since humans interact with computers—and since humans can be manipulated—they are often a company or organization's weak link. The website social-engineer.org defines “social engineering” as the act of influencing a person to accomplish goals that may not be in the person's best interest.
Social engineering is often the first step in malicious hacking. It often enables attackers to gain physical access to a target's devices and networks, and facilitates the gathering and harvesting of credentials (such as username/password combos) for follow-on network-based attacks (such as installing malware on the network or stealing intellectual property).
Social engineering and the human element are common ways to gain access to a network, database, or building. Major cyber incidents have occurred as the result of an attacker gaining initial access via social engineering, usually by convincing an insider to unwittingly download or install a piece of malware that opens up the target network to the attacker (e.g., the theft of RSA SecureID tokens in 2011, false reports on Twitter causing the Dow to drop in 2013, the massive breach of personal information of up to 110 million Target customers in 2013, and the email hack of Sony Pictures Entertainment in 2014).
A 2011 report by Check Point Software found that 48 percent of companies had confronted social engineering attacks. In 2013, a Verizon study reported that 29 percent of attacks could be linked to social engineering tactics. And a 2015 Symantec report said that five of every six large companies had been targeted by spear-phishing attacks in 2014. Attackers are shifting to methods that exploit human vulnerability, rather than relying on complex exploitation of software vulnerabilities.
What are the most common methods of approach for this kind of attack? How can hackers leverage open-source information to help them gain access to target networks?
A social engineering attack persuades the target to click on a link, open an attachment, install a program, or download a file. The link may redirect the target to a website that solicits personal information (that is then collected by the attacker) or has malware on it that then infects the target's computer. That malware might install a keylogger (a malicious program that records any keystroke, often to pilfer passwords), or some other program or code that enables the attacker to move from the target's computer to the target's network and others in the organization.
Attackers employ many tricks to try to get a human target to provide them with information or access. They appeal to ego (“Promotion details are in the attached”), financial need (“You've just won the jackpot, click here!”), curiosity (“How to lose 10 lbs. in 10 min!”), humanity (“Click this link to donate to victims of Hurricane Joaquin”), or job duties (“Please review my attached resume”) — all with the goal of getting the target to either click on a link that redirects the target to a malicious website or open an attachment that contains malware.
Phone elicitation and phishing are two of the biggest social engineering techniques that attackers use to infiltrate companies.
Phone calls—often called “vishing,” for “voice fishing”—sometimes require the malicious actor to adopt a persona to persuade the target to give up critical information. For example, a social engineer might pose as someone from the IT help desk who claims that the target's password needs to be reset.
Through phishing, a potential hacker tries to acquire such information as usernames, passwords, and financial or other sensitive information. Its name, of course, is a derivative of fishing, where some sort of bait is used to catch fish. In phishing, the bait is a persuasive email with a malicious attachment or link, and the fish (or phish) is the target. (Curious about the “ph” in “phishing”? It's a nod to the earliest hackers, who were known as “phreakers” for their exploration and hacking of phone systems).
Targeted phishing is known as spear phishing, where the “bait” is directed at a specific individual or company. Customizing the attack increases the probability that the victim will fall for the spear-phishing campaign.
In-person interactions are perhaps the most challenging to pull off, because they happen in real time, and the malicious actor needs to actually try to act out a scenario. The social engineer needs to dress the part (candidate running late for an interview, FedEx delivery man, cafeteria worker, fellow employee) and may require a badge to make it past building security.
To conduct a convincing social engineering campaign, significant homework must be done on the target. This often takes the form of gathering open-source information about the target in order to craft a legitimate-looking spear-phishing email, or a credible vishing call. The information-hunting can include scouring the Internet, for instance, or physically dumpster-diving for clues in the trash at the target's residence or company.
Social engineering via email or text (versus via voice or in-person) has a built-in big benefit. It is scalable: With the push of a button, a social engineer can attempt to attack many targets. Also, because the social engineer isn't communicating with the target in real time, the social engineer has time to change tactics or craft a new story if there is any pushback or suspicion from the target.
How have social engineering methods changed over time, and how do you anticipate they will change in the future?
In the early 2000s, phishing became popular, but the attempts were crude, rife with bad grammar and spelling, and tried to direct targets to obviously false websites. In the mid-2000s, phishing via text, known as SMiShing, started to appear, and by late in the decade, phishing attacks were commonplace. In 2010, sophisticated spear-phishing attempts started to appear, complete with believable presentation formats and malicious websites.
As social engineering attacks improved, so has the response of people and potential victims. Companies realized the need to teach employees what suspicious emails, phone calls, texts, and in-person interactions might look like.
How can organizations better protect themselves against social engineering attacks?
Attackers and defenders are constantly playing cat and mouse. Defenders try to stay ahead of attackers' methods, and attackers are always coming up with new ways to strike. This back and forth will only continue.
Humans will also continue to be the weak link. No matter how secure a network, device, system, or organization is from a technical point of view, humans can often be exploited, manipulated, and taken advantage of. However, people and businesses can take steps to better protect themselves against social engineering attacks.
No matter how secure a network, device, system, or organization is technically, humans can often be exploited, manipulated, and taken advantage of.
Individuals should be vigilant regarding emails, unsolicited phone calls, or in-person interactions that attempt to get people to reveal personal or sensitive information, or require going to an unfamiliar website or installing an unfamiliar program. Companies should regularly provide security-awareness training to employees. The training may include everything from yearly static PowerPoint presentations to regular interactive in-house phishing attempts.
To see where they are vulnerable and where to focus security efforts, organizations should undergo a penetration test (or “pen test”) of their networks and systems. The companies that conduct pen testing often also provide physical assessments to determine where the weak spots are in terms of building security so that social engineers don't physically make it through the door.
Finally, organizations should be ready to respond to a cyberattack, and have a remediation and resilience plan in place. No one should be blindsided. The accepted general wisdom is that it's a matter of when, not if, an attack will occur.
Lillian Ablon is a researcher who focuses on cybersecurity and emerging technologies at the nonprofit, nonpartisan RAND Corporation. She won a black badge at DEF CON 21 for placing first in the Social Engineering Competition.