Social Engineering – A Threat Vector
What is “social engineering?” A simple working definition that I like is, “to induce an individual to take an action in which they otherwise would not engage.” This begs a second question, “What does this have to do with business?” It means that employees of businesses, both large and small, may become targets of unscrupulous and malevolent entities interested in obtaining the information or assets belonging to the business. The individuals may wish to engage in criminal behavior and break into your business headquarters; may attempt to follow an employee through the side door, or perhaps speak to you on the telephone and ask you to share the phone number of an executive; provide your user id and password; reveal the physical whereabouts of a facility or executive.
In all cases two factors are always at play – compassion and urgency. The individual will attempt to trigger the target’s basic human trait to be helpful. The individual will also infuse a sense of urgency in their quest for information or specific action with the expectation that you won’t have sufficient time to verify their proffered bona fides.
So what happens before the phone rings or you’re faced with an unknown person either face-to-face, on the phone, in an instant message window, or via a Twitter/Facebook exchange?
Step 1: Targeting: Every employee of every company could become a target. Your self-analysis may lead you to believe the information you access would have little value to an outsider. Unfortunately, you don’t get to choose whether or not the information you access would be of interest to another, those conducting the targeting effort make their decisions on who is the most viable target based on the results of their own reconnaissance.
Step 2: Reconnaissance: What type of reconnaissance? Technical? Physical? Passive? Active? Technical reconnaissance could entail a remote scan of a corporate network with intent to learn about equipment type, utility, location, security status, etc., to determine if any technical avenues are viable means by which to attack the network. While physical reconnaissance may be as simple as watching the to and fro traffic through an intersection or entrance; or performing comprehensive physical surveillance of an individual to determine patterns, residence, business associates, etc. Similarly, social media network footprints of both individuals and businesses will and do provide a plethora of information with respect to an individual’s whereabouts, their patterns of movement, their schedule of activities, etc. The information we publically display, be it physical or virtual environments, is available for all to see and collect passively.
Passive collection by and large is known as “open source” collection, and allows for the acquisition of information that is made available for public consumption, either intentionally or unintentionally. Information that may intentionally be made public may be the business hours and address posted on your company’s website. Information that may be unintentionally made public could be a picture posted online that has all individuals tagged and the address of a family’s residence visible. Regardless of the environment, passive collection presents a lower level of the discovery that a reconnaissance is taking place than active collection does.
Active collection, as the name suggests, requires the collector to engage in an action. It may be walking up to a door and pulling on it to see if it is locked; or sending an email to see if it bounces; or physically conducting surveillance of an individual’s movements. Whenever active collection is taking place, the individual conducting the reconnaissance has increased the odds of being discovered by the targeted individual or entity.
Step 3: Analysis: The physical data is merged with the electronic data and the attacker begins to create a plan of attack, identify the resource required, and puts together the plan to separate you or your company from the information, goods, or services. In their review, they are attempting to design a plan to be executed that provides the avenue of highest potential success with minimal risk of discovery.
Step 4: Execution: In every instance the targeted individual is being touched, sometimes in a number of different manners.
- Technical – Some examples may include, a specific piece of software being created to take advantage of identified vulnerabilities in your network or device which the initial reconnaissance showed as susceptible. Technical means is used to induce an individual to click on a specific url or document provided in an email, or insert a device (e.g. a USB memory stick) into a machine.
- Personal – Some examples may include the individual being directly engaged, be it via social media network capabilities such as chat or IM. Perhaps the individual chats with you in the parking lot and follows you through the doors into the building. If you’ve placed your resume online, a pretext call as a potential recruiter could be a viable avenue to learn about the work you have been engaged in, are engaged in and may be engaged in – all data points of value to the miscreant.
For an example of a professionally executed social engineering attack which moved through the cycle of target, reconnaissance, analysis and execution read, “The Tale of the Targeted Trojan” (Chapter 1 in “Secrets Stolen, Fortunes Lost: Preventing Intellectual Property Theft and Economic Espionage in the 21st Century” by Christopher Burgess and Richard Power). The perpetrators created a small cottage industry of corporate/industrial espionage which used physical and technological surveillance and data accumulation, one-off-execution scenarios and successful collection of targeted data sets from the attacked companies.
I believe social engineering has and will continue to be a viable threat vector for both individuals and businesses. Why? The methodology produces the desired results for the miscreant – not only is it productive but it is also cost feasible! Can it be thwarted or stymied? Absolutely. Do realize you have little control over an entity which has crossed through the moral threshold of legality and engages in reconnaissance and analysis of you or your business with the intent on attacking you or your firm. You can however raise the bar on your person and/or business being an attractive target. This is accomplished through a comprehensive and continuous employee education and awareness program.
Employee Awareness: The first step requires that both individuals and colleagues understand and learn to recognize the signs of social engineering, accept the reality that it is occurring and that it will most likely continue to occur. Through the use of real-life experiences and scenarios, the best education and awareness programs can be created. If you don’t know if you or your firm is susceptible to a socially engineered attack, then I would recommend that a “penetration test” from a reputable pen-tester be conducted, to provide a realistic level of awareness. From this position of knowledge, effective training can evolve.
Training and Resources: At Cisco, we have evolved an internal security awareness regime. The social engineering threat is specifically called out as a viable threat vector. With respect to addressing telephone calls from an individual seeking information, the following guidance is provided:
To help keep your company safe from social engineering, Cisco publicizes these security tips for anyone receiving phone calls:
- Do not discuss or provide any company information until you confirm the caller’s identity as an employee by using the corporate directory.
- Ask the caller to provide a phone number that you can use to return his or her call. The caller should provide a company number (any number listed in the corporate directory). You can offer to send information to a highly-secure company voicemail or email account, or you can transfer the caller directly to the person requested without providing their contact details.
- Never provide employee, project, or company details to strangers or external email accounts.
- Take notes of a suspect caller, such as a particular accent, caller ID, date, time, and duration of call. File a report with security.
Please do visit the Cisco Security Education program for a comprehensive overview on how to create a program for you or your business. Continuous education and awareness are the key ingredients to turning back the social engineer.