Engineers at work: How to identify and prevent the most common social engineering techniques in use today
Whether we like it or not, humans are the weakest link in nearly every security chain. That’s because, unlike machines and security software, people are prone to lapses in judgement, poor decision making and a whole host of other impulses that can quickly compromise even the most secure systems and networks.
Of course, criminals are only too aware of this, which is why social engineering has become such a big area of interest for both sides of the cybersecurity divide. This article will delve into what social engineering is, discuss some of the most common techniques in use today, and highlight a few of the ways organisations of all sizes can identify, or even prevent an attack before it’s too late.
Understanding social engineering
Simply put, social engineering is an attempt by cyber attackers to deceive or manipulate victims into divulging sensitive information, ranging from personal data and credentials to corporate secrets and intellectual property. From a hacker’s perspective, why try to brute force a control when you can simply ask the administrator to hand over the keys? Through this method, social engineers bypass preventative controls and IT security by posing as someone who belongs to the company and persuading the victim to hand over the information or credentials they need to infiltrate a network. Ever stronger encryption is useless when the master key is handed to you on a plate.
Social engineering typically consists of three main stages. First is the research stage, during which attackers will perform surveillance of a victim, online and sometimes even in-person, in an attempt to gather as much information about them as possible. Next is the planning stage, where the information gathered is used to establish the most effective attack strategy to capitalise on vulnerabilities identified. Finally, the execution stage is where the attack itself is carried out, usually via email or another online channel.
In some forms of social engineering, attackers actively interact with their victims; in others, the kill chain is automated, typically activated by the user clicking on a link to visit a malicious website or execute malicious code.
Common techniques in use today
As you might expect, there’s a plethora of social engineering techniques out there, ranging from rudimentary to highly elaborate. According to the InfoSec Institute, the following are some of the most common techniques in use today:
1. Phishing
In a phishing attack, an attacker uses a message sent by email, social media, instant messaging clients or SMS to obtain sensitive information from a victim or trick them into clicking a link to a malicious website.
Phishing messages get a victim’s attention and call to action by arousing curiosity, asking for help, or pulling other emotional triggers. They often use logos, images or text styles to spoof an organisation’s identity, making it seem like the message originates from a work colleague, the victim’s bank, or other official channel. Most phishing messages use a sense of urgency, causing the victim to believe there will be negative consequences if they don’t surrender sensitive information quickly.
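The indicators described above (spoofed organisation identity, urgency language, links to malicious sites) and the threat-intelligence blocklist check mentioned later under endpoint tools can be expressed as simple message heuristics. The following is an added example, not code from the original article; the sample messages, brand list, blocklist and urgency word list are all constructed for illustration, and the "registered domain" helper is a deliberate simplification.

```python
"""Heuristic phishing indicators for an email message (added example, constructed data)."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample: display name claims to be a bank, but the sending domain,
# Reply-To address and link target all point elsewhere.
SAMPLE_EMAIL = """From: "Acme Bank Security" <alerts@acme-bank-verify.example>
Reply-To: recover@mailbox-reset.example
To: jane@corp.example
Subject: URGENT: your account will be suspended in 24 hours

Dear customer,

We detected unusual activity. You must verify your details immediately
or your account will be suspended: https://acme-bank-verify.example/login
Also see https://www.acme-bank.example/help for more information.
"""

# Constructed benign message for comparison.
CLEAN_EMAIL = """From: "Acme Bank" <noreply@acme-bank.example>
To: jane@corp.example
Subject: Your monthly statement is available

Your statement for last month is now available in online banking.
Visit https://www.acme-bank.example/statements to view it.
"""

# Constructed lookup tables standing in for a real brand list and a threat-intel feed.
KNOWN_BRANDS = {"acme bank": "acme-bank.example"}
URL_BLOCKLIST = {"acme-bank-verify.example"}
URGENCY_WORDS = ("urgent", "immediately", "suspended", "within 24 hours", "verify now")

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def registered_domain(host):
    """Crude 'registered domain': the last two labels. Real code would use a
    public-suffix list; this is enough for the constructed samples."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def phishing_indicators(raw):
    """Return a list of human-readable indicators found in the raw RFC 822 message."""
    msg = message_from_string(raw)
    indicators = []

    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.partition("@")[2].lower()
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply_addr.partition("@")[2].lower()
    body = msg.get_payload()

    # 1. Brand name in the display name, but the sender domain is not the brand's domain.
    for brand, brand_domain in KNOWN_BRANDS.items():
        if brand in display_name.lower() and registered_domain(from_domain) != brand_domain:
            indicators.append(f"display name claims '{brand}' but sender domain is {from_domain}")

    # 2. Replies routed to a different domain than the apparent sender.
    if reply_domain and reply_domain != from_domain:
        indicators.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    # 3. Urgency language in subject or body.
    text = (msg.get("Subject", "") + "\n" + body).lower()
    hits = [w for w in URGENCY_WORDS if w in text]
    if hits:
        indicators.append("urgency language: " + ", ".join(hits))

    # 4. Links whose domain appears on the blocklist.
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        if registered_domain(host) in URL_BLOCKLIST:
            indicators.append(f"link to blocklisted domain {host}")

    return indicators


if __name__ == "__main__":
    for name, raw in (("sample", SAMPLE_EMAIL), ("clean", CLEAN_EMAIL)):
        print(name, phishing_indicators(raw))
```

Each indicator on its own is weak (legitimate mail sometimes uses a separate Reply-To, and marketing mail is full of urgency words), so in practice these signals are combined with authentication results such as SPF and DKIM and with a reputation feed rather than used as a single verdict.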
2. Spear phishing
Spear phishing, also known as whaling, is a type of phishing attack that targets specific individuals with privileged access to systems or access to highly valuable sensitive information. For example, a whaling attack may be conducted against senior executives, wealthy individuals, or network administrators.
A spear phishing attack is more sophisticated than a regular phishing attack. Attackers conduct meticulous research to craft a message that will cause specific targets to respond and perform the desired action. Whaling emails often pretend to be a critical business email sent by a colleague, employee or manager of the target, requiring urgent intervention from the victim.
3. Watering hole
A watering hole attack involves launching or downloading malicious code from a legitimate website that’s commonly visited by the targets of the attack. For example, attackers might compromise a financial industry news site, knowing that individuals who work in finance, and thus represent an attractive target, are likely to visit it. The compromised site typically installs a backdoor trojan that allows the attacker to compromise and remotely control the victim’s device.
Watering hole attacks are usually performed by skilled attackers who have discovered a zero-day exploit. They might wait for months before performing the actual attack to preserve the value of the exploit they discovered. In some cases, watering hole attacks are launched directly against vulnerable software used by the target audience, rather than a website they visit.
How to identify and prevent social engineering attacks
While criminals will nearly always have the element of surprise when it comes to the timing and techniques used, that doesn’t mean organisations and/or individuals are powerless to prevent them. The following measures can go a long way towards helping identify, prevent and mitigate attacks before the perpetrators have the chance to do significant damage.
Regular security training
Sometimes the simplest solutions are also the most effective. Regular security training ensures security is always top of mind for everyone. Without it, employees may not be aware of the dangers of social engineering, or if they are, they may forget without periodic refreshers. For this reason, security training should be every organisation’s first line of defence.
Antivirus and endpoint security tools
Another effective measure is to install effective antivirus software, along with other endpoint security measures on all user devices attached to the network. Modern endpoint protection tools do a great job of identifying and blocking obvious phishing messages, or anything that links to malicious websites/IPs listed in threat intelligence databases. They are also effective at intercepting and blocking malicious processes as they are executed on a user’s device.
SIEM and UEBA
Unfortunately, even with the best security processes in place, it’s impossible to stop attacks from happening completely. As such, organisations should also make sure that if it comes to it, they have the ability to rapidly identify what’s going on and take the appropriate action.
Security Information and Event Management (SIEM) systems powered by User Event and Behaviour Analytics (UEBA) collate security events and logs from across an organisation and identify benchmarks for normal user behaviour. Then, should behaviour that deviates too far from these benchmarks be detected, an alert will be sent to the security team for immediate investigation. This could involve anything from a user clicking through to an unusual web destination, to a malicious process executing on a user’s device.
A SIEM system addresses the key processes of cybersecurity, establishing an all-in-one solution to detect advanced threats. Functions include automating log monitoring, correlating data, recognising patterns, alerting, and providing data for compliance and forensics. UEBA detects security incidents that traditional tools do not see because they do not conform to predefined correlation rules or attack patterns, or because they span multiple organisational systems and data sources. Together, SIEM and UEBA help to identify social engineering attacks as they happen and rapidly react to prevent major damage.
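To make the "benchmark normal behaviour, then alert on deviation" idea concrete, here is an added example that is not part of the original article and does not represent any vendor's product. It builds a per-user baseline from constructed login and web-proxy events (typical hours, countries seen, destinations visited), then scores new events and raises an alert when a weighted deviation score crosses a threshold. The event fields, weights and threshold are assumptions chosen for illustration.

```python
"""Toy UEBA-style baseline and anomaly scoring (added example, constructed data)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed baseline window: (user, hour_of_day, source country, destination domain)
BASELINE_EVENTS = [
    ("alice", 9, "GB", "mail.corp.example"),
    ("alice", 10, "GB", "wiki.corp.example"),
    ("alice", 11, "GB", "mail.corp.example"),
    ("alice", 14, "GB", "crm.corp.example"),
    ("alice", 16, "GB", "mail.corp.example"),
    ("bob", 8, "GB", "build.corp.example"),
    ("bob", 9, "DE", "build.corp.example"),
    ("bob", 12, "DE", "git.corp.example"),
    ("bob", 13, "GB", "git.corp.example"),
    ("bob", 17, "GB", "build.corp.example"),
]

# Constructed events to score against the baseline.
NEW_EVENTS = [
    ("alice", 10, "GB", "mail.corp.example"),        # within profile
    ("alice", 3, "RU", "acme-bank-verify.example"),  # odd hour, new country, new destination
    ("bob", 12, "DE", "git.corp.example"),           # within profile
    ("bob", 11, "GB", "sharepoint-login.example"),   # only a new destination
]

# Assumed weights and threshold; a real system tunes these per environment.
WEIGHT_HOUR, WEIGHT_COUNTRY, WEIGHT_DOMAIN = 2, 2, 1
ALERT_THRESHOLD = 3


def build_baseline(events):
    """Summarise each user's observed hours, countries and destinations."""
    by_user = defaultdict(lambda: {"hours": [], "countries": set(), "domains": set()})
    for user, hour, country, domain in events:
        p = by_user[user]
        p["hours"].append(hour)
        p["countries"].add(country)
        p["domains"].add(domain)
    return {
        user: {
            "hour_mean": mean(p["hours"]),
            "hour_sd": pstdev(p["hours"]),
            "countries": p["countries"],
            "domains": p["domains"],
        }
        for user, p in by_user.items()
    }


def score_event(baseline, event):
    """Return (score, reasons) for one event; higher means further from normal."""
    user, hour, country, domain = event
    profile = baseline.get(user)
    if profile is None:
        # An unknown account has no benchmark at all; treat as worth a look.
        return ALERT_THRESHOLD, ["no baseline for user"]
    score, reasons = 0, []
    sd = max(profile["hour_sd"], 1.0)  # floor so a user with fixed hours is not over-sensitive
    if abs(hour - profile["hour_mean"]) > 2 * sd:
        score += WEIGHT_HOUR
        reasons.append(f"hour {hour} outside usual window (mean {profile['hour_mean']:.1f})")
    if country not in profile["countries"]:
        score += WEIGHT_COUNTRY
        reasons.append(f"new source country {country}")
    if domain not in profile["domains"]:
        score += WEIGHT_DOMAIN
        reasons.append(f"new destination {domain}")
    return score, reasons


def alerts(baseline, events, threshold=ALERT_THRESHOLD):
    """Events whose deviation score reaches the threshold, as (user, score, reasons)."""
    out = []
    for ev in events:
        score, reasons = score_event(baseline, ev)
        if score >= threshold:
            out.append((ev[0], score, reasons))
    return out


if __name__ == "__main__":
    for user, score, reasons in alerts(build_baseline(BASELINE_EVENTS), NEW_EVENTS):
        print(f"ALERT user={user} score={score} reasons={reasons}")
```

Only the second Alice event fires: one new destination on its own (Bob's last event) stays below the threshold, which is the point of combining several weak signals instead of alerting on any single first-seen value.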
Social engineering poses a major threat to all of us, from individuals to multinational enterprises, and the more unaware/uneducated we are, the greater the threat becomes. Fortunately, the reverse is also true. By investing in regular training and the right technology solutions, much of the threat can be mitigated or even eliminated, sending criminals back to the drawing board and ensuring sensitive data remains secure.
Stephen Gailey
Stephen is an experienced Information Security Manager used to working in highly regulated environments, dealing with compliance and legislative challenges from multiple jurisdictions. Much of Stephen’s career has been spent in financial services; primarily investment banking but also in retail banking, telecoms, utilities and insurance business environments.
Stephen is currently Head of Solutions Architecture at the Smarter SIEM company, Exabeam. He joined Exabeam from Splunk, where he ran the Financial Services practice and the EMEA Security Practice. Prior to Splunk, Stephen spent seven years at Barclays where he was the Group Head of Information Security Services. At Barclays, his team built what was probably the largest SIEM in the commercial world and delivered some of the largest programmes around privilege access management and data governance and control, as well as many other projects. He was also instrumental in the rapid integration of Lehman Brothers and in helping the bank unify its security organisation across several distinct business units.
Stephen’s other key achievements include: creating and running the Deutsche Bank Global Internet Services team; helping Eircom to create a formalised IT governance structure based upon international standards and developing a major e-commerce and trading platform for Standard Bank Offshore.