When we think of a digital attack, I think many of us go straight to attack campaigns that involve exploiting application or operating system vulnerabilities. Not all attacks involve these, of course. There are plenty of attacks that solely leverage social engineering tactics to undermine our “human” defenses.
To protect against these types of attacks, it’s important to have a firm understanding of what social engineering is. I’ll use this post to define social engineering, and I’ll include several examples to illustrate how the true danger of social engineering lies in the difficulty of detecting it. I’ll then discuss how Network Detection and Response (NDR) is one of the keys to defending against these attacks.
A Breakdown of Social Engineering
Security awareness training provider KnowBe4 defines social engineering as the “art of manipulating, influencing, or deceiving you [the user] in order to gain control over your computer system”. In other words, social engineering attacks treat human beings as the initial entry point into an organization. Bad actors may still conduct recon to learn about the hardware, operating systems, and software installed on our networks, and they might still leverage known vulnerabilities affecting those assets to base their attacks on. But in social engineering attacks, these actions are contingent on fraudsters first tricking someone into doing something they shouldn’t.
A pretty broad definition, isn’t it? That’s not unintentional. In fact, social engineering attacks take on lots of forms and use various kinds of media to prey upon users. I’ve identified five of these common social engineering subcategories below and have provided an example for each.
Phishing is one of the most common types of social engineering attacks, and it’s one most of us are familiar with. We often see it being used by attackers who send out emails indiscriminately to try to trick recipients into visiting a phishing landing page. This page resembles the website or support panel of well-known, trusted organizations to convince victims into disclosing their authentication credentials. If they fall for the ruse and hand over their login credentials to digital criminals, they might not know anything happened, as many of these attacks simply redirect victims to the homepage of the legitimate service in order to convince them that nothing malicious happened. Victims just chalk up the redirection to the authentic login page as a bug or glitch and goes on with their day.
Digital fraudsters have singled out many firms in their efforts to conduct phishing attacks. In an attack documented by Naked Security, for instance, scammers sent out emails to Instagram users informing them that someone had attempted to access their accounts. The messages provided them with a useless verification code along with an embedded link leading to a fake Instagram login page that looked very close to the real thing.
Just as phishing is a subset of social engineering attacks, spear phishing is a subcategory of phishing. This technique differentiates itself from ordinary phishing attacks, however, in that it does not involve the use of “spray and pray” tactics to reach as wide of an audience as possible. Indeed, spear phishing requires additional effort on the part of an attacker to research their targets carefully so that they can craft a convincing email and compelling scenario to convince the victim to divulge credentials or install malicious software. Spear phishing is therefore a more focused means by which attackers can specifically target a limited number of users with more convincing lures.
As an example, PhishLabs outlined a spear phishing campaign whose attack emails used real contact details and employee information to impersonate a private equity firm and VC. The emails, which made their way to only a few employees, arrived with what appeared to be a signed nondisclosure agreement. However, that attachment redirected victims to a lookalike domain designed to steal users’ Office 365 credentials.
Another form of social engineering, pretexting, is not too dissimilar from phishing and spear phishing. Those who turn to this technique simply create a false scenario, or pretext, to trick someone into divulging personally identifiable information and other data from a target. To accomplish this goal, an attacker commonly impersonates another person or known individual to get what they want. They might even go so far as to create a new identity to achieve their malicious ends. Per Social Engineer, this process entails a great deal of research, with malicious actors commonly creating multiple pretexts/identities across their careers. One basic example is criminals calling someone posing as Apple or Microsoft technical support and saying that the victim’s machine has been infected by malware or has another security issue requiring the attacker’s intervention.
Bad actors use pretexting to go after a variety of employees. This being said, Verizon found in its 2019 Data Breach Investigations Report (DBIR) that digital criminals are increasingly going after C-level executives. Attackers usually stage these attacks by using fraudulent business emails to trick senior executives or their assistants, who might be in a rush and therefore might not be reviewing their emails carefully, to divulge passwords or click on a malicious link.
Sometimes, digital attackers don’t even need to directly communicate with their targets. This is where baiting comes in. For these attacks, bad actors simply attempt to exploit users’ curiosity so that they’ll unknowingly do something malicious.
Fraudsters resort to various means to bait users. In particular, bad actors have been known to leave infected USB drives in public places with the hope that someone will load these items on their computer. Often, they’ll have enticing labels on them such as “HR files”, “Payroll”, or “Salary Information”, expecting someone to let curiosity get the better of them. Amazingly, this tactic works more often than you’d think. Back in 2016, Researchers from Google, the University of Illinois Urbana-Champaign, and the University of Michigan found in a study that half of people who discovered unknown USB drives plugged them into their machines.
As baiting helps to illustrate, not all social engineering attacks involve the use of computer technology. Take vishing (“voicemail phishing”), for instance. The premise behind vishing is identical to phishing in that attackers want their targets to reveal personal, sensitive, or confidential information. But instead of relying on email to communicate with their targets, they make a phone call.
News of a high-profile vishing attack came to light in September 2019 when bad actors used voice-generating AI software to impersonate the voice of the boss of a German parent company. They then used this software to contact a UK-based energy subsidiary and trick its chief executive to quickly wiring funds to a Hungarian supplier. The company’s CEO heard nothing suspicious, according to The Next Web, so they wired approximately $243,000.
Why Social Engineering Attacks Are Dangerous
In the sub-categories discussed above, bad actors focus on people as the subject of social engineering attacks. This highlights how technology can only do so much to counteract human fallibility and curiosity. Social engineering attacks can look legitimate, meaning they can easily fool untrained employees. And once they have succeeded, these attacks are very hard to detect – bad actors use legitimate credentials to log into an asset. In some cases, attackers can even use these credentials to move to other parts of the network, something that an endpoint detection and response (EDR) tool or firewall can’t stop.
Acknowledging the reality of social engineering attacks, we have an obligation to instruct our employees to be on the lookout for social attacks. We should specifically use security awareness training to teach our workforce about the dangers of suspicious links and email attachments as well as the importance of regular patching schedules and updated antivirus software. Encouraging employees to trust, but verify requests by using a different channel to verify odd or out-of-the-ordinary instructions can go a long way to prevent incidents.
But our defensive strategy against social engineering can and should go beyond that, too. When awareness training fails and an attack is successful, the attack shows up on the network somewhere. At some point during the attack, the bad actor will do something that will raise a red flag when compared to normal network activity… we just need to be able to spot it.
While nothing can prevent criminals from logging in using stolen credentials, it is possible to use NDR to observe their activity when they inevitably do something that is unusual for the legitimate user. Ideally, we should use an NDR solution that leverages Network Traffic Analysis, Intrusion Detection and Prevention, Artifact Analysis and Global Threat Intelligence powered by Artificial Intelligence to provide high-fidelity context into the whole infection chain, including the compromise of an employee’s account by a social engineering attack and a bad actor’s subsequent movement across the network. Having a plan beyond just prevention, which includes detection controls, to deal with the inevitability of an incident due to a successful social engineering campaign is no longer just nice-to-have. Making sure you can detect something while it happens can go a long way towards responding quickly before an attacker can do significant damage to your organization.
Learn more about Lastline’s NDR platform and how it detects social engineering attacks.