It is easier for the thief if you open the door yourself
What is social engineering? In Sally, we use the following definition: “Social Engineering is the art of human manipulation used by malicious actors to exploit human vulnerabilities exposed on cyberspace to compromise systems, networks, critical or sensitive data/information of personal or enterprise nature.”
The next question that might be relevant to this article is: Why is social engineering important in Cybersecurity? An easy answer to this question is that most successful attacks start by exploiting human vulnerabilities; in other words, social engineering, in its many different forms, has become the most significant point of security failure for organisations. So let me explain this a little bit more.
For years, we have seen, and still see, a battle between cybersecurity teams and malicious actors. The battlefield has been the IT security perimeter, where both sides have developed very advanced technical skills and tactics for attack and defence. Both sides are technically well prepared, but we could say that bad actors have been leading the battle, and our cybersecurity teams have been working in the cyber trenches trying to resolve problems and build security walls around our data and technical assets to protect them as the attackers' skills developed.
The good news is that cybersecurity teams have done, and are doing, such a good protection job that they have forced, and are forcing, malicious actors to find new ways to perform attacks based not on technology but on humans: moving the battlefield from the IT security perimeter to the human security perimeter. As a result, today the cyber battle is a battle for the human security perimeter, making social engineering the single most important tactic cyber criminals use to compromise organisations. There are several reasons for this development:
- Once again, our cybersecurity teams make it more and more difficult for criminals to penetrate the technical walls created to protect and defend company assets, networks, systems, data etc.
- The digitalisation of our world makes digital exposure bigger and bigger. Think about your management team, employees, consultants, or partners.
- They are “professionally” exposed in places like LinkedIn, where hackers can find information about their contacts, professional likes, comments etc.
- But they are also exposed on “personal” Social Networks such as Facebook, Instagram, Twitter… And the information from those places might give a perfect hint to criminals to know what people like and dislike, whom they interact with, their hobbies etc.
- Combining the two points above, a criminal could build an excellent profile of a human asset, attack their human security perimeter and get access to data, systems etc.
- On top of this, organisations are exposed on the same Social Networks and sometimes at a higher level, like posting jobs with much information about the company, tools, goals, contacts etc.
- It is always easier to ask someone to open the door for you than to jump over high walls.
This is precisely what social engineering is about: using digital exposure to manipulate human assets into opening the organisation’s door to bad actors. And keep in mind that we all, or almost all, have a digital footprint we have created during our years on the internet. Sometimes it is things we would rather delete, sometimes just “innocent” data about how much we like things etc.
If we position all this within the attack process, we could say that social engineering covers two stages in that process:
– Reconnaissance stage: The step where criminals gather data about their targets using Intelligence methodology, finding and enriching the data by combining sources such as Open, Dark, Breach, etc.
- They will analyse the data to find the best targets and tactics to perform the social engineering attack.
– Penetration stage: Criminals decide the attack vector, tactics and techniques depending on the gathered data; extortion, sextortion, Business Email Compromise, spear phishing etc.
- They will try to get credentials or install info-stealers inside the organisation to compromise it, leaving open doors to control devices or human assets.
– In some cases, they will trade the information, selling access to big companies. In other cases, they will install ransomware and ask for the ransom, steal relevant and privileged data from the company or ask for money etc.
As has been said, the battlefield for this type of attack is the human security perimeter.
The tools used are based on Intelligence methodology rather than on technical skills. It is the art of manipulation, using the advantage of having plenty of data about the target. This means you have as many vulnerable human assets as you have employees in your company.
So how do we propose reducing the exposure risk to social engineering attacks in Sally? In the same way we do everything in Sally: using the Information Security Process and enriching it with Intelligence methodology, just as cybercriminals do:
– Make an inventory of your human assets. Categorise them in different risk levels depending on their access to sensitive data, the level of impact of their decisions and the access to systems etc.
– Look for human vulnerabilities following the level of risk. This can be done in a very accurate way:
- Use Human Intelligence to find vulnerabilities related to awareness, knowledge and personality.
- Use Open and Dark Source Intelligence to find out the digital footprint of the most critical assets to find their digital vulnerabilities.
- Use Open and Dark Intelligence to find out the critical exposure of company assets, such as info-stealers installed on company devices, employee credentials, data sold on black markets etc.
– Create a mitigation plan based on the following:
- Monitoring the Digital Footprint of Key Employees
- Monitoring critical exposure, as explained before
- Creating a dynamic, adapted cyber awareness and training plan for individuals and/or departments based on real facts about their real human vulnerabilities. The generic awareness plans need to be revised, as discussed in many places.
- Closing the phishing problem as much as possible, since phishing is the most significant way to deliver social engineering attacks. There are today excellent AI-based tools for it. You are welcome to come to us, and we will show you what we recommend and use, and the results.
– Follow up using KPIs that reflect reality and can help you improve your security process.
If you want our help to create a Social Engineering Security Program based on Intelligence facts, don’t hesitate to get in touch with us, and we will guide you and help you improve your breach-prevention security strategy.