Many of us remember our parents saying not to take candy from strangers. Today, we can apply a similar mindset to avoid social engineering.
Social engineering is the threat that keeps on coming back. Threat actors are learning to use even cybersecurity researchers’ best intentions against them. Let’s take a look at tactics threat actors use to target researchers and other experts. With social engineering getting inside people’s heads, how can you watch out for and prevent it?
What is Social Engineering?
Social engineering does something all other attempted technical attacks cannot: it gets into your head. It will attack the rational and irrational, the careful and the irresponsible, and on occasion, is still a success against the knowledgeable and paranoid.
What does social engineering mean in the context of cybersecurity? Most simply: it is the employment of deceptive tactics against a target in order to retrieve access to resources for some fraudulent or malicious purpose. Or, in simpler speak: a con artist trying to dupe you by preying on your emotions.
Social Engineering Always Evolves
Key to any successful social engineering attack is the need to exploit emotions. One recent social engineering example, identified by Google’s Threat Analysis Group, demonstrates that malicious actors are going to great lengths to pull off their latest con. This novel threat, announced in January 2021 after several months of work, targeted security researchers with tactics we’ll discuss below.
You would think security researchers would have enough knowledge — and perhaps even be paranoid enough — to avoid a sneak attack on them. But the malicious actors still go back to what they know: emotions. Let’s briefly examine this novel threat.
How to Target a Security Researcher
This threat against security researchers was novel in the sense of who it targeted but not necessarily how they were targeted. Using various social media and blog platforms, malicious actors made, controlled and updated their profiles and posts to make it seem like they were an honest and established member of the security research community.
So far, nothing terribly exciting, but this is where the hook comes in: the threat actors offered unwitting real researchers the opportunity to write ‘guest’ posts on these blogs. That right there is part of the emotional hook: people likely agreed to write a guest post for one or more of the following reasons:
- To contribute to the community
- They believed they were taking part in something real
- Or, they saw it as a means to promote themselves and become more credible within the industry
There is nothing wrong with any or all of these motivations. What is wrong is that the victims did not know they were walking into a trap.
The scheme to build credibility is worth reviewing. To pull off the con, you need to be able to build a relationship with the target. After all, this isn’t your basic phishing attempt. Once they established the relationship well, the threat actor would ask the targeted researcher to work together on a vulnerability research project together, through a Visual Studio project. That’s where the malware comes in, and there go the command and control domains into action.
Preventing Social Engineering Requires Understanding People
If you don’t know what MICE stands for, learn it and remember it:
These four motivators have been closely associated with insider threats for a long time, but you can apply them to social engineering as well. Assuming no malicious intent, let’s use the industry case as an example:
- Contribute to the community (ideology)
- Taking part in a real project (ideology and ego)
- Self-promotion and credibility (money and ego)
Therefore, to prevent attempts against your people, you not only have to ensure they have the tools (technical and non-technical) to spot attempted attacks, but you also have to dissuade behavior that could lead to MICE risks. Your people need to be able to recognize if an attacker is trying to exploit one of the four motivators.
The Future of Social Engineering
As mentioned, data is our most valuable currency today. And for some of us, personal and behavioral data is scattered across the internet. You may not realize it, but even simple and short social media posts reveal a lot about you: preferences, writing styles, habits and potentially a trove of metadata depending on the platform.
I call all these tidbits potentially unwanted leaks. When you collate all of them, however seemingly minor by themselves, when put together the final puzzle may give off more about you than you want the open internet to know.
The wildcard factor today and going forward is the power to collate, namely the use of big data and artificial intelligence (AI). Government-backed malicious actors and well-financed cyber criminals can build a profile of a target that is so accurate phishing attempts will look like dinosaurs. Spear-phishing will no longer be targeted to the person; rather, it will be micro-targeted to the behavior of the person if enough unwanted leaks are left behind.
And as AI becomes more common for commercial and even consumer use, pretexting — one of the most targeted forms of social engineering — will take on an entirely new dimension. The AI could soon perform so well based on your digital footprint that you may not even know you’re talking to a machine.
Test MICE Against Yourself
One way to keep a reality check on you is to use MICE against yourself. Any connection with strangers should be taken with caution, but do not lock yourself in a virtual bomb shelter cut off from the outside world either. Some of the best and most productive professional partnerships and projects you will come across will come out of the blue. But employ the ‘trust but verify’ model while you’re getting to know someone.
So if you get something unsolicited, perform a quick reality check in the following form, where “this” is the attempt to contact you:
- Is this an attempt to compensate me somehow? If it is, be careful: it may be too good to be true. Therefore, take time to do your homework before you take action.
- Is this lining up too nicely with what I believe in? If it does, you may have stumbled onto a like-minded individual, or you may have stumbled onto somebody who has learned you so well, that’s exactly what they want you to think. Be polite, feel it out, but proceed with extreme caution. Trusting relationships take time to build.
- Is this something that has even the smallest chance of coming back to bite me on the behind? Some bad things happen slowly, almost to the point of being unseen … and then they become very bad all at once. This is one of the most dangerous situations because you may not even realize what you have been hooked into until it’s too late. Your digital footprint matters: keep it clean.
- Is this sincere or is this an ego stroke? Ego strokes can be sincere, which makes this one difficult. Just like with attempts made to compromise you, feel this out and proceed with extreme caution.
As humans, if we really invest some time and dig into an issue, our instincts are not too bad. There is an element of gut feeling here, so if it feels wrong, it is almost certainly wrong. We can employ all the technical measures we innovate, but social engineering, however powerful it will become, can only be stopped one way. Don’t take the candy.
Avoiding Social Engineering in Cybersecurity
Two final points:
- Keep the potentially unwanted leaks to a minimum. It’s a judgment call based on your work life and personal habits, but long term, less is more. And remember, you are not the only person responsible for leaks on you. You need to be aware of what others know and say about you.
- Separate parts of your work and personal life from the wider internet. Certain things — like what security research projects you are working on, what your clearances or responsibilities are, or where you have recently traveled or eaten — just put these things in a little box and throw away the key. You don’t want to make yourself a target. Some things don’t need to be known; they are just for you and those who need to know.
If you want the candy, establish trust and build the relationship. If it’s real, the candy will still be there for you later.