Joe is speaking at the RSA Conference, April 16-20, 2018 in San Francisco. 

Social engineering is a growing epidemic that can be either an endgame in itself or a stepping stone toward bigger threats such as ransomware. This age-old tactic can be traced back to the Trojan Horse story featured in Virgil’s “Aeneid” and Homer’s “The Odyssey,” from which the malware variant gets its name.

As the legend goes, the Greeks built the horse as bait for the Trojans to claim as a trophy of victory. They left a single person behind to tell the Trojans that the horse was an offering to the goddess Athena to atone for the Greeks’ atrocities. The Greeks even acted as if they were sailing away to enhance the credibility of the pretext. After the Trojans accepted the massive wooden horse, 30 of the best Greek warriors exited its belly in the night and decimated the city.

Modern Social Engineering Tactics

Today, social engineering exists in a variety of forms, including phishing, spear phishing, vishing (voice phishing), pretexting (impersonation), whaling (phishing targeting the C-Suite), smishing (SMS phishing) and more. Of these threats, phishing and spear phishing seem to be the most common.

Think of the typical ebb and flow of emails: You might receive legitimate messages, sales pitches, spam and bald-faced phishing attempts throughout the course of a normal day. Run-of-the-mill phishing emails will likely wind up in your spam folder, but with a little open source intelligence (OSINT), an attacker can develop a pretext to appear at least quasi-legitimate.

Collecting OSINT

When I evaluate targets, I look at them holistically — both inside and outside of work. How can I build a rapport with them? What are they telling me via social media and what am I able to find outside of that context? Does a target post selfies and pictures of his or her workplace? Does he or she have to wear personal protective equipment (PPE)? Are there any pictures of the target with physical security controls, such as badges and passwords, in view?

The data points listed above are all examples of OSINT. Using the goals of the DEF CON Social Engineering Capture the Flag (SECTF) competition as a reference, other considerations include:

  • Trash company and dumpster locations;
  • Janitorial services;
  • Food services;
  • IT customers and vendors;
  • Technologies used, such as virtual private network (VPN), wireless and service set identifier (SSID), operating system (OS), browser and antivirus;
  • Work schedule;
  • Training patterns; and
  • Exterminators.

Knowing some of these “flags” could enable attackers to find exploits relative to technologies used in the target’s workplace. Threat actors could also develop a story around these details to build a rapport with the victim and either excavate more information or influence the target to do their malicious bidding. The career page of a company’s website is an excellent place to start. An attacker could discover what the organization is hiring for and sometimes even deduce specific software versions.

Baiting, Vishing and Phishing

Social engineering attacks can involve many types of threats, but for the sake of time and space, let’s focus on baiting, vishing and phishing.

Baiting is the simplest form: An attacker places the payload, which is typically malware or a reverse shell, on the target’s system via a USB drive or QR code specifically labeled to entice targets to download the malicious data. Common labels include:

  • Property of the CEO;
  • Bonuses;
  • Terminations;
  • Mergers and Acquisitions; and
  • W-2s.

Vishing takes a little more work. It is probably the most intense form of social engineering since the attacker must interact with the target in real time over the phone and improvise to keep the ruse going. A threat actor might pretend to conduct a survey as an excuse to ask intrusive questions. For these reasons, voice-based phishing generally requires more OSINT research than other schemes.

Finally, email phishing is the most common form of social engineering. An attacker simply sends an email in an attempt to influence the recipient to click a malicious link, download malware or enter personal information. I like to send emails from domains that are similar to standard email providers with trusted mail exchange (MX) records to direct my targets to another domain in a cloud instance. This technique is called domain squatting. I usually ask the target for his or her email address and password, and then prompt him or her for password reset questions.

Training and Phishing Awareness

To defend your organization against various types of phishing attacks, you should employ the same baseline training for all employees periodically — I recommend monthly or quarterly. This will keep security and social engineering at the forefront of their minds. Beyond general education, you should conduct role-based training for specific groups, including:

  • Senior management;
  • Sales;
  • Human resources;
  • Accounting;
  • Purchasing;
  • Customer support/help desk; and
  • IT.

It’s crucial to train employees from the top down. In my experience, C-level executives typically trust emails and phone calls they receive because they have presumably passed through numerous layers of security.

As part of awareness training, you should proactively run phishing simulations to test your employees. This will keep them on their toes and condition them to respond and report when they suspect a phishing attempt. You should also consider social engineering when formulating your incident response plan.

When reporting a phishing incident, employees should consider the following factors:

  • Who should they contact? This should be a specific person or group — not just the IT or security department.
  • How should they contact the relevant parties? When reporting email incidents, employees should not use email, for example.
  • What information should they provide?
  • What actions should they take regarding the affected computer or device (e.g., unplug the computer from the network, power or restart down the device, log off, hibernate, do nothing, etc.)?

Finally, you should employ a nonpunitive policy for phishing. We’ve all clicked a malicious link at some point in our careers, and the last thing you want is for people to avoid reporting suspicious activity for fear of being punished or terminated.

Social engineering dates back to ancient times and isn’t likely to slow down anytime soon. The best way to defend against phishing and other forms of social engineering is to spread awareness throughout the organization and train all users, from rank-and-file employees to the C-suite, to be wary of the wooden horses that roll through their networks.

Listen to the podcast to learn more: Social Engineering 101 — How to Hack a Human

More from Data Protection

Transitioning to Quantum-Safe Encryption

With their vast increase in computing power, quantum computers promise to revolutionize many fields. Artificial intelligence, medicine and space exploration all benefit from this technological leap — but that power is also a double-edged sword. The risk is that threat actors could abuse quantum computers to break the key cryptographic algorithms we depend upon for the safety of our digital world. This poses a threat to a wide range of critical areas. Fortunately, alternate cryptographic algorithms that are safe against…

How Do You Plan to Celebrate National Computer Security Day?

In October 2022, the world marked the 19th Cybersecurity Awareness Month. October might be over, but employers can still talk about awareness of digital threats. We all have another chance before then: National Computer Security Day. The History of National Computer Security Day The origins of National Computer Security Day trace back to 1988 and the Washington, D.C. chapter of the Association for Computing Machinery’s Special Interest Group on Security, Audit and Control. As noted by National Today, those in…

Resilient Companies Have a Disaster Recovery Plan

Historically, disaster recovery (DR) planning focused on protection against unlikely events such as fires, floods and natural disasters. Some companies mistakenly view DR as an insurance policy for which the likelihood of a claim is low. With the current financial and economic pressures, cutting or underfunding DR planning is a tempting prospect for many organizations. That impulse could be costly. Unfortunately, many companies have adopted newer technology delivery models without DR in mind, such as Cloud Infrastructure-as-a-Service (IaaS), Software-as-a-Service (SaaS)…

Millions Lost in Minutes — Mitigating Public-Facing Attacks

In recent years, many high-profile companies have suffered destructive cybersecurity breaches. These public-facing assaults cost organizations millions of dollars in minutes, from stock prices to media partnerships. Fast Company, Rockstar, Uber, Apple and more have all been victims of these costly and embarrassing attacks. The total average cost of a data breach has increased by 2.6% since 2021 and is now $4.35 million. Organizations that don't deploy zero trust security models also incur an average of $1 million more in…