Joe is speaking at the RSA Conference, April 16-20, 2018 in San Francisco. 

Social engineering is a growing epidemic that can be either an endgame in itself or a stepping stone toward bigger threats such as ransomware. This age-old tactic can be traced back to the Trojan Horse story featured in Virgil’s “Aeneid” and Homer’s “The Odyssey,” from which the malware variant gets its name.

As the legend goes, the Greeks built the horse as bait for the Trojans to claim as a trophy of victory. They left a single person behind to tell the Trojans that the horse was an offering to the goddess Athena to atone for the Greeks’ atrocities. The Greeks even acted as if they were sailing away to enhance the credibility of the pretext. After the Trojans accepted the massive wooden horse, 30 of the best Greek warriors exited its belly in the night and decimated the city.

Modern Social Engineering Tactics

Today, social engineering exists in a variety of forms, including phishing, spear phishing, vishing (voice phishing), pretexting (impersonation), whaling (phishing targeting the C-Suite), smishing (SMS phishing) and more. Of these threats, phishing and spear phishing seem to be the most common.

Think of the typical ebb and flow of emails: You might receive legitimate messages, sales pitches, spam and bald-faced phishing attempts throughout the course of a normal day. Run-of-the-mill phishing emails will likely wind up in your spam folder, but with a little open source intelligence (OSINT), an attacker can develop a pretext to appear at least quasi-legitimate.

Collecting OSINT

When I evaluate targets, I look at them holistically — both inside and outside of work. How can I build a rapport with them? What are they telling me via social media and what am I able to find outside of that context? Does a target post selfies and pictures of his or her workplace? Does he or she have to wear personal protective equipment (PPE)? Are there any pictures of the target with physical security controls, such as badges and passwords, in view?

The data points listed above are all examples of OSINT. Using the goals of the DEF CON Social Engineering Capture the Flag (SECTF) competition as a reference, other considerations include:

• Trash company and dumpster locations;
• Janitorial services;
• Food services;
• IT customers and vendors;
• Technologies used, such as virtual private network (VPN), wireless and service set identifier (SSID), operating system (OS), browser and antivirus;
• Work schedule;
• Training patterns; and
• Exterminators.

Knowing some of these “flags” could enable attackers to find exploits relative to technologies used in the target’s workplace. Threat actors could also develop a story around these details to build a rapport with the victim and either excavate more information or influence the target to do their malicious bidding. The career page of a company’s website is an excellent place to start. An attacker could discover what the organization is hiring for and sometimes even deduce specific software versions.

Baiting, Vishing and Phishing

Social engineering attacks can involve many types of threats, but for the sake of time and space, let’s focus on baiting, vishing and phishing.

Baiting is the simplest form: An attacker places the payload, which is typically malware or a reverse shell, on the target’s system via a USB drive or QR code specifically labeled to entice targets to download the malicious data. Common labels include:

• Property of the CEO;
• Bonuses;
• Terminations;
• Mergers and Acquisitions; and
• W-2s.

Vishing takes a little more work. It is probably the most intense form of social engineering since the attacker must interact with the target in real time over the phone and improvise to keep the ruse going. A threat actor might pretend to conduct a survey as an excuse to ask intrusive questions. For these reasons, voice-based phishing generally requires more OSINT research than other schemes.

Finally, email phishing is the most common form of social engineering. An attacker simply sends an email in an attempt to influence the recipient to click a malicious link, download malware or enter personal information. I like to send emails from domains that are similar to standard email providers with trusted mail exchange (MX) records to direct my targets to another domain in a cloud instance. This technique is called domain squatting. I usually ask the target for his or her email address and password, and then prompt him or her for password reset questions.

Training and Phishing Awareness

To defend your organization against various types of phishing attacks, you should employ the same baseline training for all employees periodically — I recommend monthly or quarterly. This will keep security and social engineering at the forefront of their minds. Beyond general education, you should conduct role-based training for specific groups, including:

• Senior management;
• Sales;
• Human resources;
• Accounting;
• Purchasing;
• Customer support/help desk; and
• IT.

It’s crucial to train employees from the top down. In my experience, C-level executives typically trust emails and phone calls they receive because they have presumably passed through numerous layers of security.

As part of awareness training, you should proactively run phishing simulations to test your employees. This will keep them on their toes and condition them to respond and report when they suspect a phishing attempt. You should also consider social engineering when formulating your incident response plan.

When reporting a phishing incident, employees should consider the following factors:

• Who should they contact? This should be a specific person or group — not just the IT or security department.
• How should they contact the relevant parties? When reporting email incidents, employees should not use email, for example.
• What information should they provide?
• What actions should they take regarding the affected computer or device (e.g., unplug the computer from the network, power or restart down the device, log off, hibernate, do nothing, etc.)?

Finally, you should employ a nonpunitive policy for phishing. We’ve all clicked a malicious link at some point in our careers, and the last thing you want is for people to avoid reporting suspicious activity for fear of being punished or terminated.

Social engineering dates back to ancient times and isn’t likely to slow down anytime soon. The best way to defend against phishing and other forms of social engineering is to spread awareness throughout the organization and train all users, from rank-and-file employees to the C-suite, to be wary of the wooden horses that roll through their networks.

Listen to the podcast to learn more: Social Engineering 101 — How to Hack a Human