Joe is speaking at the RSA Conference, April 16-20, 2018 in San Francisco. 

Social engineering is a growing epidemic that can be either an endgame in itself or a stepping stone toward bigger threats such as ransomware. This age-old tactic can be traced back to the Trojan Horse story featured in Virgil’s “Aeneid” and Homer’s “The Odyssey,” from which the malware variant gets its name.

As the legend goes, the Greeks built the horse as bait for the Trojans to claim as a trophy of victory. They left a single person behind to tell the Trojans that the horse was an offering to the goddess Athena to atone for the Greeks’ atrocities. The Greeks even acted as if they were sailing away to enhance the credibility of the pretext. After the Trojans accepted the massive wooden horse, 30 of the best Greek warriors exited its belly in the night and decimated the city.

Modern Social Engineering Tactics

Today, social engineering exists in a variety of forms, including phishing, spear phishing, vishing (voice phishing), pretexting (impersonation), whaling (phishing targeting the C-Suite), smishing (SMS phishing) and more. Of these threats, phishing and spear phishing seem to be the most common.

Think of the typical ebb and flow of emails: You might receive legitimate messages, sales pitches, spam and bald-faced phishing attempts throughout the course of a normal day. Run-of-the-mill phishing emails will likely wind up in your spam folder, but with a little open source intelligence (OSINT), an attacker can develop a pretext to appear at least quasi-legitimate.

Collecting OSINT

When I evaluate targets, I look at them holistically — both inside and outside of work. How can I build a rapport with them? What are they telling me via social media and what am I able to find outside of that context? Does a target post selfies and pictures of his or her workplace? Does he or she have to wear personal protective equipment (PPE)? Are there any pictures of the target with physical security controls, such as badges and passwords, in view?

The data points listed above are all examples of OSINT. Using the goals of the DEF CON Social Engineering Capture the Flag (SECTF) competition as a reference, other considerations include:

  • Trash company and dumpster locations;
  • Janitorial services;
  • Food services;
  • IT customers and vendors;
  • Technologies used, such as virtual private network (VPN), wireless and service set identifier (SSID), operating system (OS), browser and antivirus;
  • Work schedule;
  • Training patterns; and
  • Exterminators.

Knowing some of these “flags” could enable attackers to find exploits relative to technologies used in the target’s workplace. Threat actors could also develop a story around these details to build a rapport with the victim and either excavate more information or influence the target to do their malicious bidding. The career page of a company’s website is an excellent place to start. An attacker could discover what the organization is hiring for and sometimes even deduce specific software versions.

Baiting, Vishing and Phishing

Social engineering attacks can involve many types of threats, but for the sake of time and space, let’s focus on baiting, vishing and phishing.

Baiting is the simplest form: An attacker places the payload, which is typically malware or a reverse shell, on the target’s system via a USB drive or QR code specifically labeled to entice targets to download the malicious data. Common labels include:

  • Property of the CEO;
  • Bonuses;
  • Terminations;
  • Mergers and Acquisitions; and
  • W-2s.

Vishing takes a little more work. It is probably the most intense form of social engineering since the attacker must interact with the target in real time over the phone and improvise to keep the ruse going. A threat actor might pretend to conduct a survey as an excuse to ask intrusive questions. For these reasons, voice-based phishing generally requires more OSINT research than other schemes.

Finally, email phishing is the most common form of social engineering. An attacker simply sends an email in an attempt to influence the recipient to click a malicious link, download malware or enter personal information. I like to send emails from domains that are similar to standard email providers with trusted mail exchange (MX) records to direct my targets to another domain in a cloud instance. This technique is called domain squatting. I usually ask the target for his or her email address and password, and then prompt him or her for password reset questions.

Training and Phishing Awareness

To defend your organization against various types of phishing attacks, you should employ the same baseline training for all employees periodically — I recommend monthly or quarterly. This will keep security and social engineering at the forefront of their minds. Beyond general education, you should conduct role-based training for specific groups, including:

  • Senior management;
  • Sales;
  • Human resources;
  • Accounting;
  • Purchasing;
  • Customer support/help desk; and
  • IT.

It’s crucial to train employees from the top down. In my experience, C-level executives typically trust emails and phone calls they receive because they have presumably passed through numerous layers of security.

As part of awareness training, you should proactively run phishing simulations to test your employees. This will keep them on their toes and condition them to respond and report when they suspect a phishing attempt. You should also consider social engineering when formulating your incident response plan.

When reporting a phishing incident, employees should consider the following factors:

  • Who should they contact? This should be a specific person or group — not just the IT or security department.
  • How should they contact the relevant parties? When reporting email incidents, employees should not use email, for example.
  • What information should they provide?
  • What actions should they take regarding the affected computer or device (e.g., unplug the computer from the network, power down or restart the device, log off, hibernate, do nothing, etc.)?

Finally, you should employ a nonpunitive policy for phishing. We’ve all clicked a malicious link at some point in our careers, and the last thing you want is for people to avoid reporting suspicious activity for fear of being punished or terminated.

Social engineering dates back to ancient times and isn’t likely to slow down anytime soon. The best way to defend against phishing and other forms of social engineering is to spread awareness throughout the organization and train all users, from rank-and-file employees to the C-suite, to be wary of the wooden horses that roll through their networks.

Listen to the podcast to learn more: Social Engineering 101 — How to Hack a Human
