Dealing with the threat of social engineering [Q&A]
As technical defenses have improved, most cyberattacks now rely on some element of social engineering to exploit the weakest link: the human.
Phillip Wylie, hacker in residence at CyCognito, believes CISOs now need to take a step back and focus on the overall picture when it comes to security. This includes securing internal and external attack surfaces, and testing the security of these environments, as well as educating employees about the risks.
We spoke to him to discover more.
BN: Why are we seeing a rise in social engineering attacks?
PW: The simple answer is because social engineering works. The more complex answer is that as the profitability of ransomware and extortion crimes goes up, and the value of stolen user credentials, financial PII and sensitive IP also rises, attackers will try harder to breach all of the above any way they can.
Trends tied to better cybersecurity hygiene at many companies push attackers to end-run traditional cyber defenses. Better patching, reduced MTTR and hardened attack surfaces will push determined adversaries toward social-based attacks.
An attacker may pose as an employee, a customer or business partner. The objective is to trick users into giving away private information such as user credentials, network access or the CFO’s cell phone number to execute an attack or perform a social reconnaissance of sorts.
That said, many of the social engineering attacks we see today are simply a means to an end. That 'end' is convincing an employee to click or download a malicious file, so the attacker can plant malware on a targeted system or trick them into sharing private data.
The human element is usually the weakest link in a company’s IT stack. As odds of success in other types of attacks go down, social based attacks go up.
BN: What's fundamentally different about a social engineering attack compared to any other type of cyber threat?
PW: Social engineering focuses on humans as the threat vector. For hardware and software vulnerabilities there are software patches, firmware updates and ways to configure devices to make them less vulnerable to attack. That type of IT-related preventative security hardening doesn't correlate to the risks tied to employee fallibility.
Humans are the wildcard in your internal and external attack surface. Sure, there is employee training, zero-trust solutions, best practices and awareness around phishing and other types of socially engineered attacks. But, at the end of the day, if someone finds a USB drive in the parking lot and plugs it into their home laptop while connected to the company's VPN, there is simply no patch to prevent that risky behavior.
BN: We have a massive security stack, with virtually an acronym for every category. Is there something out there to prevent social engineering attacks?
PW: It is hard to eliminate social engineering threats. With other threat vectors there are technologies, processes and procedures that can be put in place to reduce those risks. Hardening your external attack surface is an imperative to ensure a social engineering attack that targets external facing assets will not succeed.
Implementing email software that protects against clicking on malicious links is table stakes. End user systems should be configured to use least privileged access. If an attacker gains access to a computer that has more access than needed, the attacker can do more and further their attack efforts.
Keeping systems up to date helps reduce vulnerabilities that could possibly be exploited by threat actors via a social-based attack. Zero trust technologies, which assume that every connection and endpoint is a threat, can also help.
So, it is really a layered approach you need to take.
The unfortunate reality is that the number of actual technology-based tools to fend off social engineering attacks is limited.
Mostly, reducing social-type risks requires security awareness that helps employees understand what social engineering is and gives examples of the ways it is leveraged to launch an attack. However, security awareness only goes so far. Humans are always going to make mistakes. Developing and training staff in best practices is a starting point.
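The answer above lists email software that protects users from clicking on malicious links as "table stakes". The following is an added example, not code from the interview or from any vendor's product, of the kind of check such software performs: it walks every link in an HTML message and compares the host the reader sees with the host the link actually goes to, and flags raw-IP targets, plain-HTTP links and untrusted hosts that borrow a trusted brand name. The brand domain `example-bank.com` and the sample email are constructed for the example.

```python
"""Flag suspicious links in an HTML email body.

Added example: a minimal version of the "don't let users click malicious
links" check. It is not the article's code and not a product. The trusted
brand domain and the sample message below are constructed assumptions.
"""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed legitimate domain of the organisation being impersonated.
TRUSTED_HOSTS = {"example-bank.com"}

# Constructed sample message: one good link, one lookalike, one raw-IP link.
SAMPLE_EMAIL = """<html><body>
<p>Your statement is ready.</p>
<p><a href="https://www.example-bank.com/statements">View statement</a></p>
<p>Please confirm your login at
<a href="http://example-bank.com.account-verify.net/login">https://example-bank.com/login</a></p>
<p><a href="https://203.0.113.7/x">Update your details</a></p>
</body></html>"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Lower-cased host of a URL ('' if none); bare 'host/path' is accepted."""
    url = url.strip()
    if "://" not in url:
        url = "https://" + url
    try:
        return (urlsplit(url).hostname or "").lower()
    except ValueError:
        return ""


def _is_trusted(host):
    return any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def analyze_links(html):
    """Return [(href, [reason, ...]), ...] for every link worth warning on."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        reasons = []
        target = _host(href)
        # Only compare when the visible text itself looks like a URL.
        shown = _host(text) if ("." in text and " " not in text) else ""
        if shown and shown != target:
            reasons.append(f"visible text shows {shown} but link goes to {target}")
        if _is_ip(target):
            reasons.append("link points at a raw IP address")
        if href.lower().startswith("http://"):
            reasons.append("link is plain HTTP")
        if target and not _is_trusted(target):
            for trusted in TRUSTED_HOSTS:
                brand = trusted.split(".")[0]
                if brand in target:
                    reasons.append(f"untrusted host {target} contains brand name {brand!r}")
        if reasons:
            findings.append((href, reasons))
    return findings


if __name__ == "__main__":
    for href, reasons in analyze_links(SAMPLE_EMAIL):
        print(href)
        for reason in reasons:
            print("  -", reason)
```

Real mail gateways add URL rewriting, reputation lookups and time-of-click re-evaluation on top of static checks like these; the point of the example is that the visible text and the real target of a link are two different things, and a user only ever sees one of them.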
BN: You're a professional pen tester. How can pen testing help prevent social engineering attacks?
PW: Pen testing is important because, as pen testers, we approach our security assessments similarly to how a malicious hacker would. This is the only way to detect all vulnerabilities and, most importantly, the exploitable ones, which is what any threat actor would use to try to breach an organization.
Pen testers often consider social engineering when building a company's cybersecurity-readiness assessment. Assessing the success rate of social-based phishing attacks, baiting attacks, scareware ploys, pretexting and spear phishing is an important attack surface metric for a pen tester to highlight.
BN: What steps should CISOs be taking now to prevent social engineering attacks?
PW: CISOs should use the above steps I mentioned and make sure their security teams work with employees to emphasize security awareness and education of the latest threats.
CISOs should also not punish people if they don't do well during social engineering and email phishing campaigns. Punishment deters employees from admitting that they fell prey to a phishing incident. Instead, security teams should reward employees for playing it safe and alerting them to suspicious activity.
Fostering a culture of security is vital within a company. Employees should never feel afraid to share if they made a mistake and clicked on something malicious.
It's also important to consider that social engineering attacks are a means to an end. That 'end' is often tied to real external and internal attack surface weak spots. Successful malicious ploys sent via messages (email, text or social media) and tactics such as watering-hole attacks depend on weak attack surface management to be successful.
Here is where basic cybersecurity blocking and tackling come into play. The pen testing process, which identifies the path of least resistance for a likely attacker, is one of the best ways to mitigate the risks associated with an employee who has already fallen victim to an attacker.
CISOs are well served to take a layered approach to fend off social engineering threats. The first step is a self-analysis to determine what their social engineering attack surface is. For example, a healthcare system will have an entirely different profile versus a government entity. That will drive what investment allocations they might want to make in solutions such as external attack surface management, Zero Trust and Domain-based Message Authentication, Reporting and Conformance (DMARC) technologies.
I would be remiss if I didn't also mention pen testing as one of the most effective approaches to prevent social engineering attacks. A pen tester's security assessment will let a CISO know how an adversary will likely try to infiltrate your organization. A pen tester can identify which system or employees you need to concentrate on protecting and inform you on what types of social engineering attacks you may be prone to.
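DMARC, named above as one of the investments a CISO can make, is a policy a domain owner publishes as a TXT record at `_dmarc.<domain>` telling receivers what to do with mail that fails SPF/DKIM alignment. A record can exist and still do nothing against spoofing. The following is an added example, not part of the interview or any product, that parses a record and grades it; the three records are constructed strings rather than live DNS lookups, and `example.com` is a placeholder domain.

```python
"""Grade a DMARC record for how well it stops spoofed mail from a domain.

Added example. DMARC (RFC 7489) is published as a TXT record at
_dmarc.<domain>; the records below are constructed strings, not DNS results.
"""

# Constructed records: monitor-only, partially enforced, fully enforced.
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
PARTIAL_RECORD = "v=DMARC1; p=quarantine; pct=25; sp=none"
STRONG_RECORD = ("v=DMARC1; p=reject; sp=reject; pct=100; "
                 "rua=mailto:dmarc@example.com; ruf=mailto:forensic@example.com")


def parse_dmarc(record):
    """Parse 'tag=value; tag=value' into a dict with lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def grade_dmarc(record):
    """Return {'policy', 'subdomain_policy', 'pct', 'findings'} for a record.

    record is the TXT string, or None when the domain publishes no DMARC record.
    """
    if record is None:
        return {"policy": "none", "subdomain_policy": "none", "pct": 0,
                "findings": ["no DMARC record: receivers apply no policy to spoofed mail"]}
    # RFC 7489 requires v=DMARC1 as the first tag and p= to be present.
    if not record.strip().lower().startswith("v=dmarc1"):
        return {"policy": "none", "subdomain_policy": "none", "pct": 0,
                "findings": ["record does not start with v=DMARC1; receivers ignore it"]}
    tags = parse_dmarc(record)
    if "p" not in tags:
        return {"policy": "none", "subdomain_policy": "none", "pct": 0,
                "findings": ["missing required p= tag; receivers ignore the record"]}

    findings = []
    policy = tags["p"].lower()
    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine sends spoofs to junk folders rather than rejecting them")

    pct = int(tags.get("pct", "100"))
    if policy != "none" and pct < 100:
        findings.append(f"pct={pct}: the policy is applied to only {pct}% of failing mail")

    # sp= defaults to the apex policy when absent.
    subdomain_policy = tags.get("sp", policy).lower()
    if policy != "none" and subdomain_policy == "none":
        findings.append("sp=none leaves subdomains spoofable while the apex is protected")

    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports of spoofing attempts are lost")

    return {"policy": policy, "subdomain_policy": subdomain_policy,
            "pct": pct, "findings": findings}


def blocks_spoofing(record):
    """True only when spoofs of the apex and its subdomains are rejected outright."""
    g = grade_dmarc(record)
    return g["policy"] == "reject" and g["subdomain_policy"] == "reject" and g["pct"] == 100


if __name__ == "__main__":
    for name, rec in [("weak", WEAK_RECORD), ("partial", PARTIAL_RECORD),
                      ("strong", STRONG_RECORD), ("missing", None)]:
        g = grade_dmarc(rec)
        print(f"{name}: p={g['policy']} blocks spoofing={blocks_spoofing(rec)}")
        for f in g["findings"]:
            print("  -", f)
```

The usual rollout is the weak record first (p=none with rua= to learn which legitimate senders fail alignment), then quarantine, then reject with sp=reject; a domain that stops at p=none has reporting but no protection against the spoofed-sender phishing the interview describes.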