What, Why, & How - Anatomy of Social Engineering & Phishing
Updated: 5 hours ago
We all hear security terms tossed about; some we know well and some we may not. Let us start with a brief introduction: what exactly is Social Engineering (SE)?
Oxford Dictionaries defines it as follows:
noun: social engineering
the use of centralized planning in an attempt to manage social change and regulate the future development and behavior of a society
(in the context of information security) the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes.
The second definition is the one that matters here: the use of deception to manipulate people. Social engineering is the broad category that encompasses phishing and its variants, such as vishing (voice) and smishing (SMS). Essentially, social engineering is the set of tactics, techniques, and procedures (TTPs) used to attack the human element rather than the technology.
After all this time and all the training, why do people still fall victim to social engineering at such a high rate? Social engineering is hard to resist when executed by even a reasonably skilled threat actor, and people are, by nature, trusting and inclined to expect the best.
People who do not make security an absolute focus in their lives stand little chance against a trained attacker who practices it day in and day out. We would not expect an average civilian to take on Mike Tyson in a boxing match, so why do we expect average employees to take on organized crime groups and nation-state actors?
Gone are the days when poorly worded emails were the mainstay of these attacks; attackers are becoming far more sophisticated. Add busy, distracted users and you have every ingredient needed to make social engineering a weapon of choice in today's ever-expanding cyber landscape.
Now, let us look at the evolution of some of these techniques and what makes them so effective.
Phishing is the attempt to trick people into doing something, most often handing over a password, via email. It is extremely effective and very low risk for the attacker. Phishing can be part of a sustained campaign or a one-off, and it can target a person, a group, or an entire organization. The options and the timing are all on the attacker's side.
Below is a phishing template that I have used in the past to great effect. Granted, I was operating in a legal capacity with an authorization letter, but many real-world attackers use templates like this to harvest credentials. Users willingly and dutifully type in their domain credentials. The template is not very sophisticated, but it does not have to be. Many people I asked after the fact simply said they were not thinking straight, or they panicked.
The image to the right is an excerpt from a real-life scenario in which I posed as a core application vendor for a banking institution and walked a new user through the setup process for their new account.
The user happily provided me with their domain account information, including their password. The user had no idea they were even doing it; they just wanted to make sure their new account worked.
Vishing (voice phishing) applies the same deception over a phone call. One scenario targets PBX voicemail credentials: with more employees working from home, reset credentials for applications such as VPNs are frequently left as voicemails, and an attacker who has vished the voicemail PIN can scoop them up.
REMOVE THE PASSWORD!
We have an idea of the problem, but how do we fix it? Take the human out of the equation to the greatest degree possible, and eliminate arguably one of the most valuable and impactful targets: passwords.
Removing the password removes the user's ability to divulge a secret, because the user no longer knows one. Replacing the password with a certificate-based credential, whose private key stays on the device and is never typed, is the core of removing humans from the equation. But why not go a step further with very little additional effort or overhead?
Biometrics are readily available on most of the world's smartphones, tablets, and laptops. A device can be left unlocked and unattended, which could let someone other than its owner use the accounts on it. That is why biometric verification is essential to eliminating that remaining degree of uncertainty: the biometric check, performed locally on the device, ties the person to the certificate's private key, and the certificate then attests the user's identity to the service.
There is one more step that closes off impersonation and man-in-the-middle spoofing of the login itself. This is Full-Duplex Authentication®, in which the authenticating service first authenticates to the client authenticator. Only if the service proves it is the legitimate one does the client authenticator present the certificate. A look-alike phishing site cannot pass that check, so it is never shown a credential it could relay.
None of this adds any burden on the user: they simply tap a confirmation and perform the natural biometric gesture the device already supports. Combining full-duplex, certificate-based authentication with biometrics gives near-certainty on both sides that each party is who it claims to be. An attacker using social engineering can no longer harvest a credential at the login step, because the user has nothing to type and the authenticator will not respond to an impostor. The result is simple, secure, password-free authentication that everyone can perform. What it secures is the authentication step; a user can still be talked into approving a login prompt they did not initiate, or into taking a harmful action inside a session that is already authenticated, so those cases still need their own controls.
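The exchange described above, as an added example that is not the page's or any vendor's code. It assumes a concrete mechanism the page does not name: the service proves itself by signing the authenticator's nonce with a key the authenticator pinned for that origin at enrollment; the user's certificate is represented by a device-bound Ed25519 key; and the biometric check is modelled as a boolean the authenticator requires before it signs anything. The origin the authenticator actually sees is bound into every signature, which is what stops a look-alike site from simply relaying the real service's answer. Origins, the user name and all keys are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Service is the relying party. Assumption (the page names no mechanism): it
// proves itself by signing the authenticator's nonce with a key that the
// authenticator pinned for this origin at enrollment.
type Service struct {
	Origin   string
	priv     ed25519.PrivateKey
	Pub      ed25519.PublicKey
	enrolled map[string]ed25519.PublicKey // user -> enrolled public key
}

// Authenticator holds the user's device-bound key (the "certificate") and the
// pinned service keys. The user never sees priv, so there is nothing to divulge.
type Authenticator struct {
	User    string
	priv    ed25519.PrivateKey
	Pub     ed25519.PublicKey
	trusted map[string]ed25519.PublicKey // origin -> pinned service key
}

// Challenge is the service's reply to the client's nonce (step 2 of the exchange).
type Challenge struct {
	ServiceNonce []byte
	Sig          []byte // over transcript(origin, clientNonce, ServiceNonce)
}

func newKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

func nonce() []byte {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// transcript binds both nonces to an origin, so a signature from the real service
// only verifies for the origin the authenticator is really talking to.
func transcript(origin string, clientNonce, serviceNonce []byte) []byte {
	return bytes.Join([][]byte{[]byte(origin), clientNonce, serviceNonce}, []byte{0})
}

func NewService(origin string) *Service {
	pub, priv := newKey()
	return &Service{Origin: origin, priv: priv, Pub: pub, enrolled: map[string]ed25519.PublicKey{}}
}

func NewAuthenticator(user string) *Authenticator {
	pub, priv := newKey()
	return &Authenticator{User: user, priv: priv, Pub: pub, trusted: map[string]ed25519.PublicKey{}}
}

// Enroll is the one-time exchange of public keys over a trusted channel.
func Enroll(s *Service, a *Authenticator) {
	s.enrolled[a.User] = a.Pub
	a.trusted[s.Origin] = s.Pub
}

// Respond: the service authenticates itself first by signing the client's nonce.
func (s *Service) Respond(clientNonce []byte) Challenge {
	sn := nonce()
	return Challenge{ServiceNonce: sn, Sig: ed25519.Sign(s.priv, transcript(s.Origin, clientNonce, sn))}
}

// Assert: verify the service for the origin actually seen, require the biometric
// gate, and only then sign. On any failure no credential leaves the device.
func (a *Authenticator) Assert(seenOrigin string, clientNonce []byte, ch Challenge, userVerified bool) ([]byte, error) {
	pinned, ok := a.trusted[seenOrigin]
	if !ok {
		return nil, errors.New("untrusted service: no pinned key for " + seenOrigin)
	}
	if !ed25519.Verify(pinned, transcript(seenOrigin, clientNonce, ch.ServiceNonce), ch.Sig) {
		return nil, errors.New("service failed to authenticate as " + seenOrigin)
	}
	if !userVerified {
		return nil, errors.New("biometric verification not performed")
	}
	return ed25519.Sign(a.priv, transcript(seenOrigin, clientNonce, ch.ServiceNonce)), nil
}

// Verify: the service checks the assertion against the user's enrolled key.
func (s *Service) Verify(user string, clientNonce, serviceNonce, assertion []byte) bool {
	pub, ok := s.enrolled[user]
	return ok && ed25519.Verify(pub, transcript(s.Origin, clientNonce, serviceNonce), assertion)
}

// Login runs the full exchange. seenOrigin is the site the authenticator believes it
// is talking to; backend is whoever actually answers (a phishing site that relays
// to the real service passes the real service here).
func Login(a *Authenticator, backend *Service, seenOrigin string, userVerified bool) error {
	cn := nonce()
	ch := backend.Respond(cn)
	assertion, err := a.Assert(seenOrigin, cn, ch, userVerified)
	if err != nil {
		return err
	}
	if !backend.Verify(a.User, cn, ch.ServiceNonce, assertion) {
		return errors.New("service rejected assertion")
	}
	return nil
}

func main() {
	bank := NewService("login.example-bank.com") // constructed sample origin
	alice := NewAuthenticator("alice")
	Enroll(bank, alice)
	fmt.Println("legitimate login:", Login(alice, bank, bank.Origin, true))
	fmt.Println("look-alike site relaying to the real bank:", Login(alice, bank, "login.examp1e-bank.com", true))
	fmt.Println("impostor on the real origin with its own key:", Login(alice, NewService(bank.Origin), bank.Origin, true))
	fmt.Println("unlocked, unattended device, no biometric:", Login(alice, bank, bank.Origin, false))
}
```

Only the first call succeeds. The relay case fails before the user is even asked to confirm, because the authenticator has no pinned key for the look-alike origin; the impostor fails because its signature does not verify under the pinned key; and the unattended-device case fails at the biometric gate. In every failure the device signs nothing, so there is no assertion for an attacker to replay.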