Social Engineering

Social Engineering #

Human side of cybersecurity

Social Engineering #

  • Phishing often precedes password attacks.
  • Uses the “human threat vector”
  • Goal: influence the target(s) to take actions they otherwise would not
  • Key principles of success:
    • Authority - Give the impression of having authority; most people obey someone who seems to be in charge or knowledgeable, regardless of whether they actually are.
    • Intimidation - Scare or threaten the target so that they take the action the attacker wants.
    • Consensus (aka social proof) - People tend to do what many others have already done: “everyone here has done this except you”.
    • Scarcity - Make something appear limited, and therefore more desirable, to the target.
    • Familiarity - Make the target like the attacker, or the organization the attacker claims to represent.
    • Trust - Similar to familiarity; the attacker builds a relationship with the target and then uses it to make them act.
    • Urgency - Create a sense of urgency so the target has no chance to evaluate the situation.
  • Often a combination of principles is used.
  • Understand the target: how humans react and how stress reactions can be leveraged to meet a goal.

Social Engineering Techniques #

Phishing #

Fraudulent acquisition of information

  • Spear phishing - targeting a specific individual or group
  • Whaling - aimed at senior people (CEO, CTO, …)
  • Defenses: Awareness training

Vishing #

  • Vishing - Phishing via phone call
    • Often based on urgency, trust and authority

Smishing #

Phishing via SMS/IM

  • Often based on urgency, trust and authority
  • Often tricks the target into clicking a link and entering credentials or sensitive information

Misinformation & Disinformation #

Online influence campaigns

  • Social media, email, online mediums
  • Types (MDM):
    • Misinformation - Not true, without malicious intent (“I believe it’s true, but it is wrong”)
    • Disinformation - Not true, with malicious intent
    • Malinformation - Based on reality, but with context consciously removed and exaggeration used, with malicious intent
  • CISA recommends the “TRUST” process to counter mis/disinformation:
    • Tell your story
    • Ready your team
    • Understand and assess MDM
    • Strategize response
    • Track outcomes
    • Defense: assess the information environment, identify vulnerabilities, communicate proactively, develop an incident response plan.

Impersonation #

Attacker pretends to be someone else

  • Might use identity guard

Business Email Compromise (BEC) #

  • AKA Email Account Compromise (EAC)
  • Defenses: Awareness and MFA
  • Methods
    • Using compromised accounts
    • Sending spoofed emails
    • Using fake but similar-looking (lookalike) domains
    • Using malware or other tools

Pretexting #

Using a made-up scenario to explain why the attacker is approaching the target

  • Often used to make impersonation more believable
  • Defenses: Be critical, and make a verification call

Watering Hole Attacks #

Uses websites that the target visits frequently

  • Attackers can stage an attack knowing the target will visit the site, by compromising the site itself or by delivering malware through advertising networks.

Brand Impersonation/spoofing #

Also a phishing attack

  • Sends email as if it came from the brand
  • Often intended to get the target to follow a link and log in

Typosquatting #

Hosts a copied or compromised site at a URL containing a common typo of the legitimate one

  • Pharming - Changing the victim’s hosts file to achieve a similar effect
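As an added example (not part of these notes), a small defensive check a mail filter could run to flag sender domains that are typosquats or homoglyph variants of domains you own; it covers the lookalike-domain method listed under BEC as well. PROTECTED_DOMAINS, the HOMOGLYPHS table and the sample From: headers are constructed assumptions.

```python
import re

# Added example, not from the original notes; the protected list is an assumption.
PROTECTED_DOMAINS = ["example.com", "examplebank.com"]
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}  # illustrative


def fold_homoglyphs(name: str) -> str:
    """Map visually similar sequences to the plain letter so 'examp1e' reads 'example'."""
    name = name.lower()
    for fake, real in HOMOGLYPHS.items():
        name = name.replace(fake, real)
    return name


def osa_distance(a: str, b: str) -> int:
    """Edit distance where swapping two adjacent letters (exmaple) counts as one edit."""
    d = [[max(i, j) if 0 in (i, j) else 0 for j in range(len(b) + 1)] for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = int(a[i - 1] != b[j - 1])
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]


def classify_domain(domain: str, max_distance: int = 1) -> str:
    """Return 'trusted', 'lookalike' or 'unrelated' for a sender's domain."""
    domain = domain.lower().strip(".")
    if any(domain == b or domain.endswith("." + b) for b in PROTECTED_DOMAINS):
        return "trusted"  # the real domain or one of its own subdomains
    folded = fold_homoglyphs(domain)
    for brand in map(fold_homoglyphs, PROTECTED_DOMAINS):
        # Brand embedded in a foreign domain (example.com.evil.net) or within one edit of it.
        if brand in folded or osa_distance(folded, brand) <= max_distance:
            return "lookalike"
    return "unrelated"


def lookalike_senders(from_headers):
    """Return the sender domains in the given From: values that impersonate a brand."""
    hits = []
    for header in from_headers:
        match = re.search(r"@([A-Za-z0-9.-]+)", header)
        if match and classify_domain(match.group(1)) == "lookalike":
            hits.append(match.group(1).lower())
    return hits


SAMPLE_FROM = ["Alice <alice@example.com>", "IT Helpdesk <helpdesk@examp1e.com>",  # constructed
               "CEO <ceo@example.com.evil.net>", "News <news@github.com>"]
```

This only catches lookalike domains; a message whose From: is the genuine domain but was spoofed (the BEC "spoofed emails" method) has to be caught by sender authentication such as SPF, DKIM and DMARC instead.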