Social Engineering

Social Engineering #

  • Human side of cybersecurity

Social Engineering #

  • Phishing often precedes password attacks.
  • Uses the “human threat vector”
  • Goal: Influence target(s) to take actions that they would not otherwise take
  • Key principles of success:
    • Authority - Give the impression that you have authority; most people obey someone who seems in charge or knowledgeable, regardless of whether they really are.
    • Intimidation - Scare or threaten the target so that they take the action the attacker wants.
    • Consensus - (aka Social Proof) people tend to do what others (many people) have already done: “everyone in here did this except for you”
    • Scarcity - Make something look more desirable to the target by making it seem limited
    • Familiarity - Making the target like the attacker or the organization that the attacker claims to represent
    • Trust - Similar to familiarity; here the attacker builds a connection with the target to get them to do things.
    • Urgency - Create a sense of urgency to take away the target's chance to evaluate the situation
  • Often a combination of principles is used.
  • Understand the target, how humans react, and how stress reactions can be leveraged to meet a goal.

Social Engineering Techniques #

  • Phishing - Fraudulent acquisition of information
    • Spear phishing - targeting a specific individual/group
    • Whaling - aimed at senior people (CEO, CTO, …)
    • Defenses: Awareness training
  • Vishing - Phishing via phone call
    • Often based on urgency/trust and authority
  • Smishing - Phishing via SMS/IM
    • Often based on urgency/trust and authority
    • Often tricks someone into clicking a link to enter credentials or sensitive information
  • Misinformation & Disinformation - Online influencer campaigns
    • Social media, email, online mediums
    • Types (MDM)

      Misinformation - Not true, without malicious intent #

      • I believe it’s true, but it’s wrong

      Disinformation - Not true, with malicious intent #

      Malinformation - based on reality, but with context consciously removed and exaggeration used, with malicious intent #

    • CISA recommends the “TRUST” process to counter mis/disinformation

      Tell your story #

      Ready your team #

      Understand and assess MDM. #

      Strategize response. #

      Track outcomes. #

      • Defense: assess the information environment, identify vulnerabilities, communicate proactively, develop an incident response plan.
  • Impersonation - Attacker pretends to be someone else
    • Might use identity fraud
  • Business Email Compromise (BEC) -
    • AKA Email Account Compromise (EAC)
    • Defenses: Awareness and MFA
    • Methods
      • Using compromised accounts
      • Sending spoofed emails
      • Using common fake but similar domain techniques
      • Using malware or other tools
  • Pretexting - Using a made-up scenario to explain why the attacker approaches the target
    • Often to make impersonation more believable
    • Defenses: Be critical, and do a verification call
  • Watering Hole Attacks - Use websites that the target frequently visits
    • Attackers can stage an attack knowing the target will visit the site, by compromising the site or deploying malware through advertising networks
  • Brand Impersonation/spoofing - Also a phishing attack
    • Send email as if it comes from the brand
    • Often intended to have the target log in via a link
  • Typosquatting - Have a copy/compromised site at a URL with a common typo
    • Pharming - Changing a person's hosts file to achieve a similar attack
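Two of the items above (fake-but-similar domains in BEC/typosquatting, and hosts-file changes in pharming) can be checked for mechanically. The script below is an added example written for these notes, not code from the original page or from CISA; the trusted domains, the confusable-character table and the sample hosts file are all constructed, and the thresholds are assumptions a defender would tune.

```python
"""Defender-side checks for lookalike sender domains and hosts-file pharming overrides.
Added example for these notes; all domains, the confusable table and HOSTS_SAMPLE are constructed."""
from typing import Dict, List, Tuple

# Constructed: domains the organization actually owns and sends mail from.
TRUSTED_DOMAINS = ["example.com", "examplecorp.com"]

# Constructed: visually confusable sequences, each mapped to the character it imitates.
CONFUSABLES = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l", "3": "e", "5": "s"}

LOOPBACK = {"127.0.0.1", "::1"}


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute); a transposition counts as 2."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain: str) -> str:
    """Last two labels, lowercased (sufficient for .com-style names in this demo)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def normalize(label: str) -> str:
    """Collapse confusable sequences so 'exarnple' and 'examp1e' compare equal to 'example'."""
    for bad, good in CONFUSABLES.items():
        label = label.replace(bad, good)
    return label


def classify_sender(domain: str, trusted: List[str] = TRUSTED_DOMAINS,
                    max_dist: int = 2) -> Tuple[str, str]:
    """Return (verdict, reason); verdict is 'trusted', 'lookalike' or 'unrelated'."""
    full = domain.lower().rstrip(".")
    reg = registrable(full)
    if reg in trusted:
        return "trusted", "exact match"
    name, _, tld = reg.partition(".")
    for t in trusted:
        tname, _, ttld = t.partition(".")
        if name == tname and tld != ttld:
            return "lookalike", f"TLD swap of {t}"
        if normalize(name) == normalize(tname):
            return "lookalike", f"homoglyph of {t}"
        dist = levenshtein(name, tname)
        if dist <= max_dist:
            return "lookalike", f"edit distance {dist} from {t}"
        if tname in name:
            return "lookalike", f"contains brand {tname}"
    for t in trusted:
        # e.g. example.com.login-portal.net: the real domain used as a subdomain of another.
        if t in full:
            return "lookalike", f"trusted domain {t} used as a subdomain"
    return "unrelated", "no resemblance to a trusted domain"


def triage_senders(domains: List[str]) -> Dict[str, str]:
    """Map each observed sender domain to its verdict, for review or alerting."""
    return {d: classify_sender(d)[0] for d in domains}


# Constructed sample of a hosts file with one pharming-style entry.
HOSTS_SAMPLE = """# constructed hosts file
127.0.0.1   localhost
::1         localhost
203.0.113.7 examplecorp.com www.examplecorp.com   # pins the real domain to an outside address
"""


def hosts_overrides(hosts_text: str, trusted: List[str] = TRUSTED_DOMAINS) -> List[Tuple[str, str]]:
    """Return (hostname, ip) pairs where a hosts line pins a trusted domain to a non-loopback
    address, which is the pharming pattern the notes describe."""
    hits = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        if ip in LOOPBACK:
            continue
        hits.extend((n.lower(), ip) for n in names if registrable(n) in trusted)
    return hits


if __name__ == "__main__":
    # Constructed sender domains as they might appear in mail headers.
    observed = ["mail.example.com", "exarnple.com", "example.co", "exmaple.com",
                "example-secure.com", "example.com.login-portal.net", "github.com"]
    for d, verdict in triage_senders(observed).items():
        print(f"{d:32} {verdict:10} {classify_sender(d)[1]}")
    print("hosts overrides:", hosts_overrides(HOSTS_SAMPLE))
```

Verdicts of "lookalike" are candidates for a mail-flow rule or an analyst queue rather than an automatic block, since short brand names produce edit-distance false positives; the hosts check is the kind of thing an endpoint baseline or integrity monitor would run on a schedule.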