As more personal and corporate information is shared on the Web, social engineering techniques and attacks are becoming increasingly sophisticated, forcing enterprises to adopt new awareness training methods to protect employees.
While the term social engineering is relatively new, Amy Baker, vice president of marketing for Pittsburgh-based Wombat Security Technologies Inc., noted that the practice has a long history.
"What I think is interesting about social engineering is that it goes back very far; we used to call them con men," said Baker. "It just starts with the act of manipulating someone to get something that they need."
When looking at enterprise security, the manipulation that Baker refers to is often convincing a company employee to click a malicious link or open a malware-infected file, and the transmission method of these attacks is most often through email. To this end, social engineering is often a major component of IT's longstanding battle with phishing schemes. It's also an element in the resurgence of macro viruses, which are caused by socially engineered messages that convince employees to override security settings designed to prevent macros from running.
According to Cody Pierce, director of vulnerability for Arlington, Va.-based security research firm Endgame, Inc., these types of attacks remain popular because they are reliable, version-agnostic, and can often be coded to avoid traditional antivirus software.
"Without the social engineering aspect, it's harder to get past the point where you need user interaction for the exploit," Pierce said. "For macro viruses and such, there will be warnings, so you need social engineering to get users past that point."
Pierce and other experts said that these types of attacks are getting more difficult to stop because of the wealth of information made publicly available on the Web via social media. That information can be used to craft much more convincing and targeted attacks, which has led to something of a renaissance for social engineering.
"Twitter will tell you what app is used to post, which leads to what platform is used. LinkedIn connects to work acquaintances, and Facebook has everyone," said Pierce. "Phishing will continue to stay popular as long as we're all connecting over the Internet and easy to talk to or build a relationship with, because someone will take advantage of that situation."
Baker pointed to the 2014 Capture the Flag Report by Hop Bottom, Pa.-based Social-Engineer, LLC, which describes a contest where contestants are given three weeks to gather information from the Web about Fortune 500 corporations and parlay that into more specific information obtained on a phone call.
Contestants were able to obtain what antivirus system each used, what operating system, Web browsers, mail clients, or what kind of disk encryption. Some contestants even coerced those they called to visit a specific URL.
Contestants also gathered on-site information that could later be used to gain access to the office itself, like the names of the companies responsible for pest control, janitorial services and trash removal, and what types of badges are used for building access. Lastly, contestants were tasked with gathering employee-specific information, including schedules, length of time at the company, and even when they last had security awareness training.
All of this information, Baker said, can aid a threat actor in finding the weak spots in a company's defenses and in determining which attack vector is most likely to succeed. Baker noted that it is especially difficult to track physical security breaches that are aided by this information.
"It's hard to identify when there are imposters, and it is unlikely that organizations will share when someone gains physical access to the office," said Baker. She said that people might feel awkward about confronting someone suspicious or would worry about being rude, and "so security can lapse in terms of letting people into the office."
According to Randy Trzeciak, technical manager at Carnegie Mellon University's CERT Insider Threat Center, outsiders will often use social media sites like Facebook, LinkedIn and Twitter to gather information and piece it together to look like an employee is receiving a message from someone they trust.
"I do believe [attacks] are getting more realistic looking in terms of impersonating someone in the organization," Trzeciak said. "With the amount of information publicly available on an organization's employees, outsiders are more able to craft a message that looks authentic."
This level of authenticity can be attained by even the smallest detail, Baker said, including using a shared interest in a local sports league, based on an employee sharing an Instagram photo from a game. Trzeciak also said that it was common for attackers to impersonate someone inside the organization, often someone from the payroll or human resources department, because another key in socially engineering someone to unwittingly work against company security is to promise some sort of financial gain.
As social engineering techniques get more sophisticated and attacks appear more like authentic messages, experts say that training methods need to evolve as well. Baker said that the trick to educating employees has always been to make people suspicious of these requests, but that is getting more difficult because it often isn't enough to simply have users keep an eye out for improper use of language or odd typos.
Rick Holland, principal analyst for security and risk management at Cambridge, Mass.-based Forrester Research Inc., said he is tired of seeing employees blamed for falling victim to social engineering because the attacks are getting so sophisticated that anyone would fall victim.
"On the most sophisticated attacks, they are going to get in one way or another, so detection and response is much more important," Holland said. "Enterprises need to hold email security vendors accountable. If I'm paying vendor X for an APT solution and it's consistently not catching attacks, I want to keep them accountable."
Holland advocated that email security vendors use more machine learning to develop better technology for catching phishing attacks, and suggested IT departments perform routine pen testing. But he also admitted that it is impossible to stop everything, which means enterprises need better retroactive detection and response technologies. Holland said that the last line of defense is the user, and this necessitates better training methods.
Experts all agreed that traditional training sessions that happen infrequently are not enough. Trzeciak said that training needs to be done in levels, beginning with teaching employees to look out for misspellings and improper use of language. The next level includes making certain employees aware that they are at greater risk of being targeted, including those with access to financial information and other sensitive data. Lastly, employees should be made aware of their sharing habits on social networks, and be especially careful of potentially fraudulent friend requests, which could ultimately negate any controls put in place to limit access to information.
A number of experts also advocated the use of more real-time training, which would include simulated internal phishing campaigns, sending text messages or social messages to employees trying to catch those who lapse.
Baker said that the IT department should run realistic phishing campaigns and leave USB sticks for employees to find. When an employee clicks a link in one of these messages or plugs the USB stick into a computer, a notification pops up telling them that they could just have been attacked.
"The ultimate goal is to lead to a teachable moment, because they are great ways to wake up users to the potential of an attack," Baker said. "Once they know they are susceptible, they want to be protected. They don't want to be responsible for a breach, because it could cause them to lose their jobs."