The Human Element in Cybersecurity: Understanding Trust and Social Engineering
Human Trust
Most people in information technology roles understand technical controls such as firewalls, encryption, and security products as defenses against digital threats. Configuring and implementing those tools in keeping with industry best practices certainly helps fend off attacks. Human trust, however, cannot be tuned as precisely as a firewall rule. Trust is the basis of human relationships, offline and online, and online it takes on a unique dimension: interactions lack the physical cues people rely on during face-to-face communication, which makes it easier for criminals to exploit.
In cybersecurity, trust manifests in various ways:
Trust in Authority: People tend to trust those in positions of authority, or those posing as such. When authority is asserted, people often comply with a request without questioning whether the authority is legitimate.
Trust in Familiarity: Trusting someone because of an existing or prior relationship is often exploited by attackers who impersonate acquaintances or use information gathered from social media to appear familiar and trustworthy.
Trust in Urgency: Pressure from a sense of urgency causes individuals to act quickly, without taking the time to scrutinize the authenticity of the request.
Social Engineering
The term sociale ingenieurs (“social engineers”) was first used by Dutch industrialist J.C. Van Marken in an essay in 1894. The term later evolved into “social engineering,” an approach that treated social relations as “machinery.” The practice itself, manipulating the psychology of others, has existed for as long as people have interacted.
As it relates to cybersecurity, social engineering is commonly defined as manipulating or coercing someone into disclosing valuable information or performing an action that benefits the attacker. In essence, social engineering exploits human trust. Attackers use several tactics to acquire that “valuable” information or action. These tactics might be used on their own or chained together.
- Phishing: This attack is usually delivered by email. The message is crafted to look like legitimate communication so that the user completes the action the attacker wants (for example, clicking a malicious link or opening an attachment). The outcome depends on the goal of the attack: the user's action may lead to credential harvesting, malware execution, or a more complex follow-on attack, and data is often compromised when it succeeds.
- Spear Phishing: This is the same as a phishing attack, except instead of targeting a large audience, a specific individual is targeted. These types of attacks usually require a significant amount of research on the specific target.
- Whaling: Same as a phishing attack but usually targeted toward high-profile users, such as executives or members of the C-Suite.
- Smishing: Phishing delivered by text message (SMS, the Short Message Service), and by extension other mobile messaging apps.
- Vishing: Voice phishing, or social engineering performed over a phone call.
- Baiting: An attacker entices the user with something free to lure them into clicking a link or plugging in media (get a free sandwich if you take the survey at the following link; a USB drive “lost” in the hallway).
- Quid Pro Quo: A variation of baiting where the attacker offers “something for something,” such as a free software download in exchange for clicking a malicious link, or “IT support” that fixes a problem in exchange for the user's credentials.
- Catfishing: Attacker creates a fake online identity to lure others into false relationships.
- Pretexting: The attacker impersonates a representative from a trusted organization, hoping that the target doesn’t question the legitimacy of the attacker.
- Reverse Social Engineering: The attacker does not initiate contact with the target; instead, the target is manipulated into contacting the attacker (for example, the attacker appears to be in distress and in need of help).
- Watering Hole: An attacker compromises a legitimate website that their targets are known to visit. When the site is visited by the target, malware is deployed.
- Scareware: The attacker inserts malicious code into a website so that the page renders an alarming pop-up (flashing colors, warning sounds, “your computer is infected”) that pressures the user into clicking a link or downloading malware posing as a fix.
- Urgency: The attacker creates a sense of urgency or fear in the target, to convince the target to perform the attacker’s desired activities.
- Honeytrap: An attack which specifically targets individuals looking for love on online dating websites or social media.
- Diversion Theft: An attacker tricks a target into sending or sharing sensitive data with the wrong person.
- Tailgating: A physical attack where an attacker follows someone into a secure or restricted area that the attacker is not authorized to access.
- Physical Mail Phishing: Sending a letter or postcard to a target in the hope that they will perform the desired actions of the attacker.
As you can see, there are many types of attacks, all with the goal of getting a target to do what the attacker wants. In some cases the attacker asks for sensitive internal details (password policy, a user's password, etc.), for an unauthorized action (a password reset, a Multi-Factor Authentication reset, etc.), or for the target to run a legitimate remote-assistance tool (like Microsoft Quick Assist) that hands the attacker control of the machine. Some ruses are more involved. In device code abuse, the attacker starts an OAuth device authorization flow, sends the resulting code to the user under some pretext, and the user, by entering that code on the legitimate sign-in site, approves access for the attacker's session; no password is typed into a fake page and no malicious link is needed.
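To make the device code ruse concrete, here is an added walk-through that is not code from the original post. AuthorizationServer is a hypothetical in-memory stand-in with the shape of the OAuth 2.0 device authorization grant (RFC 8628); the endpoint name, codes, client ID, scope, and token format are all made up. The point it demonstrates is that the server cannot tell who requested the code from who typed it in, so the token goes to the attacker's session.

```python
"""Toy walk-through of device code abuse (constructed example, hypothetical server)."""
import secrets
import time


class AuthorizationServer:
    """Minimal in-memory server: issues device/user codes and exchanges them for tokens."""

    CODE_LIFETIME = 900  # seconds; real servers typically allow about 15 minutes

    def __init__(self):
        self._pending = {}  # device_code -> pending authorization record

    def device_authorization(self, client_id, scope):
        """Client-side start of the flow: returns the codes the client must handle."""
        device_code = secrets.token_hex(16)  # secret, stays with the requesting client
        user_code = "-".join(secrets.token_hex(2).upper() for _ in range(2))  # e.g. "A1B2-C3D4"
        self._pending[device_code] = {
            "client_id": client_id, "scope": scope, "user_code": user_code,
            "user": None, "expires": time.time() + self.CODE_LIFETIME,
        }
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://login.example/device", "interval": 5}

    def user_enters_code(self, username, user_code):
        """User side: already signed in as `username` on the real site, types the code."""
        for rec in self._pending.values():
            if (rec["user_code"] == user_code and rec["user"] is None
                    and time.time() < rec["expires"]):
                rec["user"] = username  # the server never learns who requested this code
                return True
        return False

    def token(self, device_code):
        """Client polls here; succeeds only after some user has entered the matching code."""
        rec = self._pending.get(device_code)
        if rec is None:
            return {"error": "invalid_grant"}
        if time.time() >= rec["expires"]:
            del self._pending[device_code]
            return {"error": "expired_token"}
        if rec["user"] is None:
            return {"error": "authorization_pending"}
        del self._pending[device_code]  # single use
        return {"access_token": f"tok-{rec['user']}-{rec['scope']}", "token_type": "Bearer"}


def simulate_device_code_phish(server, victim="alice"):
    """Attacker requests the code, victim enters it on the real site, attacker gets the token."""
    # 1. Attacker starts the flow as an ordinary client on their own machine.
    grant = server.device_authorization(client_id="mail-client", scope="mail.read")
    # 2. Attacker sends the victim the genuine verification URL plus the code, under a pretext.
    lure = (f"IT here. To finish the security update, go to {grant['verification_uri']} "
            f"and enter code {grant['user_code']}.")
    # 3. Until the victim acts, the attacker's polling only sees 'authorization_pending'.
    before = server.token(grant["device_code"])
    # 4. Victim signs in on the legitimate site and types the code.
    accepted = server.user_enters_code(victim, grant["user_code"])
    # 5. Attacker's next poll receives a token minted for the victim's account.
    after = server.token(grant["device_code"])
    return {"lure": lure, "device_code": grant["device_code"],
            "before": before, "accepted": accepted, "after": after}


if __name__ == "__main__":
    out = simulate_device_code_phish(AuthorizationServer())
    print(out["lure"])
    print("attacker poll before victim acts:", out["before"])
    print("attacker poll after victim acts: ", out["after"])
```

The victim never leaves the legitimate sign-in page and never types a password into an attacker-controlled page, which is why the usual “check the URL” advice does not catch this one. The defensive lever sits on the identity side: restrict or disable the device code flow for accounts that do not need it, and require the standard MFA and device conditions before a token is issued.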
Social Engineering Real World Examples
As a penetration tester, I have had the opportunity to conduct social engineering attacks. Below are a few that I found to be entertaining.
Much More Than a Social Engineering Call:
One of my favorite social engineering calls was against a customer who wanted me to attempt to get employees to go to a website I controlled. The website was a doppelganger of a commerce site which sold wearable items. Having malicious content on the site was not in scope for the test, as the customer just wanted some insight into how their employees would react to the social engineering calls. One of the targets that I picked out was a secretary for one of the C-Suite executives. After conducting research about the company, I was able to acquire the help desk number. While spoofing the help desk number, I called the secretary and told her that I was from IT. I told the employee that I was a representative from the IT department who was trying to track down a possible threat. I asked the secretary to proceed to my website and click on a link embedded in it. The secretary obliged, and I got a log entry that contained her IP address, showing proof that she had clicked on the link, which redirected her to another page. The secretary told me that she had never been to that site before. I told her that I believed her, and that I had some more investigating to do before I could conclude whether the threat was legitimate. I thanked her for her time and then attempted to end the phone call after stating that I had everything I needed from her. She, however, had questions about personal online hygiene related to her passwords. I couldn’t help myself and spent over an hour on the phone answering her questions before ending the call.
Giving It to the Phisher:
Several years ago, a colleague and I were on a Red Team engagement together and sent a phishing email to many of the client’s employees. The context of the email was that there was an update to the company’s benefits package, with a link to view the document (this ruse had been highly successful during other engagements). When they clicked on the link, they were redirected to a Microsoft login page, and after inputting their credentials, a document about benefits was presented to the user. In this scenario, we attempted to capture login credentials so that we could use them to access data. We launched the phish early that morning and watched the log file on our server for credentials. After about an hour, we finally got a hit and were excited about having valid credentials to use for further exploitation. But, after looking at the credentials, we found that the username was blank and the password was “Your Mom!” After communicating with the customer about the unsuccessful phishing attempt, they were very apologetic about the message, and I told them not to be, because it was an awesome comeback to our phishing ruse. (Yes, as a pentester, you are not always successful on the first attempt.)
Flustered During a Physical:
First, I would like to state that with any physical assessment, you have to be able to think on your feet. Since you hardly ever know what you will run into or what type of situation you will be presented with, rehearsing every situation is not feasible. This is also true when conducting other types of social engineering tests, such as social engineering calls.
For this particular engagement, the customer wanted us to infiltrate the main headquarters of a company with the goal of gaining access to their data center. We had already performed physical assessments on three other facilities operated by the company and were successful at two of them. This was our second target of the day, which didn’t give us much time, as it was already 3:30pm. The headquarters building had a very small entryway, where a receptionist was located behind a big glass window. There was a door to the receptionist’s left that was visible to her, and a hallway on the other side where the receptionist had no visibility. The ruse included matching work shirts with a generic logo on them. The logo was duplicated on the fake work order that we created, which stated that maintenance was to be performed in the data center. We had placed our point of contact on the work order as the contact person. Since we didn’t have a lot of time to prepare for this site, due to this location being added to the scope at the last minute, we were sure that we would get turned away and would then be tasked with testing their guest procedure.
Both my colleague and I entered the small entrance to the building and presented the receptionist with the work order. I stated that we were running a little behind and were hoping to get the job done before they closed at 5pm. While the receptionist was looking at the work order, I attempted to answer her questions before she was able to ask them. This seemed to frustrate and distract her. While I had the receptionist distracted, I motioned to my colleague to slip into the hallway. My colleague took the cue and took off without the receptionist noticing. The receptionist didn’t realize that my colleague was gone and contacted our point of contact to confirm the work order. When the point of contact arrived, she entered the reception area from the door that adjoined the entrance. The point of contact turned me away, stating that the work was not authorized. I left and then called her from the parking lot. I explained that we had used the work order ruse to get my colleague into the building unnoticed and asked if we could proceed. The point of contact stated that it was a good ruse and that she hadn’t realized we had someone inside the building. We were authorized to proceed with the test.
I left through the front door and texted my colleague, who had found himself locked in a stairwell which had access to the loading dock on the main level and the data center door on the other level. I met him at the loading dock, where he let me into the stairwell. Once at the data center door, we found a gap in the door which was covered with a plate so that the hasp was not exposed. We performed a hasp bypass using a wire found under the stairwell with gold bells on it (yes, a Christmas decoration). After opening the door, we were met by an employee who caught us (bad timing).
The lessons learned from the social engineering calls and physical engagements prompted the customers to review and revise their policies and procedures, including training requirements for identifying social engineering tactics.
From the examples above, you can see how various social engineering tactics were deployed, with and without success. Humans inherently tend to trust people and have compassion toward other individuals, especially if they are having a rough time or appear to be in distress. There are several other examples where BHIS has demonstrated this to be true. One blog post that stands out is one by Carrie Roberts: https://www.blackhillsinfosec.com/social-engineering-sometimes-easy/.
Protections
How do you protect yourself or employees from being a social engineering victim? The following can help:
Verify the Source:
- Take the time to verify where the communication is coming from, and do not blindly trust unknown parties. Did you get an email with a link saying a package is on the way when nothing was ordered? Did you find a USB drive in the hallway and feel the urge to plug it in to see what is on it?
- Did the president of the company request sensitive information via an email message?
Verifying the source can be as simple as contacting the sender directly through a channel you already know to validate the request, or typing the website address yourself instead of trusting the link provided.
Inspection of emails:
- Hover over a link to compare the displayed text with the actual destination; a mismatch between the two is a warning sign.
- Spelling and grammar errors can be a good indication of a phishing attempt, although their absence proves nothing.
- Use a spam filter or email security gateway.
- If you receive a QR code unexpectedly or cannot validate where it leads, don’t scan it (especially if it urges you to act immediately).
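The “hover over the link” check can be automated for a whole message. The following is an added example, not code from the original post: it parses the anchors in an HTML email body, compares the host shown in the visible link text with the host in the real href, and also flags links that point at a bare IP address. The email body, the domains in it and the sample IP are all constructed for this illustration.

```python
"""Flag anchors in an HTML email whose visible text disagrees with the real target
(constructed example; the sample email and domains are hypothetical)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample email body using hypothetical domains only.
SAMPLE_EMAIL = """
<p>Your benefits package has been updated.</p>
<p>Review it at <a href="https://contoso-benefits.example.net/login">https://benefits.contoso.example/2024</a></p>
<p>Questions? Visit <a href="https://hr.contoso.example/help">hr.contoso.example/help</a>
or call <a href="tel:+15555550100">+1 555 555 0100</a>.</p>
<p><a href="http://203.0.113.7/update">Update your password now</a></p>
"""

# Link text that itself looks like a URL or host/path, e.g. "hr.contoso.example/help".
URL_LIKE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.IGNORECASE)
BARE_IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value):
    """Lowercase host from a URL or a bare 'host/path' string, or None."""
    if "://" not in value:
        value = "http://" + value
    return urlparse(value).hostname


def check_links(html):
    """Return (href, text, reason) for every suspicious anchor in the HTML."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        if urlparse(href).scheme.lower() not in ("http", "https"):
            continue  # mailto:, tel: and similar are not navigable web links
        real_host = host_of(href)
        if not real_host:
            continue
        if BARE_IPV4.fullmatch(real_host):
            findings.append((href, text, "destination is a bare IP address"))
            continue
        if URL_LIKE.fullmatch(text):
            shown_host = host_of(text)
            if shown_host and shown_host != real_host:
                findings.append((href, text,
                                 f"text shows {shown_host} but link goes to {real_host}"))
    return findings


if __name__ == "__main__":
    for href, text, reason in check_links(SAMPLE_EMAIL):
        print(f"[!] {reason}: '{text}' -> {href}")
```

Run against the sample, the benefits link is flagged because the text claims one host and the href goes to another, the IP-address link is flagged outright, and the help link passes because the text and destination agree. Links whose text is ordinary words (“Update your password now”) cannot be checked this way; for those, the only test is to go to the site directly.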
Ask Questions:
If you are suspicious of the source of a phone call or in-person interaction:
- Ask questions that only the real person would know the answer to. It might be as easy as asking how their vacation last week went, when you know the co-worker didn’t take vacation.
- Ask for identification to confirm the legitimacy of the individual.
- Validate any work orders or other paperwork by directly calling the individual responsible, using a number you look up yourself and not the number printed on the document.
- Contact the originator out-of-band using internal corporate resources (email, phone, chat, etc.).
Urgency:
If a request conveys a sense of urgency, do not act in haste.
- Take the time to determine whether it is actually urgent, and verify the source by calling a known number or going directly to the website.
- Use a different form of communication than the one the request arrived on to validate its legitimacy.
Controls:
Technical controls limit the damage when a social engineering attack does succeed.
- Require Multi-Factor Authentication wherever employees access corporate resources, preferably a phishing-resistant method.
- Require a second employee to authorize sensitive tasks (electronic transfer of funds, for example).
- Enforce least-privilege access, so employees are granted only the systems needed for their role, and back it with Conditional Access policies (for example, requiring a managed device) so that a stolen credential alone is not enough.
Training:
Train employees periodically on identifying social engineering tactics and on how to handle them. This should include regularly testing policies and procedures through social engineering calls, phishing, and physical security engagements.
Conclusion:
Social engineering exploits human trust and is used to gain initial access to an environment, collect sensitive data, and/or perform malicious activities such as defaming or damaging a corporation’s reputation. Training yourself and your employees on what social engineering is, and on how to handle a situation when they suspect they are being socially engineered, is essential.
My favorite customer quote after we conducted a physical security test is: “We have had the first-person shooter training, and this experience was much better than that because it demonstrated that someone could gain access to our secure office without proper authorization. We will always verify the identity of visitors due to this exercise. Not because we were told to in a class but because we failed and who knows what you guys had in those backpacks.”
You can learn more straight from Rick himself, in person, at Wild West Hackin’ Fest.