While conducting assessments and incident response exercises, I’ve talked to many clients about cyber security training, including how to avoid being a target of social engineering. Cyber security training covers a broad range of potential topics – everything from current threats to cyber hygiene to information assurance and organizational policies, and training employees and other staff how to protect themselves is certainly important. I must admit that even as a cyber security professional, sometimes the training begins to wear on me, and I get in the mode of “everything is a threat” to the point where I don’t want to click on anything.
One thing that’s been on my mind lately is the widespread damage and vast costs that companies have suffered during ransomware attacks. That brings me back to today’s topic, social engineering, as it’s the primary attack vector of ransomware. I’m sure that, as we slowly find out the details of the Norsk Hydro and Hexion incidents, as well as others, social engineering – specifically phishing – will turn out to have been responsible for a large part, if not all, of these incidents. For example, Hexion, which was targeted with LockerGoga, recently published SEC Form 8-K detailing the impact of the attack on its business operations.
In this blog, I offer some ideas from my experience in cyber security that may help you or your team be more aware of different types of social engineering.
Learning from the Best
Recently, I’ve really enjoyed listening to two audio books by the infamous hacker Kevin Mitnick. If you haven’t read or listened to these books, I highly recommend them:
- Ghost in the Wires: My Adventures as the World's Most Wanted Hacker, By Kevin Mitnick and William L. Simon, narrated by Ray Porter (2011).
- The Art of Deception: Controlling the Human Element of Security, by Kevin Mitnick, narrated by Nick Sullivan (2003).
In 2019, most of the technical techniques he talks about are a little outdated and may even sound cute. But that’s not the point. The takeaway for me is paying close attention to his detailed stories about the social engineering techniques he’s used over and over again to gain access to restricted systems and information. Listening to a known hacker talk about how he got into systems is captivating and extremely easy to visualize.
I think about all the times I’ve seen and been trained on social engineering scenarios from a PowerPoint slide or online training modules. Yes, it’s an easy way to educate a lot of people at once to meet your annual corporate training goals, but personally, I already know that this is training, and that a “con is coming”, so I’m ready for it. I easily recognize the “email from unknown person with spelling and grammatical errors.” As I watch the training, I say to myself, “I’d never click on that, or fall for such a line over the phone.” I’m sure you probably feel the same way. When we go to take a course knowing it’s training, we treat everything as a threat. So, we take the training, pass the quiz, and then go back to our day, hopefully with a little bit more awareness.
But listening to Kevin telling stories of his experiences, I recognize the commonalities of his approach. He’s a great storyteller and it’s much easier to absorb how a social engineer is constantly working multiple avenues and gathering small pieces of information to use later.
Into the Trash
One of the techniques Mitnick talks about in his books is “dumpster diving.” This technique is exactly what it sounds like. By using this technique, a determined social engineer can get vital pieces of information about employees who work at a specific location.
I learned my lesson the hard way when I was a young soldier deployed to Bosnia in 1999. Our basecamp employed local national workers, who did tasks like cooking, cleaning, trash removal, and light construction.
Our commanding officer made a point of telling all the soldiers to shred or burn any personal letters. All official military documents were tightly controlled at the headquarters building. Some of the soldiers didn’t take his instructions seriously, though, so the commander had some of the senior sergeants periodically rummage through the trash cans and find personal letters. The commander read some of the more innocuous letters aloud at company formation, to the stark embarrassment of some soldiers. To this day, I fastidiously shred mail and correspondence.
Were You Distracted?
Where and when might you be off your “skeptical” guard? Think about recent world events with charity or relief operations, such as the flooding in the United States and the mass shooting in New Zealand. A social engineer could be posing as a helpful charity worker, all while gathering customer information. Or you might be taken in by an official-looking email purporting to be raising money for a charity. Others have written about this attack vector, and it’s uncomfortable to talk about. Bruce Sussman has some excellent examples of this in his recent article.
I’m the Target
This brings me to the part you’ve likely been waiting for: when I was the target of a social engineer. I used to work at a bank and would come in early to open the branch, and review accounts and the previous day’s work. Looking back, it seems likely that someone was watching me. One morning, someone called claiming to be a private banker from the Midwest. The person was desperately trying to help a high-profile bank customer.
His tone of voice was deliberate and excited, but he held off being pushy and desperate (a good balance for a social engineer). He said that he was trying to complete some new account paperwork on behalf of the client (not uncommon) and he just needed two pieces of information. He claimed he could see that the customer opened an account at my branch and had used a federal government-issued ID to do so. Initially, I was happy to help, and as I had the social engineer on the phone, I brought the customer information up on my system.
I asked him again for the information he wanted, and I found what he was asking for on my system. At that point, though, I hesitated. I was about to reveal confidential customer information over the phone, to an unknown individual. Instantly, my attitude changed and alarm bells started ringing in my head. I immediately hung up the phone.
I sat there for a minute, thinking about the conversation and what had just happened, and got angry. The social engineer had almost fooled me. After I cooled off, I called bank security to report the incident. I thought about just how close I had come to being part of a social engineering con. I thought about where that social engineer might have used the data. It could have been used to open a fraudulent account at another bank, or for a fake identity to sell on the dark web.
I offer these examples of listening to “dramatized” versions of social engineering attacks and reflecting on my personal experience to make awareness of social engineering cons and exploits more real. I believe anyone and any organization can use these examples, as well as draw on their own experiences, to make it easier for employees to understand the impact of social engineering attacks and how easy it can be to be tricked by a determined adversary. I believe strengthening the mental awareness of individuals is one of the most effective measures to prevent social engineering, phishing attacks, and consequently, ransomware.
Social engineering continues to be a very real, and near daily threat, for most organizations. One of the best ways you can prepare your employees and protect them is to make sure your training includes real-world examples, including scenarios related to your industry or business, that can help them better understand the types of methods that social engineers use, and how to avoid becoming a victim.
Understanding that a determined attacker after a high-value target will almost always find a way to get to someone, the best way to limit the damage from an attack is by having a well-tested incident response plan and conducting cyber security exercises. At Delta Risk, we respond to social engineering attacks, phishing attacks, and ransomware incidents all of the time. We evaluate existing security defenses, offer testing options for new procedures, and help establish fundamental methods for training on evolving threats and new defense tactics.