Intel describes social engineering as the deliberate application of deceitful techniques designed to manipulate someone into divulging information or performing actions that may result in the release of that information.
The report found:
- Two-thirds of the world’s email is now spam aiming to extort information and money;
- A sharp increase in malicious phishing emails has resulted in more than 30 million suspect URLs recorded by McAfee Labs;
- 20 percent of attacks involve hackers using seemingly benign, bogus websites to deliver malware to their targets; and
- Bogus emails are another effective form of social engineering, as 18 percent of users will unwittingly click a link in a phishing email.
In July 2014, more than 1,000 energy companies in North America and Europe were reported to have been compromised by targeted cyber attacks.
Compared with other targeted attack campaigns (such as Operation Troy, Operation High Roller and Night Dragon), this effort appears different in almost every way. However, the one common theme among all of these is social engineering. Whether the target of the attack is a consumer or an employee in a large enterprise, the modus operandi for most cyber criminals is to employ some form of social engineering to coerce the victim into an action that facilitates the infection.
The types of malicious actors involved in cybercrime, any of whom may leverage social engineering as an attack vector, vary. The Center for Internet Security cited the following:
Script kiddies: Unskilled hackers who use simple techniques.
Insiders: Although they may not have strong technical skills, their access to sensitive networks represents a risk.
Hacktivists: Politically motivated actors who combine activism with hacking and the Internet.
Lone hackers: Their skills or motivations will vary.
Organized cybercriminals: Criminal syndicates formed to conduct cyber crime.
Nation-state hackers: These actors pose the highest, consistent cyber threat to state and territorial governments, and an unknown level of risk to local and tribal governments.
Terrorist groups: The Center for Internet Security notes that skilled hackers within these groups are rare but will likely become more significant within the next one to three years as they gain a broader skill set.
The Intel report stated that many organizations develop a user awareness program, but that the effectiveness of such programs varies. It cited an example from the United States Military Academy at West Point showing how little a training campaign can achieve on its own. Cadets at West Point receive security awareness training; freshmen spend four hours (four lessons) learning about information assurance and network security.
There is a culture at West Point that any email with a “COL” (abbreviation for colonel) salutation carries an action to be executed. Exploiting that, a bogus email message informed cadets of a problem with their current grade report and instructed them to click on an embedded hyperlink to make sure their grade report information was correct. Even with four hours of computer security instruction, 90 percent of the freshmen clicked on the embedded link.
The researchers said an awareness program combined with measures to evaluate its effectiveness is one of the best tools for fighting social engineering attacks. Although continuous measurement and refinement of education programs represent an effective counter against social engineering, they are rarely used. In fact, many organizations have not implemented any sort of security or policy awareness training for their employees. A recent study by Enterprise Management Associates (EMA) found that 56 percent of employees had not gone through such training.
Intel recommended the following controls to mitigate the risk of social engineering. These are divided into three categories: people, process and technology. Intel pointed out that these controls are not exhaustive, and may not be applicable to all organizations.
Provide clear boundaries: All staff should be keenly aware of the policies regarding the release of information and have clear escalation paths should a request fall outside of their boundaries.
Ongoing education: Implement a security awareness program to consistently educate employees over time. Use tools such as the McAfee Phishing Quiz to highlight specific tactics commonly used in attacks.
Permission to verify: Provide staff with the confidence to challenge even seemingly innocuous requests. An example of this is to challenge people when attempting to tailgate into offices.
Teach the importance of information: Even seemingly innocuous information such as telephone numbers (enabling information) can be used to stage an attack.
Create a no-blame culture: The targets of social engineers are victims. Punishing specific employees who have been deceived will make all staff less likely to admit to releasing information. It also gives the social engineer leverage: an employee who fears punishment can be blackmailed into further cooperation.
Bogus call reports: When a suspicious activity has occurred, staff should complete a report that details the interaction. This assists investigations.
Informative block pages: When employees reach a malicious web page, use a block page to inform them why they cannot proceed. This will cause them to reflect on their prior action and can help identify sources of attack.
Customer notification: When a caller is denied information, the organization should notify the customer concerned and verify whether the caller was entitled to that information. Organizations should also consider how they communicate with customers, so that legitimate contact can be distinguished from impersonation.
Escalation route: Provide a clear reporting line for front-line staff to escalate any doubts they may have about interacting with potentially fraudulent messages.
Tiger testing: Routinely test staff for their susceptibility to social engineering attacks across multiple communication channels.
Call recording: Routinely record incoming telephone calls (while following federal and state wiretapping laws) to assist investigations.
Bogus lines: Route calls that are believed to be suspicious to a monitored number.
Email filtering: Remove fraudulent emails containing known and never-before-seen malware.
Web filtering: Block access to malicious websites and detect malware inline with access to the Internet.
Strong authentication: Although leveraging multifactor authentication will not eliminate the risk of users being socially engineered into giving up their authentication credentials, it will make the task more difficult for would-be attackers.
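To make the email-filtering control concrete, the following Python script is an added example (not code from the Intel/McAfee report, and not McAfee's own filtering logic). It applies a few of the simplest content checks a gateway can run before a lure like the West Point grade-report message reaches an inbox: a Reply-To domain that differs from the From domain, a display name that claims the organization's own domain while the real address is elsewhere, links whose visible text names one host while the href points at another, and links aimed at a bare IP address. The two messages and the trusted domain `example.edu` are constructed for the example; a real deployment would use the public suffix list instead of the two-label `base_domain` shortcut and would feed the findings into a scoring engine rather than treating each as a verdict.

```python
"""Simple phishing-lure checks for inbound email (illustrative, added example)."""
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed value for the example: domains this organization legitimately sends from.
TRUSTED_DOMAINS = {"example.edu"}

# Matches link text that looks like a URL or hostname, capturing the host part.
_HOST_RE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/:].*)?$", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def base_domain(host):
    """Crude registrable domain (last two labels); real filters use the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _html_body(msg):
    """Return the decoded text/html part of the message, or an empty string."""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            charset = part.get_content_charset() or "utf-8"
            return part.get_payload(decode=True).decode(charset, "replace")
    return ""


def analyze(raw_message):
    """Return the list of phishing indicators found in one RFC 5322 message."""
    msg = message_from_string(raw_message)
    findings = []

    display, from_addr = parseaddr(msg.get("From", ""))
    from_domain = base_domain(from_addr.rsplit("@", 1)[-1]) if "@" in from_addr else ""

    # 1. Reply-To steering replies to a domain other than the sender's.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if "@" in reply_addr and base_domain(reply_addr.rsplit("@", 1)[-1]) != from_domain:
        findings.append(f"Reply-To domain differs from From domain: {reply_addr}")

    # 2. Display name borrows a trusted domain while the real address is external.
    for trusted in TRUSTED_DOMAINS:
        if trusted in display.lower() and from_domain != trusted:
            findings.append(f"display name claims {trusted} but sender domain is {from_domain}")

    # 3. Link-level checks on the HTML body.
    collector = _LinkCollector()
    collector.feed(_html_body(msg))
    for href, text in collector.links:
        target = urlparse(href)
        host = (target.hostname or "").lower()
        if target.scheme not in ("http", "https"):
            findings.append(f"non-web link scheme in {href!r}")
            continue
        if _is_ip(host):
            findings.append(f"link points at a bare IP address: {href}")
        shown = _HOST_RE.match(text)
        if shown and base_domain(shown.group(1)) != base_domain(host):
            findings.append(f"link text shows {shown.group(1)} but points at {host}")
    return findings


# Constructed sample modeled on the grade-report lure; all addresses are fictitious.
PHISH = """\
From: "COL Registrar (example.edu)" <registrar@example-edu-grades.com>
Reply-To: grades-help@mailbox-relay.net
To: cadet@example.edu
Subject: Problem with your grade report
Content-Type: text/html; charset="utf-8"

<html><body><p>A problem was found with your grade report. Confirm your record at
<a href="http://198.51.100.7/grades/login">https://grades.example.edu/report</a> before 1700.</p>
</body></html>
"""

# Constructed benign message from the real registrar.
BENIGN = """\
From: Registrar <registrar@example.edu>
To: cadet@example.edu
Subject: Grade report posted
Content-Type: text/html; charset="utf-8"

<html><body><p>Your grade report is available at
<a href="https://grades.example.edu/report">https://grades.example.edu/report</a>.</p></body></html>
"""

if __name__ == "__main__":
    for name, sample in (("phish", PHISH), ("benign", BENIGN)):
        print(name, analyze(sample))
```

Run stand-alone, the script reports four indicators for the lure (mismatched Reply-To, borrowed display-name domain, bare-IP link, and link text that disagrees with its target) and none for the benign message. None of these checks stops a well-crafted lure on its own, which is why the report pairs filtering with user education and strong authentication rather than relying on any one of them.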
“The threat of social engineering is very real,” Samani and McFarland said. “Cyber criminals use it to unlawfully extract information for various malicious uses. To best counter the problem, we must understand the nature of social engineering attacks. This means defining the likely threat actors, their attack methods, and their resources—and applying the relevant controls to reduce the risk of a successful attack.”