1.0 Threats, Attacks, and Vulnerabilities.

1.1 Compare and Contrast different types of social engineering techniques.

Last edited 729 days ago by Makiel [Muh-Keel].

Social Engineering

Social Engineering is the practice of manipulating people through a variety of strategies to accomplish desired actions. Social engineers work to influence their targets to take actions that they might not otherwise have taken.

7 key Social Engineering principles

Authority: relies on the fact that most people will obey someone who appears to be in charge or knowledgeable, regardless of whether or not they actually are.
A social engineer using the principle of authority may claim to be a manager, a government official, or some other person who would have authority in the situation they are operating in.
Intimidation: relies on scaring or bullying an individual into taking a desired action. The individual who is targeted will feel threatened and respond by doing what the social engineer wants them to do.
Consensus-based: uses the fact that people tend to want to do what others are doing to persuade them to take an action.
A consensus-based social engineering attack might point out that everyone else in a department had already clicked on a link, or might provide fake testimonials about a product making it look safe. Consensus is called “social proof” in some categorization schemes.
Scarcity: makes something look more desirable because it may be the last one available.
Familiarity-based attacks: rely on you liking the individual or even the organization the individual is claiming to represent.
Trust: much like familiarity, relies on a connection with the individual they are targeting. Unlike with familiarity, which relies on targets thinking that something is normal and thus familiar, social engineers who use this technique work to build a connection with their targets so that they will take the actions that they want them to take.
Urgency: relies on creating a feeling that the action must be taken quickly due to some reason or reasons.
Social engineering relies on human reactions, and we are most vulnerable when we are responding instead of thinking clearly.

Social Engineering Techniques

There are both technical and nontechnical attacks that leverage those seven key principles to get the results that attackers and penetration testers want.

Phishing

Phishing is a broad term used to describe the fraudulent acquisition of information, often focused on credentials like usernames and passwords, as well as sensitive personal information like credit card numbers and related data.
Phishing is most often done via email, but a wide range of phishing techniques exist, including things like smishing, which is phishing via SMS (text) messages, and vishing, or phishing via telephone.
Spear phishing targets specific individuals or groups in an organization in an attempt to gather desired information or access.
Whaling, much like spear phishing, targets specific people, but whaling is aimed at senior employees like CEOs and CFOs (the “big fish” in the company).
Preventative Measures
Teach staff members about phishing and how to recognize and respond to phishing attacks, and even stage periodic exercises.
Email filtering is also a technical way to mitigate the chances of successful phishing.
SMS and voice filtering technology also helps.

Credential Harvesting

Credential harvesting is the process of gathering credentials like usernames and passwords.
Credential harvesting is often performed via phishing attacks but may also be accomplished through system compromise resulting in the acquisition of user databases and passwords, the use of login or remote access tools that are set up to steal credentials, or any other technique that will gather credentials for attackers.
Preventative Measures
Multifactor Authentication (MFA) remains a strong control that can help limit the impact of successful credential harvesting attacks. User awareness, technical tools that can stop harvesting attacks like phishing emails or related techniques, and strong monitoring and response processes can all help with credential harvesting and abuse of harvested credentials.
User awareness is always the top priority, but having a strong monitoring system and response process in place can definitely help against credential harvesting.

Website Attacks

Attacks on specific websites are also used by social engineers.
Pharming attacks redirect traffic away from legitimate websites to malicious versions. Pharming typically requires a successful technical attack that can change DNS entries on a local PC or on a trusted local DNS server, allowing the traffic to be redirected.
Preventative Measures
From a user’s perspective there is nothing that can be done to prevent pharming from occurring.
It is more a network security concern than a user-oriented one, so having strong DNS security in place is key here.
Typosquatters register URLs that are misspelled or slightly off but similar to the legitimate site’s URL to conduct typosquatting attacks. Typosquatters rely on the fact that people will mistype URLs and end up on their sites, thus driving ad traffic or even sometimes using the typo-based website to drive sales of similar but not legitimate products.
Preventative Measures
Be sure to check your spelling before going to a website. Make sure it is correct down to the last letter.
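A defensive check for the typosquatting described above, written as an added example for these notes (not code from the original page): it compares the registrable domain of a URL against an allowlist of known-good domains using edit distance, and also flags a good domain being used as a subdomain of another. The allowlist, the distance threshold and the crude two-label domain rule are assumptions.

```python
"""Typosquat check: is this URL's domain a small edit away from a known-good one?"""
from urllib.parse import urlsplit

# Constructed allowlist of domains the organization actually uses (assumption).
LEGIT_DOMAINS = ("example.com", "paypal.com", "microsoft.com")


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, or swap two
    adjacent characters, so 'micorsoft' is one edit from 'microsoft'."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # adjacent transposition
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def hostname(url: str) -> str:
    """Lowercased host part; a bare 'host/path' string without a scheme is accepted."""
    if "://" not in url:
        url = "//" + url
    return (urlsplit(url).hostname or "").rstrip(".")


def registrable_domain(host: str) -> str:
    """Last two labels (crude assumption; a real tool would use the public-suffix list)."""
    return ".".join(host.split(".")[-2:])


def check_url(url: str, allowlist=LEGIT_DOMAINS, max_dist: int = 2) -> tuple:
    """Returns (verdict, matched_domain); verdicts are legitimate,
    lookalike-subdomain, suspected-typosquat or unknown."""
    host = hostname(url)
    dom = registrable_domain(host)
    if dom in allowlist:
        return ("legitimate", dom)
    # e.g. paypal.com.evil.test: a trusted name used as a subdomain of another domain.
    for good in allowlist:
        if host.startswith(good + "."):
            return ("lookalike-subdomain", good)
    closest = min(allowlist, key=lambda good: edit_distance(dom, good))
    if edit_distance(dom, closest) <= max_dist:
        return ("suspected-typosquat", closest)
    return ("unknown", dom)
```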
Watering Hole Attacks don't redirect users; instead, they use websites that targets frequent to attack them. These frequently visited sites act like a watering hole for animals and allow the attackers to stage an attack, knowing that the victims will visit the site.
Once they know what site their targets will use, attackers can focus on compromising it, either by targeting the site or deploying malware through other means such as an advertising network.
Preventative Measures
Only visit secure sites, meaning ones with HTTPS in the URL.
Keep your software updated and monitor your internet traffic with antivirus software.
Consider installing antivirus software on your devices to flag cyber threats.
Only access websites by searching for them yourself versus clicking on an unsolicited link sent to you via email, on social media, or another digital means. The link could lead you to a third-party site infected with malware.

Spam

Spam, sometimes called unsolicited or junk email, may not immediately seem like a social engineering technique, but spam often employs social engineering techniques to attempt to get recipients to open the message or to click on links inside of it.
In fact, spam relies on one underlying truth that many social engineers will take advantage of: if you send enough tempting messages, you're likely to have someone fall for it!
Spam over Instant Messaging (SPIM) is the act of sending unsolicited or junk messages via instant messaging services.

In-Person Techniques

Dumpster diving, retrieving potentially sensitive information from a dumpster, is a very effective information gathering technique.
It can provide treasure troves of information about an organization, including documentation and notes.
Shoulder surfing is the process of looking over a person's shoulder to capture information like passwords or other data. Although shoulder surfing typically implies actually looking over a person's shoulder, other similar attacks such as looking into a mirror behind a person entering their credentials would also be considered shoulder surfing.
Preventative Measures
Preventing shoulder surfing requires awareness on the part of potential targets, although tools like polarized privacy screens (security lenses) over mobile devices such as laptops can help prevent shoulder surfing in public spaces.
Tailgating is a physical entry attack that requires simply following someone who has authorized access to an area so that as they open secured doors you can pass through as well.
Preventative Measures
Much like shoulder surfing, tailgating is best prevented by individual awareness.
Eliciting information, often called elicitation, is a technique used to gather information without targets realizing they are providing it. Techniques like flattery, false ignorance, or even acting as a counselor or sounding board are all common elements of an elicitation effort. Talking a target through things, making incorrect statements so that they correct the person eliciting details with the information they need, and other techniques are all part of the elicitation process.
Preventative Measures
User training is the best method to combat this.
Prepending can mean one of three things:
Adding an expression or phrase, such as adding “SAFE” to a set of email headers to attempt to fool a user into thinking it has passed an antispam tool
Adding information as part of another attack to manipulate the outcome
Suggesting topics via a social engineering conversation to lead a target toward related information the social engineer is looking for
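A detection for the first meaning of prepending above, added as an example for these notes (not from the original page): it flags a message whose Subject carries a “SAFE”-style trust tag even though the mail gateway never stamped it. The X-Gateway-Scanned header, the tag words and the sample messages are assumptions constructed for the example.

```python
"""Flag a sender-supplied 'SAFE' tag that the mail gateway did not add."""
import email
import re
from email import policy

# Assumption: the organization's gateway adds this header to every message it
# scans, so a trust tag in a message without it came from the sender instead.
GATEWAY_HEADER = "X-Gateway-Scanned"
TRUST_TAG = re.compile(r"^\s*\[?\s*(SAFE|SCANNED|VERIFIED|CLEAN)\s*\]?", re.I)


def spoofed_trust_tag(raw: bytes) -> bool:
    """True when the Subject is tagged as cleared but the gateway never saw it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    tagged = TRUST_TAG.match(str(msg.get("Subject", ""))) is not None
    scanned = str(msg.get(GATEWAY_HEADER, "")).strip().lower() == "yes"
    return tagged and not scanned


# Constructed sample messages (not real mail).
SPOOFED = (b"From: hr@example.test\r\nTo: staff@example.test\r\n"
           b"Subject: [SAFE] Q3 performance reviews\r\n\r\nOpen the attachment.\r\n")
LEGIT = (b"From: hr@example.test\r\nTo: staff@example.test\r\n"
         b"X-Gateway-Scanned: yes\r\nSubject: [SAFE] Q3 performance reviews\r\n"
         b"\r\nOpen the attachment.\r\n")
PLAIN = (b"From: it@example.test\r\nSubject: Password rotation reminder\r\n"
         b"\r\nNo tag here.\r\n")

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("legit", LEGIT), ("plain", PLAIN)):
        print(name, "->", "SUSPICIOUS" if spoofed_trust_tag(raw) else "ok")
```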

Physical Attacks

Malicious flash drive

Penetration testers (and potentially attackers) may drop drives in locations where they are likely to be picked up and plugged in by unwitting victims at their target organization.
Labeling the drives with compelling text also works: performance reviews, financial planning, or other key words that will tempt victims.

Malicious USB Cables

Malicious USB cables are less common since they require dedicated engineering to build, rather than simply buying commodity flash drives.
A malicious cable can be effectively invisible when it replaces an existing cable, and will not be noticed in the same way that a flash drive might be.
Such cables are often configured to show up as an input device (e.g., a keyboard) and may be able to interface with the computer to send keystrokes or capture data in addition to deploying malware.

Card Cloning

Card cloning attacks focus on capturing information from cards like RFID and magnetic stripe cards often used for entry access.
Skimming attacks use hidden or fake readers or social engineering and hand-held readers to capture (skim) cards, and then employ cloning tools to use credit cards and entry access cards for their own purposes.
Cloned cards can be difficult to detect if the cards do not have additional built-in protection such as cryptographic certificates and smart chips that make them hard to clone.
Without such protections, clones can be detected only by visual inspection to verify that they are not the original card.

Supply Chain Attacks

An attempt to compromise devices, systems, or software before they even reach the organization.

Identity Fraud and Impersonation

Pretexting

Pretexting is the process of using a made-up scenario to justify why you are approaching an individual. It is often used as part of impersonation efforts to make the impersonator more believable.

Identity Fraud

Identity fraud is the use of someone else's identity. Although identity fraud is typically used for financial gain by malicious actors, it may be used as part of penetration tests or other security efforts as well.

Hoaxes

Hoaxes, which are intentional falsehoods, come in a variety of forms ranging from virus hoaxes to fake news.
Social media plays a large role in many modern hoaxes, and attackers and social engineers may leverage current hoaxes to assist in their social engineering attempts.

Invoice Scams

Invoice scams involve sending fake invoices to organizations in the hopes of receiving payment.

Reconnaissance

Reconnaissance means the gathering of information about a target, whether that is an organization, individual, or something else.
On-site and in-person reconnaissance efforts use social engineering techniques to gain access, gather information, and bypass security systems and processes.

Influence Campaigns

Hybrid Warfare

Hybrid Warfare is generally accepted to include competition short of conflict, which may include active measures like cyberwarfare as well as propaganda and information warfare.
Individuals and organizations conduct influence campaigns to turn public opinion in directions of their choosing.
Most influence campaigns are associated with disinformation campaigns.
