Social engineering still works. Phishing still works. These are two constants across the majority of cyberattacks and breaches worldwide: attackers feast on the human side of security, exploiting trust and other psychological levers, particularly through social engineering, to gain a precious initial foothold on targeted networks.
In this episode of the Nexus Podcast, Alethe Denis, a senior security consultant at Bishop Fox, joins to discuss the ongoing effectiveness of these tactics, drawing on her experience in open-source intelligence (OSINT) analysis, social engineering, and red-team exercises and security assessments for critical infrastructure. Denis has extensive insight into why these tactics continue to work, and why defensive measures such as security awareness training aren’t enough to solve the problem, whether it boils down to company culture or human frailty.
“I find that the majority of the social engineering attacks that we hear about in the real world are simply plays at achieving access. And typically they're going after access to accounts that have a higher level of privilege within systems,” Denis said. “So it's interesting because a lot of people think of computer hacking as very complex hacking through a network, and a lot of what we're seeing is bypassing those things and going to people using social engineering tactics.”
While awareness training has been meaningful in reducing the effectiveness of some phishing campaigns and in reinforcing a company culture around cybersecurity, it cannot solve the entire people problem. As Denis said, some people are simply not capable of recognizing a scam or noticing when someone is trying to manipulate them.
Often, that one manipulated person is the foothold an attacker needs to breach an organization and walk off with sensitive business and personal information, which is then either sold on underground markets or held over the victim’s head in extortion campaigns that are frequently coupled with ransomware and other attacks. Leaked breach data, meanwhile, is a gold mine for scammers and extortionists building pretexts.
Pretexting is a core social engineering tactic in which an attacker crafts a scenario from stolen or gathered information about a victim, either to gain their trust or to extort them. Last year’s 23andMe breach and leak and the recent alleged exposure of all Americans’ Social Security numbers, for example, give attackers a wealth of information on which to build pretexts.
“So when it comes to pretexting, my way of constructing a pretext has always worked backwards from the data that I've been able to find. And in my experience, I found that most social engineers that I have worked with or learned from, they would come up with a pretext idea and then try to find the data to support it,” Denis said. “Whereas I go out and do open source intelligence (OSINT) gathering. And then I use that information to then come up with great pretext ideas from what I've learned. And in this case, breach data can be extremely helpful in creating both compelling and realistic pretexts, especially if you're trying to pose as a person.”
As for critical infrastructure sectors such as healthcare and manufacturing, Denis said she has participated in red-team engagements that include physical penetration tests.
“I have done physicals in hospitals and in water treatment centers in counties and public works type buildings and things like that,” she said. “And I found that in those facilities, there's hardly ever a middle ground. It's either wide open or extremely difficult.”
Michael Mimoso is Director of Influencer Marketing at Claroty and Editorial Director of Nexus.