Social engineering is a psychological attack against a company or an organization that aims to exploit people’s natural tendency to trust others. A social engineering attacker fabricates a pretext that is familiar to targets, and then preys on their cognitive biases to lull them into a false sense of security and trust. In short, the attacker assumes an alter ego that targets are expected to trust inherently.
Using this falsified trust relationship, the attacker coaxes targets to divulge sensitive data or perform an action they wouldn’t normally perform. Some leaked data, such as credentials, may be the end goal of the attacker. Other data, such as the name of a department manager, may be a means to an end.
The latter type of data may seem trivial, but that very fact is noteworthy for two reasons. First, because the information doesn’t seem important, targets are less likely to guard it closely. Thus, they’ll probably reveal it willingly without becoming suspicious. Second, social engineering is an iterative process. Every bit of information that an attacker gains is information that can be used to further strengthen the apparent legitimacy of the attacker’s pretext, which in turn instills greater confidence in targets, who are then more likely to divulge increasingly more sensitive information.
Social engineering may be considered a bold approach to hacking because it often requires attackers to make direct contact with their targets, either by telephone or in person. At the extreme end, an attacker will physically access areas intended to be restricted to the public, such as server rooms or vaults. These audacious social engineering tactics are often dramatized by Hollywood in heist films. And, just as in the movies, social engineering in the real world requires a great deal of research and planning, as well as elaborate pretexts.
As mentioned previously, social engineering is not always an end in itself but often a means to an end. Social engineering may be just one facet of a complex attack against a particularly robust system.
For example, suppose that through a technical exploit, an attacker has gained access to a user’s credentials. But imagine that the end goal of the attacker is to access a system that requires dual factor authentication provided by a keychain token that displays a different six digits every minute. Using social engineering and a convincing pretext, an attacker may be able to trick the user into divulging the multifactor information that allows access to the system.
Since attackers generally try to extract sensitive technical data, it is common for them to pose as IT or help desk personnel. Attackers research their targets using open source intelligence (OSINT), which aggregates public information from company websites, social networks, etc., to construct the pretext for their initial attack.
These are four popular social engineering attacks:
The human component is often the weakest link in a system. Because social engineering attacks target people, they often completely bypass many technical security controls. In short, social engineering attacks often result in an attacker gaining access to a target organization and provide the attacker with the same access as a genuinely authorized organization member, such as an employee.
Essentially, this allows an attacker to act as a malicious insider to infiltrate multiple organization systems and exfiltrate sensitive data. Ultimately, social engineering could lead to complete organization compromise, meaning all organization data (emails, credentials, source code, client data, etc.) could be stolen by attackers.
Red team assessments: To minimize the damage of social engineering infiltration, many organizations perform red team assessments to identify areas that require improvement. A red team assessment mimics a true-to-life attack scenario that uses social engineering techniques. The value of a red team assessment is that upon its completion, the assessors can prescribe actions that will strengthen the organization’s overall security posture and are tailored to integrate with the organization’s business needs.
Awareness training: One of the best defenses against social engineering attacks is social engineering awareness training. Such training will make employees mindful of the risks and encourage skepticism of suspicious activity. The ultimate goal of such training is to instill a business culture that promotes secure thought and action. Examples include disallowing tailgating, confronting suspicious individuals, verifying the identity of unknown individuals before discussing any sensitive information, reporting suspect activity, etc.
Secure architecture: A secure system is built from the ground up and designed with the expectation that one or more components will become compromised at some point. Consequently, secure systems include fail-safes designed to mitigate the collateral damage of such failures automatically. Such design features can be applied to a system in retrospect after a secure design and architecture review.