
The Art of Deception: Social Engineering
- Cody
- Oct 31, 2024
- 7 min read
Suppose you lock down the network, keep every system patched, and build amazing defense systems to monitor and defend against threats with a zero-trust-based design, monitored cameras, badges, security guards, attack helicopters, ancient cannons, an alligator & shark-filled moat around the facility, etcetera etcetera. You decide that your program is the definition of zero trust and defense in depth. Yet with all of these technical and physical controls (perhaps even biological), no matter how perfectly they are configured, human beings are still vulnerable. Compromising just one person can undermine the whole defense-in-depth strategy you have in place, and that is what we are going to explore today.
Unlike technology, humans operate on intellect and emotion. If I can find a way to appeal to your emotions, I may be able to get past your defenses. I know, I know: you already know not to trust everything you hear, to watch out for phishing emails, not to trust phone calls from people claiming to be from your bank, not to let people tailgate through secure doors, and so on. We've all done the computer-based training. We are all experts, right? Or are we all vulnerable?
Let us look at this from the perspective of an attacker. I considered using the perspective of a penetration tester who is testing security, but they would be limited in scope to the timeframe of their engagement. They can do a lot in a short period of time, but we are thinking in terms of who we think we are: not vulnerable, but experts at preventing someone from hacking us. So we will visualize a scenario with...an advanced attacker attempting corporate espionage who is not limited in time or technique.
OSINT (Open-source intelligence)
How much intel could this attacker learn about you without ever interacting with you? This is known as passive reconnaissance. The attacker learns everything they can about you using open-source intelligence techniques, which find information that is freely and publicly available to anyone who wants it. We all know that social media is a huge part of this. A large number of people have their entire lives posted for the world to see.
"Just married!"
"Just had our second baby!"
"Going through a divorce, I'm so sad."
"My loved one is sick."
This type of knowledge tells us a lot about a person, and social engineering techniques can exploit it. The person who just got married may be going on a honeymoon, which could let an attacker gather intel at their home while they are away. A person going through a divorce may be sad and lonely, and similarly in the scenario with the sick loved one, a social engineer could appeal to that part of you and provide the connection and support you are looking for. I do not care how much of an expert you think you are: you are human and you are vulnerable. Living life makes us vulnerable because not every day is a good day. We have families whom we love...we get upset when bad things happen to us or to others. Some days we struggle because life is really hard...we are human. Let us look at potential intelligence sources that an attacker could exploit.
"Baby On Board"
These signs are placed on vehicles with the intention of keeping other drivers aware that there is a baby in this car and that they should be extra cautious around it. But to an attacker, this is a sign that you could be a prime target because you are likely to be distracted by the baby and unaware of what's going on around you.
I recently heard the idea of not having your name on your clothes, because a stranger could, in the case of a young child, pretend to be someone the child knows simply because they know the child's name. Maybe they say that they are friends of the child's parents; that builds trust and the child gets in the car with that stranger. In the case of an adult with their name on their clothes, someone could sit there at the coffee shop and research you with Google searches and social media reconnaissance, learning a lot about you and potential attack vectors.
On your minivan, you have a stick figure family that shows you, your spouse, two kids, a new baby, two dogs, and a cat. Their names may even be on there. On another car, there's only a sticker that shows how proud you are of your daughter because she is on the honor roll. How much information are you offering to the world? These are ways that attackers can learn more about you and potentially be more successful with their social engineering tactics.
Metadata
Returning to social media, something we may not realize is that we may be giving out more information than we intended because of the metadata embedded in our pictures. With location services turned on for your phone's camera, which is typically a default setting, someone can gather information about the places you regularly hang out, and perhaps where you live. "Oh, you love dogs? So do I!" They might even be able to gather more data from what is shown in the background of pictures to better understand the person. The attacker now has possible locations where they can meet you and start building trust with you through friendship. Perhaps they figured out from your social media that you were grieving the loss of a loved one and learned that you attend a weekly grief-support group. The attacker just happens to have been grieving a loss too and also attends that support group. Is this really such a crazy idea? Maybe it is. But maybe it is good to have some educated awareness about how social engineers achieve their goals.
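To make the metadata point concrete, here is an added example (my own illustration, not code from the original post). It builds a tiny JPEG by hand with a constructed EXIF APP1 segment carrying GPS coordinates (the coordinates and the image itself are made up), reads the latitude and longitude back out the way any metadata viewer would, and then strips the EXIF segment so that the copy you share carries no location. It handles the common layout only, one APP1 Exif segment whose GPS IFD stores degrees, minutes and seconds as rationals, and uses nothing beyond the Python standard library.

```python
import struct

# Tag numbers from the EXIF specification: the pointer to the GPS IFD and the four position tags.
GPS_IFD_POINTER = 0x8825
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x0001, 0x0002, 0x0003, 0x0004


def build_sample_jpeg():
    """Constructed sample: a minimal JPEG whose APP1 Exif segment holds a GPS IFD (big-endian TIFF).
    TIFF layout: header (8 bytes), IFD0 at offset 8 with one entry, GPS IFD at offset 26 with four
    entries, latitude rationals at offset 80 and longitude rationals at offset 104."""
    lat_dms = [(40, 1), (26, 1), (4600, 100)]   # 40 deg 26' 46.00" N  (made-up location)
    lon_dms = [(79, 1), (58, 1), (5600, 100)]   # 79 deg 58' 56.00" W
    ifd0 = struct.pack(">H", 1) + struct.pack(">HHII", GPS_IFD_POINTER, 4, 1, 26) + struct.pack(">I", 0)
    gps = struct.pack(">H", 4)
    gps += struct.pack(">HHI", GPS_LAT_REF, 2, 2) + b"N\0\0\0"   # ASCII, short enough to live inline
    gps += struct.pack(">HHII", GPS_LAT, 5, 3, 80)                # 3 RATIONALs, stored at offset 80
    gps += struct.pack(">HHI", GPS_LON_REF, 2, 2) + b"W\0\0\0"
    gps += struct.pack(">HHII", GPS_LON, 5, 3, 104)
    gps += struct.pack(">I", 0)                                   # no further IFD
    rationals = b"".join(struct.pack(">II", n, d) for n, d in lat_dms + lon_dms)
    tiff = b"MM" + struct.pack(">HI", 42, 8) + ifd0 + gps + rationals
    payload = b"Exif\0\0" + tiff
    app1 = b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload
    comment = b"constructed sample image"
    com = b"\xff\xfe" + struct.pack(">H", len(comment) + 2) + comment  # a COM segment that must survive stripping
    return b"\xff\xd8" + app1 + com + b"\xff\xd9"                      # SOI, metadata segments, EOI


def _split(jpeg):
    """Return ([(marker, segment_bytes), ...], offset) where offset is where scan data or EOI begins."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    segments, pos = [], 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] not in (0xDA, 0xD9):
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        segments.append((jpeg[pos + 1], jpeg[pos:pos + 2 + length]))
        pos += 2 + length
    return segments, pos


def _read_ifd(tiff, e, offset):
    """Parse one IFD into {tag: (type, count, raw 4-byte value-or-offset field)}."""
    n = struct.unpack(e + "H", tiff[offset:offset + 2])[0]
    entries = {}
    for i in range(n):
        base = offset + 2 + 12 * i
        tag, typ, count = struct.unpack(e + "HHI", tiff[base:base + 8])
        entries[tag] = (typ, count, tiff[base + 8:base + 12])
    return entries


def _dms(tiff, e, entry):
    """Decode a 3-RATIONAL GPS coordinate (degrees, minutes, seconds) into decimal degrees."""
    typ, count, field = entry
    if typ != 5 or count != 3:
        raise ValueError("unexpected GPS coordinate encoding")
    off = struct.unpack(e + "I", field)[0]
    d, m, s = [num / den for num, den in struct.iter_unpack(e + "II", tiff[off:off + 24])]
    return d + m / 60 + s / 3600


def extract_gps(jpeg):
    """Return (lat, lon) in decimal degrees from the Exif GPS IFD, or None if the image carries none."""
    for marker, seg in _split(jpeg)[0]:
        if marker != 0xE1 or seg[4:10] != b"Exif\0\0":
            continue
        tiff = seg[10:]
        e = ">" if tiff[:2] == b"MM" else "<"                      # byte order flag of the TIFF header
        ifd0 = _read_ifd(tiff, e, struct.unpack(e + "I", tiff[4:8])[0])
        if GPS_IFD_POINTER not in ifd0:
            return None
        gps = _read_ifd(tiff, e, struct.unpack(e + "I", ifd0[GPS_IFD_POINTER][2])[0])
        if not all(t in gps for t in (GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON)):
            return None
        lat, lon = _dms(tiff, e, gps[GPS_LAT]), _dms(tiff, e, gps[GPS_LON])
        if gps[GPS_LAT_REF][2][:1] == b"S":
            lat = -lat
        if gps[GPS_LON_REF][2][:1] == b"W":
            lon = -lon
        return lat, lon
    return None


def strip_exif(jpeg):
    """Return a copy with every APP1 Exif segment removed; other segments and the image data are kept."""
    segments, rest = _split(jpeg)
    kept = b"".join(seg for marker, seg in segments if not (marker == 0xE1 and seg[4:10] == b"Exif\0\0"))
    return jpeg[:2] + kept + jpeg[rest:]


if __name__ == "__main__":
    sample = build_sample_jpeg()
    print("location in the original:", extract_gps(sample))
    print("location after stripping:", extract_gps(strip_exif(sample)))
```

Run it as is and the first line prints the made-up coordinates, the second prints None. Real phones also write the capture time, the device model and sometimes a thumbnail into the same Exif block, which is why stripping the whole APP1 segment rather than just the GPS tags is the safer habit before posting.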
Exploiting Goodness
How many of us have a cause that we are passionate about? Perhaps we lost someone to breast cancer and now advocate for awareness and support of organizations that battle breast cancer, and organize and walk with breast cancer survivors and those struggling with it.
You are passionate about fighting the injustice in the world. Maybe you are fighting to end hunger, or you wish you could own a giant farm where you could bring all the abandoned stray dogs and cats home. You are passionate about human equality...about ending racism and sexism...about animals...about your political party...about feeding the hungry...about taking care of the sick...Everyone has something they are passionate about. Think about how someone could use your passion against you. How do you feel when someone is so interested in something you love and you get to tell them everything you know about that subject? It feels amazing, doesn't it?!
If you saw a struggling pregnant woman or a person in a wheelchair, you would help that person, wouldn't you? Of course you would help them, because you are a good person. The inherent goodness in our hearts may be a vulnerability, but it is NOT a flaw. That goodness and kindness and, really, love for your fellow humans (and non-humans too) is meaningful and amazing. But if those same people say they forgot their employee badge in hopes that they can tailgate through a secure door, that could be an attempt to exploit your goodness to reach an area they are not authorized to enter.
These are all potential attack vectors that can be used against us by an attacker looking to gain access to a facility or computer systems they are not authorized to use. Slow down and think. Even the most skilled and educated people in the information security industry are vulnerable from time to time.
Context
A common factor that increases an attacker's chance of success is a sense of urgency. Adding a sense of authority or scarcity to the situation can amplify that urgency. Given time to think about the situation, we might realize that it is not what it seems. We might realize that someone could be trying to take advantage of us to get information, credentials, or even money. This is why it is imperative to slow down and think.
Typo-Squatting and Phishing
When you receive an email that claims to be from your bank, the sender address and even the links to websites can often be so close to the real thing that it's hard to tell the difference between what is real and what is not. Much of the time we are just scanning with our eyes, so it's easy to make a mistake. We must slow down and pay attention to the details. Say the email claims that your $500 payment to some company went through. That would annoy me too if it were true and I hadn't made that payment. Instead of responding directly to the email, let's ask some questions first. Does your bank normally contact you in this manner? Can you check the mobile banking app you normally use for this account to confirm it? Can you look up contact information on the company's website and call them to ask about this email?
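Here is an added example (my own, not from the original post) of the kind of "slow down and look at the details" check that a mail filter, or a careful reader with a script, can run on a link before clicking it. It compares the link's domain against a constructed list of domains you actually do business with (TRUSTED_DOMAINS is an assumption for the example), collapses look-alike spellings such as rn for m and 0 for o, catches one-letter edits and swapped letters, flags a trusted brand name used as a subdomain of some other domain, and sets internationalized names aside for out-of-band verification. The "last two labels" rule for the registrable domain is a simplification; a production filter would consult the public suffix list.

```python
from urllib.parse import urlparse

# Constructed list of domains the reader actually uses (assumption for this example).
TRUSTED_DOMAINS = ("mybank.com", "facebook.com")

# Letter groups that read alike at a glance; extend to taste. Order matters: pairs before singles.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def skeleton(label):
    """Collapse look-alike spellings of a domain label into one canonical form."""
    s = label.lower()
    for fake, real in CONFUSABLES:
        s = s.replace(fake, real)
    return s


def osa_distance(a, b):
    """Optimal string alignment distance: one insert, delete, substitute or adjacent swap costs 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)   # transposition of two adjacent letters
    return d[len(a)][len(b)]


def classify_host(host, trusted=TRUSTED_DOMAINS):
    """Describe how a host name relates to the trusted list: trusted, lookalike, brand-as-subdomain, ..."""
    host = host.lower().rstrip(".")
    labels = host.split(".")
    # Punycode or raw non-ASCII labels can hide homoglyphs; do not try to judge those by eye.
    if any(l.startswith("xn--") or not l.isascii() for l in labels):
        return "internationalized label: verify out of band"
    if len(labels) < 2:
        return "unknown domain"
    domain = ".".join(labels[-2:])          # simplification: no public suffix list
    if domain in trusted:
        return "trusted"
    candidate = labels[-2]                  # the label an attacker would make look like the brand
    for t in trusted:
        brand = t.split(".")[0]
        if brand in labels[:-2]:            # e.g. mybank.com.something-else.example
            return f"brand used as subdomain of {domain} (not {t})"
        if skeleton(candidate) == skeleton(brand) or osa_distance(candidate, brand) <= 1:
            return f"lookalike of {t}"
    return "unknown domain"


def classify_link(url, trusted=TRUSTED_DOMAINS):
    """Pull the host out of a URL and classify it."""
    host = urlparse(url).hostname
    return classify_host(host, trusted) if host else "no host in URL"


if __name__ == "__main__":
    # Constructed sample links of the kinds described above.
    for link in ("https://www.mybank.com/login",
                 "https://faceb00k.com/",
                 "https://rnybank.com/",
                 "https://mybnak.com/",
                 "https://mybank.com.secure-login.example/login",
                 "https://example.org/"):
        print(f"{link:50} -> {classify_link(link)}")
```

A verdict of "unknown domain" is not a clean bill of health; it only means the name is not a near-copy of something on your list. The cheap check still wins more often than it loses, because the attacker's whole bet is that you will never look at the label character by character.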
Summary
I know how farfetched some of these ideas sound. If we really wanted to lock down our defenses, we would likely develop debilitating paranoia and would not be able to go outside and live. This is more of a call to pay closer attention. In the military, we call this "attention to detail". A healthy sense of paranoia/awareness would allow us to live and enjoy our lives while slowing down a little and asking the question from time to time: is everything as it seems? As I was becoming interested in cybersecurity and learning how to better protect myself, I would think that I, of all people, would be hard to fool. The truth today is that social engineers can be really good. You will still get those ridiculous emails from faceb@@k, and of course you won't be fooled by those. But given the right situation, the right moment in your life, at the right time of day, in a certain location, with a properly spoofed email, you too could be socially engineered. So remember to slow down, look at the details, and ask yourself if everything is as it seems to be. Thank you.