By Diwakar Dayal, Managing Director and Country Manager, SentinelOne India and the SAARC region
It’s no secret that social engineering is a powerful tool in a cyber criminal’s arsenal. Threat actors use psychological manipulation to convince unsuspecting users to hand over their passwords, personal information, or money. To date, social engineering attacks have served as the most common tool to gain an initial foothold and perform the lateral movement in the network.
Social Engineering Attack Techniques
There are several social engineering attack techniques. However, those that are the most frequently seen as part of cyber-attacks that target enterprises are:
Phishing
One common social engineering technique is phishing. This is where cybercriminals send out emails that appear to be from a legitimate source, such as a bank or an online retailer.
It is important to be very cautious of the email on a Friday evening at 4 PM when one is about to leave for the weekend, from the e-commerce company asking to click on the link to process a refund, check some unusual activity, or open some attachments.
The email may contain a link that leads to a fake website that looks identical to the real one. Once the user enters their login details, the cybercriminal can access the account.
Baiting
Another social engineering technique is baiting. This is where the cybercriminal leaves a USB drive or other types of storage devices in a public place. When someone finds the device and plugs it into their computer, the device will trigger specific actions targeted at the organisation’s systems, infecting them with malware and leading to allowing attackers to gain access.
Whaling / Business Email Compromise (BEC)
Phishing attacks that are targeted to high profile employees in an organisation such as C-suite, VP, etc., are known as Whaling. BEC, on the other hand, looks to impersonalize company executives to trick a normal user into performing certain activities. Both whaling and BEC require planning and study of the normal behavioral patterns and potentially result in much higher value outcomes.
Protection Against Social Engineering
Cyber security is always a fine balance between people, processes, and technology. Social engineering is the art of psychological manipulation. Most victims fall prey to social engineering attacks unmindfully without having any malafide intentions. However, social engineering attacks are evolving to lure people into mindfully clicking on certain links or sharing confidential information. As such, organisations must start with the people aspect and build a security-aware culture by investing in end-user cyber awareness. Naturally, as organisations build a formal end-user awareness program, the next center of focus will be on processes. Employees must know how to report social engineering attacks to the security teams. Security teams need technologies that help them protect, detect, and respond to these attack techniques, through a comprehensive cybersecurity program.
Defense Begins with Awareness and Training
It is imperative to train employees to recognise suspicious emails and not to click on links or open attachments but instead report them to the security team. Employees should be made aware of threat actor tactics. Training employees to understand how to identify a potential phishing attack and how to report it can prevent a serious compromise. Ensure employees understand they shouldn’t plug unknown devices into their endpoints, and instead turn them over to the IT or Security team.
These proactive measures help in building foundational resilience against phishing attacks. However, this should be taken a level higher by imbibing a sense of responsibility among the employees by empowering them and letting them use cyber judgment.
Empower Users with Clarity and the Confidence to Report Suspicious Activity
Organisations should have policies and procedures in place for dealing with suspicious emails, phone calls, and other communications. Providing employees with a simple, clear process for reporting social engineering attempts so that they can be investigated and stopped before any damage is done is fundamental to enterprise security. Fostering the cyber empowerment culture is hugely important.
Phishing simulation exercises are a useful assessment tool to evaluate employees’ resilience against phishing emails, but the same tool won’t be effective for intentional clicks by employees.
Simulation tests should only be done after having attained a certain level of maturity in imparting cyber training and awareness among the employees. The test should be followed by training to close the loop.
Leverage Technology to Counter Social Engineering
From a technology perspective, there are several security controls that organisations can evaluate that will reduce the risk of social engineering-based attacks:
1. Multi-Factor-Authentication (MFA): Although MFA bypass methods exist as manipulating an employee to share their one-time password, implementing MFA can reduce the threat.
2. Additional Authentication: In case of business email compromise attacks where a high-level executive is being impersonated, double checking using an offline method such as a voice call in response to an email marking the urgency should be done before initiating the action.
3. Conditional Access (CA): By implementing CA, organisations can ensure that only trusted identities on healthy endpoints can gain temporary access to corporate resources and services as required.
4. Identity Risk Assessment (AD Assessment): With the user’s identity often being center stage in an attack, having the ability to uncover security misconfiguration in real-time, the risk level of identities and performing remediation action is critical.
5. Identity Threat Detection and Response (ITDR): As identity-based attacks continue to increase, organisations are looking for ways to detect and respond to these types of attacks, and with that, ITDR technology is important.
6. Endpoint Detection and Response (EDR): As the majority of cyber-attacks are happening on the endpoint, and this remains true even in the context of social engineering, having the ability to detect and automatically or with a 1-click response to these threats is critical and with that EDR technology is also essential.
Conclusion
Social engineering is a serious threat to consumers and enterprises worldwide. By increasing our awareness of these attacks, having robust procedures in place, and the right tools, as defenders, we have the opportunity to reduce the exposure risk to these attacks significantly.
