Hello! Welcome back to this next TomCast from GuardSight; we are a tactical cybersecurity-as-a-service organization dedicated to helping businesses protect their data, their assets, and their endpoints.
Today we are going to start discussing Social Engineering, what it means, various methods used, and what can be one by the threat actors if social engineering attempts are successful. One social engineering definition by the Cambridge dictionary is “attempts to trick people into giving secret or personal information, especially on the internet, and using it for harmful purposes”.
Hmmm…attempts to trick people. Wow, if one has paid attention to the news at all over the past year to several years, you would recognize that there have been numerous attempts to trick people. Think of recent events. Has anyone here seen a fake email touting information on the latest COVID vaccine? How about ads that pop up claiming you have just won a prize? Or, even better, information that Bill Gates is sharing his fortune, but you have to click a link to receive your share?
Those are a few examples of social engineering, but each one of those examples are tech-based, electronic examples. How about face to face social engineering attempts? Ever heard of someone claiming to be someone they are not in an effort to gain access to a particular location or business?
Many of us have seen the multitudes of movies where someone is tricked into thinking a particular character really isn’t who they say they are. These are examples of social engineering as well. The attempt is to convince (or trick) the target into providing useful information. Maybe that useful information is access to another area that has …you guessed it…even more useful information.
Well, some may say “who cares?”. “Why do I need to worry about someone stealing my information? I don’t have anything useful out there to steal”. Well, that seems like a valid point, but look into it a bit deeper. Let’s say I am a threat actor trying to figure out how to purchase more equipment for my harmful intentions. I don’t want to use my own name since I don’t really want to have an early run-in with law enforcement.
So, I start trying to harvest other peoples’ information. Now, a target may believe they have nothing important for me sitting out there on the web. If I can grab their name, maybe their birthday, some more info about them, I could possibly impersonate them in an effort to obtain what I need for my own intentions. That way it wasn’t “me” that opened that line of credit, or that applied for that loan, it was my target. All I did was act like them and provide an updated address/account for the funds I need.
That is just one small example of what threat actors can do and have done. This is also one simple reason why folks should protect their information, regardless if they deem it important or not.
There are several different terms used (that you may have heard of) that fall under the broader category or term of social engineering. Phishing, baiting, pretexting, etc. These and other social engineering terms will be discussed in future TomCasts.
It is important to know the social engineering “life cycle”; there is a definite process that is in use when it comes to the succession of social engineering. Identification, Hook, Play, and Exit are the main four steps in the life cycle.
First, reconnaissance is performed on the target or targets; this is where the threat actor attempts to identify their “in” or their first point of access.
Once identification has occurred, the method of the hook is determined, a.k.a. how are they going to successfully lure and catch their target? This could be logical OR physical. A phishing email would be a logical attempt at the hook, while impersonating a vendor or another employee would be a physical attempt.
Once the target is caught (has clicked on the link or has allowed physical entry or access as an example), the play is employed. What information can now be extracted from the target? This is also typically the period where malware is injected (if the target is a logical one) to spread it throughout the network.
Then, the self-defined step of Exit, where the threat actor has achieved their goal and makes an exit of the network or facility, etc.
The important takeaway from this is that there is no definitive list of social engineering tactics; as technology advances and evolves so do social engineering methods. If one was around back in the 60’s or 70’s, well before the public internet, social engineering tactics were quite a bit different than now.
Technology has increased the attack surface for social engineering attempts exponentially, so each and every person needs to be on their guard at all times. Sounds like a tall order, but once one starts employing regular security practices they become like any other repeated behavior in their life or in the life of the organization that employs them. It becomes habit.
Well, I do not wish to make this first social engineering TomCast super long, so I will stop here. I will dive into social engineering types over the next couple of TomCasts to give you all a better idea of what the terms mean and how they are used. We here at GuardSight thank you for taking the time to listen to this TomCast. Please share this if you believe it would be of assistance to anyone in your contact list, and please provide us some feedback in the comments so we can continue to improve. Thanks!