When many people think of cybercrime, they conjure an image straight from a cheesy ’90s Hollywood film: nerds sitting at computer screens frantically tapping away at keyboards, green text scrolling across terminal windows.
“The password is ‘Jellyfish123.’ We’re in!”
Indeed, there is some truth to this stereotype. I don’t think I have ever met a hacker who was shy around a command-line interface, and it is conceivable that an opportunistic hacker may possess the technical capability to computationally derive a password or decryption key and break into a system.
However, the reality is that the most effective cybercriminals are not necessarily computer scientists; they are social engineers, and psychology is a core component of their rootkit.
Cyberattacks target people.
The most common attack method for high-profile incidents involves impersonating a trusted individual, encouraging the victim to click a malicious link directing the unsuspecting target to a page designed to capture login credentials or compromise a user’s 2FA device. Once compromised, credentials are exploited to gain access to sensitive information or to propagate the attackers’ presence within an environment.
Other attacks may simply attempt to extort an individual. At least twice in the last two months, someone has reported a call from an individual claiming to be tech support with demands like “install this remote access software or I will lose my job.”
The more brazen scammers will claim an invoice has gone unpaid and request that you hand over your routing and account number, or better yet, suggest that perhaps you had overpaid a past invoice and are entitled to a reimbursement.
And my personal favorite: “Do you have time for a Quick Call regarding Amazon Gift Cards?”
Hacking the human.
Social engineering attacks like these rely on psychological manipulation to gain the trust and confidence of their targets. Common tactics involve influencing targets with rapport, authority, obligation, validation, or reciprocity.
The most effective attackers will take their time to gather information. A darkweb dump of potential targets may only contain basic contact information with little context. Good hackers will investigate these contacts thoroughly, including their respective organizations and affiliates.
Social media is usually a safe bet for personal information, and you would be surprised at how much you can learn about someone from Google or public information searches. Social networking and employment sites are a treasure trove of information about an organization, as are published org charts, leadership statements, and “about us” pages.
As attackers discover more about the target, they build a profile and begin to refine their attack methods. Eventually they move to deceive the victims and attempt to gain a foothold, controlling the interactions and continually collecting information for as long as it takes. Maybe one will get lucky and get in touch with a distractible victim or discover an easily exploitable technical weakness.
“Human hackers” will know how to read nonverbal cues and play on sympathy, waiting for when guards are lowered or attention is misdirected. These methods place an interesting demand on the information security professionals charged with protecting those people. What good are technical safeguards if we let the intruders in the front door?
Limited response capabilities.
Cyber incident management teams typically focus on determining the extent of the damages, attempting to reduce the impact, addressing the technical issues, and getting the victim (and organization) back on track.
Threat intelligence frameworks can help to describe the nature of an attack or techniques and the motives or organizations behind them. Often, responders only require enough information to report the activity to law enforcement, regulatory or state agencies, cyber insurance providers, and credit monitoring partners.
However, it is not as common in our post-mortem activities to consider the extent of reconnaissance or pretexting efforts leading up to the attack, let alone consider how far back the attack actually began. The truth is that it likely started long before the incident was reported.
These challenges are perpetuated by the idea that, depending on who you are in a company, you might approach security differently. “Oh, the security people have this taken care of.” Hearing this type of thing may imply that the confidence game is already lost. The paranoia should be shared by everyone; that is, everyone must be at the top of their game, not just the security professionals.
Addressing the people problem.
The literature is clear: personnel training is more effective than an antivirus. If users know what to look for, they are more likely to avoid becoming a victim. Looks like it is time for the annual security awareness campaign.
However, it does make one wonder if this is our only method of developing vigilance and skepticism in our organization or if it is even adequate at all. Considering the sheer determination and persistence that social engineers possess, administrative controls should be bolstered with as much rigor as any of the many technical controls used in the organization.
Explore the world of cybersecurity.
To learn more about how to analyze your organization’s weaknesses and to improve defensive capabilities by building a defensible architecture that involves cultural change and appeals to stakeholders, check out the Security Analyst Nanodegree program.
Scammers and hackers have a lot of patience and empathy, and so must we. To learn more about the methods that hackers take to perpetrate cyber attacks, check out the Ethical Hacker Nanodegree.