Sun Tzu Social Engineering v2.0
by Joshua Tengeo
The Art of War (孙子兵法, Sun Zi Bing Fa) is one of the oldest and most widely read books on military strategy in the world. Over the past few centuries, the ancient military text has had a huge influence on military thinking and business strategy. Its strategies have survived for more than 2,500 years because the advice is compelling, concise and easy to understand, while remaining malleable enough to suit many different scenarios. However, can the same strategies be applied to the contemporary cyber domain, where weaponized code is deployed by nation-states and other organizations?
Sun Tzu and Cyber War
“The cyber warfare is of vital importance to the business, it is a matter of life and death” Sun Tzu
The Art of War is among the most influential military publications in human history. The book has survived over 2,500 years in part because its strategy is highly malleable. Tacticians have adapted The Art of War to new situations across many technological revolutions, and Sun Tzu’s insights have lost little of their resonance.
In the modern context, high-profile security breaches have elevated cyber security to the top of the international agenda, and fears that such breaches may endanger the global economy have made cyber security a necessity rather than a privilege. The essence of cyber security is being proactively prepared to protect your intellectual property and operational capabilities within cyberspace. Failure to do so could expose a company to regulatory penalties, criminal litigation and an inability to meet contractual obligations, leading to a damaging loss of trust among customers and corporate sponsors.
Sun Tzu and Social Engineering
“All Social Engineering Is Based Upon Deception” Sun Tzu
Within the context of Sun Tzu’s Art of War, the common malicious practice of ‘social engineering’ is the deception and manipulation of human behaviour. Despite centuries of technological advancement, and our rapid move into cyberspace over the last decade, human behaviour has remained almost unaltered.
When it comes to decision making, humans operate on two distinct types of process:
● System 1 is an automatic response: a fast, unconscious way of thinking that requires little mental effort but is prone to biases and systematic errors. Let us call these automatic responses.
● System 2 is an effortful, slow and controlled thought process. It requires attention and can override the instincts produced by System 1. Let us call these cognitive responses.
The majority of social engineering attacks focus on triggering automatic responses, and this is the foundation of how ‘phishing attacks’ are conducted. Because they exploit innate, if complacent, aspects of human behaviour, such attacks remain the most prevalent cyber security threat today. Despite their staggering success rate, these attacks have continued to evolve, from simple ‘click this link’ emails to advanced malware delivery and other means of digital compromise.
Currently, three types of phishing attack are highly prevalent in today’s cyber landscape.
● Action Phishing — tricking an individual into divulging information that is sensitive in itself, or into taking an action that leaves the individual or the organization vulnerable. For example, this might involve spoofing an email from the company CEO asking an employee to transfer a large sum of money for some plausible business reason.
● Exploit Phishing — malicious email content that exploits a zero-day vulnerability or an unpatched machine. For example, a malicious PDF distributed as an attachment in an enterprise-wide email, resulting in the infection of multiple machines and workstations targeted by the campaign.
● Credential Phishing — attempts to harvest credentials from a legitimate user. For example, an email that appears to link to a webmail provider but actually sends the victim to a cloned login page, where their credentials are captured by the attacker orchestrating the scam.
“Be extremely subtle, even to the point of formlessness” Sun Tzu
While enterprises are exposed to all three types of phishing attack, it is mid-to-senior executives who are most often targeted, because of their access to core networks and sensitive databases. Given the stealthy nature of credential phishing, it is a favoured way for attackers to gain an initial foothold in a corporate network and then pivot deeper into more sensitive, access-controlled systems.
In a modern world dominated by the Internet of Things and online services, users are required to create and enter credentials on a routine basis. As more connections are created within our technology-dependent environment, our brains are conditioned to build simple, repeatable routines for repetitive tasks, something that attackers adept at social engineering readily exploit. Now that we understand the psychology behind such attacks, we need to look at how subtle a well-crafted phishing campaign can be.
Social Engineering in action
Meet Joe Blackhat, an imaginary attacker who wants to run a phishing campaign against a company. He has specific targets, mainly executives in the corporate top brass, who may not have had formal cyber security training or awareness. At a minimum, he needs the targets’ email addresses; but the emails he sends must also be convincing enough to survive scrutiny, so that he can gain access to more information.
First, Joe conducts some intelligence gathering and discovers that the company he is targeting uses Slack as its company-wide communication platform. Armed with this knowledge, Joe crafts a malicious email with an embedded link to a fake website designed to mimic the Slack user interface.
The ‘spoofed’ email (a common term for a forged replica) has no visible differences from a genuine Slack notification and can easily fool most employees who use the platform daily. The email is designed to exploit the automatic response of employees who follow an established operational ‘pattern’ whenever such platform updates arrive. When the victim clicks the link, they land on the cloned page, which asks them to enter their login credentials. The user never realises they have visited a fake page, because as soon as the credentials are submitted the page redirects them to the real site.
For Joe’s plan to work, the spoofed website must look convincing so that the user feels no suspicion when entering their credentials. A common tactic for achieving this is the use of ‘homoglyphs’: characters, or combinations of characters, that look identical or nearly identical to other characters, such as the Cyrillic ‘а’ in place of the Latin ‘a’, or the pair ‘rn’ in place of ‘m’. Attackers register a domain name built from such characters so that it reads, at a glance, as the legitimate one. Note that an internationalised domain name is resolved in its ASCII ‘xn--’ (punycode) form, which is why many browsers fall back to displaying that form when a label mixes scripts; it is the rendered Unicode name that deceives the eye.
Once the lure is prepared, the attacker only has to set the ‘trap’ and wait for victims to fall in. Within the cyber security community the term ‘watering-hole’ attack is often invoked here, the image being a crocodile lying in the water waiting for unsuspecting zebras to wander in. Strictly speaking, a watering-hole attack means compromising a legitimate website that the targets already visit, whereas Joe is hosting a cloned page of his own; the waiting game is the same. As the imaginary attacker here is most likely a seasoned hacker, he will find an unprotected server on the internet, break into it, host the phishing site on it and cover his tracks.
Preventing Phishing Attacks
When it comes to phishing, awareness is your most powerful defense. When browsing the web, remember: your instinctive thought process is the cybercriminal’s best instrument and your awareness is his or her worst enemy. Always check suspicious email content, hover over links to see where they really lead, and verify the domain name in the browser address bar carefully, keeping in mind that a look-alike domain may differ by a single character or appear in its ‘xn--’ punycode form. When in doubt, open the service by typing its address yourself rather than following the link. Enable multi-factor authentication on email and collaboration accounts, so that a harvested password alone is not enough to log in.
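The homoglyph tactic described in the Joe Blackhat scenario and the advice above to verify the domain in the address bar come down to one check: does the name the user sees visually imitate a trusted one? The following Python script is an added example written for this article, not code from the author or from any tool the article mentions. It assumes a constructed allow-list (TRUSTED_DOMAINS), a hand-picked subset of Unicode confusables (CONFUSABLES, not the full Unicode TR39 table), and only the Python standard library. It reduces both the candidate and each trusted domain to a visual ‘skeleton’, flags labels that mix scripts, and shows the ‘xn--’ form the resolver actually uses.

```python
"""Look-alike (homoglyph) domain checker -- an added example, not the
article's own tooling.  It flags address-bar domains that visually imitate
a trusted one, including IDN spoofs and ASCII tricks such as 'rn' for 'm'.
"""
import unicodedata

# Constructed allow-list for the example; a deployment would load its own.
TRUSTED_DOMAINS = {"slack.com", "microsoft.com", "example.com"}

# Hand-picked subset of Unicode confusables (assumption: enough for the demo,
# not a replacement for the full Unicode TR39 confusables table).
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u0458": "j",  # CYRILLIC SMALL LETTER JE
    "\u03b1": "a",  # GREEK SMALL LETTER ALPHA
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
    "\u03c1": "p",  # GREEK SMALL LETTER RHO
    "\u0131": "i",  # LATIN SMALL LETTER DOTLESS I
    "0": "o",
    "1": "l",
}

# Pure-ASCII sequences that read as one letter in many fonts.
DIGRAPHS = [("rn", "m"), ("vv", "w")]


def skeleton(domain):
    """Collapse a domain to the string a human *perceives*, so that
    look-alike domains compare equal.  Apply to both sides of a comparison."""
    text = unicodedata.normalize("NFKC", domain).lower()
    # Drop combining marks (accents, dots) that a glance would not register.
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    text = "".join(CONFUSABLES.get(ch, ch) for ch in text)
    for seq, repl in DIGRAPHS:
        text = text.replace(seq, repl)
    return text


def scripts(label):
    """Approximate the set of scripts used by the letters in one DNS label,
    taken from the first word of each character's Unicode name."""
    found = set()
    for ch in label:
        if ch.isalpha():
            name = unicodedata.name(ch, "")
            found.add(name.split(" ")[0] if name else "UNKNOWN")
    return found


def to_punycode(domain):
    """Return the ASCII (xn--) form the resolver actually uses; this is the
    form worth comparing, because the rendered Unicode can lie."""
    try:
        return domain.encode("idna").decode("ascii")
    except UnicodeError:
        return "<invalid IDN>"


def check_domain(candidate, trusted=TRUSTED_DOMAINS):
    """Classify a host name as it appears in the address bar."""
    host = candidate.strip().rstrip(".").lower()
    result = {
        "domain": host,
        "punycode": to_punycode(host),
        "non_ascii": not host.isascii(),
        "mixed_script": any(len(scripts(lbl)) > 1 for lbl in host.split(".")),
        "looks_like": None,
        "verdict": "unknown",
    }
    if host in trusted:
        result["verdict"] = "trusted"
        return result
    skel = skeleton(host)
    for good in sorted(trusted):
        if skeleton(good) == skel:
            result["looks_like"] = good
            result["verdict"] = "homoglyph"
            return result
    if result["non_ascii"] or result["mixed_script"]:
        result["verdict"] = "suspicious"
    return result


if __name__ == "__main__":
    # Constructed sample: a genuine domain, an IDN spoof with a Cyrillic 'а',
    # an ASCII 'rn'-for-'m' spoof, and an unrelated domain.
    for sample in ["slack.com", "sl\u0430ck.com", "rnicrosoft.com", "slack-login.com"]:
        r = check_domain(sample)
        print(f"{r['domain']:<18} {r['punycode']:<22} {r['verdict']:<10} {r['looks_like'] or ''}")
```

Two design points are worth noting. The skeleton is applied to the trusted names as well as the candidate, so an ASCII trick like ‘rnicrosoft’ is caught without any non-ASCII characters being involved, which a mixed-script check alone would miss. And the punycode field is computed with Python’s built-in `idna` codec, which implements the older IDNA 2003 rules; a production checker should use the third-party `idna` package (IDNA 2008) and the full Unicode confusables data rather than the short table assumed here.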
In this article, we have covered how Sun Tzu’s strategies relate to cyber warfare in terms of social engineering and deception, and the preventive measures available. However, cyberspace has many characteristics unlike anything Sun Tzu could have imagined in ancient China. As strategists begin to plan cyber warfare with The Art of War in mind, they should be aware of key differences, such as the intangible nature of cyberspace, which can make the calculation of victory, defeat and battle damage highly subjective matters of interpretation.