Social Engineering: an IT Security problem doomed to get worse

The problem of Social Engineering (SE) is evolving since few years at an incredible pace. Until the end of the past century, SE was an advanced but niche way of attacking dedicated systems; today is a mainstream methodology in cybercrime and cyberterrorism. The complexity level of attacks, exploiting the human element, is incredibly high and often the human layer is the enabler of the following technological attacks. As an explanatory example consider the Pawn Storm attack (see www.dogana-project.eu/index.php/social-engineering-blog/11-social-engineering/27-real-story-behind-pawn-storm-attack), one of the Organized Crime Groups (OCG) to better exploit the human layer of security. Since few years our team at Cefriel, explores the role and the evolution of SE in the attacks, to find some solutions to measure, mitigate and “patch” the human layer of security.

Despite the efforts in the contrast of SE, the problem is still spreading across the different sectors. This trend is clearly shown by the data of KnowBe4, for the US market (see Figure 1) and Cefriel, for the EU[1] (see also https://www.dogana-project.eu/index.php/social-engineering-blog/11-social-engineering/94-estimates-of-social-engineering-attacks).

Figure 1 — KnowBe4 statistics of their simulated phishing tests (updated Jan 2018). Source: KnowBe4

The first and more concrete approach was, since 2010, to develop our methodology for performing a vulnerability assessment of the employees, what we call Social Driven Vulnerability Assessment (SDVA)[2]. The natural evolution of the Cefriel’s activities was to export our experience in a European context: the project DOGANA (www.dogana-project.eu) or which I am the scientific coordinator, focused on the impact and the remediation of the human factor in security and built a more robust and stable SDVA framework.

The DOGANA aims to reduce the cyber-exposure to the threat of Social Engineering. This intention passes through a stable and efficient measurement of the vulnerability, the calculation of the associated cyber risk and its reduction using training.

Some recent data

Today, only about 3% of malware tries to exploit an exclusively technical flaw. The other 97% target instead users through Social Engineering (SE) (source KnowBe4), i.e. an approach in which attackers use humans as channels to reach their target. Hacking attempts increasingly focus on the human vulnerabilities of an information elaboration system instead of lapses in software or hardware. This one is a growing trend. The “Phishing activity trends report. Unifying the global response to Cybercrime”, periodically released by the Anti Phishing Working Group (APWG)[3], reports what is in Figure 2: the number of attacks that include to some extent the human layer of security counts to approx. 97% of the successful attacks. Trojans, Aware/Spyware and PUP[4] have in common the need of being activated by a human body, which clicks, open, or executes them, attracted by some deceptive content. Only Viruses and Worms, by definition, can infect a system without any human intervention.

Figure 2 — Statistics reported by APWG for Q2 and Q4 2016. Elaboration of the APWG data reported in the periodic “Phishing activity trends report. Unifying the global response to Cybercrime.”

Exact percentage-wise estimates may vary from study to study, but the majority of today’s cyber attacks are designed to take advantage of the human errors and only further in the infection process of flaws in hardware or software. According to the ProofPoint’s (a leading cybersecurity company) Human Factor Report 2018, “human vulnerabilities are more dangerous to modern organisations than software flaws[5]. This plague equally hits all the sectors, and all are equally vulnerable. Targeted Attacks (TAs) are among those that efficiently exploit SE techniques to facilitate data breaches and exploits in general[6]. TAs are not the most widely used, but they are the most successful as they have the highest likelihood of leading to data breaches in hospitals, public bodies and in general any business sector. Hence, the costs of SE are the costs of any cyber-attack. SE is the human-side of hacking, and we are currently in the “era” of human hacking. However, SE is also evolving, and today we are talking about SE 2.0 vs old school SE[7].

From old-school SE to SE 2.0

However, also SE evolves, and today we are speaking of SE 2.0 vs old-school SE. The old-school SE is an adaptation of the ageless art of deception to the modern communication media (mainly phone and early use of email, besides physical intrusion), where the level of personal talent involved and effort required practically limited this type attacks to few famous attackers concentrating their interests mostly on valuable targets.

Modern SE includes and extends the former SE concepts into a wider vision. Probably the cornerstone that splits between old school and modern SE is the possibility to exploit the SE techniques on a larger scale, using automated attacks.

What triggered the transition from old school to modern SE was the large amount of data that today is freely available in the social networks that are also easily machine-readable. The advent of social networks and the new trends in sharing information changed the landscape. However, another cornerstone was the involvement in the planning of the attacks of unforeseen competences such as psychologists, marketing experts and in general all the human sciences. Figure 3 lists the main characteristics of SE 2.0 that were not present in former SE.

Figure 3 — Peculiar characteristics of SE 2.0 (source: Cefriel)

At its roots, the early social engineers were all IT experts or talented hackers. Despite being well prepared in hacking logics and personally talented, their results were not comparable to the results achievable nowadays due to the involvement of professionals such as psychologists, marketing experts or cognitive scientists in the hacking attacks.

Since most cyber attacks include non-technological exploits, the impact of SE on modern information security has increased significantly.

In Cefriel we performed a significant number of assessments using the SDVA methodology in large and small enterprises (more than 40,000 employees in more than 20 companies) What we understood is that a wise use of memetic, marketing techniques and cognitive sciences enhances the effectiveness of the penetration test. Nonetheless, the level of preparedness of the averaged victims is usually low, and the risk exposed by social engineering is so high that even at a relatively poor contextualization level is enough for an attacker to be successful.

The average results of SDVAs provide relevant insights such as the following:

  • 3 email average to obtain one click (average click-rate is 34%);
  • 4 email average to obtain a valid credential;
  • After 2 hours, the attack is exhausted, and the attack captured almost 100% of the potentials victims;
  • High promptness of the attack: 4 minutes to capture more than 20% of the victims, 40% after 10 minutes, 50% in 20 minutes;
  • Slow reactions: 6 minutes to report the phishing attempt and 20 minutes to block the site (this is the fastest reactions we ever observed).

Attacks have become narrower, involving less generic victims at the same time. This fact is, on the one hand, a consequence of improved hiding tactics, whose aim is to keep the attack “under the threshold” reducing the risk of being detected, but it is also a sign of a better a-priori selection of the potential targets and thus a more aggressive use of SE techniques.

Attacks phases are usually two:

  • Preparation which is often passive (i.e., not detected).
  • Execution, actually it is the “real” attack. Only this part, being “active”, can be detected.

As reported by RSA[8], the passive part of an attack lasts an average of 5 months vs 1 hours or less of execution.

Therefore, if the Human IS the “system” under attack the natural question that follows is, which sciences contribute to model the attacked target?

In general, a model of the attacked target defines the vulnerabilities, which a threat can exploit. As reported in Figure 4, this is a multidisciplinary problem, which involves several if not all the human sciences.

Therefore, since the human at the centre of Figure 4 is the attacked entity, a similar multidisciplinary approach is mandatory also to defend the IT systems. This assumption implies the involvement of the human sciences in the defence strategies. Because of this assumption, many competences never involved in until now are increasingly involved in cybersecurity.

This collaboration among IT security and human-sciences specialists is fundamental to understand and possibly anticipate the tactics used by the attackers to bypass the “human firewall”.

Figure 4 — a non-exhaustive list of sciences involved in the definition of the human target in modern SE (source: Cefriel)

Mitigations

As reported, the majority of cyber-attacks use several SE strategies, for example:

  • attacks for which the final goal, e.g., a data breach, is attained by SE only;
  • attacks that are exploiting poor knowledge and awareness;
  • attacks for which SE is the first step to gain information.

Therefore, whatever the role of SE in the “kill-chain”, it is easy to see that it is a necessary step for a cyber-attack to be effective.

This fact raises the question of whether or not to train employees well enough to withstand SE attacks. Has the human element of cybersecurity been neglected, or are the classical awareness training methods becoming obsolete, and is there a need for new and improved methods for discovering the social vulnerability of companies and for training employees more effectively? A recent study from Webroot[9] shows that companies are taking cybersecurity seriously “almost 100 per cent of respondents conducting some form of employee cybersecurity training”. However, the long-term beneficial effects of training are still not easy to measure.

It is evident, from the above dissertation, that SE is probably the most efficient cyber-weapon in the arsenal of cybercriminals. The art and science of SE evolved to a level of unforeseen sophistication, which builds upon the modern lifestyles (pervasiveness of the social networks, liquid society[10] and blended lifestyles[11]). This sophistication not only comes from the complexity of our cyber-lives but also from the abundant use of all the modern techniques for data collection and analysis, glocalisation[12] of the attacks and interaction with other human sciences (mainly cognitive sciences). Enterprises are largely unprepared to face this challenge. The defence solutions have largely evolved along the technical strand (antivirus, firewall, intrusion prevention system, etc.) and largely ignored what was happening on the human side of security[13]. This fact is perfectly understandable: by the ICT security point of view, modelling the human behaviour is extremely difficult, and it is difficult to modify it, to prevent dangerous actions. By the information theory and by the Enterprise ICT security points of view, we could liken the humans to legacy systems, which cannot easily be patched and are, by different angles, vulnerable to more or less advanced deception attempts.

The big challenge in ICT security today is how to assess, mitigate and accept the risk of breaches in the Enterprise’s information space, due to the human element weaknesses. As it happens for the technological penetration tests, the most efficient way to assess the SE-risk is to emulate the tactics used by cybercriminals

What DOGANA delivers

ISO and NIST security standards, which many companies are contractually obligated to follow, include security training as an important component of security compliance[14]. These standards describe a three-level framework that includes awareness, training, and education. Security awareness activities are usually for all the employees and often include videos, newsletters, and posters. Generally, the delivering of Training is to employees who are involved with IT systems, mainly to provide basic computer security knowledge. Delivery of training happens primarily through classroom lectures, e-learning materials, and workshops. Education, intended for IT security specialists, is usually delivered via seminars or reading groups.

By supporting the intent of these standards, we experimented within DOGANA a training awareness and cybersecurity training system that is adaptable to the main characteristics of the trainees and risk driven.

Given these general objectives at a high level of abstraction, the DOGANA project developed two main outputs:

  • A complete framework to perform SDVA tests to identify the social engineering vulnerability and calculate the associated cyber risk that is GDPR compliant. What composes the framework is a software solution and a set of policies, best practices and a cost-and-benefit analysis. The TRL of this result is 7
  • An experimental training solution, tested in the field-tests, that, as described in the deliverable D6.3 is adaptive and built around the personality profiles of each trainee. The scope of DOGANA is to prove the efficiency of the proposed training methodology at TRL3

DOGANA is still the only H2020 financed project that is directly targeting the problem of social engineering from the ICT security point of view. Another related project is called HERMENEUT (Enterprises intangible Risk Management via Economic models based on simulation of modern cyber-attacks www.hermeneut.eu) adds, besides DOGANA, the perspective of the econometric models, to evaluate the economic impact of a cyber-attack in general terms.

References

[1] R. Puricelli, “The Underestimated Social Engineering Threat in IT Security Governance and Management”, https://www.isaca.org/Journal/archives/2015/Volume-3/Documents/The-Underestimated-Social-Engineering-Threat-in-IT_joa_Eng_0515.pdf

[2] www.sicherheitsforschung-magdeburg.de/uploads/journal/MJS_033_Frumento_Assessment.pdf

[3] See online the reports http://docs.apwg.org/reports/apwg_trends_report_q2_2016.pdf and http://docs.apwg.org/reports/apwg_trends_report_q4_2016.pdf

[4] Potentially Unwanted Programs

[5] ProofPoint, “The Human Factor Report 2018, people-centered threats define the landscape”, April 2018

[6] AA.VV. “D2.1 — The role of Social Engineering in evolution of attacks”, DOGANA Advanced Social Engineering and Vulnerability Assessment Framework (2016)

[7] E. Frumento, “What the Enterprises can do to measure and mitigate the latest evolutions of Social Engineering,” https://medium.com/our-insights/what-the-enterprises-can-do-to-measure-and-mitigate-the-latest-evolutions-of-social-engineering-938c62143918

[8] Source of the attack schema is “Intelligence Driven Threat Detection & Response”, RSA Blog, 2017. [Online]. Available: https://blogs.rsa.com/wp-content/uploads/2014/09/H13402-wp-Intelligence-Driven-Threat-Detection-and-Response.pdf

[9] https://www.helpnetsecurity.com/2018/06/27/confidence-cybersecurity-threats/

[10] Z. Bauman, “Liquid modernity”, Social Theory Rewired, 2018. [Online]. Available: http://routledgesoc.com/category/profile-tags/liquid-modernity.

[11] “Blended lifestyles shape tomorrows office”, Ravie, 2015. [Online]. Available: http://www.ravie.eu/blended-lifestyles-shape-tomorrows-office/

[12] Glocalization is the practice of conducting business according to both local and global considerations.

[13] S. L. Pfleeger and D. D. Caputo, “Leveraging behavioral science to mitigate Cyber security risk,” 2012. [Online]. Available: https://www.mitre.org/sites/default/files/pdf/12_0499.pdf

[14] ISO/IEC 27001:2005 — Information technology — Security techniques — Information security management Systems — Requirements. Tech. rep., International Organisation for Standardization (ISO) and the International Electrotechnical Commission (IEC), October 2005.