Pattern Recognition and Applications Lab
University of Cagliari, Italy
Department of Electrical and Electronic Engineering
Social Engineering
Giorgio Fumera
http://pralab.diee.unica.it
Social Engineering
“The art of intentionally manipulating behaviour using specially crafted communication techniques.”
“Social engineering is the ‘art’ of utilizing human behavior to breach security without the participant (or victim) even realizing that they have been manipulated.”
"Only amateurs attack machines, professionals target people." (Bruce Schneier)
In the context of information security, Social Engineering (SE) refers to psychological manipulation of people into performing actions or divulging confidential information.
SE focuses on the human factor alongside technological factors, leveraging the natural human tendency to trust systems, other people, ICT devices, etc.
https://www.dogana-project.eu
Evolution of Social Engineering
Ageless art of deception
Old-school SE: adaptation to modern communication media (phone, early email usage)
High-level skills and direct involvement were required: IT experts, talented hackers
The "triangle of security"
The space where the assets exist and where all possible attacks fall
Evolution of Social Engineering
Ageless art of deception...
Old-school SE: adaptation to modern communication media (phone, early email usage). Required high-level skills and direct involvement
Current SE (SE 2.0): increasingly simpler for attackers
– large amount of data freely available and easily machine-readable
– attack automation tools
– involvement of professionals: psychologists, marketing experts, cognitive scientists
Modern Social Engineering features
Main factors:
• evolution of social networks, scalability (mobile platforms), naivety of users
• evolution of technologies enabling SE attack automation
Abuse of technologies originally developed in different contexts
The role of Social Networks
SNs provide machine-readable and classified information, which can enable more contextualized attacks
The role of Open Source Intelligence
Linked open data
The "triangle of security" revisited
(Social Network Analysis)
Verizon Data Breach Investigation Report 2019
Threat actions in data breaches from 2013 to 2018
Top threat actions varieties in breaches
Verizon Data Breach Investigation Report 2019
Social
“While hacking and malicious code may be the words that resonate most with people when the term "data breach" is used, there are other threat action categories that have been around much longer and are still ubiquitous. Social engineering, along with Misuse, Error, and Physical, do not rely on the existence of "cyberstuff" and are definitely worth discussing. [...] Research points to users being significantly more susceptible to social attacks they receive on mobile devices. This is the case for email-based spear phishing, spoofing attacks that attempt to mimic legitimate webpages, as well as attacks via social media. The reasons for this stem from the design of mobile and how users interact with these devices. [...] relatively limited screen sizes that restrict what can be accessed and viewed clearly. Most smartphones also limit the ability to view multiple pages side-by-side [...] which make it tedious for users to check the veracity of emails and requests while on mobile.”
Top social actions varieties in breaches
Some facts about SE: phishing
12% of targeted users click on infecting links
23% of phishing emails are still opened
269 billion emails sent each day
3.7 billion people send email each day
A. Binks, The art of phishing: past, present and future, Computer Fraud & Security, April 2019, 9–11
Phishing is the most common form of attack
Some facts about SE: fake accounts
Some facts about SE: targeted attacks
Social Engineering is becoming an efficient instrument to carry out serious targeted attacks
– identity theft
– industrial spying
– on-demand attacks (e.g., Denial-of-Service on demand)
– commoditization of SE services in cybercrime and cyberterrorism
[Figures from the Symantec ISTR 24: "Targeted attack group infection vectors (all time)" (spear phishing emails, watering hole websites, trojanized software updates, web server exploits, data storage devices; percentage of groups), "Infection vectors per targeted attack group (all time)" (no known vector, one vector, two vectors, three vectors; percentage of groups), and "Number of organizations affected by targeted attacks" per year (2016–2018)]
Top countries affected by targeted attack groups (2016–2018), number of attacks:
USA 255
India 128
Japan 69
China 44
Turkey 43
Saudi Arabia 42
South Korea 40
Taiwan 37
UAE 30
Pakistan 28
Spear-phishing emails remained the most popular avenue for attack and were used by 65 percent of all known groups.
Symantec Internet Security Threat Report (ISTR) 24, February 2019, Facts and Figures
Psychological Foundations
Psychological foundations
The Theory of Gullibility: susceptibility to persuasion as an extension of credulity, i.e. the willingness to believe someone or something even in the total absence of reasonable proof
The Theory of Optimistic Bias: believing that positive events are more likely to occur to ourselves than to other people, and vice versa
As a consequence, people think that
a. they will not be selected as a social engineering target
b. they are more likely to resist than others
Social influence
Social influence: change in one’s attitudes, behavior, or beliefs due to real or imagined external pressure.
Types of social influence:
– compliance: change in behaviour resulting from a direct request (e.g., signing online petitions)
– persuasion: change in private attitude or belief resulting from receiving a message (e.g., movie A is better than B)
R.E. Guadagno, R.B. Cialdini, Online Persuasion and Compliance: Social Influence on the Internet and beyond. In Y. Amichai-Hamburger (Ed.), The social net: The social psychology of the Internet, pp. 91-113, Oxford University Press, 2005. Available online: http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.2.6571
Social influence
Compliance: the six fundamental principles of influence
– reciprocity: returning assistance received from others
– scarcity: items and opportunities appearing more attractive as they become less available
– social validation (conformity): consensus heuristic
– liking (friendship): better to say "yes" to those one knows and likes
– consistency/commitment: whether one has committed oneself to a similar position in the past; the “foot-in-the-door” influence tactic is successful because it affects one’s self-perception, leveraging the desire for internal consistency
– authority: “believe an expert” decision heuristic
empirically examined also in online contexts: R.E. Guadagno, R.B. Cialdini, Online Persuasion and Compliance: Social Influence on the Internet and beyond.
K.v.L. Rhoads, R.B. Cialdini, The Business of Influence: Principles That Lead to Success in Commercial Settings. In J.P. Dillard and M. Pfau (Eds.), The Persuasion Handbook: Developments in Theory and Practice, Sage Press, 2002. Available online: https://www.d.umn.edu/~rvaidyan/mktg4731/Cialdini_InPress.doc
On-line interactions
Computer-mediated communication, compared with face-to-face communication, is characterized by
– greater anonymity (but: user names, email addresses etc. can provide cues)
– lower relevance of physical appearance
– physical distance is no longer a barrier
– greater control over communication time and place (but: blending of professional and personal life)
– lack of social cues (e.g., eye contact, voice tone)
These features provide solid ground for effective social influence techniques.
R.E. Guadagno, R.B. Cialdini, Online Persuasion and Compliance: Social Influence on the Internet and beyond.
Manipulation techniques
• Pretexting and impersonation
• Reverse Social Engineering
• Baiting
• Pressure and solution
• Chain of authentication
• Gaining credibility
• From innocuous to sensitive
• Priming
• Social proof
• Emotional states
• Selective attention
• Framing information
• Leveraging authority
• Personality types and models
• Body language
Pretexting and impersonation
Pretexting: exploiting early intelligence gathered about a target individual to set up a scenario in which the attacker appears to know enough information to be deemed trustworthy, in order to convince the victim to give up valuable information
– plausible situation
– character
Impersonation: the impersonated person need not be a real individual; it is likely a character specifically designed for the pretext
ISTR 21 (2016), Symantec
Reverse Social Engineering
A classic, special case of pretexting, used to ensure that the attacker has solid credibility.
Basic idea:
– get the victim to seek assistance from the social engineer to solve a problem
– the social engineer then provides the assistance, which also aids the attack
The victim is requesting something from the social engineer, rather than the other way round.
Baiting
• E-mails, e.g.:
“Hi James, I don’t have time to follow up this lead so do you want it? The client wants to know more about our new services, sounded like a great opportunity: http://vulnerableinc.com/contact”
• Dropped USB drives or CDs / DVDs with enticing labels
Pressure and solution
• Pressure…
applying pressure to the victim in the form of a negative emotional state such as fear, anger, indignation, or shame
e.g., a fake message from the police claiming that you have breached some law, leveraging authority
• …and solution
presenting the victim with a solution that would mitigate or remove the emotion
e.g., by asking to pay a (fake) fine
Similar to baiting: victims are blinded by the emotion much like they are blinded by the bait.
Chain of authentication
Manufacturing or orchestrating a situation where the victim “assumes” the social engineer has already been validated
Example: to gain access to a hospital’s server room, a social engineer (SE) approaches the receptionist (R) posing as an air-conditioning repair engineer.
SE: I’m here to perform a maintenance check of the air conditioning units in the server room, the IT department sent me here as apparently you have keys
R: Sorry we don’t have them, the only person with keys is the porter, his office is just down the hall
SE leaves and then returns a few minutes later saying:
SE: Sorry but no one is answering at the door, I’ll try again a little later
SE could continue pretending to try the door and telling R that they are not answering, until R agrees to investigate herself. When R tries the door, the porter answers and R explains:
R: Ah you are in after all, this gentleman is here to do some stuff with the air conditioning in the server room, can you take him up there
The porter will then very likely assume that R has already validated the engineer, creating the chain of authentication.
Gaining credibility
• An employee might be suspicious on receiving a call asking:
“Hello, could you tell me what version of Web browser you’re using?”
• A more credible call would be:
“Hello, I’m calling from the IT department, we’re performing some remote patching, can you tell if your Web browser has been updated to version 7.0?”
• An even better call:
“Hi James, it’s Simon from the Service Desk, have you got 2 seconds or are you guys still busy with the xyz project? …Ah well listen, we’re performing some remote patching, can you tell me if your Web browser has been updated to version 7.0? If not I’ll need to send Dave down to sort it out there.”
From innocuous to sensitive
To a social engineer any piece of “innocuous” information is a piece of a jigsaw puzzle, one that could be used to identify another, possibly more significant piece of information.
Example
– you throw in the garbage a letter from your insurance company with an additional offer, since no sensitive data is present, but...
– ...if a social engineer finds this letter, he/she gains the knowledge that you have an insurance policy with a particular company, paving the way for impersonation, pretexting, etc.
Priming
A fascinating psychological phenomenon
– an individual can be exposed to certain words, ideas or actions that will make them more likely to “choose” associated words, ideas or actions, even without knowing they have
– a victim could be primed into a specific state, such as being more “agreeable”
Priming can support phishing attacks.
Social proof
People follow the crowd: it is human nature to seek the comfort that comes with fitting in with everyone else.
Compare the following messages: which one will be most successful?
Message 1:
Dear all,
We’re trying to push our social media presence. Unfortunately, the vast majority of staff haven’t liked our corporate page. Please could you follow the link to remedy this.
http://www.somesocialmediawebsite.com/
IT Support
Message 2:
Dear all,
Thank you for the great positive response to our social media push. The vast majority of your department have responded with a ‘like’ and we’re really pleased. Join the rest of us if you haven’t already using the following link.
http://www.somesocialmediawebsite.com/
IT Support
Emotional states
• The social engineer tries to invoke a certain emotional state in the victim
– pity
– kindness
– fear
– trust
• This is not an easy task, as emotions are unpredictable
Selective attention
• Sometimes referred to as the “cocktail party effect”: we are able to filter out unwanted sounds, and single out and understand a single voice among many others
• All that the social engineer needs to do is ensure the victim’s attention is focused on something complicated enough to prevent any other information from being processed
• That “other information”, slipped past the victim while attention is elsewhere, would be the element that achieves the objective
Framing information
• Framing is about presenting information in such a way as to steer the viewer’s subjective perception in a certain direction
– sales advertisement: “Up to 50% off”
• Compare the following messages: which one will be most effective in getting the help?
– Hey Susan, I have already spoken to David and Simon in your department. They were really helpful and answered most of my questions, send my thanks. However, they couldn’t answer a couple of questions, can you help?
– Hey Susan, [...]. However, there were a couple of questions they said you’d be the best person to answer, have you got a couple of minutes to help me out?
Social Engineering and Computer Security
Social Engineering attack model
F. Mouton, L. Leenen, H.S. Venter, Social engineering attack examples, templates and scenarios, Computers & Security 59 (2016) 186–209
Social Engineering attack taxonomies
Greitzer et al., Analysis of unintentional insider threats deriving from social engineering exploits, IEEE S&P, 2014
Social Engineering attack taxonomies
Semantic Attack: manipulation of user-computer interfacing with the purpose of breaching a computer system’s information security through user deception (a specific definition of Social Engineering)
R. Heartfield and G. Loukas, A Taxonomy of Attacks and a Survey of Defence Mechanisms for Semantic Social Engineering Attacks, ACM Computing Surveys 48, Art. 37, 2015
Example: drive-by download attack
R. Heartfield and G. Loukas, A Taxonomy of Attacks and a Survey of Defence Mechanisms for Semantic Social Engineering Attacks, ACM Computing Surveys 48, Art. 37, 2015
Example: WiFi evil twin phishing attack
R. Heartfield and G. Loukas, A Taxonomy of Attacks and a Survey of Defence Mechanisms for Semantic Social Engineering Attacks, ACM Computing Surveys 48, Art. 37, 2015
Example: SNS malvertisement attack
R. Heartfield and G. Loukas, A Taxonomy of Attacks and a Survey of Defence Mechanisms for Semantic Social Engineering Attacks, ACM Computing Surveys 48, Art. 37, 2015
Example: fake mobile app attack
R. Heartfield and G. Loukas, A Taxonomy of Attacks and a Survey of Defence Mechanisms for Semantic Social Engineering Attacks, ACM Computing Surveys 48, Art. 37, 2015
SE for Advanced Persistent Threats
– targeted attacks
– allowing the attacker to gain privileged access inside the company network
– assets are accessible by the victims and by other vulnerable systems
Example: document attached to email
Microsoft Security Intelligence Report – Volume 21, 2016
Social Engineering attack cycle
K.D. Mitnick, W.L. Simon, The art of deception: Controlling the human element of security. John Wiley & Sons, 2002
[Figure: the attack cycle, centred on TRUST]
Limits of this model:
• SE attacks are often iterative, not sequential
• no suggestions on how to protect
Social Engineering attack cycle
M. Nohlberg, S. Kowalski. The cycle of deception – a model of social engineering attacks, defenses and victims. Proc. of HAISA 2008, pp. 1–11
the attack circle
Social Engineering attack cycle
Greitzer et al., Analysis of unintentional insider threats deriving from social engineering exploits, IEEE S&P, 2014
Specific model of single-stage phishing attacks
Social Engineering attack cycle
Greitzer et al., Analysis of unintentional insider threats deriving from social engineering exploits, IEEE S&P, 2014
Specific model of multiple-stage phishing attacks
Social Engineering attack cycle
F. Mouton, L. Leenen, H.S. Venter, Social engineering attack examples, templates and scenarios, Computers & Security 59 (2016) 186–209
Attack vectors
Technical
• Spam e-mails
• Phishing (fake web sites and e-mails)
• Vishing (voice phishing)
• Context-aware phishing
– spear phishing
– whaling
• Popup window
• Interesting software (trojans)
Non-technical
• Dumpster diving
• Pretexting/impersonation
• Spying and eavesdropping
• Acting as a technical expert
• Support staff
E-mail fraud statistics
proofpoint – The Human Factor 2018
Phishing statistics
proofpoint – The Human Factor 2018
Context-aware phishing
Phishing targets generic victims.
Context-aware phishing is more sophisticated:
– spear phishing: targets employees or customers of a specific organization
– whaling: targets a highly valuable member of a specific organization, e.g., a senior executive (aka CEO fraud)
Fake web sites: typosquatting statistics
proofpoint – The Human Factor 2018
Examples: www.gooogle.com, twiter.com, facebok.com
Defense Strategies
Defence strategies
M. Nohlberg, S. Kowalski. The cycle of deception – a model of social engineering attacks, defenses and victims. Proc. of HAISA 2008, pp. 1–11
The attack cycle (circle)...
...the defense cycle...
Defence strategies
The attack cycle (circle)...
...and the victim cycle
"Many crimes can be more readily prevented by focusing on the victim rather than the attacker"
M. Nohlberg, S. Kowalski. The cycle of deception – a model of social engineering attacks, defenses and victims. Proc. of HAISA 2008, pp. 1–11
Defence strategies
Greitzer et al., Analysis of unintentional insider threats deriving from social engineering exploits, IEEE S&P, 2014
"Improved training and awareness are an organization’s most potent mitigation tools for thwarting social engineering exploits that target human psychological characteristics and limitations"
Protection mechanisms
Organisational
• Policy and Process Control
• Awareness Training (user deception is the primary attack vector)
Technical
• Sandboxing Mechanisms
• Authorisation, Authentication, and Accounting (AAA)
• Monitoring
• Integrity Checking
• Machine Learning
R. Heartfield and G. Loukas, A Taxonomy of Attacks and a Survey of Defence Mechanisms for Semantic Social Engineering Attacks, ACM Computing Surveys 48, Art. 37, 2015
Defense strategies: summing up
Technology measures: anti-virus software, robust firewalls, etc. Useful, but not sufficient
Training: the most effective way to prepare for a phishing attack. Not limited to IT staff: company-wide education
Some (obvious?) suggestions
If something looks ‘phishy’, it probably is
– if an offer in an email looks too good to be true, it’s almost certainly a spam email
– poor spelling or grammar is a good sign that something is not right
– keep an eye on the sender’s email address: spoofing works by using a similar name or email combination with a few small, often unnoticeable, differences
– do not trust shortened links: search for a shortened link checker online; if you are still not sure, do not click on it
A. Binks, The art of phishing: past, present and future, Computer Fraud & Security, April 2019, 9–11
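The advice above about sender addresses that differ from the real one by a few characters, and the typosquatting examples on the earlier slide (www.gooogle.com, twiter.com, facebok.com), can be turned into a simple edit-distance check. This is an added example, not code from the slides or from the DOGANA project; the trusted-domain list and the sample addresses are constructed, and the registrable-domain extraction is a simplifying assumption (it uses no public-suffix list).

```python
# Added example (not from the slides): flag lookalike domains such as the
# typosquats gooogle.com / twiter.com / facebok.com and the "similar but
# slightly different" sender addresses used in spoofing. The trusted-domain
# list and all sample addresses below are constructed for illustration.

# Assumption: the organisation keeps a short allow-list of domains it
# legitimately exchanges mail with (constructed values).
TRUSTED_DOMAINS = {"google.com", "twitter.com", "facebook.com", "example-corp.com"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute) between strings a and b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Keep the last two labels (mail.google.com -> google.com).
    Simplifying assumption: no public-suffix list, so co.uk-style
    domains would need a real library in production."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_domain(host: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2) -> str:
    """Return 'trusted', 'lookalike' (within max_distance edits of a trusted
    name) or 'unknown' for a host name taken from a URL or a sender address."""
    dom = registrable_domain(host)
    if dom in trusted:
        return "trusted"
    name = dom.split(".")[0]
    for t in trusted:
        # Compare only the label before the TLD: twiter vs twitter scores 1,
        # go0gle (digit zero) vs google scores 1, and a distance of 0 here
        # means the same name under another TLD (e.g. google.net).
        if levenshtein(name, t.split(".")[0]) <= max_distance:
            return "lookalike"
    return "unknown"


def sender_domain(address: str) -> str:
    """Extract the domain from 'Display Name <user@host>' or 'user@host'."""
    addr = address.strip()
    if addr.endswith(">") and "<" in addr:
        addr = addr[addr.rindex("<") + 1:-1]
    return addr.rsplit("@", 1)[-1]


if __name__ == "__main__":
    # Constructed sample inputs: two typosquats, one legitimate host,
    # one spoofed sender with a digit 1 in place of the letter l.
    for sample in ("gooogle.com", "www.twiter.com", "mail.google.com",
                   sender_domain("IT Support <helpdesk@examp1e-corp.com>")):
        print(f"{sample:30} -> {classify_domain(sample)}")
```

A check like this is a triage aid for a mail gateway or an awareness exercise; it does not replace SPF/DKIM/DMARC validation of the sender.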
Training
• EU H2020 Project DOGANA, https://www.dogana-project.eu: “Social Vulnerability Assessment”
• Survey on simulation and training platforms: see document 3.1 in the Dogana repository
– open source toolkits (e.g., trustedsec SET, gophish)
– companies: e.g., knowbe4
• Take your free test of phishing vulnerability
– https://www.opendns.com/phishing-quiz
– https://www.phishingbox.com/phishing-iq-test