Preparing for Social Engineering Attacks
Social engineering is a perfect example of a security vulnerability that requires the human touch to understand and combat. For this reason, even the most extensive GRC software needs to be paired with the expertise that only experienced governance and cybersecurity teams can offer, to form a robust compliance and risk management plan.
Identifying vulnerabilities within the human side of your workforce and resources, and developing a series of solutions and fail-safes, requires a combination of penetration testing and adversary simulation – to see how easily attackers could gain access to systems via your staff, and then how easily that access could become detrimental.
While much of the focus of penetration testing within any risk management plan is often centred on the tools used in cyber-attacks, social engineering plays an important role in the attackers’ in-person reconnaissance of a business when preparing to attack it. This includes trying to gain access to offices to gather intelligence, obtain credentials, and gain access to the IT infrastructure from within the building. Attackers will assume a plausible guise, with a plausible explanation, for needing this information.
SureCloud consultant Sarka Pekarova shared her expertise at BSides Manchester, one of the UK’s leading hacker and cybersecurity conferences, and spoke about the role of psychology in social engineering exercises.
This aspect of penetration testing is all about manipulation and deception, rather than trying to outsmart a machine. It is just as crucial in improving an organisation’s security risk management as probing networks for vulnerabilities.
But what does this look like in practice?
Here are some of Sarka’s key considerations when launching social engineering penetration testing.
Creating a Persona
One of the most critical considerations of any social engineering attack is creating a persona that you know inside and out. You wouldn’t want to give away your real identity or intentions, but equally, you need to be able to appear genuine, respond promptly and not give away any signs that you may not be who you say you are.
Establishing a convincing and manipulative persona and becoming that person is the crucial first step in getting targets to believe in you and behave as you want them to.
Reading Pacifying Behaviour
Confrontation is commonplace in a social engineering penetration test: people challenge who you are, why you’re there and what your intentions are. From the attacker’s perspective, navigating this successfully is crucial, and it requires accurately reading the body language of the person confronting them.
As the attacker, I find that for those who are challenging me, it is usually a stressful experience. It’s not something they feel comfortable doing, and under stress, they will start to exhibit pacifying behaviours that inform me on how I should approach them.
A common misconception is that it is the face that gives away the most in these situations; however, the face is the easiest part of the body for people to control. It is actually people’s extremities – i.e. hands, feet, arms, and legs – that give away the most.
For instance, a person speaking to me with one leg pointing away forming an L shape signals that they want the encounter to be as brief as possible. This tells me that if I speak in vague terms, they are unlikely to challenge me further, or that if I quickly flash fake credentials, they are likely to accept this without digging deeper.
Equally, if a target begins stroking or rubbing their neck with a hand, this signifies that they are calming themselves to deal with the situation in a considered way to ensure they are acting appropriately. In this instance I might try to fluster them, by talking quickly, for example, to hurry them into a mistake before they can fully gather their thoughts. However, if a target folds their arms, it means their guard is up, and I have to be more considered and offer more detailed responses that make my presence seem more credible.
Reading Facial Expressions
While the face is easier to control, this does not prevent it from giving away small tells about the target’s emotion and how they are thinking.
Facial tells can loosely be split into six categories: fear, content, surprise, happiness, anger, and disgust. As targets can manipulate their faces, they often give away quick glimpses of how they are feeling before they establish control. For instance, a split-second lip raise is a sign that somebody is happy or content with how you are interacting with them.
By looking for these minor tells, it becomes possible to tailor my interaction with them to achieve my goal, manipulating their emotion to allow me to proceed.
When it comes to social engineering, I will often look to exploit the stereotyped behaviours of the different genders.
For instance, when trying to gain entry to an office, if I can see that the gatekeeper is female, I will pretend to be on a phone call to a boyfriend who is upsetting me, as this will often generate a sympathetic response that I can work to my favour.
Equally, if the gatekeeper is male, I will again pretend to be on the phone with a boyfriend, but act angry, ranting into my mobile as men tend to want to steer clear of this behaviour and will give me access just to avoid confrontation with me.
Manipulating the Situation
A final tactic in a social engineering exercise is to create or manipulate a situation that guarantees you will get what you want. For instance, in an open-plan office, you might be able to establish who the manager is. You can then approach them, announcing very loudly that you are from head office and you need their laptop because it has been flagged as running malware as a result of viewing porn.
Out of embarrassment and desperation to clear their name, they will very quickly hand over the laptop – which will usually have all credentials and elevated access rights on it – that can then be taken away and used to gain access to the infrastructure in a cyber-attack or in this case, a penetration test.
Manage the Risks of Social Engineering Hacks
With so much focus on the technical tools required to compromise a network, it is often overlooked that networks and devices are operated by people.
As such, when evaluating vulnerabilities, it is critical that social engineering is an integral part of penetration testing.
Penetration testing and adversary simulation of this kind are an integral part of overall security risk assessment and management within a business. Understanding where opportunities for socially-engineered attacks arise in your day-to-day processes is the first step to overcoming them. As such, they should be built into your business’ compliance and risk management plan.
Watch Sarka’s BSidesMCR Presentation here.