Not too long ago, one of my fellow penetration testing consultants at Trustwave sent phishing emails to a large number of "targets" - employees who work for an organization that asked us to simulate attacks against its user base to help quantify its insider risk.
After the emails were delivered, the consultant randomly picked targets to call. For this, he spoofed the phone number of the company's IT help desk to add legitimacy to the ruse. Known as a pretext call, the exercise involved the consultant stating: "Hey, we heard people were getting phishing emails and wanted to test if our password policy is in place." The goal of the call was to confuse, rush and pressure the target into doing things they normally wouldn't, namely changing their network password over the phone.
Many did, and few realized they were handing it over to a complete stranger.
As hardware and software security systems have become more effective and agile in responding to intrusion attempts, hackers are increasingly turning toward the human component of the equation, as was perfectly evidenced by a story in the news this week.
I myself have successfully performed penetration-testing engagements against organizations by being nothing more than a smooth talker or by exploiting a user's everyday activities, such as checking email. Don't be static. That is to say, don't assume your information security program covers everything. Last week, a Trustwave Blog post offered nine tips for pumping up your security awareness program. In this post, we are going to drill down specifically into social engineering defenses.
Threat actors are constantly honing their skills against every kind of organization. These skills include how to break down mental defenses of their target to exploit human nature. Pushing back all begins with education.
You should first teach users that they are a prime target because they are far easier to attack than a hardened system. Explain why someone would use social engineering to attack them - and make the message personal.
Next, you must teach them how to identify a social engineering attack. Once the organization has established, and adheres to, strict policies regarding what should be transmitted via email, end users have a baseline against which to identify suspicious solicitations. Requests for credentials, or to "just confirm/test if something is working," are indicators of someone trying to sound legitimate. Training and simulated attacks come in quite handy here. For example, users should be conditioned to check for oddities in links they receive.
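To make the "oddities in links" check concrete, here is a small heuristic link checker. It is an added example, not code from the original post or from Trustwave, and the anchor tags and hostnames it scans are constructed placeholders (`.invalid` and documentation-range addresses), not real sites. It flags the same things a trained user is taught to look for: a visible link text that names one site while the real destination is another, a raw IP address in place of a name, a punycode (look-alike) hostname, credentials placed before an `@` in the URL, and plain HTTP on a link that asks for a login.

```python
"""Heuristic checker for "odd" links in an HTML email body.

Added example, not part of the original post. Sample anchors are constructed;
all hostnames are placeholders (.invalid, 203.0.113.0/24), not real targets.
"""
import ipaddress
import re
from typing import Optional
from urllib.parse import urlsplit

# Constructed anchor tags as they might appear in an HTML email body.
SAMPLE_ANCHORS = [
    '<a href="https://portal.example.com/login">https://portal.example.com/login</a>',
    '<a href="http://203.0.113.7/reset">https://portal.example.com/reset</a>',
    '<a href="https://portal.example.com@evil.invalid/login">portal.example.com</a>',
    '<a href="https://xn--pple-43d.invalid/verify">apple.invalid</a>',
    '<a href="https://portal.example.com.login-check.invalid/">portal.example.com</a>',
]

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
DOMAINISH_RE = re.compile(r"[a-z0-9-]+\.[a-z]{2,}", re.I)


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname (a rough stand-in for the public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_of(text: str) -> Optional[str]:
    """Hostname named by link text, or None if the text is not a URL/domain."""
    candidate = text.strip()
    if not DOMAINISH_RE.search(candidate):
        return None  # e.g. "Click here" names no site, so nothing to compare
    if "://" not in candidate:
        candidate = "https://" + candidate
    try:
        return urlsplit(candidate).hostname
    except ValueError:
        return None


def link_oddities(href: str, display: str) -> list:
    """Return heuristic findings for one link; an empty list means nothing odd."""
    findings = []
    parts = urlsplit(href)
    host = parts.hostname or ""
    # 1. Credentials-in-URL trick: the browser ignores everything before '@'.
    if parts.username is not None:
        findings.append("userinfo-before-@")
    # 2. Raw IP address instead of a hostname.
    try:
        ipaddress.ip_address(host)
        findings.append("ip-literal-host")
    except ValueError:
        pass
    # 3. IDNA/punycode label: possible homograph of a familiar name.
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode-host")
    # 4. Visible text names a different site than the real destination.
    shown = host_of(display)
    if shown and registrable_domain(shown) != registrable_domain(host):
        findings.append("display-domain-mismatch")
    # 5. Cleartext HTTP on something presented as a login/reset link.
    if parts.scheme == "http":
        findings.append("cleartext-http")
    return findings


def scan_html(html: str) -> list:
    """Run the heuristics over every anchor in an HTML fragment."""
    return [(href, link_oddities(href, re.sub(r"<[^>]+>", "", text)))
            for href, text in ANCHOR_RE.findall(html)]


if __name__ == "__main__":
    for href, findings in scan_html("\n".join(SAMPLE_ANCHORS)):
        print(f"{href}: {', '.join(findings) or 'ok'}")
```

The `registrable_domain` helper only keeps the last two labels, which is deliberately crude; a production filter would use the public-suffix list so that names such as `example.co.uk` are compared correctly. The point of the example is the comparison itself: the domain a user sees is often not the domain they will visit, and that gap is what the training should teach them to notice.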
In the case of emails, simply reporting a suspected phishing message to the IT security group is generally sufficient. Phone calls, on the other hand, present an additional immediate high-stress scenario where the caller is generally trying to put the target on the spot. When an untrained user is under such pressure, they often forget what they learned from that one training module on social engineering that they had to complete once upon a time.
If they feel pressured or nervous, they should fall back on a "last-resort checklist" to verify the individual calling on the phone. The checklist would contain a list of best practices. For example, it may remind employees to ask for a special code of the day to confirm the caller's legitimacy - or, for the example above, to hang up and call back the actual help-desk number to verify the caller's identity. Being able to focus on a checklist that has the authority to overrule anyone on the phone gives a user confidence and forces the attacker to scramble, potentially revealing their true motives.
While this checklist is primarily for the high-pressure phone call situation, it can easily be adapted for use when an individual receives email communication. It would contain basic things already in an infosec awareness program, such as never giving out usernames and/or passwords, or not opening emails or attachments from sources you do not explicitly know.
Through a combination of receiving education and understanding psychology, your users stand a better chance of resisting social engineering attacks in their purest form - an attack on a person's thoughts and emotions.
Ismail Saifudin is a Trustwave security consultant on the SpiderLabs Network Penetration Testing Team.