Welcome To My New Topic About Social Engineering, Turk Hack Team Members,
Social engineering is a cyber security threat that takes advantage of the weakest link in our security chain our human workforce to gain access to corporate networks. Attackers use increasingly sophisticated trickery and emotional manipulation to cause employees, even senior staff, to surrender sensitive information. Learn about the stages of a social engineering attack, what are the top social engineering threats according to the InfoSec Institute, and best practices to defend against them.
What is social engineering? Stages of an attack
Social engineering is an attempt by attackers to fool or manipulate humans into giving up access, credentials, banking details, or other sensitive information.
Social engineering occurs in three stages:
Researchthe attacker performs reconnaissance on the target to gather information like organizational structure, roles, behaviors, and things that target individuals may respond to. Attackers can collect data via company websites, social media profiles and even in-person visits.
Planningusing the information they gathered, the attacker selects their mode of attack and designs the strategy and specific messages they will use to exploit the target individuals weaknesses.
Executionthe attacker carries out the attack usually by sending messages by email or another online channel. In some forms of social engineering, attackers actively interact with their victims; in others, the kill chain is automated, typically activated by the user clicking on a link to visit a malicious website or execute malicious code.
Top 5 social engineering techniques
According to the InfoSec Institute, the following five techniques are among the most commonly used social engineering attacks.
Phishing
In a phishing attack, an attacker uses a message sent by email, social media, instant messaging clients or SMS to obtain sensitive information from a victim or trick them into clicking a link to a malicious website.
Phishing messages get a victims attention and call to action by arousing curiosity, asking for help, or pulling other emotional triggers. They often use logos, images or text styles to spoof an organizations identity, making it seem that the message originates from a work colleague, the victims bank, or other official channel. Most phishing messages use a sense of urgency, causing the victim to believe there will be negative consequences if they dont surrender sensitive information quickly.
Watering hole
A watering hole attack involves launching or downloading malicious code from a legitimate website, which is commonly visited by the targets of the attack. For example, attackers might compromise a financial industry news site, knowing that individuals who work in finance and thus represent an attractive target, are likely to visit this site. The compromised site typically installs a backdoor trojan that allows the attacker to compromise and remotely control the victims device.
Watering hole attacks are usually performed by skilled attackers who have discovered a zero-day exploit. They might wait for months before performing the actual attack to preserve the value of the exploit they discovered. In some cases, watering hole attacks are launched directly against vulnerable software used by the target audience, rather than a website they visit.
Whaling attack
Whaling, also known as spear phishing, is a type of phishing attack that targets specific individuals with privileged access to systems or access to highly valuable sensitive information. For example, a whaling attack may be conducted against senior executives, wealthy individuals, or network administrators.
A whaling attack is more sophisticated than a regular phishing attack. Attackers conduct meticulous research to craft a message that will cause specific targets to respond and perform the desired action. Whaling emails often pretend to be a critical business email sent by a colleague, employee or manager of the target, requiring urgent intervention from the victim.
Pretexting
In a pretexting attack, attackers create a fake identity and use it to manipulate their victims into providing private information. For example, attackers may pretend to be an external IT service provider, and request users account details and passwords to assist them with a problem. Or they might pretend to be the victims financial institution, asking them for confirmation of their bank account number or bank website credentials.
Baiting and quid pro quo attacks
In a baiting attack, attackers provide something that victims believe to be useful. This may be a supposed software update which in fact is a malicious file, an infected USB token with a label indicating it contains valuable information and other methods.
A quid pro quo attack is similar to baiting, but instead of promising something that will provide value to the victim, the attackers promise to perform an action that will benefit them, but requires an action from the victim in exchange. For example, an attacker may call random extensions at a company, pretending to be calling back on a technical support inquiry. When they identify an individual who actually has a support issue, they pretend to help them, but instruct them to perform actions that will compromise their machine.
Other social engineering attacks
The following are additional variants of social engineering that can endanger your systems and sensitive data:
Vishingvoice phishing is similar to phishing but is performed by calling victims over the phone.
Scarewaredisplays notices on a users device that trick them into thinking they have a malware infection and need to install software (the attackers malware) to clean their system.
Diversion theftdiverts a messenger or delivery person to the wrong ıocation, and takes their place to pick up a sensitive package.
Honey trapan attacker pretends to be an attractive person and fakes an online relationship, in order to get sensitive information from their victim.
Tailgatingan attacker walks into a secure facility by following someone with authorized access, asking them to just hold the door for them so they can also enter.
Social engineering prevention
The following measures can help preempt and prevent social engineering attacks against your organization.
Security awareness training
Security awareness education should be an ongoing activity at any company. Staff members may simply not be aware of the dangers of social engineering, or if they are, they may forget the details over time. Conducting, and continuously re-freshing, security awareness among employees is the first line of defense against social engineering.
Antivirus and endpoint security tools
The basic measure is installing antivirus and other endpoint security measures on user devices. Modern endpoint protection tools can identify and block obvious phishing messages, or any message that links to malicious websites or IPs listed in threat intelligence databases. They can also intercept and block malicious processes as they are executed on a users device.
Penetration testing
There are countless creative ways of penetrating an organizations defenses with social engineering. By using an ethical hacker to conduct penetration testing, you allow an individual with a hackers skillset to identify and try to exploit weaknesses in your organization. When a penetration test succeeds in compromising sensitive systems, it can help you discover employees or systems you need to focus on protecting, or methods of social engineering you may be especially susceptible to.
SIEM and UEBA
Social engineering attacks will inevitably happen, so you should ensure your organization has the means to rapidly collect data about security incidents, identify what is going on, and notify security staff so they can take action.
For example, the Exabeam Security Management Platform is a next-generation security event and information management (SIEM) system powered by user event and behavior analytics (UEBA). Exabeam collects security events and logs from across your organization, and uses UEBA to identify normal behavior, and alert you when suspicious activity occurs. Whether it is a user clicking through to an unusual web destination, or a malicious process executing on a users device, UEBA can help you identify social engineering attacks as they happen, and rapidly react with automated incident response playbooks to prevent damage.
//Quoted
Social engineering is a cyber security threat that takes advantage of the weakest link in our security chain our human workforce to gain access to corporate networks. Attackers use increasingly sophisticated trickery and emotional manipulation to cause employees, even senior staff, to surrender sensitive information. Learn about the stages of a social engineering attack, what are the top social engineering threats according to the InfoSec Institute, and best practices to defend against them.
What is social engineering? Stages of an attack
Social engineering is an attempt by attackers to fool or manipulate humans into giving up access, credentials, banking details, or other sensitive information.
Social engineering occurs in three stages:
Researchthe attacker performs reconnaissance on the target to gather information like organizational structure, roles, behaviors, and things that target individuals may respond to. Attackers can collect data via company websites, social media profiles and even in-person visits.
Planningusing the information they gathered, the attacker selects their mode of attack and designs the strategy and specific messages they will use to exploit the target individuals weaknesses.
Executionthe attacker carries out the attack usually by sending messages by email or another online channel. In some forms of social engineering, attackers actively interact with their victims; in others, the kill chain is automated, typically activated by the user clicking on a link to visit a malicious website or execute malicious code.
Top 5 social engineering techniques
According to the InfoSec Institute, the following five techniques are among the most commonly used social engineering attacks.
Phishing
In a phishing attack, an attacker uses a message sent by email, social media, instant messaging clients or SMS to obtain sensitive information from a victim or trick them into clicking a link to a malicious website.
Phishing messages get a victims attention and call to action by arousing curiosity, asking for help, or pulling other emotional triggers. They often use logos, images or text styles to spoof an organizations identity, making it seem that the message originates from a work colleague, the victims bank, or other official channel. Most phishing messages use a sense of urgency, causing the victim to believe there will be negative consequences if they dont surrender sensitive information quickly.
Watering hole
A watering hole attack involves launching or downloading malicious code from a legitimate website, which is commonly visited by the targets of the attack. For example, attackers might compromise a financial industry news site, knowing that individuals who work in finance and thus represent an attractive target, are likely to visit this site. The compromised site typically installs a backdoor trojan that allows the attacker to compromise and remotely control the victims device.
Watering hole attacks are usually performed by skilled attackers who have discovered a zero-day exploit. They might wait for months before performing the actual attack to preserve the value of the exploit they discovered. In some cases, watering hole attacks are launched directly against vulnerable software used by the target audience, rather than a website they visit.
Whaling attack
Whaling, also known as spear phishing, is a type of phishing attack that targets specific individuals with privileged access to systems or access to highly valuable sensitive information. For example, a whaling attack may be conducted against senior executives, wealthy individuals, or network administrators.
A whaling attack is more sophisticated than a regular phishing attack. Attackers conduct meticulous research to craft a message that will cause specific targets to respond and perform the desired action. Whaling emails often pretend to be a critical business email sent by a colleague, employee or manager of the target, requiring urgent intervention from the victim.
Pretexting
In a pretexting attack, attackers create a fake identity and use it to manipulate their victims into providing private information. For example, attackers may pretend to be an external IT service provider, and request users account details and passwords to assist them with a problem. Or they might pretend to be the victims financial institution, asking them for confirmation of their bank account number or bank website credentials.
Baiting and quid pro quo attacks
In a baiting attack, attackers provide something that victims believe to be useful. This may be a supposed software update which in fact is a malicious file, an infected USB token with a label indicating it contains valuable information and other methods.
A quid pro quo attack is similar to baiting, but instead of promising something that will provide value to the victim, the attackers promise to perform an action that will benefit them, but requires an action from the victim in exchange. For example, an attacker may call random extensions at a company, pretending to be calling back on a technical support inquiry. When they identify an individual who actually has a support issue, they pretend to help them, but instruct them to perform actions that will compromise their machine.
Other social engineering attacks
The following are additional variants of social engineering that can endanger your systems and sensitive data:
Vishingvoice phishing is similar to phishing but is performed by calling victims over the phone.
Scarewaredisplays notices on a users device that trick them into thinking they have a malware infection and need to install software (the attackers malware) to clean their system.
Diversion theftdiverts a messenger or delivery person to the wrong ıocation, and takes their place to pick up a sensitive package.
Honey trapan attacker pretends to be an attractive person and fakes an online relationship, in order to get sensitive information from their victim.
Tailgatingan attacker walks into a secure facility by following someone with authorized access, asking them to just hold the door for them so they can also enter.
Social engineering prevention
The following measures can help preempt and prevent social engineering attacks against your organization.
Security awareness training
Security awareness education should be an ongoing activity at any company. Staff members may simply not be aware of the dangers of social engineering, or if they are, they may forget the details over time. Conducting, and continuously re-freshing, security awareness among employees is the first line of defense against social engineering.
Antivirus and endpoint security tools
The basic measure is installing antivirus and other endpoint security measures on user devices. Modern endpoint protection tools can identify and block obvious phishing messages, or any message that links to malicious websites or IPs listed in threat intelligence databases. They can also intercept and block malicious processes as they are executed on a users device.
Penetration testing
There are countless creative ways of penetrating an organizations defenses with social engineering. By using an ethical hacker to conduct penetration testing, you allow an individual with a hackers skillset to identify and try to exploit weaknesses in your organization. When a penetration test succeeds in compromising sensitive systems, it can help you discover employees or systems you need to focus on protecting, or methods of social engineering you may be especially susceptible to.
SIEM and UEBA
Social engineering attacks will inevitably happen, so you should ensure your organization has the means to rapidly collect data about security incidents, identify what is going on, and notify security staff so they can take action.
For example, the Exabeam Security Management Platform is a next-generation security event and information management (SIEM) system powered by user event and behavior analytics (UEBA). Exabeam collects security events and logs from across your organization, and uses UEBA to identify normal behavior, and alert you when suspicious activity occurs. Whether it is a user clicking through to an unusual web destination, or a malicious process executing on a users device, UEBA can help you identify social engineering attacks as they happen, and rapidly react with automated incident response playbooks to prevent damage.
//Quoted
