Over the years I have heard of some really well-crafted social engineering attacks. Social engineering is a really effective way for malicious actors and pentesters alike to get past well-trodden security measures. To be honest, there really aren't many proven systems that can defend against a talented social engineer. They know what makes humans tick, and they will abuse every emotion or angle of human nature they can twist to their benefit. The talented ones are amazing to watch, and it can be a little terrifying to see how easily they worm their way past checks and measures.
One that comes to mind was pretty amazing, and the guy who put her up to the attack was visibly shocked; you could see it on his face. I really don't think he expected her to be that successful, but she nailed it. Jessica Clark, the social engineer who carried out the attack, pretended to be his wife and, at his request, used social engineering to try to gain control of his accounts (I bet he feels stupid about that now). She played audio of a crying baby in the background and in less than 3 minutes had complete control of his accounts. It's funny; check out the video on YouTube.
Another was in a CNN report in which a team of professional social engineers demonstrated how easy it was to spoof their phone number so that they appeared to be calling from a number within the target organisation. They then called the IT support desk, saying they were not very good with IT and couldn't get access to their project online. The caller gave the technician a web address and got him to click to open the file. The tech simply gave him access to his machine; a fake project file came up and the caller said the tech must have done something because it worked now. The tech on the other end said no problem and was none the wiser that he had just let the attacker into his systems. Check it out on YouTube. This one was even faster, with no tricks, just simple manipulation and some number spoofing.
People put up big, expensive security perimeters around their worlds thinking they are impenetrable, but that is far from reality. The examples above are just two of hundreds or even thousands you can find on YouTube or social media (don't believe me? Do a quick search). So we need to ensure that we have a plan for social engineering: a plan for how we can best manage our processes to ensure that systems are as protected as they can be.
I am not talking about more blinky lights, more firewalls or some other fancy AI; that won't protect you from social engineering (okay, there might be some technology that helps, but that's not what we are here to talk about). You need to train your staff, and keep training them until they are comfortable detecting these types of threats, and then train them some more just to make sure. Security awareness training is great, but this is not about meeting compliance, which is what most companies use it for; it is supposed to help your staff get better at identifying risks. Help them understand how their actions can put the company at risk and what can be done better as a team to improve.
If people don't understand, help them. Don't belittle victims; use an incident as a learning tool so they know what happened and how to spot the signs next time. Spotting social engineering is a learned skill; even us security folk had to learn it at some point, how else would we know how it happens? And even once we have done all the training and our staff are aces at detecting social engineering attacks, mistakes will still happen. So train and train, make it fun, but don't stop there.
Review your daily processes that could be manipulated by malicious actors, run through them and outline the particular stages that could be a problem. Then change the procedures to include secondary, or even third or fourth, checks in high-risk cases so that staff can't be manipulated easily. Ensure that these new processes are implemented and tested; if they don't work and can still be manipulated somehow, change them again and again until you have a solid process that reduces the risk of these attacks succeeding.
In these procedures, ensure that two staff members are always involved in the process for all financial records, and ensure that customer or supplier verification checks are in place whenever a request specifically concerns changes to payment details. This ensures that your organisation and your suppliers and clients are better protected by your processes.
Once this is done, the training is flowing nicely and the procedures are practised and hardened, it can be time to come back to the blinky light solutions that could extend the protection for your staff. There are some great email filtering services that can help reduce the number of malicious social engineering emails that actually reach the target's inbox (I am not going to name them; I am not here to sell you solutions, that is not my goal at all, I want to help you be better and protect your organisations). They can include click protection and spam filtering, and some now also include a training component that teaches your staff as they go while protecting them from incoming threats.
I know some of you are probably moaning and groaning right now, saying that all of this is too much hard work. But unless you have been hiding under a rock lately, you will be aware that there is at least one high-profile breach every week, and those are just the ones that make the news, so I am sure you can imagine that the real number is dramatically higher. The news isn't concerned with Tim's pies or Jill's flowers, but we need to be.
So quit the whining and make a plan to secure yourselves from social engineering attacks; you will be much better off in the end. This isn't just about your business either: if you train your team, they will pass on their new skills to their circles, in turn making everyone that little bit better prepared.