Social engineering

A key way to protect critical infrastructure is with layered controls in front of sensitive assets. But these technical protections won’t matter if a bad actor still can gain access to one of the most sensitive assets of all: your users.

To help prevent social engineering or the method of gleaning information from your user base, you can introduce guardrails such as data loss prevention (DLP), proper network segmentation, and a robust identity and access management (IAM) infrastructure. Still, a determined attacker can exploit these controls, and some privileged users with access can natively subvert them.

To reduce risk, it’s wise to build your organization’s awareness of common social engineering attacks, while consistently testing for vulnerabilities:

• Vishing. In this method of attack, short for “voice phishing,” a bad actor uses the phone to coerce a user to divulge sensitive information.
  Why test for it: Running your users through vishing scenarios can help them identify ways they might be approached over the phone. For example, hacker groups like Scattered Spider are known to call help desks, posing as legitimate users in an effort to steal documents and intellectual property.
• Smishing. Short for “SMS phishing,” smishing is the sending of malicious text messages.
  Why test for it: Smishing scenarios are highly covert, may not appear malicious, and usually do not immediately seek sensitive information. Instead, hacker groups focus on building rapport with users before asking them to visit legitimate-looking websites, which are designed to steal mobile phone data such as subscriber identity module (SIM) information.
• Physical breach: In this attack, a bad actor circumvents building controls, such as badge readers and man traps, to approach employees on an organization’s physical estate.
  Why test for it: Controls such as DLP, antivirus, IAM and network segmentation assume that attackers operate remotely. But if an attacker can physically walk up to someone, they immediately bypass these controls.  
• Spear phishing. Referring to targeted social engineering, this method seeks to go after a specific user group, such as an IT administrator team. It can take the form of any of the methods described above.
  Why test for it: In addition to help desks, Scattered Spider commonly uses spear fishing to attack C-suite executives, administrative professionals, and even the family members of these groups. The typical mechanisms are tailored emails and chat messages, aiming to compromise single-sign-on credentials and security tools without using malware.

Attackers are constantly evolving their exploitative techniques, so even the most knowledgeable users are susceptible to social engineering. That’s why progressive companies are engaging managed services providers with cybersecurity capabilities that evolve at the pace of threats. The best providers offer consistent testing and education to help harden your user base against attack.