The idea that humans are the weakest link shouldn’t guide the thinking on social-engineering defense.
In the pantheon of catchy cybersecurity slogans that should never have caught on, two about social engineering spring to mind almost immediately: “End users are the weakest link” and “attackers only have to be lucky once; defenders have to be lucky all the time.” Both of those statements have been repeated by practitioners for time immemorial and seem to make sense superficially, but should we be comfortable with the onus we put on end users to overcome the deficiencies of our defensive systems?
In 2019, with cyberthreats on the rise and breaches increasing in both frequency and magnitude, is it anything other than feigned impotence to claim that a roll of the dice and a potential, stupid (albeit very human) mistake is all that is keeping any given organization from being the next Maersk, Equifax or Capital One? Are we comfortable acknowledging that our defenses are so brittle that they can be shattered with one errant click? We certainly shouldn’t be.
Indeed, even when end users do exactly what they’re told they should, it may still not be enough. It’s hard to forget what is perhaps the most spectacular and consequential example of successful social engineering: The phishing attack on Hillary Clinton’s campaign manager, John Podesta. It was reported that Mr. Podesta thought the official-looking Google password reset email he received was suspicious but the campaign IT department either cleared it or mistyped their reply, causing Mr. Podesta to supply his credentials to state-sponsored attackers. It’s a perfect – but likely not unique – case of someone acting in good faith, performing the actions prescribed by experts, and still becoming a victim.
Take a moment to consider a few explanations as to why attackers target end users for social engineering:
- There are a lot of end users. It should go without saying that in order for attackers to succeed, they need attack surface. In general terms, there are more users than systems. Moreover, many systems are not directly accessible via the internet, but most end users are. Social-media sites also offer attackers effective reconnaissance tools that are difficult to prevent or detect.
- End users already have what attackers want. When attackers target systems, their path to the loot may be circuitous. They have to find a system they can compromise, escalate privileges and/ or pivot to another system, and continue to map the environment to find out where the valuable data is. The process can be extremely repetitive and time-consuming. End users, on the other hand, offer a fairly direct route to the desired data. If you’re after personnel files, why not get them from someone in HR? If it’s financial statements you seek, isn’t the finance department the logical place to start?
- Social-engineering attacks give attackers a surprising amount of leverage over their targets. While some campaigns still rely on very old and very obvious tropes – and are therefore very easy to avoid – many modern social-engineering attacks seem authentic. This is especially significant in a corporate setting because the context is such that the consequences of not acting could be severe if the scenario were legitimate. For example, emails that appear to be from supervisors requesting action or information, or notifications from IT regarding password changes – these are the sorts of things that simply can’t be ignored in the normal conduct of business without serious impact.
The most commonly proposed remedy for social-engineering attacks is more end-user awareness training. While training is definitely part of the solution, it’s only one of several elements of an effective defense. Other elements include:
- Giving users better tools to help reduce risky behavior. One of the most oft-repeated mantras in end-user awareness training is, “Don’t click on attachments from people you don’t know” which is good advice, as far as it goes. Unfortunately, many phishing campaigns are now designed to appear as though the message is coming from someone the victim does Employees also still need to exchange files for legitimate business purposes. Secure file transfer products and cloud-based enterprise file sync and share (EFSS) solutions can help mitigate some of the risks associated with malware-infected files, as well as helping users break the habit of exchanging files via email.
- Implementing strong(er) authentication. Credential-harvesting is a frequent objective of social engineering and, according to reports like the Verizon Data Breach Investigations Report (DBIR), credential theft features prominently in many breaches. Stronger authentication – whether it’s cryptographic, multifactor authentication (MFA), or some combination of the two – means that a successful attack won’t necessarily yield anything useful. It’s also worth pointing out that, while NIST no longer officially recommends SMS as a second factor of authentication, even weak 2FA is better than no
- White-listing applications. Malware installation or execution is another common objective of social-engineering attacks. Though the list may be long and difficult to compile, most organizations should know what software they’re actually running. A successful application white-listing rollout is never easy, but it does make the task of executing malicious software much more difficult and allows threat hunters and other members of security teams to focus their efforts on much a smaller attack surface.
- Network segmentation. Humans, and the defenses we design, will always be fallible. A number of high-profile attacks over the past two years have featured malware that was able to move laterally through networks, significantly increasing both the overall damage and the time needed to recover. Network segmentation, like application white-listing, is a non-trivial exercise for most organizations but is easily one of the best “insurance policies” for those times when an attack succeeds.
In general, the best overall approach might be to start thinking of social-engineering defenses the same way that we’ve been thinking about automobiles and automotive safety for over half a century: Train users to become competent operators, assume that mistakes are unavoidable, supplement the training and capabilities of operators with technologies that make doing the right thing easier and doing the wrong thing harder, and, lastly, implementing additional safety features to eliminate or reduce harmful results during a catastrophic event.