Steven Fox is a top government cybersecurity expert, Distinguished Fellow with the Ponemon Institute and frequent speaker at top security events all over America. In this exclusive interview, Steven shares several low-tech but sophisticated social engineering techniques that hackers use to gain (unauthorized) privileged access into government systems and large and small company networks. Most important, what can we do to prevent fraud and respond to incidents that do occur?
A few weeks ago, I ran into Steven Fox, who is an industry expert and longtime friend. He gave an excellent presentation at a local Michigan ISSA event. The topic of Steven’s presentation was: “Social Aftermath — Responding to Social Engineering Incidents.”
His fascinating presentation opened my eyes (anew) to the vast (and underreported) world of social engineering attacks through a wide variety of channels. Our own data is being used against us in evolving ways — including the basic information that many of us voluntarily give away online via Facebook, LinkedIn and other online sources.
Steven F. Fox has spoken at hacker events such as the Black Hat Executive Summit, the RSA Conference, DefCon and Hacker Halted. He has extensive professional experience in the public and private sectors, and his practical stories are unique and powerful.
What you won’t see on Steven’s online profiles (because he practices what he preaches) are the many examples he can provide of top businesses being undone by their own marketing teams, which reveal information that is then used to penetrate those companies’ sensitive databases.
Steven is a humble security pro who I respect and admire for his expertise, style and practical advice. I know that we can all learn from what he has to say. So on to the interview with Steven F. Fox.
Dan Lohrmann (DL): Steven, thanks so much for doing this interview. What is a social engineering attack? Are these attacks as serious as other online threats, such as ransomware?
Steven Fox (SF): I like Chris Hadnagy’s definition of social engineering (SE) — “Any act that influences a person to take an action that may or may not be in their best interest.” All social engineering exploits use the social cues that create rapport and trust in order to accomplish some goal; one that is not always negative. For example, I’ve used social engineering techniques to “work the room” in professional networking meet-ups. I’ve also used them to gain access to server rooms during professional consulting engagements.
Are these attacks serious? The release of over 20,000 FBI agency contact records and the Office of Personnel Management breach are attributed in part to social engineering campaigns. SE attacks bypass the rigid, digital defenses of the enterprise and go after the malleable social analog interface that many organizations use to connect with their customers and business partners.
DL: How common are these attacks in the public and private sectors? Do you think this topic gets neglected in most enterprises?
SF: According to the PCI Security Standards Council, 156 million phishing emails are sent globally every day. Sixteen million of those make it past enterprise spam filters. Users open 8 million of those emails — 80,000 users tend to click on the links. Indiscriminate phishing email may catch users with low-value system authorizations, lowering the value of that breach. However, attackers that target high-value managers/executives through spear-phishing can gain information of greater sensitivity.
I see it as a matter of prioritization rather than neglect. Social engineering was a component of approximately 25 percent of my penetration testing engagements when I was a private-sector consultant. While 75 percent of my clients recognized the social exploit risks, their compliance and business mandates emphasized infrastructure testing. Many of the security leaders with whom I spoke at Black Hat 2016 are starting to view enterprise risk from a supply-chain perspective. This view expands the scope of a risk discussion beyond the boundaries of the organization to include its partners and suppliers.
DL: How do social engineering attacks begin? What are the first steps the bad guys take?
SF: What do most of us do when we are preparing for a job interview? We research the company, its mission, its leadership — individual pieces of information that taken together help build rapport with the prospective employer. In this case, the objective is to collect information that increases the chances of employment. The first step in a social engineering attack is identifying the campaign’s goals and analyzing what is needed to accomplish them. The next step is identifying the target’s processes, people and technology associated with the assets sought. Third, the social engineer identifies the best means by which he/she can blend into the organization. This step is a blend of art and science in that the social engineer must be flexible and responsive to his/her interaction with the target.
DL: Do bad guys build profiles on us and use that information? How? What information is most valuable to them?
SF: Building profiles for the organization and its people is critical to social engineering success. In early 2015, I taught intelligence analysis at Eastern Michigan University. The students thought at first that intelligence analysis and social engineering were just about gathering a lot of information and looking for useful patterns. I refined this perspective by assigning five public companies to five student teams. The semester-long project required that each team build a profile highlighting high-risk business processes, along with the supporting people and technology. Each team also needed to build a high-level map of how money flowed through these processes.
This exercise showed the students that profiles provide an important context for any information you gather during the intelligence process. A profile helps focus an engagement on what information is important and what constitutes noise. It also informs the way that information is used to influence your target’s personnel. For example, I constructed a profile for a popular discount retail chain that allowed me to identify the official code words used over their public announcement system. This helped me pass myself off as a person from corporate that needed to get sensitive store information.
DL: How is the business infiltration process the same and different from other types of cyberattacks? What are the bad guys trying to do?
SF: The attacker is trying to influence a user to take some desired action. The infiltration process that allows this to occur will vary with the target process. For example, the increased use of online process interfaces has led to greater use of phishing attacks. Such attacks take advantage of a user who is already authenticated and authorized on a given system. On the other hand, some business processes require face-to-face contact. In these situations, an on-premises SE attack may occur.
As noted before, the SE target profile will inform many aspects of the attack.
DL: How can executives and security professionals help protect businesses from social engineering incidents?
SF: Business and security professionals should understand that the same information they use to connect with and serve customers can be used to attack the organization. A handful of enlightened businesses that rely on social media to do business also have business intelligence teams monitoring what information is available on the Internet. At the extreme end of the spectrum, large pharmaceutical and energy firms secure counterintelligence services from the likes of Deloitte, E&Y and PwC.
The common theme in these examples is being aware of, and in some instances controlling, the information that cyber-miscreants use to attack the business. The first step is to communicate with your marketing teams to understand what is published — remember always that marketing owns information associated with the customer experience. The second step is to understand how that information flows through your business process. Third, make sure that processes exist to escalate suspicious interactions, whether they are in-person, over email or phone-based. Last, ensure that the organization’s security awareness training incorporates these insights so that everyone benefits from shared knowledge.
DL: How can each of us adjust our online personae to help? How much should we share on Facebook?
SF: Internet Relay Chat was my first exposure to the seductive allure of connecting with others without the constraints of distance. I spent hours on end every day forging relationships on the fledgling Internet — until I realized that all my public messages were saved on several computers and could never really be deleted. This put a major damper on my usage.
Today I use LinkedIn, Facebook and Twitter — sites that view me as a data asset. And I am OK with that. I choose to share information that supports my personal and professional brand. I am also aware that my status as a federal employee increases the risk that I will be profiled as part of an SE campaign. Thus, I am very careful with what I post and I make judicious use of each site’s privacy controls.
DL: Any final words of wisdom or things I missed?
SF: I know people that over-share on social media and open themselves, and their employers, to social exploits. I also know people that work in the defense sector that choose a misinformation approach to their social media activities. There is a middle ground that we can all maintain, but that requires understanding the value of the data you share and the context in which you share it. Most of us that use social media have digital personae on the Internet. We have the power to influence how representative those avatars are.
DL: My thanks to Steven for sharing his insights into how social engineering attacks are playing out in 2016. You can follow Steven on Twitter: @securelexicon.