The Different Players in Social Engineering
Most people inherently trust others, unless given a reason not to. This element of human nature makes it possible for social engineering to occur. Social engineering occurs when a person uses psychology and persuasion to manipulate another into doing a certain activity or revealing secret information. In the end, the victim is taken advantage of and the social engineer obtains something of value for themselves or the organization they represent. The victim or their organization is left exposed if important information is stolen, or damaged if an action results in harm.
This post looks at the elements of social engineering in circumstances where there is a single social engineer. Attacks can also rely on automation or social engineering at scale. For example, sending 100,000 phishing emails might rely on a social engineering technique, but the dynamic is not one-on-one. The channels for social engineering can be face-to-face, email, telephone calls, or any place where two people interact. The impact can be stolen physical or virtual goods.
Social engineers, spies, criminals, and hackers are not going to target just anyone. There must be a reason and end goal for the actions. If you work for a government organization that has information or secrets that are valuable, you should be on guard. If you are able to access sensitive information from your workplace computer, the adversary knows that.
In addition to having access to desired information or the ability to do certain actions, the central victim is going to have characteristics that appeal to the social engineer. Perhaps they are an outsider at the organization or their views conflict with the organization. The social engineer can use various information-gathering techniques to find this out. After finding an angle to establish the relationship, they are going to cultivate it until trust is established.
The Social Engineer
Social engineers have been around since civilization began. People with charisma and insights into human nature, whether obtained through training or instinct, can influence others to do things or provide the information they desire. In the 20th century, social engineering was used by spies in the World Wars and the Cold War. Classified government information was exposed in countless situations.
As the Internet and computers came to be the driver of communication and information, the goal of social engineering progressed from documents in a file folder to files on a hard drive. This means the social engineer would need to be tech-savvy in many instances to deliver.
The classic channel for social engineering is simply face-to-face. Two people run into each other and friendships or romantic relationships form. Over time, trust is established and the social engineer asks the mark to get what is needed or they compromise them in another way. After the mission is accomplished, the former supposed-friend vanishes.
The Threat Actor
The largest social engineering attacks are largely the domain of countries and criminal organizations. Nation-states have whole departments dedicated to espionage and intelligence. The Cold War was fought on this front primarily. Like Q giving James Bond a spy gadget, a threat actor gives the social engineer the information and tools to succeed. Criminal organizations have raked in billions executing ransomware and other attacks. For a modern threat actor, the resources brought to bear might be money, intelligence, or training.
Small groups, hacktivists, or even individuals can also make waves. The social engineering-based hack of Twitter in 2020 was the result of a single teen and his friends. For smaller groups, there might not be an overarching organization orchestrating strategy. The social engineer and threat actor are the same.
If a threat actor successfully attacks a target organization, attributing an attack to a threat actor is often possible using forensics. But given the nature of global politics and dynamics, it is difficult to pursue legal action of any sort. The response from the victims might amount to a tit for tat if the perpetrator is a known nation or organization, and the cycle continues.
The Target Organization
The company that is the target of a social engineering campaign is another player in the field of information warfare. A company might be a target if it holds valuable information or control. Companies in the supply chain of a target company could also be targets. These companies fall victim to supply chain hacking. Often, the partner of the primary target might be less prepared.
All companies that handle sensitive information, control important infrastructure, or even partner with companies that do should take steps to prevent social engineering. These steps should include employee education. Train employees to be suspicious of unknown people online. Social engineering offline is not as common, nor as often warned about. But if a company is in an industry of interest to threat actors, even real-world interactions need to be analyzed.
For the company itself, different tools and services can be used to monitor suspicious activity. Cipher can analyze network activity using CipherBox MDR. Monitoring access logs to sensitive areas or other anomalies is a proactive practice that can stop damage before it happens. Prosegur can monitor for damage in the physical world.