By Scott Jarkoff, Director of Intelligence Strategy for APJ & META, CrowdStrike
Despite extensive educational campaigns to boost employee awareness of social engineering tactics,
threat actors continue to use social engineering with alarming efficacy. Adversaries use emotion, urgency, and pretext to manipulate employees and harvest legitimate credentials, which allow them to enter a target organisation while bypassing security measures like authentication portals and firewalls. Once inside, adversaries can swiftly and covertly navigate the environment, engaging in malicious activities such as data theft and ransomware deployment, severely disrupting business operations. By using legitimate privileged credentials, adversaries can remain undetected for months, providing ample opportunity to fully compromise the organisation.
The CrowdStrike 2024 Global Threat Report found that 75% of attacks to gain access were malware-free. As identity-based attacks continue to rise, security teams must defend against social engineering techniques. We explore the most common methods below:
Phishing: This technique involves deceptive emails intended to steal credentials or deliver malware, often through malicious attachments or links posing as legitimate authentication portals. Sometimes, instead of an attachment, a link leads to a seemingly legitimate authentication portal along with urgent messaging alerting, for example, to password expiry or “suspicious activity” around the account. The false login portal captures entered credentials, which the adversary can then use to access the account and ultimately the target organisation.
Vishing: A portmanteau of “voice” and “phishing”, vishing relies on impersonation and pretext to manipulate phone call recipients — for example, an adversary may become an “employee” calling the help desk in distress. With information gathered from reconnaissance, the attacker creates an urgent scenario pressuring the target to bypass procedures like multifactor authentication or password reset approvals to gain authenticated access into the target network.
Delivery is a key element of vishing. If security processes are weak and the adversary has enough context to convince the target their call is benign, simple pleasantries may suffice. If needed, emotion and manipulation can be used to convince the victim that they should deviate from standard procedure to help the “employee”. Examples include crying, intimidation or claiming difficulty with technology.
Smishing: This technique uses SMS messaging to manipulate a target into providing information or
granting access to a system or account. Smishing can target a wide group of persons or specific individuals. The message itself may sometimes solicit personally identifiable information (PII) from the target or attempt to convince them to click a link.
When used against a business, smishing can take on a variety of forms. If the target phone number is associated with a business device, the sensitive access and information on the device are at risk if the user clicks a malicious link. Even if the target is a personal device, the threat actor may be targeting a specific user to collect information that can later be leveraged to answer security questions in another phase of the social engineering attack.
The consequences of a successful social engineering attack can be devastating, highlighting the importance of robust security processes and employee awareness. Organisations should follow these tips to fortify defenses against common social engineering techniques:
Use non-researchable security questions: Prompt users to provide information that cannot be
easily found online, such as an asset identification number for their workstation.
Implement strong multifactor authentication (MFA): Require all employees to use strong MFA,
such as security keys, to access organizational resources, adding an extra layer of security in case
passwords are compromised.
Strengthen password reset processes: Create multiple layers of security in the password reset process. For example, require security questions, manager approval or push notification
acceptance.
Train help desk staff: Educate help desk associates on security processes and risks of non-adherence.
Educate employees on current cyber threats: Notify employees immediately about active social
engineering campaigns targeting the organisation and provide channels to report suspicious activity.
Use allowlists for software installation on systems: Limit software installation on organisational
systems to an approved list, preventing the execution of potentially malicious software, such as remote monitoring tools.
Adopt modern identity protection technology: With a modern identity threat detection and response (ITDR) solution, organisations can differentiate between normal and malicious user behavior and stop identity-based threats in real-time.
Monitor for harvested credentials: Employ a solution capable of monitoring the dark web for access brokers selling exposed credentials, and alerting when an organisation’s credentials are for sale. This provides early warning to mitigate the threat before an attacker purchase and uses legitimate credentials to compromise the targeted organisation.
Adversaries have long used social engineering to trick their victims into providing access or information
not available to the public. With generative AI supporting the efficiency and effectiveness of social engineering campaigns, we expect this approach to remain prevalent throughout 2024. Security teams must understand evolving social engineering tactics and put the appropriate combination of people, processes and technology in place to safeguard their organization’s critical assets.
