Social Engineering

How does Social Engineering work?

Social engineering is a technique for extracting information from people. Companies and organizations are increasingly confronted with 'direct contact' with their staff: an attack is not limited to approaching from a distance and breaking in with digital techniques. It is a precarious quest to achieve success as quietly as possible. That success is a question for the target/victim, but the assignment for the social engineer. Subtlety, gaining trust, empathy, charm offensives: everything is pulled out to enter into a relationship with the target. The sliding scale on which the target eventually finds itself has a 'point of no return'. Most victims will try to solve the matter themselves, possibly out of shame. The malicious employee could 'sell' himself/herself to his/her social engineer.


Social engineering can be seen as a collective term for actions in which one or more persons use almost any means to influence and/or mislead others. These are age-old techniques given a new look (deception, indoctrination, seduction, gaining trust, etc.). Social engineering is part of cyber security, often because several IT options are also used to make the first contacts. Examples include fake e-mails, phishing e-mails, and also fake news via social platforms, used to contact (the network of) the victim. Social engineering is the hacking of people (human hacking), where the social engineer's goal is to get the target to work with him: to have actions performed, to deliver items, to provide access to…, to be an eye and ear for the social engineer in the organization where the target works or is affiliated. The target spies for the social engineer so that he does not have to penetrate the organization himself. This concerns work done for the social engineer at a time when he would not be able to penetrate a closed organization on his own. There are several options for using the target's services; take, for example, the introduction of the social engineer by the target into his/her own organization.

Nowadays, social platforms and various chat groups are an ideal environment for making the first contacts anonymously and/or for disseminating large amounts of incorrect information. There are several definitions of social engineering. Triple I communication puts it as follows:

Social engineering in the context of strategic deployment:
Using centralized planning to direct social change and regulate the future development and behaviour of groups.

Social engineering in the context of information security:
Covertly manipulating individual behavior and perception to gain access to confidential information that could be used for fraudulent and/or criminal purposes.

In the context of strategic deployment, examples include the deliberate, frequent, subtle, and persistent dissemination of incorrect information ('weaponized narratives'), aimed at influencing groups during, for example, an election or a vaccination campaign, but also the tens of thousands of fake e-mails distributed immediately after the downing of MH17 (source: Bellingcat.com) to influence general opinion. In the context of information security, an example is the conversation, the social communication, with (the network of) the victim, possibly preceded by a digital introduction (e.g. e-mail). In principle, the unsuspecting victim need not be the first target the social engineer set his eye on during his preparation; anyone in that network can be part of the social engineer's attack vectors. The social engineer can be directed to the right person via contacts within an organization, which is pre-eminently a network: initially to gain trust and then to increase the pressure and draw the victim into the social engineer's sphere of influence. These techniques are hardly recognizable with digital means.

“You only see it when you realize it”

A social engineering attack on an individual can deeply affect any organization. The reputation, the image that the organization has committed to for years and worked hard on, can simply disappear. The image, how customers view the organization, can be damaged just like that. Losing customer confidence can be disastrous for commercial institutions, but that holds for any organization. Non-profit organizations are vulnerable too, such as ministries of justice and defense and organizations such as security and other government services. A well-known footballer put himself on the map with his statements, and one of them certainly applies here: “you only see it when you realize it”. The social engineer relies, among other things, on a number of fixed actions. These actions are so ingrained in our culture that they do not stand out when used. Their success rate is tied to the dilemma between organizations' desire to be customer-friendly and service-oriented and a healthy dose of mistrust. That is why an attack is not immediately recognized. But the trajectory it leads to, cooperating with something you would, possibly afterwards, say you never wanted to participate in, can be recognized. With training and insight into the elements at work, the modus operandi can be observed over time.

Triple I communication provides training and workshops for gatekeepers and (middle) management, but especially for the workplace, to let staff become more familiar with the phenomenon of social engineering. That does not mean they are themselves trained as social engineers. Topics include the 5 phases that underlie an attack (the engagement model) and what a social engineer focuses on (behavioural styles), so that the information can be translated to one's own organization and recommendations made in the field of personnel policy, compartmentalisation, and handling of company data. For more information: www.tri-c.nl.
