"ishing" and Social Engineering attack kill-chain for cybersecurity awareness tailoring - non-technical approach
TL;DR: Playing with the words that describe the most popular social engineering attacks, we describe social engineering as something that happens to everyone, every day, including the attacks. We discuss how technology, social and personal vulnerabilities are exploited in social engineering attacks and how to detect and block such activity. #ishing #socialEngineering #cognitiveBiasIndex
Most likely you've heard about phishing, the way criminals trick people into making errors during Internet activity. This is an example of adversarial use of social engineering. You may also know that term, but there is more behind "phishing" and other social engineering attacks. Let's find out what, where, and most of all why this is happening to all of us.
Technology context
Phishing is popular, but there are other attacks: vishing, smishing, quishing, someshing, and maybe more that we don't have a name for yet. You may already have noticed that all of the mentioned names share the common core "ishing", which can serve as our definition of social engineering used in attacks. If such an attack is executed using a specific channel or technology, we add letters at the front: ph- for email, v- for phone/voice, sm- for SMS or messaging, qu- for QR codes and some- for social media... see below for the "big picture".
Take a look: by simply analyzing the word construction, we find one of the most useful defense techniques against social engineering: be aware of where attacks happen. Practically, find your answers to the following questions:
You may realize that few, if any, are keen to invest time in such awareness, which makes technology awareness impractical in reality. What is more, technology may be tricky for the end user; check below how.
Adversarial use of social engineering requires spoofing an identity, or at least giving the impression that a real identity is in use. As our perception has physical and cognitive limits, each communication technology or channel has specific design issues that enable an adversary to exploit our perception gaps. Some are purely technical, like the limited space for an Internet address in a smartphone web browser; some are opportunities within technology protocols, like caller ID spoofing for voice and SMS channels. Others originate from poor implementation of security knowledge, like the "green padlock" that is read as "secure" but should be read as "hard to sniff, but sender unknown". There are also ones specific to a technology process, like password policy, user age verification and application or device updates. Breaking the attack at this stage, by detecting suspicious messages, requires knowledge of and experience with how the communication technology is used. This is hard, even for technically skilled persons. Such exploits may be detected and blocked by technology, but these controls may also impact regular business communication, and are implemented so slowly that criminals have time to adapt and bypass them.
The first defense step against practical use of social engineering is to understand technology behavior and respond to anomalies. This requires time, skills and experience, and so it is a very rare activity. Bad communication practices and technology implementations also make this step harder, and effective detection of attacks requires an understanding of local culture, so that legitimate communication is not disrupted by false detection.
Social context: norm or attack?
One down, more to come. Let's focus on "ishing" as social engineering attacks. Why attacks? We know many of them and define these adversarial activities with words like scamming, baiting, pretexting, doxing, bullying, stalking, whaling, impersonating, trolling, targeting, swatting and many more... attacks with a common pattern: abusing or manipulating social context. As activities, they are represented by the "-ing" part. With all of the above, you may realize that social engineering is common, and was around us many years before we built computers and the Internet. You are right! What is more, technology makes it easier, but is not required to make it happen.
Social engineering is in fact a broader term, not tied to technology. You may understand it as manipulating any social relations, norms or interactions (the social part) so that specific tasks get done successfully (the engineering part). It happens to everyone, including you, every day. Social context is used all the time to drive your decisions by your family, friends, work environment... any social activity is full of "engineered" patterns and rules that we are aware of and agree to follow. This is WHY social engineering attacks happen to everyone and are so hard to detect before it is too late. They are, simply speaking, a small alteration of our normal life. Responding to commercials, quid pro quo, business deals: these are normal, daily social engineering activities. When the context of the above is altered, we may not notice the difference and follow the attack, disguised as regular activity, becoming the victim of a social engineering attack. Fake news, hate speech... we know this well.
The second defense rule, applicable to this stage of social engineering attacks, is available to everyone: know your limits and rules, and as a rule, do not cross them easily. We used to call this rule common sense, and it is very true.
Social and personal context: your cognitive biases
We have discussed almost all of it, apart from this one: -ish-, which sits in the middle of each social engineering attack. "Ish" means around something, when you can't be specific... a little deviation... that alteration of both physical and social context that makes social engineering attacks so successful. This part is our mind's "interpretation", or more precisely our perception and cognitive skills. This is how we "fill gaps" in knowledge to make decisions, how we explain things to ourselves, how we project future events even without a good understanding of the present. We also know these patterns of "ish" as cognitive biases, and below you can find a map of the most common ones.
Impressive, right? Now you can understand why technology can't block social engineering attacks, and why you need to educate and train yourself. Don't be discouraged by the picture above. The fact that you have learned the human threat landscape spanned by cognitive bias vulnerabilities may help you expand your protection practices with cognitive awareness: mindfulness. Yes, this is a challenge, and if you need help, find inspiration in pop culture messages like those in the movies The Matrix or Inception, where a fixed mindset leads to missing situational awareness.
The third rule useful for defense from social engineering attacks is a tricky one: don't trust your perception. Practice testing yourself as often as you can. Use available tools and tips to prevent bias in your cognition. Find other people you trust and practice peer review. Consider mindfulness.
Private context as secret sauce: your emotions
There is one more secret ingredient that is mostly discussed for social engineering and plays an important role in any social engineering attack: your emotions. Basic altering of social context is not enough, nor is exploiting technology limitations. You need to be pushed to complete the engineered task. This will happen only if you believe that this is the best course of action. Emotions give you that. As designed by nature, emotions drive your body and mind reaction, from fight, through flight, up to freeze and obey. You may fight for limited goods, flee from danger into an unpleasant but acceptable situation, or you may find yourself trapped and just follow the instructions of your predator. Unprepared, or unaware that your emotions are taking control over you, you have no chance to stop. Disruptions may help to cool down, but mostly it is too late. Practicing detection of rising emotions, and controlling your body's reaction, gives the best results when blocking social engineering, including attacks. With this approach, no matter whether greed, curiosity, fear, urgency or any other emotion is rising, you can be prepared to detect it, contain it, cool down and move forward. This practice is hidden within a common cybersecurity campaign: stop.think.connect!
Here comes the ultimate rule for defense from social engineering attacks: practice emotional intelligence. Be aware of your body signals, like holding your breath or raising your shoulders. These are red flags, when you should start the emotional cool-down.
Social engineering attack kill-chain (simplified)
Now you have all three in a deadly efficient chain:
With emotions rising during the process (heat map above). Without disruption or emotional intelligence skills, you lose control in the exploitation of your cognitive bias phase.
How to break it?
Be aware of:
You may be hungry for examples of the above. Please find more, not only examples, about human factors in cyberspace here:
This article was created as a helper for describing the various and broad social engineering activities across the cyber domain; however, it is not limited to cyberspace events. Introducing "ishing" as a term describing social engineering attacks is done on purpose, to bring attention to the differences between awareness and training needs as well as activity structure and content. A more "kill-chain"-tailored response in trainings may lead to more efficient behavior change in potential victims, and ultimately stop or break the social engineering attack and report it.