Social Engineering

By Kristin Thomas on November 15, 2024

Executive Summary

Threat actors use social engineering to manipulate users into performing actions on their behalf. It works by exploiting a natural emotional stress response that causes victims to bypass rational thought. Mitigation best practices include stress reduction techniques, scenario based training and supplementary security to reduce damage in the event of a successful social engineering attack.

Background

Social engineering is the use of psychological tactics to convince a person to carry out specific behaviors [2]. It is often used in cyberattacks. By preying on a target's emotions, a cyber criminal can manipulate the target into taking an action [7]. If successfully employed, a threat actor does not need to fight the target to get what they want; they can simply ask the target to hand it over.

Social engineering works through the concept of amygdala hijacking [5]. The two main areas of the brain that process information are the frontal lobe and the amygdala. Critical thinking occurs in the frontal lobe. The amygdala is responsible for survival instinct; it detects environmental threats and uses the fight-or-flight response to remove the threat as quickly as possible. Because the frontal lobe processes information consciously, through rational decision making, it works more slowly than the amygdala. If an attacker can hijack the victim's amygdala, they can make their target bypass rational decision making.

This is why strong emotions create connections: people have a natural tendency to be helpful and to reciprocate [4]. If a target feels connected to an attacker, they are more suggestible and less likely to question the request, including a request to bypass security measures the target previously agreed to follow. It does not necessarily matter whether the elicited emotion is positive or negative; it just has to be strong [6]. Other common emotions include excitement, curiosity, irritation and greed. This is why urgency is so often used as a social engineering tactic: it is very persuasive in making people think only about the request at hand, out of fear of what will happen if time runs out. Threat actors who use this method tend to take advantage of significant events such as natural disasters, holidays, and economic and political events [3].

Social engineering attacks usually take place in four phases: information gathering, deception, the actual attack and retreat. Attackers start by gathering as much information on a target as possible, using social media, search engines or other means of observation. They then progress to psychological manipulation; during this phase, they influence the target's emotions to build them to a heightened state. After the priming is complete, the attack takes place: they may request that the target take an action such as relaying information or installing an application that can damage or take over a system. Once the target carries out the desired action, the attacker retreats.

Impact

Social engineering is especially impactful because its targets are insiders [1]. Such a target usually holds authorizations that an attacker can use as a vector to infiltrate a system. Additionally, social engineering can be carried out in a plethora of ways. It can be performed in person or remotely, use low-tech impersonation narratives or high-tech websites and applications, and aim at access to virtually any asset. As long as one person can be influenced, threat actors gain an opportunity to do harm limited only by the victim's permissions.

Mitigation

It is important that users remain in control of their emotions and aware of the signs of a social engineering attack. Taking a step back to calm heightened emotions may prove useful in reducing the fight-or-flight response [8]. One best practice is to engage in activities that let users recover from stressful situations. Allowing users to take a break to calm heightened emotions diminishes the strength of the attack: threat actors are more likely to be questioned, because users can apply critical thinking to the situation. Quick relaxation techniques include meditation, prayer and breathing exercises. Long-term stress reduction activities can also help lower the buildup of chronic stress, and exercise and relationships can lessen the effects of stressful situations.

Additional security controls can be used as a backup. They limit the extent of the damage that can be done in the event of a successful exploit. For example, many credential harvesting attacks employ social engineering. If the victim does give their credentials to the attackers, the attackers should still not be able to access the same information as the victim. This can be accomplished with additional controls such as device and location restrictions.
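As an added example (not part of the original article), the following Python sketch shows the backup control described above: a correct password is necessary but not sufficient, and a login is refused when it does not also come from an enrolled device in an expected region. The user, device identifiers and regions are constructed sample data, and the SHA-256 password hash stands in for a proper password KDF.

```python
from dataclasses import dataclass, field
import hashlib
import hmac


@dataclass
class UserPolicy:
    password_hash: str                        # demo only: a real system uses a slow KDF
    enrolled_devices: set = field(default_factory=set)
    allowed_regions: set = field(default_factory=set)
    role: str = "user"                        # access granted when every check passes


def _hash(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed directory: one employee whose password might be phished.
DIRECTORY = {
    "alice": UserPolicy(_hash("CorrectHorse!"), {"laptop-0042"}, {"US"}, "finance"),
}


def evaluate_login(user: str, password: str, device_id: str, region: str) -> dict:
    """Decide a login: the password alone never grants access."""
    policy = DIRECTORY.get(user)
    if policy is None or not hmac.compare_digest(_hash(password), policy.password_hash):
        # Same answer for unknown user and wrong password, so the response
        # does not reveal which accounts exist.
        return {"allowed": False, "reasons": ["bad_credentials"], "access": None}
    reasons = []
    if device_id not in policy.enrolled_devices:
        reasons.append("unenrolled_device")
    if region not in policy.allowed_regions:
        reasons.append("unexpected_region")
    if reasons:
        # Correct password from the wrong context: deny, grant nothing.
        return {"allowed": False, "reasons": reasons, "access": None}
    return {"allowed": True, "reasons": [], "access": policy.role}


def should_alert(decision: dict) -> bool:
    """A valid password rejected on device/location grounds is the signature
    of a harvested credential being replayed and is worth an investigation."""
    return (not decision["allowed"]) and "bad_credentials" not in decision["reasons"]
```

The `reasons` list doubles as detection telemetry: a denial carrying `unenrolled_device` alongside a correct password is exactly the event a SOC would want surfaced.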

Users and organizations should be educated on social engineering regularly. Training best practices include scenario-based exercises that let trainees practice what they might experience in real life. This allows trainees to understand the cause and effect of their choices and actions in a safe and realistic environment. Organizations can also test their security measures to gauge the effectiveness of backup controls in the event of a successful exploit.

Relevance

Social engineering is often used in data breaches, which can be costly. According to the cybersecurity company Aura, about 20% of 2023 data breaches involved social engineering. Because the last step of this type of attack is to leave quickly and quietly, there is a risk that criminals exit an attack undetected until it is too late.

References

[1] Acalvio Technologies. (2024, July 30). The Rising Risk of Insider Threats: Strategies for Cyber Defense. https://www.youtube.com/watch?v=Tt844KrJnUk&t=23s

[2] Cisco. (n.d.). What is Social Engineering? Cisco. https://www.cisco.com/c/en/us/products/security/what-is-social-engineering.html

[3] Cybersecurity and Infrastructure Security Agency. (2021, February 1). Avoiding Social Engineering and Phishing Attacks. https://www.cisa.gov/news-events/news/avoiding-social-engineering-and-phishing-attacks

[4] Defendify. (2022, October). The Emotions of a Social Engineering Attack. Defendify. https://www.defendify.com/wp-content/uploads/2022/10/The-Emotions-of-a-Social-Engineering-Attack.pdf

[5] Hazari, G. (2024, February 5). How Phishing Attacks Use Human Evolution To Their Advantage. Forbes. https://www.forbes.com/councils/forbestechcouncil/2024/02/05/how-phishing-attacks-use-human-evolution-to-their-advantage/

[6] Jones, T. (2023, December 8). The 12 Latest Types of Social Engineering Attacks (2024). Aura. https://www.aura.com/learn/types-of-social-engineering-attacks

[7] Lenaerts-Bergmans, B. (2023, November 8). 10 Types of Social Engineering Attacks and How to Prevent Them. CrowdStrike. https://www.crowdstrike.com/en-us/cybersecurity-101/social-engineering/types-of-social-engineering-attacks/

[8] LeWine, H. (2024, April 3). Understanding the Stress Response. Harvard Health Publishing. https://www.health.harvard.edu/staying-healthy/understanding-the-stress-response