Social Engineering Kill-Chain: Predicting, Minimizing & Disrupting Attack Verticals in Ahead
Christina Lekati on Jun 02, 2022
It was a Friday afternoon, and Bill was on his way home from work when he received a call that made him take the next U-turn back to his office. It was one of those calls he had been dedicating all of his working hours to avoid. He was not given much detail over the phone, but it seemed that Andre, someone working in the accounts payable department, had just fallen victim to a scam and had made a hefty payment. A scam? Bill recalled all the training videos he had put this department through. What went wrong?
"They had inside information – it was so believable!" were some of Andre's first words when he saw Bill, the head of their cyber security team. Someone had called Andre a few minutes before his shift ended, claiming to be an employee from a partner company they had recently started collaborating with for an important project. The person on the call sounded distressed and almost panicked. They claimed that one of their invoices had not yet been paid. Since the project's next phase was scheduled to start on Monday, this was their last chance to get the payment through. Alternatively, they would have to temporarily freeze the project (which would have a domino effect on the project's overall timeline and deliverables). All of this sounded entirely plausible to Andre. They were indeed collaborating on the project the caller mentioned, the timeline was accurate, and the names the caller mentioned were indeed the project owners. The caller insisted on sending the invoice via email, and Andre processed that invoice. But he was left with a strange feeling. So he went back to his database and checked the account details. Sure enough, they were different. But it was too late.
Bill immediately realized it was a spear-phishing attack combining vishing (a scam carried out over the phone) with a potential phishing email (the attachment and the overall email still needed to be examined). He now had to report the incident and investigate the matter. As the investigation later showed, the caller had spoofed the phone number so that the call appeared to come from the partner company. That was one of the main reasons Andre trusted that the call was legitimate, and caller-ID spoofing is one of the main tools cyber attackers use to establish trust with their targets.
Protecting an organization from social engineering attacks is not an easy task. Rather, it is an asymmetric game in which information, education, and strategy are paramount. Social engineering is a very attractive option for cybercriminals: it is a low-cost, low-risk, high-reward approach. While security technology has been advancing, human vulnerabilities have remained the same. The stimulus-response effect in human triggers is consistent, and exploiting these vulnerabilities is consistently successful. It is not surprising that most of our industry's threat landscape and cybersecurity insight reports (including those from ENISA and the World Economic Forum) have listed social engineering attacks and human error among the top 3 threats for the past few years. This is not a trend that seems to be going away. Rather, it looks like cybercriminals continuously find more ways to exploit humans within their attack kill-chains. .....