Effective Awareness Campaign - Social Engineering is a 'Why' Question
TL;DR - in this blog post, I will review my approach to conducting effective social engineering awareness campaigns (phishing, vishing, spear-phishing, smishing, Etc.).
Let's start with a question - how many of you, my readers, participated in a phishing awareness campaign at least once in your organization? Did you find it efficient? In August 2022, I participated in Defcon 30. One of the primary villages I visited was the new social engineering community, which hosted a vishing contest. For those of you that never heard about the contest - different teams get a month to collect intelligence open-source based (aka OSINT) about a company, and during the contest, they call their targets and try to phish them. All are monitored and made for educational purposes. I was amazed by the number of people that received a call and answered "yes" to the question, "did you participate in a phishing awareness campaign?" while the 'attacker' phished them. You can read more on the vishing contest at Jason Puglisi's blog.
In the last few months, vishing, and social engineering in general, returned to the headlines. More and more high-profile threat actors returned to use it as their primary initial access vector, leaving aside the vulnerabilities. Some actors were affected by regulations, some executed social engineering attacks and succeeded, and others just used it from day one - because it works. Take the notorious attacks of the year - Lapsus$, Cisco, Uber (in this attack, we don't know yet if the initial access vector is Social Engineering, the assessment based on the hacker's publication, which might be a false flag). What do all these attacks have in common? The initial access vector was Social Engineering. Not limited only to it, but very prominent. Another thing that all these attacks have in common is their publicity. We can examine reports about all the new threat actors that were forked from CONTI and how they relied mainly on social engineering.
Why do we fail in the least sophisticated attacks? First, the problem is not a lack of security tools. The companies promoted themselves this week after Uber's breach claiming that they would have prevented the attack entirely, just don't tell the truth. First, as mentioned, we don't know yet what is the right vector - Uber is the only one that really knows, and we can't rely only on what the hacker said. Second, these companies might assist in preventing the attack, but when the attack surface gets bigger, the odds of a security breach based on social engineering increase the same way. My friend JC Carruthers and Corin Faife wrote a blog about the place of Social Engineering in the latest Uber attack. I wish to quote one paragraph from the blog:
"Even for a company with Uber's resources, these kinds of social engineering threats are impossible to completely defend against. It doesn't matter how good a firm's password policies are, whether sensitive information is properly stored or encrypted, and even whether multi-factor authentication is used — there's always a chance that a human employee will be fooled into letting the attacker in through the front door."
Second, and more importantly, in my opinion, we have a problem in our industry - we fall into a bias that technology is the main factor for cyberattacks. We forget that hackers don't hack things just because they can; they have a motivation that leads them. Thus, the hackers don't search for the most sophisticated tool to conduct the most unprecedented cyberattack; they search for a tool that works and answers their goals.
It's very salacious to do some malware analysis about comprehensive attacks like Solarwinds or attacks by Sandworm. We see vendors and security researchers call for organizations to fight these threats or to simulate these attacks via a red team operation. How many organizations are really going to face an attack like this? This technology bias made us think that cyber security is linear - if the defensive security tools got better, the attackers are going the same way. I think the actors' sophistication level and arsenal are not the primary aspects of adversaries - their motivation is. A cyberattack is not a theoretical war game. Can you imagine a hacker that ran into a wall, got detected, and said to himself, "The target won! Good for them! I need to stop attacking them"?
Cyber threat intelligence researchers from our community and academia examine the attacker's power according to their technical sophistication level. They check how unique the technology is, how original it is and how difficult it is to detect. I claim this analysis doesn't help the organization get protected from the threat nor assess the threat level for the organization. I spoke about this subject in my Defcon Biohacking village presentation - what's the point of investing resources for defensive and offensive capabilities if the actor is going to leverage your pain point and enter your city through the front gate as the Greeks did in the Trojan war? In my opinion, intelligence-driven defensive and offensive capabilities can change the organization's threat landscape, not the trends we find on Twitter, not the fear we have from sophisticated threat actors.
Let's break another axiom in our industry. The core competence of a business, which is not a security company, is not cyber security. Thus, the
team members do not think about security. Similarly to people not from the military, most people are less aware of cyber attacks. Perhaps they never saw an actual cyber attack live. People from the industry who blame the non-security people do wrong with these people. It's hard to detect cyber attacks when you don't understand that you are a target. We can't fight threat actors alone, especially if they target non-security people. Consequently, we have to give our team members a way to understand threats, how to fight them, and how to take part in the defensive mission.
As I wrote on the Welcome page, I see cyber as poetry and intelligence as language. Therefore, I use many analogies when I present my thoughts. Two analogies are very common - comparing cyber security to military or medical protocols. Here I wish to use an example from the medical world. A few years ago, the medical sector emerged with the decentralization of laboratory testing - new technologies enable people to test themselves before seeing a doctor, and the testing is not limited to lab professionals. These types of tests have many advantages. Although they are not the most accurate testing, they offer a tool to detect and prevent further infections, reduce a patient's length of stay, and give them a key to sort themselves instead of overloading the doctors. In this time-saving, the doctors can focus on treating people. Sounds familiar? Think about the things the antigen changed for us during COVID. Our awareness campaign mission is similar - it helps our team members to be the first line of protection, to detect a significant part of the social engineering attacks, prevent them, and reduce overload in the SOC.
Something to put in mind, we must ensure we don't frighten people, decrease collaboration, and give the team members a feeling that if they fell for a phishing campaign, the organization would punish them or break the trust between security people and non-security people.
As expected in the industry, analyzing a cyber attack includes three components, also known as TTP: Tactics, Techniques, and Procedures (Note again that there is no T for tools). The tactic layer answers the 'why' question, the technique layer answers the 'how' question, and the procedures answer the 'what' question.
The differentiation between phishing, spear-phishing, vishing, and smishing is essential for threat intelligence people. It's crucial for detecting, monitoring, and mitigating attacks. These techniques, or operational intelligence, are essential in any awareness campaign, but they are not the central part. In my opinion, when we execute an awareness campaign, the differentiation should come only later. We must focus on the 'Why' question. I feel the same way about preparing an adversary simulation based on threat intelligence (you can check my approach in the following blog post). We should ask ourselves, "Why did the actor use the specific tool" and not only "What tool does the hacker use" simply because it doesn't make the impact we want to achieve. To test security software against a specific tool, you should not do a red team/adversary simulation operation.
Like the Simon Sinek 'golden circle', My agenda, in general, is named 'the era of why', in which I focus on explaining first why threat actors choose to execute the specific techniques, how they do it, and what they do only then. Check the video that explains Sinek's theory to understand better why we should start with the 'Why' question.
The first layer of an effective awareness campaign is the 'why' layer. The main question about phishing from non-security people is, "what can the actor do with my data '' - we should explain to them the motivation. By understanding why the actors will send phishing emails to their private email accounts and how they will utilize it for their needs, or why the actors will urge them to call a call center and install software to review a receipt, the non-security people connect to the awareness mission. That's the time to speak about the Tactic T from the TTP.
The second layer of the campaign should be the 'how' layer. How the actor might execute the attack to achieve the mission we already explained. Here it's the time to differentiate between the different types of social engineering methods, as we spoke before - the Technique T from TTP.
The third layer of the campaign is the 'what' question - what the actor will do. It's better to have actual evidence for the attack by an actor that we would like to use in the campaign. If the actor already attacked us, it's better to show the actual attack by the actor. If the actor attacks others, but we know we might get targeted, let's explain 'why' we assess that. If we don't have any evidence like this, we can create a look-alike attack of the actor - use your red team to do it; they have the malicious mindset you need to tailor a campaign like this. This is the Procedure P from TTP.
Let's take the Cisco attack as an example of an intelligence-based awareness campaign. Start with the why - the hackers that target us wish to breach the organization, steal data, and ransom us. A common tactic to ransom an organization is publishing this data, as they did when they breached Cisco, for example. To breach the organization, the actor most commonly tries to steal information from the organization's team members and then utilize it to get into the organization from the main door. Continue with the how - The hackers did it, in the past, by attacking the organization's team members. They hunted their personal Gmail accounts. After they had access to your personal account, they would steal your passwords, get into the organization, and achieve the mission we explained. Finish with the what - present the most common phishing attack by the group.
Needless to say that it's not that simple, and as we said before, the larger the organization, the bigger the risk. As I wrote here, a paragraph is not enough; it is an educational process. It's part of uniting the team members over the mission of protecting the organization. Your compliance/awareness team should probably use your marketing team to disseminate the message throughout the organization. But if you would focus on why, based on your awareness campaign of intelligence and relevant attack, you might make the organization a safer space from social engineering-based attacks.