Michael Bird: Hello and welcome to Explain IT brought to you by Softcat, this is a show for IT professionals that aims to simplify the complex and often overcomplicated bits of enterprise IT, of course, without compromising on detail. I'm Michael Bird, and over the next 20 or so minutes, I will be challenging our panel of experts to take a different area of the IT ecosystem and, of course, explain it. In this episode we are going to be talking about social engineering, what exactly it is, who is behind it, how an organisation might protect themselves against it and what we expect to see in the future. With me to help delve into this rather large subject matter is Adam Louca, Softcat's chief technologist for security and Darren Thompson who is CTO of the EMEA region at Symantec.
So Darren, I guess the first question to ask is what is Social Engineering?
Darren Thompson: Well very importantly social engineering is not a new topic, you know it is somewhat new in the context of IT and security but it is not new, it is almost as old as human beings themselves. Many people would have heard the expression "confidence trickery," that's social engineering. This is really about using some of the natural cognitive biases that exist in all of our brains to manipulate us into doing something we wouldn't ordinarily do. In the context of cyber security that's ordinarily manipulating us into giving up information of some kind whether that be some personal information like a credit card number, or a password, or something along those lines so it has become a very important part of a cyber criminal's armoury.
Michael Bird: So what about in the world of IT, specifically, how do we view social engineering or how do we define social engineering?
Adam Louca: So social engineering is really the digital application of those techniques described earlier so they are those different confidence tricks used within a digital context. Typically I think when most people think about social engineering in an IT context they think about phishing, so phishing is the application of social engineering techniques to an email. Interestingly, phishing is generally known as a broad-brush technique so it is not targeted, it will have some level of hook that they're looking to achieve but it is not specifically targeted at you. It is the mass market version of social engineering in a digital context. As you then start to think about how that becomes I guess more effective but probably more targeted is when you move up into spear phishing so this is where you have profiled or you have tried to understand the person you are attacking and you are using specific indicators or cues to get them to buy into your social engineering techniques or your attack. Interestingly, this is often now seen to be focussing towards whaling, which is, I love the term, I love how a lot of this sort of sits around various fishing terminologies. But yeah, whaling. Michael what do you think whaling is?
Michael Bird: Probably, it's a big fish isn't it, so getting the big boys in your organisation.
Adam Louca: Yeah 100 percent. So whaling is, if you think about fishing, if you go fishing you throw a rod into, well you don't throw the rod in that wouldn't be very good but you throw the hook into the river or in the sea, you can tell I go fishing often, and you don't really know what you are going to catch. Spearfishing is you're going fishing but you're holding it and you're going to throw it at a fish or a target, so you've targeted it. The last one whaling is you go for the big fish. So actually it's like spearfishing but you are spearfishing for whales. Whaling is really attached to the CEO fraud and there are other terminologies for this but generally aligned to C-level, I guess C-level members of your organisation because they often have power, they have influence, they have the ability to get things done quickly. Often to do with financial processes.
Darren Thompson: I think there is another important analogy there, whaling is quite a good expression for the targeting of the senior executives because again I am not a fisherman so I am stretching my knowledge here but when we go to catch a whale it is a spearfishing attack we are going after one creature but very importantly it can take hours and sometimes days to land that whale. What we have seen at Symantec when people are targeted in that way, in a spearfishing attack sometimes it is months before the criminal reaches their objective but they are very persistent they will try and try and try and try lots of different avenues and vectors and attack surfaces and social engineering techniques to reach that goal, and that is like a whaling fish.
Adam Louca: That is quite an interesting thought isn't it? Multiple boats, multiple actors, multiple avenues.
Darren Thompson: Yeah absolutely.
Adam Louca: I think interestingly the CEO fraud piece is particularly useful or particularly effective and actually it's a little sad as to why it is effective. Have you got any ideas Michael why you think it would be effective?
Michael Bird: Is it because the CEOs tend to not be quite so savvy but have all the power?
Adam Louca: No interestingly not, interestingly the CEO fraud relies on the fact that in most organisations sadly CEOs aren't that visible and that you don't expect to question them so you don't challenge a CEO if you receive an email you genuinely believe to be from your CEO or your CFO, you may have never met that person in your life, you may have met them once at a company do, and your only communication that you have with them is via email, you have no pattern for their typical behaviour or their mannerisms, the way they may interact with you because for want of a better term they are in the ivory tower. For a lot of traditional organisations you get an email from the CFO that says make this payment are you going to email back and say "excuse me but could you validate that you are the CFO?"
Michael Bird: You just do it as quickly as you can.
Adam Louca: Exactly, and that is exactly what they are trying to leverage that pressure and that lack of personal relationship or the lack or the ability to challenge. Interestingly, the other side of this is less to do with email but is more to do with malware and ransomware styles. Think about Trojan Horses and everyone knows the story of the Trojan Horse. To some extent it is a social engineering attack you have presented something as something else that you want to click and download. You want something for free and actually therefore you are going to run a piece of software that otherwise you wouldn't choose to download and run. So again that is another form of social engineering but that is less playing on the pressure of trying to extract information and more playing on your own greed or your own desire to get something that otherwise maybe you shouldn't have.
Darren Thompson: That's bordering on baiting.
Michael Bird: So explain that one a bit more for me then. So how does baiting work?
Darren Thompson: We just continue the fishing analogy so you know the more tasty a morsel that we put on the end of our hook the more likely it is that something, somebody is going to bite it. My favourite baiting example is to do with memory sticks actually, we do vulnerability assessments in organisations and we have been known to do things like put a bucket of memory sticks in a reception with a sign indicating that everyone is free to take one and we know how useful they are so have one branded with the company brand on them and all that kind of stuff. Of course, as soon as these people put the memory sticks in their laptops they find that they have just downloaded some malware and we have control of their keyboards. It's just presenting somebody with something that they want, ideally free of charge, and sometimes that can come in a software form, encouraging them to take the bait so that we can fish them.
Michael Bird: So where does social media fit in with all of this as well?
Adam Louca: So I think social media is the willing form of social engineering, we are choosing to distribute our information out there for potentially an exchange of value back from us. We choose to put the data out there and share our lives but I think interestingly we need to become more aware of where that data is being put and how that data could potentially be used against us. That's ultimately all about digital literacy. But interestingly when you look at a lot of young people and there have been some studies on this, actually they're less bothered about data privacy.
Michael Bird: So who's behind it and what is their motivation?
Darren Thompson: I will let Adam sort of chip in here as well but you know what's interesting from our perspective at Symantec is that we have seen a major maturisation, if that's a word, of the cybercriminal themselves so 10 years ago in this field we were largely talking about individual hackers making a nuisance of themselves, sometimes financially motivated, but fairly small scale. Now we are talking about a plethora of cybercriminals, everything from the teenager messing around in their bedroom right through to very well-funded gangs of cyber criminals who are sometimes politically motivated, sometimes even state-sponsored. Sometimes gangs of criminals, programming teams of upward of 100 people creating these very, very sophisticated attacks. What's interesting is we are starting to see social engineering techniques taken more seriously and those criminal gangs recruiting psychologists as opposed to computer scientists to combine those skills with the computer science skills you'd expect.
Michael Bird: So you're saying that there are kind of two elements for expertise there is the cyber security element and a psychologist element that the criminals or the people who are trying to attack are using those kind of people, what is it that they are going to get from them?
Darren Thompson: It is interesting you know 25 or so years ago when I was early into this industry I was always taught that a good project or a good program would consist of technology, process and people. I think all we are seeing here is that the cybercriminal is starting to understand that recipe as well. So for some time now they have been investigating and investing in technology that's malware and everything else that is utilised in software for example. You know, process is pretty important, they need to know how they are going to go about their attacks and how they can repeat those attacks to best effect. Now what we are seeing is the people piece coming in this is criminology in social science terms. We are dealing with criminals who are attacking other people, other human beings and will do whatever it takes to reach their end. Whether that be to do with process, technology or people so I think this is just a maturing of an industry if you can term the cybercriminal fraternity as an industry. It is just maturing in the same way that every industry matures but from a cyberdefence perspective that of course makes our job all the more challenging.
Michael Bird: Are Symantec also employing psychologists?
Darren Thompson: We are, actually, so if many of the people listening to the podcast will be aware of the moves in security and IT generally in terms of machine learning for example and artificial intelligence, that's really all about data and it's all about typically data about people and so to do those sorts of things we have to combine the computer science type capabilities that we have with social science capabilities. For me what is really interesting is in our research labs which is the bit of the organisation that is thinking about what software is going to do in 3 to 5 years, a higher and higher percentage of those, of that staff or that group of people are actually now psychologists because they are thinking about how can we defend ourselves from social engineering attacks and to do that you have to understand the psychology of that.
Michael Bird: Ok so what can an organisation do to protect themselves?
Adam Louca: So let's break this apart, we talked about 3 distinct areas through the podcast. We talked about people, we talked about process and we talked about technology. Let's look at them sort of individually, so people first. We need to implement a set of controls that really focus on the human element of this attack, so number 1, get your phishing simulation sorted actually expose your users place them inside realistic looking scenarios, and let them start to understand what an attack looks like, what are the components of it actually you know use those gamification techniques to engage the users to want to take part in these exercises. I think far too often these things are one-way video content delivers content down, it's not particularly interesting it's sort of click click click through. Which is exactly the type of behaviour we don't want them to follow in social engineering attacks and it's exactly the way our learning platforms typically work so that simulation is really useful.
The other part of the people piece is just the cultural awareness, having signs up, making people aware of the current threat level, make it engaging. Actually, I think a lot of this is now very interesting, it's timely, it's of the moment and people do want to know more about cybersecurity whether that be in their own life but in their day to day working within an organisation. The final thing I think I would say about people is that we want people to understand that failure isn't a bad thing, while we are putting in controls that we want people to fail we need to learn from our failures so actually advertising failure is something that should be undertaken a lot more, I think at the moment, security and potentially security incidents are a backroom sort of thing, they are things that sort of happen behind closed doors and none of that good knowledge is shared with anyone, so sharing that knowledge makes everyone better. You can never take the attack back but you can always learn from it.
So, onto process, process is really looking at how can we engineer into a high-risk activity, checks and measures that stop some of the traditional social engineering attacks. This is going to be looking at number 1 starting by identifying what are my high risk processes and what are the users that take part of those high risk processes. Create a culture of asking people for help, actually, don't make this a thing where people can't ask for help if they have any concerns actually make it very easy for people to reach out and speak to someone and actually just validate what's happening. Actually start to look at what does good look like, there is no point looking at this problem through the lens of an IT security professional, or even an IT professional. Take a normal person, take somebody who isn't particularly IT literate and actually look at how they are going to interact with the systems and processes. Actually say is this acceptable, am I asking them to do something reasonable to make a good decision.
I guess really the last area is technology, for me, I would put this at the back, this is really at the back of the queue so to speak. Technology is a very useful asset but it is only one facet of this problem. We are looking at organisations starting to implement fraud checks on emails so this is a technology that will look at building models of who typically interacts with your organisation, look for typically fraudulent domains, look for things like typo squatting, which is a process where someone has slightly altered the domain, where people abuse Unicode characters, which actually potentially is very difficult to start to see the difference between those domains even if you bothered to actually look behind the identity.
Also then start to plan for failure, actually start to plan what happens if my users did get phished. If they lost their credentials how can I apply other security controls that will protect against that. Especially when people are using passwords on multiple different sites, password hygiene still isn't as good as it probably should be. So actually how can you use things like multi-factor authentication to implement additional security controls that expect the user to have potentially lost their identity to have lost their password. And probably the last one from a technology perspective is your URL proxying so not just trying to inspect the actual email and the content of the email for potential phishing indicators but also proxying those links that will take them out to sites that will then harvest that information.
Darren Thompson: Yeah, so I think you have covered all 3 bases really well, as I travel around Europe, Middle East and Africa engaging with CISOs and security organisations within even the largest, most mature organisations, if I look at the maturity of those 3 pillars if you like, what we have been talking about, you know typically those organisations are typically pretty technology obsessed. They have spent a decade purchasing tools, some are doing a better job than others at integrating those tools and making those tools talk to each other and be useful. But probably more importantly than that there has not been even nearly enough focus on process, and certainly not people.
The second thing back to technology is at Symantec we are encouraging people to build comprehensive platform technologies for cyber defence. People often ask me where do you start, because there is so much out there, and the answer is pretty simple, if I am building security architecture I worry about, again, the weakest links, I worry about where am I most likely to get hit and also where can I do the most good? Where am I most likely to pick up on the fact that something bad is happening. In security architecture there is a concept of what we call termination points, termination points are really just where your data momentarily stops. In security what that means is we can do interesting things with that data, we can mine it, we can do deep packet inspection in networking terminology, and despite all of the changes in security architecture over the last decade or so, there really are still only 3 places where our data can terminate.
The first one is at the messaging gateway, and that talks to email something we have brought up in the context of phishing attacks. The second one is at the web proxy, so where we can terminate inbound and outbound traffic to the web. And the third one is the end-point, where of course, you could argue is the ultimate destination for the criminal themselves. So I would encourage people on that technology piece to really think about building a comprehensive architecture and start with those 3 areas because if you have got those covered you are more than likely going to pick up on a breach, you're more likely to be able to do something prior to the breach, causing major issues, and you are well on your way to building something that's comprehensive, as opposed to very specific and narrow.
Michael Bird: So let's look to the future then so what do we expect to see in the future?
Adam Louca: I think interestingly, I guess a good area for the future to talk about is maybe around how some of the ransomware attacks have migrated. You know one of the key things I think we have seen over the last 12 to 18 months is actually, rather than now charging for access to your data actually they are using social engineering techniques to get you to spread the malware yourself to 2 or 3 of your friends.
Michael Bird: So how is it doing that?
Adam Louca: So literally your PC or your service will become encrypted and actually they will say, ok hey you can pay us $500 or whatever the going rate is for Bitcoin at that point. Or, you can choose to basically send this file to somebody else and get them to install it, and if 2 or 3 people basically sign up via your affiliate link then all of a sudden your PC gets given back to you for free. You know essentially relying on social engineering for you to social engineer your friends to get your data back.
Michael Bird: I mean, they wouldn't be your friend afterwards.
Adam Louca: Well they don't have to know that it came from you. Yeah Michael don't open any emails from me! My computer is locked at the moment so I'm looking for 2 unwilling victims.
Michael Bird: So anything else? What do we expect to see then, so anything else, any other developments from the technology industry or the security industry that we expect to see?
Adam Louca: I guess the other one to consider is that just around the identity barrier as you move to a sort of distributed application model as your services start to run in multiple locations, potentially multiple clouds, different types of services SaaS and PaaS and IaaS or whatever that looks like, you no longer have NAT or you no longer have a firewall you no longer have your bastion and your home, your castle. So really, all you have left is the ability to say 'I am Adam Louca' and I am allowed to access this system and that identity barrier is very important. So, as that becomes more and more important the amount of effort put into this social engineering and that sort of manipulation will be greater and greater because actually I don't need to compromise your computer anymore, all I need to do is to compromise your identity. Darren I mean you must see that a lot where people are using other people's identity to then gain greater credibility so potentially compromising a low level employee or an administrative employee, or somebody with a relationship and using that to step through an attack, is that something you guys are seeing?
Darren Thompson: Yeah we do see some of that, you know PAs typically although they have a fairly low level of access in some ways in terms of the data sets that they are specifically responsible for they will often be given the password and the credentials of their boss which of course completely mitigates any sort of risk that we are trying to get rid of in the first place so that sort of thing is happening. I think there are a couple of things that I am concerned about moving forward and on both the good guys side and the bad guys side I think what we are going to see on the criminal side on the short term is more and more attacks that are what I would refer to as 'living off the land'. So not particularly sophisticated on the technical side, but quite sophisticated on the social engineering side.
Criminals are starting to understand that whether their attacks are sort of a ransomware paradigm, or they're a bitcoin mining paradigm whatever it might be. They can get the job done with pretty much with the tools that already exist that are out there and with some social engineering they can get the job done. So I think we are going to see in the next year or so, we will see more large scale breaches, and when we dig into them just like with WannaCry, we will see that actually the technical controls, the basic technical controls just weren't in place and that was taken advantage of by the criminal, but actually it was the social engineering that got the job done.
I think in the medium to long term those intersections are going to start to come into play. So, what might be a scenario there so I guess mass social engineering, you know how can fake news for example be propagated across massive amounts of people, leveraging an analytic that has been learned about those people. That's where things start to get quite scary, you know if we are talking about sort of nation state sponsored types of attacks, you know politically motivated, manipulating voters for example, I think we are going to see more of that in the future and again that's really a coming together, potentially of IoT, you know our data showing up everywhere, everything we own is connected, social engineering, how do we get access to the data in the first place? And analytic capability what do we know about half a million people, for example.
Michael Bird: That is super scary isn't it?
Darren Thompson: Yeah that's where I think the world is going. Now that's the negative side. On the positive side it's a very, very exciting and interesting time to work in security right now, because for all of that bad stuff that's going on and actually if I think about those intersections I mentioned; social engineering, IoT analytics, we are doing all of that as well so think about what the Symantec research labs are doing for example in the area of AI and machine learning and deep learning. Think about how we are starting to leverage the huge amount of analytics that we have, the global threat landscape, and mentioned earlier some of the things we are starting to do in psychology, some very, very exciting things that I think are going to shake this industry up, and actually put the criminal on the back foot as well.
Michael Bird: So, to summarise?
Adam Louca: Yeah so, I guess we have covered a wide range of different topics here but I think ultimately what we are really trying to say is that social engineering is really now the key component to most attacks that we are seeing these days. It is always going to be at least a minor component but in most scenarios, actually it is the tip of the spear it is the first point, or the first entry that a threat actor gets in your environment. If you can stop that first entry by a combination of technology as we described, design, and we make sure the processes are good but also making sure that your users are well educated, they understand the threat and that can really act as your human firewalls. Actually what we can start to do is to stop those attacks before they get into the technical landscape, and if we can start to stop them before they get into the technical landscape their chance of succeeding is massively reduced. I think the other thing to consider for everyone listening here is, thinking about how you are using your own data. In your own world, what are you doing, how are you making sure that your life is secured, because as much as this is a show geared towards enterprise IT people actually everyone when they go home takes their hat off and is no longer an enterprise IT person. They are a normal person, and these types of data and these types of techniques are being used against us a lot for good, for bad and actually how do we start to give ourselves that level of awareness, that level of street smarts, that level of critical thinking that makes sure that we come at these things with a logical and clear head that we are not manipulated. I guess my challenge to anyone listening is you know, have a think about the digital services you use today and the very old paradigm is you know, if you don't pay for the product, you are the product, are you happy with that and are you happy with the data you are giving up to these organisations.
Michael Bird: Darren and Adam thank you so much for your time today. Thanks for coming in it has been really interesting hearing all about social engineering from both of you.
If anything has piqued your interest around social engineering, do check out the show notes, we'll include links about some of the stuff we have talked about today and there is also a link if you want to get in touch with someone directly at Softcat. So you have been listening to Explain IT from Softcat, thanks for listening and goodbye.