In light of a barrage of high-profile breaches, it’s clear adversaries have embraced social engineering attacks as a low-risk, high-reward method for intrusion. The old playbook has been updated with multi-channel campaigns that target the modern ways in which workforces communicate. Of late, the social engineering wave has left a devastating wake. Hundreds of millions in cryptocurrency stolen, millions stolen in invoice fraud, the total takeover of corporate systems, and exfiltration of valuable IP -- just to name the most recent damages. Indeed the new wave of social engineering has occupied a larger share of headlines than years past: Nvidia, Okta, Microsoft, Samsung, Ubisoft, Axie Infinity, Uber, Take-Two Interactive, 2K Games, and a bevy of healthcare payment processors.
“Social engineering” as an attack strategy has been around for more than 30 years, so three critical questions are facing security teams. We will address them in this post:
- What can be learned from this resurgence?
- Why is it proving so effective?
- What can companies do today to shore up their social engineering defenses?
We’ll end with a focus on what companies can do now to move beyond just awareness training and on to establishing technical controls to stop the language-based attacks that lead to account takeovers, credential theft, insider threats and more.
The New Social Engineering Kill Chain
Looking at the TTPs of these recent social engineering attacks, a modification to an old kill chain emerges:
- Targets employees, typically contractors or the workforce of third-parties
- NEW: Exploits targets by stringing messages across multi-channel campaigns (vishing/email, SMS/WhatsApp, phone/Slack, etc.)
- Tricks employees into compromising credentials or MFA tokens
- Executes intrusion to corporate systems - typically digital workspace platforms including Slack and MS Teams
- Moves laterally into connected systems containing data, intellectual property, or other business critical assets
This kill chain has been embraced by both nation state threat actors like Lazarus Group and APT 42, and cybercriminal collectives like the prolific Lapsus$ group-- on a fresh tear after a so-called “vacation” following the arrests of alleged members in London in March.
Why has social engineering resurfaced as a popular vector?
- With the world shifting to hybrid work and cloud-based platforms to communicate, there are more ways to reach employees and more ways to pose as legitimate insiders within digital workspaces.
- The business communications technologies that are helping organizations work more efficiently are also the channels that integrate with critical areas like code repositories and data systems.
“In the current threat landscape the predominant tactic is to compromise the weakest link in any organization, personnel.”
Head of IT & Security
Why Is Social Engineering Succeeding?
The proliferation of cloud communication channels has enabled new forms of work and greater business agility. It has also expanded the attack surface to include any organization’s business communications infrastructure. Indeed, early this year VMware noted a full third of attacks in its Global Threat Incident Response Report constituted “business communications compromise” or BCC:
New platforms are also increasingly being leveraged for such attacks, including third-party meeting applications (31 percent) and business collaboration tools (27 percent), in the form of business communication compromises (BCCs).
Hear more about VMware's findings with Principal Cybersecurity
Strategist, Rick McElroy, on First Watch
The application of “BCC” is vital to expanding the aperture through which security leaders assess organizational risk. BCC also points to one reason why organizations are falling victim to multi-channel social engineering attacks: the limitations of security awareness training. These programs have historically been the answer to social engineering defense. Training is cited as the remediation in both the MITRE ATT&CK framework (see Mitigation 1017) and the Verizon Data Breach Investigations Report. While training is a necessary component of any risk management strategy, there are serious limitations to this approach:
- Most awareness programs are designed around phishing simulations mimicking inbound email
- Most programs do not address new workspace channels like Slack, Teams, etc. where there is higher implicit trust among employees
- Finally and most crucially, training is not a control that can be acted upon by defenders
Social Engineering Defense-in-Depth
In addition to adapting awareness training, it’s vital that technology be brought to bear on securing business communications environments spanning email, collaboration, conferencing, and chat channels. These channels comprise the primary layer at which adversaries can reach and compromise or manipulate any employee.
The human mind and eye are not equipped to spot social engineering, especially under any sort of confusion or duress. Security teams can now layer in technical controls to close gaps where training either falls short or employees succumb to a lure.
Technology is also a necessary component to meet the staggering scale of digital workspace communications. For one of our customers, we found that across Microsoft 365 email and Teams, just eight employees in a sample set of data produced over 24,000 messages in one month, across the two channels. Within that small sample set, our patented Social Engineering Detection technology found serious business risks like malware that slipped through native email controls and wire transfer information in clear text within Teams. The organization has a total of 800 employees, so the magnitude of communications risk becomes startlingly clear.
Cross-Channel Detection of Social Engineering Risks
Advances in Natural Language Processing coupled with cloud-scale compute power means NLP has evolved beyond simple recognition toward Natural Language Understanding (NLU). The critical difference between the two is NLU’s ability to discern context and intent.
With contextual analysis of communications, it’s now possible to detect and alert on social engineering indicators earlier in the kill chain, such as false urgency, coercive language, persuasion techniques, etc. This analysis adds a crucial layer where defenders can act when training falls short.
That said, if you don't have these controls in place today, what is something you do now? The first step is assessing the risk of your communications environment. It’s nearly impossible to protect something if you don’t know where the gaps are.
What is Your Business Communications Risk Profile?
“Communications are a blind spot for most organizations.”
Head of IT & Security
All too often, we hear from leaders who admit to not having the level of visibility they need to accurately manage risk across business communications. They may have logs, but they don’t have a way to quantify the risk within the whole of their communications environment outside of email. Nor do they have visibility into the communications themselves.
Here’s a quick way security leaders can start the process of understanding and quantifying their organization’s communications risk and outline protection from cyberattacks and social engineering defense. We’ve provided a free checklist resource below.
- INVENTORY your business communications channels
Understand what every line of business is using to collaborate and communicate internally and externally.
- QUANTIFY any visibility gaps by understanding monthly communication volume
On average, 45% of business communications occur outside of email. Some companies we’ve worked with found they lacked any visibility into fully 1/3 of inbound and outbound communications.
- USE METRICS THAT MATTER to continuously assess risk with leadership and stakeholders
Stack rank the risks that matter to your team. For example, do you consider volume of outbound attachments more important than volume of internal links?
Download: Checklist for Communication Risk Assessment
New Social Engineering Attacks are Focused on Business Communications
Security awareness training alone is failing. Securing business communication channels should be at the top of the to-do list for any organization, especially with many of these channels now being integrated into other collaboration applications such as Jira, GitHub, and Google Drive.
Within these platforms, it’s easier than ever to target employees and contractors using these channels since there is usually trust built up within them, which means one compromised account is all it takes to breach an organization.
It’s time for organizations to treat the entirety of their business communications environment as a critical part of their attack surface. A risk assessment will help you identify the gaps and where existing tooling falls short.
If you are interested in learning more about the SafeGuard Cyber solution, you can take a quick 5-minute tour.