Introduction
Social engineering is an insidious way of getting “insider access” into an organization’s network and data. Threat actors use it to gain sweeping access to carry out sophisticated attacks while evading detection. This “insider” leeway of social engineering makes it an alarming threat that cybercriminals are routinely exploiting now more than ever.
Social engineering is on the rise
According to recent research, in 2020, phishing attacks affected 75% of organizations worldwide. 74% of attacks targeting US businesses were successful. Verizon’s 2020 DBIR reported phishing attacks behind 22% of breaches, thus flagging it as one of the top threats.
The kill chains in some of the recent high-profile breaches trace back to social engineering. In the ransomware attacks targeting Kaseya and global meat supplier JBS, attackers gained a foothold inside the respective organizations using tacit social engineering tactics.
Today, attackers can deceive even the most astute users into handing over valuable company data using sophisticated social engineering methods. According to the US Worker Cyber Risk-Aversion and Threat Preparedness survey, 64 percent of employees polled failed to identify suspicious links – a key indicator of phishing emails. Fifty-five percent admitted to clicking on links they didn’t recognize. Though 95% of organizations claim to deliver phishing awareness training to their employees, that isn’t making any noticeable dent in the effectiveness of phishing campaigns.
The increased sophistry of attackers combined with the high success rate of social engineering tactics are imperatives for organizations to address this alarming insider threat sooner than later.
Looking deeper into social engineering threats
Social engineering attacks ultimately lead to a type of insider threat known as user error. User errors seen most commonly in these attacks occur when someone unknowingly clicks a malicious link in a phishing email or in a text message. The consequences range from credential thefts to costly data breaches like ransomware attacks and data exfiltration.
While disgruntled employees could potentially launch a social engineering attack, more commonly, these threats exploit the negligence or lack of security awareness of employees who otherwise have no malicious intent.
Social engineering attacks targeting credentials involve two different types of insider threats. The first is where an employee unknowingly clicks on a phishing link and exposes the organization’s system to some malicious tool or malware. This provides attackers inroads to infiltrate the corporate network. The cyber-attack in New Orleans is a classic example of this type of threat. It made city authorities declare a state of emergency. The city had to shut down its entire network to investigate and resolve the problem.
In the second type of attack, the attacker’s goal is to steal credentials. In such attacks, the user, after clicking the malicious link, is redirected to a highly convincing but fake website masquerading as a familiar website. There, the user is thus tricked into providing their credentials which the hackers use to hijack the account and gain insider access. These threats are hard to detect through traditional security mechanisms. The insidious mechanisms of social engineering allow hackers to evade detection for weeks if not months and carry out major breaches like espionage, exfiltration, etc.
Key challenges in addressing social engineering
Facing off social engineering threats is an uphill task for most organizations. The threat had assumed even worse proportions in the post-pandemic times. The challenges in mitigating these threats involve both humans and technology.
Remote Employees
Hybrid work environments are here to stay. Organizations now have to allow more employees (than that in the pre-pandemic era) to work remotely. Remote work introduces both behavioral and oversight challenges. Nowadays, most of the workforce opts to work from homes, at least partially if not fully. When remote, they often use unmanaged devices. Even with security awareness training in place, not all employees are equal when detecting phishing emails on their own. Supervisory oversight is difficult when your employees are working remotely. This introduces visibility challenges and increases the risks of both intentional and unintentional insider threats.
User and behavior monitoring
Monitoring employees irrespective of whether they are on campus or remote introduces the additional challenges of ensuring it’s done in a way that doesn’t violate any privacy regulations. You need the right employee monitoring tools to address these challenges.
Shortage of expertise
Even organizations with a SOC team face the challenge of not having the right skillset to detect and respond to sophisticated social engineering threats. Finding behavioral scientists who understand behavior-based threats is a different challenge from what the typical SOC analyst faces. As a result, organizations often struggle to find the right people to help manage insider threats.
Outdated, Inaccurate tooling
Many organizations use traditional perimeter-based, device-centric solutions that fail to keep up with modern, sophisticated social engineering campaigns. The result is more false positives and negatives, making detection even harder for the already overburdened security staff.
Conclusion
Social engineering is a fast-growing threat. The increasingly sophisticated nature of these attacks makes them hard to detect and combat with traditional security mechanisms. Additionally, the human element plays a significant role in the effectiveness of these attacks making social engineering one of the top insider threats today. This calls for modern security technologies. Many organizations are yet to have a strategy to prevent these threats from coming to fruition. In an age where social engineering attacks are increasingly sophisticated and effective, it is imperative for organizations to have an insider threat program. It needs to utilize technology solutions alongside security awareness programs to maximize the chances of detecting and preventing social engineering attacks at their core.
Insider Risk – How Prepared Are You?
Not every company is equally prepared to deal with insider risk. This report outlines the four stages of insider risk maturity and explores how to improve your insider risk preparedness.