Today I was featured in IT Security, a Portuguese security magazine that interviewed me on the topic “Social Engineering”.

Here I share my thoughts on it.

Evolution of Social Engineering Attacks

Social engineering is an ancient technique that exploits and manipulates human psychology to gain unauthorized access to sensitive information, systems, or networks. Remember the Trojan Horse, perhaps the oldest and most popular social engineering attack in history, which, under false pretenses, manipulated the Trojans into opening the doors to their security perimeter, thus allowing the Greeks to achieve victory.

Since then, although with the same objective, social engineering attacks have evolved significantly in terms of techniques, sophistication, and scope.

More recently, artificial intelligence (AI) has expanded the tools cybercriminals use in these attacks (for example, impersonating voices the victim knows), the content they produce (for example, flawless translations and intonation in any language), and the techniques themselves.

This trend is here to stay, and we can expect increasingly sophisticated, convincing attacks with greater impact on businesses.

Main Challenges for Companies

Social engineering poses a significant challenge to companies because attacks of this nature target human vulnerabilities rather than technological ones, and human vulnerabilities are significantly harder to detect.

For this reason, a strong cybersecurity culture with a robust employee education component is the first line of defense against these attacks.

Another major challenge for companies is their digital exposure, which allows attackers to extract valuable information about the organizational hierarchy of a business. Armed with this information, they can direct the attack towards the most susceptible members who hold the most privileged access to internal information or systems. Therefore, companies' public information should be regularly reviewed and assessed to minimize the risks of social engineering attacks.

Strategies for Employee Education

Employees trained to recognize social engineering attacks are the first line of defense for any company.

A comprehensive cybersecurity awareness strategy should encompass several practices that familiarize employees with the various social engineering methods and how they can be identified. Practices such as phishing campaign simulations, education about the different methods of social engineering, establishment of clear communication channels, recurrent training sessions updated with emerging tactics, personalized cybersecurity training for executives, and feedback and support are essential measures that companies can leverage to strengthen this first line of defense.

Company Cybersecurity Culture

A Zero-Tolerance approach to cyber hygiene promotes a healthy and secure culture for both systems and people.

In addition to empowering their employees to detect and prevent social engineering attacks, companies should implement policies that reinforce clear guidelines to enhance this culture. On one hand, these policies indicate the precautions to be taken with data, devices, and corporate identity; on the other hand, they apply technology that helps enforce these same precautions and monitor anomalous behavior of users and systems.

Current Technology

With a first line of defense of educated employees able to recognize these types of attacks, companies’ second line of defense relies on technology.

At the perimeter, email security solutions are crucial for detecting and fighting social engineering attacks, account theft, and data leakage.

Regarding productivity, solutions offering multi-factor authentication, internal document classification, and measures to block contact with the social platforms where employees are most vulnerable help protect their identity and prevent the exposure of privileged information that could be used to mount more personalized attacks.

In terms of security, solutions supported by AI/Machine Learning (e.g., SIEMs, XDR) with capabilities for analyzing human behavior not only enable the identification of unusual user behaviors but also provide automatic responses to phishing attacks, essential for swift detection and mitigation.

The synergy between people and technology provides companies with the best chance of facing these types of attacks.

Warning Signs of These Attacks

Identifying social engineering attacks involves substantial effort, as cybercriminals can contact victims through various channels.

Therefore, it's up to organizations to be vigilant and investigate potential signs that a social engineering campaign is underway. These signs include, among others: an increase in phishing activity detected by technological solutions or reported by employees; patterns of abnormal volume, frequency, or source of communication; alerts of unusual trends in human behavior; the appearance of typosquatting domains related to the company; and patterns of anomalous traffic.
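Two of the signs listed above, look-alike (typosquatting) sender domains and an abnormal volume of communication from one source, can be checked mechanically from mail-gateway logs. The following is an added example written for this post, not code from the interview or from any product it mentions; the company domain `example-corp.com`, the log-line format and the log lines themselves are constructed for the demonstration, and the homoglyph table and the edit-distance threshold of 2 are assumptions a real deployment would tune.

```python
import re
from collections import Counter
from typing import Optional

# Assumed company domain; a constructed value, not taken from the article.
COMPANY_DOMAIN = "example-corp.com"

# Constructed mail-gateway log lines for the demonstration (not real traffic).
LOG_LINES = [
    '2024-05-02T08:01:10Z from=ceo@example-corp.com to=cfo@example-corp.com subj="Q2 budget"',
    '2024-05-02T08:03:41Z from=ceo@examp1e-corp.com to=cfo@example-corp.com subj="Urgent wire transfer"',
    '2024-05-02T08:04:02Z from=it-support@example-corp.co to=alice@example-corp.com subj="Password expiry"',
    '2024-05-02T08:04:05Z from=it-support@example-corp.co to=bob@example-corp.com subj="Password expiry"',
    '2024-05-02T08:04:09Z from=it-support@example-corp.co to=carol@example-corp.com subj="Password expiry"',
    '2024-05-02T08:10:00Z from=newsletter@vendor.example to=alice@example-corp.com subj="May update"',
]

# Assumed log format: "<timestamp> from=<addr> to=<addr> subj="<text>""
LINE_RE = re.compile(
    r'^(?P<ts>\S+) from=(?P<sender>\S+) to=(?P<rcpt>\S+) subj="(?P<subject>[^"]*)"$'
)

# Characters and digraphs commonly swapped for visually similar ones (assumed table).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalize(domain: str) -> str:
    """Lower-case a domain and fold common homoglyph substitutions."""
    d = domain.lower()
    for fake, real in CONFUSABLES:
        d = d.replace(fake, real)
    return d


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute) with a rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, target: str, max_distance: int = 2) -> bool:
    """True if `domain` imitates `target` without being identical to it."""
    d, t = domain.lower(), target.lower()
    if d == t:
        return False
    if normalize(d) == normalize(t):
        return True  # homoglyph swap, e.g. examp1e-corp.com
    if levenshtein(d, t) <= max_distance:
        return True  # one or two typos, e.g. a dropped or added letter
    # Same organisation label under a different suffix, e.g. example-corp.co
    return d.split(".")[0] == t.split(".")[0]


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line into its fields, or None if it does not match the format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def analyze(lines, company_domain: str, burst_threshold: int = 3) -> dict:
    """Flag look-alike sender domains and senders with an abnormal message volume."""
    lookalike_domains = set()
    sender_counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than crash the sweep
        sender = rec["sender"]
        sender_counts[sender] += 1
        domain = sender.rsplit("@", 1)[-1]
        if is_lookalike(domain, company_domain):
            lookalike_domains.add(domain)
    burst_senders = {s for s, n in sender_counts.items() if n >= burst_threshold}
    return {"lookalike_domains": lookalike_domains, "burst_senders": burst_senders}


if __name__ == "__main__":
    findings = analyze(LOG_LINES, COMPANY_DOMAIN)
    for d in sorted(findings["lookalike_domains"]):
        print(f"look-alike sender domain: {d}")
    for s in sorted(findings["burst_senders"]):
        print(f"unusual send volume from: {s}")
```

Run against the constructed lines, the sweep flags `examp1e-corp.com` (digit-for-letter swap) and `example-corp.co` (same organisation label, different suffix) as look-alike domains, and `it-support@example-corp.co` as a burst sender, while the legitimate internal mail and the unrelated vendor newsletter pass. In practice the candidate list would come from newly registered domains or from the gateway's sender field, and the burst threshold from a baseline of normal traffic; the point of the check is to turn the "appearance of typosquatting domains" and "abnormal volume" signs into something that raises an alert rather than relying on someone noticing.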

Timely detection is always the best approach.

Collaboration Among Teams

Promoting a cybersecurity culture that minimizes the risks of social engineering is a collaborative effort among all teams within an organization. From the technical team that identifies and investigates alerts, to the governance team that assesses risks and establishes policies, to the communication and human resources team that raises awareness and integrates employees into this culture, security truly depends on all of us.

And voilà! 😊

This is without a doubt a widely discussed topic (maybe the most discussed in cybersecurity?); however, I believe organizations still have a way to go in protecting their users, and consequently their resources and data, from the real dangers of social engineering.

So, let’s keep talking about it 🕵️‍♀️