In 2011, Kevin Mitnick released his much-awaited memoir, Ghost in the Wires, which detailed his exploits as “the world’s most wanted hacker.” And while he’s known for being a computer hacker, the truth is that he almost always gained access to target networks through human psychology, using a set of techniques broadly classified as “social engineering.” For example, he talked his way into multiple large telephone companies to heist procedural manuals that provided him access to the companies’ most confidential data. In other words, the notorious Mitnick was actually a social engineer first and a computer hacker second.
Mitnick intuitively understood that social engineering is often the easiest, most direct route to getting access to data. He knew that because humans are more fallible than computers, “the human factor” is the most important vulnerability in any organization.
“Social engineering” as a category usually includes “phishing” (using email or deceptive web advertising to entice the recipient to click a link, enter a password, or download a file). However, in the context of today’s post, we are specifically referring to physical activities that can provide access to coveted data. Once social engineers gain access to the target network, they can move laterally throughout the environment, stealing confidential information, installing cryptomining malware, or compromising critical infrastructure.
The following techniques are a few of the more common tactics that the co-author of this post, Keith Kops, Splunk’s Global Head of Safety and Security, has seen in his years on the job, often as a penetration tester:
- “Classic” social engineering techniques: This category includes things like this renowned phone hack (also known as “vishing,” which is a combination of the words “voice” and “phishing”) that employs a recording of a baby crying in a truly nefarious fashion, as well as in-person manipulation. For example, in a penetration test, one red team contracted an ambulance to go to a physical facility that was well-protected with multiple gates and vehicle controls. Without checking credentials or verifying its mission, corporate security allowed the ambulance through each set of security gates and ushered the fake medics up to the datacenter (whoops!).
In another example, a red team employed a social engineer posing as a jogger to approach the front desk of another organization and ask to use the restroom. After chatting with the security guard, the “jogger” convinced the security guard to invite them back later for a tour of the facilities. Bam!—access to the datacenter.
- Diversion: One red team carried out a masterful diversionary technique by approaching a security kiosk (where officers kept temporary badges for visitors) and creating a commotion, while another team member furtively entered the kiosk and “stole” an access badge. In another scenario, the red teamers flew a noisy drone over a secure facility to create a distraction, while a team member hopped the fence.
- Exfiltration: The word “exfiltration” is often used in the context of someone breaching or logging on to a network in order to gather confidential digital files or other valuable data and remove them from the environment (via email, for example). But exfiltration can also manifest in physical form. For example, an insider might request a key to a shredding bin from corporate security. Although access to these bins is typically well-controlled, there are examples where employees have talked security personnel out of the key to a shred bin, citing an excuse, such as accidentally dropping an important document inside the bin. Once they’ve gained access, the bad actor can collect important documents containing confidential information.
- Brute-force attacks: Whereas in cybersecurity, a brute-force attack involves using a piece of software to crack passwords (by automatically entering password after password until stumbling on the right one), in physical security, a brute-force attack involves breaching a physical barrier, such as a security gate or fence (as in the drone-diversion example under “Diversion,” above). These attacks may be used alone or in combination with one of the other tactics described earlier.
While most large enterprises provide employee training to raise awareness of common social-engineering tactics, the human factor can never fully be eliminated. That’s why the most effective corporate security requires both physical and digital defenses.
While Splunk’s products can’t help you prevent physical social-engineering attacks, they can help you detect, investigate, and remediate cyberthreats. To step up your cyberdefense game, we suggest checking out Splunk Enterprise Security Content Update (ESCU), which maps common attack techniques to the MITRE ATT&CK framework, as well as to kill-chain phases, CIS controls, and more. ESCU contains Analytic Stories that combine a narrative/background on each attack technique (such as ransomware, cryptojacking, WMI abuse, and so on) with pre-configured Splunk Enterprise Security searches. If you don’t have Enterprise Security, you can still use ESCU to read up on the issues and educate yourself on effective detection techniques. And it’s free! Check it out in Splunkbase.
How does your organization address social engineering? Share your ideas in the comments!
Keith Kops, Global Head of Safety and Security, Splunk
Brianna Blacet, Senior Security Researcher/Blogger, Splunk