The Rise of Social Engineering and How XDR Can Help
What is Social Engineering?
Social engineering is a growing attack vector that relies heavily on human interaction. It typically involves tricking people into breaking standard security policies and best practices. Attackers employ social engineering to gain access to networks, physical locations, and systems, typically for the purpose of achieving some sort of financial gain.
Threat actors use social engineering techniques to hide their true identities and motives and present themselves as trusted individuals or sources of information. The purpose is to influence, manipulate, or trick users into giving up privileged information or access within the organization. Often, social engineering schemes rely on the willingness of people to offer help. For example, an attacker can pretend to be a coworker with an urgent problem that requires access to other network resources.
Social engineering is a popular strategy among hackers because it is generally easier to exploit a user's weaknesses than to find network or software vulnerabilities. Hackers often use social engineering tactics as the first step in large-scale campaigns to break into systems and networks and steal sensitive data or spread malware.
Social Engineering Challenges
Organizations face several important challenges when trying to address the threat of social engineering.
Social engineering can victimize anyone at any organization
The recent Twitter hack proved that even tech giants can be affected by social engineering scams. By conducting a detailed investigation of the victim, attackers can easily deceive them with compelling stories and falsified credentials. Whether you’re a small business or a multinational corporation, it is very important to be prepared to protect yourself against these threats.
Two-factor authentication may not be enough to protect your data
Two-factor authentication, in which users are asked to provide something they know (such as a password) and present something they have (like a mobile device or authentication token), is important to secure access, but it is not enough to prevent social engineering. A scammer can trick an employee into giving up information directly, bypassing authentication completely. Cybersecurity awareness training is essential to ensuring that employees understand how to minimize the risk of data leaks.
Social engineering schemes are targeting more privileged users
Compromising privileged users is the primary goal of cybercriminals, as it allows them to access internal systems. Obtaining login credentials from a single user via a phishing email can give attackers access to privileged IT resources that they could not otherwise reach. This can lead to catastrophic data breaches.
Social Engineering Trends
The following are some of the important trends experts are seeing in the global practice of social engineering.
Consent Phishing on the Rise
Consent phishing is a type of social engineering that tricks the user into using a malicious application that requests permissions to access cloud services. The malicious application offers legitimate access to cloud services and applications; in the background, however, it grants the attacker access to the user’s accounts.
These malicious systems are usually deployed as web applications, and because they do not need to be installed on the user’s device, they bypass endpoint security.
Currently, many large enterprises, such as Microsoft, Google, and Facebook, use authentication technologies like OAuth 2.0. The attack on the SANS Institute is an example of an attack employing malicious Office 365 add-ons that automatically forwarded email from employee accounts to addresses controlled by cybercriminals.
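A defender can review consent grants and mailbox forwarding together, since the pattern described above pairs a permission-hungry web application with mail silently leaving the organization. The following is an added example, not part of the original article: the record fields, sample data, organization domain and the policy of skipping verified publishers are assumptions made for illustration, and the scope names are Microsoft Graph permission names.

```python
# Constructed sample records; field names are hypothetical, not a vendor log schema.
HIGH_RISK_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send",
                    "MailboxSettings.ReadWrite", "Files.ReadWrite.All"}
ORG_DOMAINS = {"example.com"}  # assumed set of the organization's own mail domains

CONSENT_GRANTS = [
    {"user": "alice@example.com", "app": "Quarterly Report Viewer",
     "publisher_verified": False,
     "scopes": ["Mail.Read", "MailboxSettings.ReadWrite", "offline_access"]},
    {"user": "bob@example.com", "app": "Calendar Sync",
     "publisher_verified": True, "scopes": ["Calendars.Read"]},
    {"user": "carol@example.com", "app": "PDF Tools",
     "publisher_verified": False, "scopes": ["User.Read"]},
]
FORWARDING_RULES = [
    {"mailbox": "alice@example.com", "forward_to": "archive@mail-backup.example.net"},
    {"mailbox": "bob@example.com", "forward_to": "bob.assistant@example.com"},
]

def risky_grants(grants):
    """Flag unverified apps holding mail or file scopes (assumed policy)."""
    findings = []
    for g in grants:
        risky = sorted(HIGH_RISK_SCOPES & set(g["scopes"]))
        if not risky or g["publisher_verified"]:
            continue
        # offline_access means a refresh token: access survives a password reset.
        persistent = "offline_access" in g["scopes"]
        findings.append({"user": g["user"], "app": g["app"], "scopes": risky,
                         "severity": "high" if persistent else "medium"})
    return findings

def external_forwards(rules, org_domains=ORG_DOMAINS):
    """Return mailboxes whose forwarding target is outside the organization."""
    flagged = []
    for r in rules:
        domain = r["forward_to"].rsplit("@", 1)[-1].lower()
        if domain not in org_domains:
            flagged.append(r["mailbox"])
    return flagged

def triage(grants, rules):
    """Mark findings where the same user also forwards mail externally."""
    forwards = set(external_forwards(rules))
    return [dict(f, external_forward=f["user"] in forwards)
            for f in risky_grants(grants)]

if __name__ == "__main__":
    for finding in triage(CONSENT_GRANTS, FORWARDING_RULES):
        print(finding)
```

A finding with both a high-severity grant and an external forward is the one to revoke and investigate first, because neither control depends on the user's password.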
Deepfakes Create Deeper Challenges
Deepfakes are fake videos, generated using deep learning techniques, which use the faces, bodies and voices of real people, showing them doing or saying things they never said or did.
Cybercriminals are starting to use deepfakes to manipulate online audiences and impersonate trusted information sources. Already today, deepfakes are being used for scams that cause financial losses for businesses.
The concern is that in the near future, nation-state attackers and activists will use deepfakes to fake political statements, mislead public opinion, and manipulate emotions, possibly leading to violent reactions. Deepfakes could be a new form of cyberterrorism.
Expanding Phishing-as-a-Service Market
From ransomware attacks to malware infections, fake websites, and malicious attachments, phishing is one of the most common and powerful forms of social engineering attacks. The growth of Phishing as a Service has significantly improved the affordability of cybercrime. Phishing kits are now available for under $50 a month.
In fact, sales of phishing kits more than doubled in 2019. In early 2021, a new cybercrime tool called LogoKit was introduced. This tool can generate phishing pages in real time, and its pages have already been detected on over 700 domains.
What is XDR?
Extended detection and response (XDR) technology can automatically detect and repair security issues throughout hybrid systems. These tools can perform detection and response tasks across networks, endpoints, cloud services and applications. Traditional detection and response technologies, like endpoint or network security, are limited to one medium. XDR, on the other hand, can protect the entire hybrid environment.
XDR solutions offer a single system for detecting and responding to security events regardless of the source or origin. They can also be used to simplify detection and remediation by integrating and consolidating detection and response technologies across multiple security silos.
How XDR can Help Against Social Engineering Attacks
XDR implementations include technologies that provide the following capabilities:
Endpoint security, in a broad sense: this includes endpoints such as enterprise PCs and laptops, physical and virtual servers on local premises or in data centers, and virtual servers in the cloud.
Protection against common threat delivery vectors: such as company email accounts, corporate websites, and business portals.
Sandboxing: application sandboxing moves suspicious files to an isolated environment, allowing their investigation without harming the rest of the endpoint.
Threat intelligence: can help identify emails and messages originating from suspicious or known malicious sources.
The driving principle is that the integration of technology and advanced analytics significantly accelerates the speed of threat detection and response. XDR can detect persistent, low-key attacks as easily as it can detect malware and viruses. Many cyber attacks employ long-term remote access, performed covertly. During this time, attackers map the network to perform lateral movement and find sensitive data to steal.
XDR can discover vulnerabilities by performing several tasks, including port scanning, social engineering, probing defenses, or gathering information from previous attacks. It can capture social engineering attacks at several stages of their delivery, from the initial phishing message, to a user’s interaction with malicious sites, to attackers penetrating corporate endpoints and accessing sensitive data.
XDR's promise or vision is an end-to-end integrated solution that closely links security controls and defenses with security operations to detect all stages of the kill chain.
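The cross-source linking described above can be sketched as a small correlation routine that stitches email, web proxy and endpoint events for the same user into one chain. This is an added example, not from the original article or any XDR product: the event fields, stage names, two-hour window and sample events are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed events from three telemetry sources; field names are hypothetical.
EVENTS = [
    {"ts": "2021-03-01T09:02:00", "source": "email", "user": "alice",
     "detail": "message with link to login-portal.example.net delivered"},
    {"ts": "2021-03-01T09:10:00", "source": "proxy", "user": "alice",
     "detail": "POST to login-portal.example.net"},
    {"ts": "2021-03-01T09:40:00", "source": "endpoint", "user": "alice",
     "detail": "new remote access tool started"},
    {"ts": "2021-03-01T11:00:00", "source": "proxy", "user": "bob",
     "detail": "POST to login-portal.example.net"},
    {"ts": "2021-03-03T15:00:00", "source": "endpoint", "user": "alice",
     "detail": "software updater started"},
]
# Map each telemetry source to the delivery stage it can observe.
STAGE = {"email": "delivery", "proxy": "user interaction",
         "endpoint": "endpoint activity"}
WINDOW = timedelta(hours=2)  # assumed maximum gap between linked events

def correlate(events, window=WINDOW):
    """Group each user's events into chains; a gap longer than `window`
    starts a new chain."""
    chains, current = [], {}
    for e in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        chain = current.get(e["user"])
        if chain is None or ts - chain["last"] > window:
            chain = {"user": e["user"], "stages": [], "last": ts}
            current[e["user"]] = chain
            chains.append(chain)
        stage = STAGE[e["source"]]
        if stage not in chain["stages"]:
            chain["stages"].append(stage)
        chain["last"] = ts
    return chains

def incidents(events, min_stages=2):
    """Escalate chains seen by several sources; single-source chains remain
    ordinary alerts for their own tool."""
    return [(c["user"], c["stages"]) for c in correlate(events)
            if len(c["stages"]) >= min_stages]

if __name__ == "__main__":
    for user, stages in incidents(EVENTS):
        print(user, "->", " / ".join(stages))
```

In the constructed data, no single source would rank alice's events highly on its own, but the chain covering three stages is escalated while bob's isolated proxy event is not.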
In this article I discussed how social engineering is becoming an increasingly complex and prevalent threat, and how eXtended Detection and Response (XDR) solutions can help address that threat. XDR solutions can help mitigate social engineering by:
Capturing attacks driven by social engineering at several stages of delivery (even after the social engineering attack has succeeded)
Detecting persistent, low-key attacks that may involve social engineering
Preventing lateral movement to limit the damage caused by successive attacks
I hope this will be of help as you consider the use of next-generation security tools to prevent the next generation of social engineering attacks.