Social Engineering Tactics: Reporting from the Front Line of Breach Defense

By Michael Buratowski, Vice President of Cybersecurity Services, General Dynamics Fidelis
Cybersecurity Solutions


Social engineering is all about presenting information that causes someone to take action. This
may mean getting a victim to open an email attachment, click a link or even plug in a USB drive that
appears to have been misplaced. Unfortunately, some companies are making it even easier for social
engineers to target their employees by leaving proprietary information, such as staff listings
featuring personally identifiable information (PII), reporting lines and job
responsibilities, easily accessible online. This kind of personalized information is exactly what is
needed to piece together a believable story that causes the victim to engage.

Social engineering tactics can take many different forms. Outlined below are some common
scenarios that companies are running into and tips for preventing damage when encountering
them.

Scenario: An attacker loads a PDF with malware that will deploy when opened. Through a
spear phishing tactic, the attacker spoofs the sender’s email address to look like a legitimate
contracting firm and sends the email to a contact in business development. Because business
development departments are used to seeing and opening documents like contracts and RFPs,
the attachment gets opened and the malware is deployed.

When people consider phishing attacks, the “your friend is stuck abroad and in need of a wire
transfer, please send banking information” types of emails may come to mind. However, today’s
attackers are smarter – they’ll do a bit of research and figure out exactly who their target is, who
would be most likely to send that target an email and exactly what to send them to get them to
do what the attacker wants.

Lesson: Don’t limit cybersecurity training to the IT team. Providing basic training to all
employees is absolutely critical, as threat actors will often target non-IT employees, assuming
they are the least experienced with recognizing these attacks.

Scenario: An attacker infiltrates a company using very advanced malware. While the company
is in the process of shutting down the attack vectors, a non-IT employee receives a call from
someone claiming to be working with the CISO on a new project – the breach – who
asks for the names of all the outside contractors working on the project.

Attackers don’t always sit behind a curtain; sometimes they’ll take direct steps
to confirm whether their breach has been recognized and to determine the level of breach
defense and remediation they are up against.

48 Cyber Warnings E-Magazine – May 2015 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide
