22.10.2020

Social engineering: spying before attacking


Together with the GÉANT association and on the occasion of the European Cyber Security Month, the Restena Foundation shares some advice on the "art" of social engineering and, more specifically, on the technique of manipulating people, a threat faced by all sectors of activity, including research and education.

As every year, October is the European Cyber Security Month, the occasion for numerous awareness-raising initiatives on cybersecurity throughout Europe. With the tagline "Become a Cyber Hero", the European association GÉANT, which manages the pan-European research network of which Restena is a member, shares practical tips, case studies and articles on four cyber security topics (social engineering, phishing, password security and ransomware), one each week throughout October 2020. The Restena Foundation, which notably runs a CSIRT dedicated to the Luxembourg research and education community and co-organised the CyberDay.lu event with the University of Luxembourg on 6 October 2020, supported this campaign by publishing an article entitled "USURP, MANIPULATE, EXPLOIT".

>>> We invite you to read below the article published on CONNECT Online, addressing the topic of social engineering:

USURP, MANIPULATE, EXPLOIT

Any company or institution may one day be confronted with so-called social engineering attacks. Searching through waste or looking for poorly protected access to a building, for example, but above all manipulating people, are just a few of the techniques that illustrate social engineering's complexity and diversity. Social engineering is an art in itself... and the following lines will focus on how people can be manipulated.

An engaging and effective method of espionage

A kind of ground reconnaissance, social engineering is a method of espionage that makes it possible to obtain the information deemed necessary before moving on to the real attack. This method is neither mandatory nor systematically used by malicious individuals, but it clearly facilitates contact with the institution targeted by an attack.

Humans are indeed much easier to deceive than machines, and it is through them that the attacker intends to carry out his malicious attacks. Although effective, this technique is not the most widely used, as it requires a strong involvement from the attacker. By using social engineering through the manipulation of people, the attacker seeks to establish a personal link and a feeling of trust with the person he has previously identified, or who has best responded to his requests for information useful to conducting his attack.

From trust to deception

With social engineering, attackers have only one goal: to manipulate the person they are holding in their clutches by pretending to be someone they are not. In order to succeed in their identity theft, attackers will do everything possible to make their story credible. First of all, they will find out a minimum amount of information about the institution or person they intend to attack. Once trust has been established, they will then use subtle techniques to get their prey to spontaneously reveal more and more information, which they will then use either to approach another person in the institution or to subtly redirect their victim to a third person. At this point, the actual attack begins. However, it also happens that attackers directly start an attack, often a phishing one, by asking their prey to perform an action (to pay a bill via an illegitimate account, to click on a link to regenerate a password, etc.). The attackers then infect their victim, obtaining a gateway to their company's platforms.

Each attack is unique and the strategies used are multiple, although the primary ambition of social engineering, like that of the majority of cyber-attacks, is the misappropriation of money. However, the misappropriation of information should not be neglected either.

Vulnerability of education and research

Just like private companies and other public institutions, research centres and educational institutions are not immune. In large schools, it is quite easy for an attacker to pretend to be a student and ask questions related to a course, or to subscribe to student mailing lists and obtain information about the people in the group. These are all useful sources of information for launching attacks, mainly for profit, for example by blocking data essential to the institution, or by trying to divert money from grant budgets dedicated to research and development projects.

But social engineering can also be used to gain access to systems and obtain useful information. In the world of education, this technique can be used, for example, to gain access to exam questions that the malicious person can either use for their own purposes or resell to third parties.

Checking the request before transmitting any information

Vigilance and critical thinking are essential to guard against social engineering. Prevention and awareness-raising among all employees by the IT teams, or even the Computer Security Incident Response Team (CSIRT) if it exists, remain the best form of defence.

If any doubt exists, even the slightest one, about the veracity of an e-mail, a request for information, or the existence of a person, sufficient time must be devoted to validating the request through a different information channel. Discussing the request with colleagues, informing superiors of the content of the request or e-mail or, more generally, directly asking the person to contact you by another means to ensure that he or she really exists, are just a few small tips that can help to detect social engineering.

Essential cooperation with IT teams

If the doubt is confirmed, it is important for the IT department or the CSIRT team of each institution to be the employee's main point of contact. Even if no specific action can be taken against the malicious person who has come into contact with one of the employees, the department must at least be informed. It is then up to the department to take the necessary measures on its technical infrastructure and, above all, to inform employees and raise their awareness.

>> This article, as well as all the initiatives and information disseminated by the GÉANT association in partnership with the national research and education networks, can be read on the GEANT CONNECT Online website.