The current context of Social Engineering and the role of DOGANA

Written by Enrico Frumento, CEFRIEL

The DOGANA project focuses on the impact and the remediation of the human factor in security, which is one of the most demanding challenges of today’s security and for which no widely accepted and stable solutions currently exist.
As an example of this type of complexity, the 2015 DEFCON conference hosted the sixth edition of a simulated social engineering contest, the SECTF (Social Engineering Capture The Flag). The report[1] on how the contest was organised and on its results draws extremely interesting conclusions, which on the one hand sharpen the problem that DOGANA is addressing and on the other hand underline its importance.

One of the most necessary aspects of security is the social engineering risk assessment and penetration test. When a proper risk assessment is conducted by professionals who truly understand social engineering, real-world vulnerabilities are identified. Leaked information, social media accounts, and other vulnerable aspects of the company are discovered, catalogued, and reported. Potential attack vectors are presented and mitigations are discussed.
A social engineering penetration test increases the intensity and scrutiny; attack vectors are not simply reported, but executed to test a company’s defences. The results are then used to develop awareness training and can truly enhance a company’s ability to be prepared for these types of attacks.

A stable, legal and ethical method to perform Social Engineering vulnerability assessments is one of the most requested things in today's security. The reason behind this request is the ever-increasing relevance of Targeted Attacks (TAs), as reported by all current attack statistics.
TAs are by far the most popular and most widely used element of today's attack strategies, also against SMEs. A TA is a type of attack that takes advantage of a complex Human Attack Vector (usually performed via Social Engineering) combined with a technological exploit (usually performed via ad-hoc malware), mixed into a single targeted and specialised ad-hoc attack vector that exploits (deceives) both the humans and the systems.

Targeted Attacks are often confused with APTs (Advanced Persistent Threats), but despite the fact that they share techniques, they do not have the same intent. As a result of commoditization and diffusion of SE techniques they can target anyone[2].

As reported by the “Human Factor” report by ProofPoint, nowadays attackers use people in three progressively controlling ways:

  • Running attackers’ code for them. These attacks comprise mainly high-volume campaigns distributed to large groups of users. They use a variety of ruses to evade technical detection and convince people to disable or ignore security, click links, open documents, or download files that install malware on laptops, tablets, and smart phones.
  • Handing over credentials to them. These attacks appear frequently in medium-volume campaigns. They target specific people who have valued credentials, such as usernames and passwords providing access to crucial systems or useful services, tricking them into turning over their “keys to the castle.”
  • Directly working for them, transferring funds to them. These attacks are narrow and highly targeted. They are aimed at users with the right job duties and ability to act directly on behalf of attackers.

99.7% of the hooks used in attachment-based campaigns rely on social engineering and macros, rather than automated exploits: this means that a user must not only open them, but also explicitly disable the security countermeasures enabled by default (e.g., the blocking of automatic macro execution)[3].

According to the ENISA Threat Landscape reports since 2015[4], TAs are the strategy of choice during the initial phases of infiltration, and the revenue they generate is usually ten times higher than that of ordinary attacks. The predominant scenario is therefore rapidly evolving from indiscriminate massive data breaches or attacks to highly targeted breaches with severe impact on the victims’ businesses. As a direct consequence of this evolution, it is now accepted that measuring the real impact of incidents, in terms of the costs needed for full recovery, is quite a challenging task[5].

The aim of DOGANA is exactly this: to fill the gap by developing a reliable and stable social engineering penetration test framework that is also legally and ethically compliant with European laws[6].
DOGANA will fill this gap by pursuing three main goals:

  1. Raise end-user awareness for social engineering attacks by providing adequate techniques
  2. Provide comprehensive risk assessment for companies (including the tool chain needed)
  3. Create a legal reference framework to allow compliant risk assessment

The project is implemented by a consortium of 18 partners from 11 different countries, comprising users, technology providers (3 of which are major world-wide cyber-security solutions market leaders) and partners with legal and psychological expertise. An extensive field trial plan enables the testing of the DOGANA platform with six users (4 partners and 2 supporting users) operating in the critical areas of transport, safety, and public authorities. DOGANA has thus created a unique consortium with a world-wide scope and a strong market presence.

[1] "The Social Engineering Capture the Flag: DEF CON 23 Report," Social-Engineer.org. [Online]. Available: http://www.social-engineer.org/ctf/the-social-engineering-capture-the-flag-def-con-23-report/

[2] P. Paganini, "The differences between targeted attacks and advanced persistent threats," Security Affairs, 2015. [Online]. Available: http://securityaffairs.co/wordpress/40228/cyber-crime/targeted-attacks-vs-advanced-persistent-threats.html. Accessed: Aug. 17, 2016.

[3] "The Human Factor," ProofPoint, 2016. [Online]. Available: https://www.proofpoint.com/sites/default/files/human-factor-report-2016.pdf. Accessed: Jul. 31, 2016.

[4] "ENISA threat landscape," ENISA, 2016. [Online]. Available: https://www.enisa.europa.eu/topics/threat-risk-management/threats-and-trends/enisa-threat-landscape. Accessed: Aug. 6, 2016.

[5] "The cost of incidents affecting CIIs," ENISA, 2016. [Online]. Available: https://www.enisa.europa.eu/publications/the-cost-of-incidents-affecting-ciis/. Accessed: Aug. 18, 2016.

[6] It is important to underline that we adopted the more correct term Social Driven Vulnerability Assessment (SDVA) instead of the term Social Vulnerability Assessment (SVA), which is also used in the Description of Work.
This project has received funding from the European Union’s Horizon 2020 Research and Innovation programme, under grant agreement No. 653618