Attacks based on the personality

Written by Enrico Frumento - CEFRIEL

The abuse of the human layer of security (i.e., social engineering) is today probably the most used attack strategy and the one that most often determines the success of a cyber-attack. According to the Proofpoint Human Factor Report 2018 (Proofpoint is a leading cybersecurity company), “human vulnerabilities are more dangerous to modern organisations than software flaws”.

Recently a new wave of attack strategies has started to emerge, thanks to the evolution of social engineering 2.0. As published in a recent blog post, among the unique characteristics of social engineering 2.0 one is special: the high automation of advanced social engineering attacks against a large number of victims. This trend makes social engineering 2.0 a modern mass-targeting attack strategy that is, at the same time, able to focus on single victims and mould the attack on each of them.

This enormous trend led to a novel wave of attacks whose distinguishing element is the modelling of the victims’ personalities: the attack based on the personality. However, attacks based on the personality are not difficult to model once we move to the domain of humans. The typical sequence of steps, at a very high level and seen from the attacked entity (i.e., the human), is the following.

  • Advanced OSINT and SNA (Social Network Analysis) to start scraping the digital shadow of an enterprise.
  • Segmentation of the enterprise’s asset dataspace and identification of the most valuable assets or clusters.
  • Analysis of the decisional and behavioural processes internal to the targeted community, in order, for example, to acquire the proper linguistic register, to identify the sentiment around specific topics and its polarisation, etc.
  • Identification of the key holders of the most valuable assets.
  • Identification of the Super Targets in the enterprise (“super target” is a term derived from criminology and indicates those individuals who, by their nature, fall for phishing or scams more easily than others).
  • Personality profiling of the victims to acquire information about their context (e.g., interests).
  • Identification of the cognitive and business processes of the victim(s) to create the correct hook (e.g., language register, hot topics, sentiment analysis, etc.).
  • Creation of the attacks around the personality or emotional status (e.g., finding the correct moment in time to launch the attack, also using studies such as https://www.weforum.org/agenda/2016/11/why-being-extremely-happy-might-be-a-bad-thing).
  • Setup of the hook and the Individual Attack Vector (e.g., an email plus the corresponding landing website in the case of phishing). See https://www.researchgate.net/publication/319047936_Victim_Communication_Stack_VCS_A_flexible_model_to_select_the_Human_Attack_Vector
  • Setup of the malware forgery for the ad-hoc infection process, using known vulnerabilities or zero-days and browser fingerprinting.
  • Setup of the operational security (i.e., the escape plan of the attacker).

Looking at the above list of actions, it seems like a typical activity of a Red Team, but this assertion is arguable. Most, if not all, of the steps described can be automated to execute mass attacks and deliver ad-hoc glocalised threats (e.g. geomalware or, generally speaking, context-aware malware). This makes such attacks a relevant and important subject for novel defence strategies. From the list of steps emerges, in the attack strategies based on personality, the existence of a pattern that is behavioural and tactical rather than syntactical. In other words, there is one important difference with the classic attack patterns based on zero-days and more or less advanced malware: the repetitive patterns at the technical level are almost nonexistent (today ad-hoc malware attacks involve few victims and few copies of the malware; the trend is one victim, one malware). The patterns at the attack-plan level are instead often similar.

As a matter of fact, zero-days are increasingly less important in everyday attack strategies and often not required at all (e.g., https://blog.knowbe4.com/effective-social-engineering-matters-more-than-zero-days).

Therefore, the question is how to create a defence solution able to monitor the patterns in the attack plans automatically. This is still an open research topic.
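One way to start monitoring at the attack-plan level rather than the technical level, as an added illustration that is not code from the article or its author: treat the plan as an ordered sequence of tactical stages and look for in-order progress against one person within a time window, ignoring what the individual emails or payloads look like. The stage names, the signal names and the sample data are assumptions constructed for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Tactical stages of the attack plan described above, in order. The names
# are this example's own shorthand for the article's steps.
STAGES = ["recon", "profiling", "hook_delivery", "infection_attempt"]

# Plan stage each monitoring signal indicates (signal names constructed here).
SIGNAL_STAGE = {
    "bulk_profile_scrape": "recon",          # staff pages read en masse
    "unknown_contact_request": "profiling",  # approach on a social network
    "targeted_mail_received": "hook_delivery",
    "lookalike_site_visit": "hook_delivery",
    "fingerprint_script_seen": "infection_attempt",
}

@dataclass
class Signal:
    ts: datetime
    target: str  # the person the signal concerns
    kind: str    # a key of SIGNAL_STAGE (unknown kinds are ignored)

def stages_in_order(seq, start, window):
    """Collect plan stages that appear in increasing order, beginning
    at `start` and staying within `window` of it (seq sorted by ts)."""
    progress = []
    for s in seq:
        if s.ts < start.ts or s.ts - start.ts > window:
            continue
        stage = SIGNAL_STAGE.get(s.kind)
        if stage is None:
            continue
        next_idx = STAGES.index(progress[-1]) + 1 if progress else 0
        if STAGES.index(stage) >= next_idx:  # never go back a stage
            progress.append(stage)
    return progress

def match_plan(signals, window=timedelta(days=30), min_stages=3):
    """Return {target: stages} for every target against whom at least
    `min_stages` stages of the plan were seen in order within `window`.
    The match is on the sequence of tactics, not on any payload syntax."""
    per_target = {}
    for s in sorted(signals, key=lambda s: s.ts):
        per_target.setdefault(s.target, []).append(s)
    matches = {}
    for target, seq in per_target.items():
        best = max((stages_in_order(seq, st, window) for st in seq), key=len)
        if len(best) >= min_stages:
            matches[target] = best
    return matches
```

Signals that arrive in the wrong order (an infection attempt before any reconnaissance) or too far apart do not count as progress, which is what keeps the matcher tied to the plan rather than to isolated events.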

This project has received funding from the European Union’s Horizon 2020 Research and Innovation programme, under grant agreement No. 653618