In light of a barrage of high-profile breaches, it’s clear adversaries have embraced social engineering attacks as a low-risk, high-reward method of intrusion. The old playbook has been updated with multi-channel campaigns that target the modern ways in which workforces communicate. Of late, the social engineering wave has left a devastating wake: hundreds of millions in cryptocurrency stolen, millions lost to invoice fraud, the total takeover of corporate systems, and exfiltration of valuable IP, just to name the most recent damages. Indeed, the new wave of social engineering has occupied a larger share of headlines than in years past: Nvidia, Okta, Microsoft, Samsung, Ubisoft, Axie Infinity, Uber, Take-Two Interactive, 2K Games, and a bevy of healthcare payment processors.
“Social engineering” as an attack strategy has been around for more than 30 years, so three critical questions are facing security teams. We will address them in this post:
We’ll end with a focus on what companies can do now to move beyond just awareness training and on to establishing technical controls to stop the language-based attacks that lead to account takeovers, credential theft, insider threats and more.
Looking at the TTPs of these recent social engineering attacks, a modification to an old kill chain emerges:
This kill chain has been embraced by both nation-state threat actors like Lazarus Group and APT 42, and cybercriminal collectives like the prolific Lapsus$ group, on a fresh tear after a so-called “vacation” following the arrests of alleged members in London in March.
Why has social engineering resurfaced as a popular vector?
The proliferation of cloud communication channels has enabled new forms of work and greater business agility. It has also expanded the attack surface to include any organization’s business communications infrastructure. Indeed, early this year VMware noted a full third of attacks in its Global Threat Incident Response Report constituted “business communications compromise” or BCC:
New platforms are also increasingly being leveraged for such attacks, including third-party meeting applications (31 percent) and business collaboration tools (27 percent), in the form of business communication compromises (BCCs).
The application of “BCC” is vital to expanding the aperture through which security leaders assess organizational risk. BCC also points to one reason why organizations are falling victim to multi-channel social engineering attacks: the limitations of security awareness training. These programs have historically been the answer to social engineering defense. Training is cited as the remediation in both the MITRE ATT&CK framework (see Mitigation M1017) and the Verizon Data Breach Investigations Report. While training is a necessary component of any risk management strategy, there are serious limitations to this approach:
In addition to adapting awareness training, it’s vital that technology be brought to bear on securing business communications environments spanning email, collaboration, conferencing, and chat channels. These channels comprise the primary layer at which adversaries can reach and compromise or manipulate any employee.
The human mind and eye are not equipped to spot social engineering, especially under any sort of confusion or duress. Security teams can now layer in technical controls to close gaps where training either falls short or employees succumb to a lure.
Technology is also a necessary component to meet the staggering scale of digital workspace communications. For one of our customers, we found that across Microsoft 365 email and Teams, just eight employees in a sample set of data produced over 24,000 messages in one month, across the two channels. Within that small sample set, our patented Social Engineering Detection technology found serious business risks like malware that slipped through native email controls and wire transfer information in clear text within Teams. The organization has a total of 800 employees, so the magnitude of communications risk becomes startlingly clear.
Cross-Channel Detection of Social Engineering Risks
Advances in Natural Language Processing, coupled with cloud-scale compute power, mean NLP has evolved beyond simple recognition toward Natural Language Understanding (NLU). The critical difference between the two is NLU’s ability to discern context and intent.
With contextual analysis of communications, it’s now possible to detect and alert on social engineering indicators earlier in the kill chain, such as false urgency, coercive language, persuasion techniques, etc. This analysis adds a crucial layer where defenders can act when training falls short.
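As an added illustration of the two kinds of finding described above (social engineering indicators such as false urgency, coercion and secrecy, and sensitive payment details sitting in clear text in a chat channel), here is a small cross-channel triage script. It is example code written for this post, not SafeGuard Cyber’s patented detection technology: it stands in for NLU with simple weighted keyword and regex heuristics, and the indicator families, weights, thresholds and the four sample Teams/email messages are all constructed assumptions.

```python
"""Heuristic social-engineering triage over chat and email text (added example).

Stand-in for the NLU-based contextual analysis described in the post:
weighted phrase families approximate "intent" indicators, and a second
pass looks for payment details exposed in clear text. All patterns,
weights and thresholds are illustrative assumptions, not a production lexicon.
"""
import re

# Indicator family -> (weight, phrase patterns). Matched once per family
# so a message repeating one phrase does not inflate its score.
INDICATORS = {
    "false_urgency": (2, [
        r"\burgent(ly)?\b", r"\bright now\b", r"\bimmediately\b",
        r"\bwithin the (hour|next \d+ minutes)\b", r"\bbefore (eod|end of day)\b",
    ]),
    "coercion": (2, [
        r"\b(or|otherwise) (you|we)('ll| will) (lose|be (fired|terminated|locked out))\b",
        r"\b(last|final) (chance|warning)\b",
    ]),
    "secrecy": (3, [
        r"\bkeep this (between us|confidential|quiet)\b",
        r"\bdon'?t (tell|mention|involve|loop in)\b",
    ]),
    "payment_change": (3, [
        r"\b(new|updated|changed) (bank|account|wire|routing)( account)? (details|number|info)\b",
        r"\bwire (transfer|the funds)\b",
    ]),
    "credential_request": (3, [
        r"\b(send|share|confirm|verify) (me )?(your|the) (password|passcode)\b",
        r"\b(mfa|2fa|one[- ]time) code\b",
        r"\bapprove the (push|prompt|sign-?in)\b",
    ]),
    "authority": (1, [
        r"\b(ceo|cfo|the boss|head of finance)\b",
        r"\bthis is \w+ from (it|helpdesk|security)\b",
    ]),
}

# Clear-text payment data that should not travel over chat at all.
EXPOSURES = {
    "routing_number": re.compile(r"\brouting\W+\d{9}\b", re.I),
    "account_number": re.compile(r"\baccount\W+\d{6,17}\b", re.I),
    "iban": re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b"),
}


def analyze(text):
    """Score one message; returns indicator families, exposures and a verdict."""
    lowered = text.lower()
    hits = {fam for fam, (_, pats) in INDICATORS.items()
            if any(re.search(p, lowered) for p in pats)}
    score = sum(INDICATORS[fam][0] for fam in hits)
    exposures = sorted(name for name, rx in EXPOSURES.items() if rx.search(text))
    if score >= 5 or exposures:   # strong intent signal, or data that must not be in chat
        verdict = "alert"
    elif score >= 3:              # one strong family or two weak ones: human review
        verdict = "review"
    else:
        verdict = "clear"
    return {"score": score, "indicators": sorted(hits),
            "exposures": exposures, "verdict": verdict}


def triage(messages):
    """Rank messages from any channel by risk, highest first."""
    rows = []
    for m in messages:
        r = analyze(m["text"])
        rows.append((m["channel"], m["sender"], r["verdict"], r["score"], r["exposures"]))
    return sorted(rows, key=lambda row: row[3], reverse=True)


# Constructed sample traffic, mixing Teams and email as the post describes.
SAMPLE_MESSAGES = [
    {"channel": "teams", "sender": "unknown-guest", "text":
     "Hi, this is Mark (CEO). I'm in a board meeting and need you to wire the funds "
     "to our updated bank account details right now. Keep this between us until I announce the deal."},
    {"channel": "email", "sender": "helpdesk@example.invalid", "text":
     "This is Dave from IT. We're seeing a login failure; please approve the push on your "
     "phone and send me the 6-digit MFA code immediately so I can close the ticket."},
    {"channel": "email", "sender": "training@example.invalid", "text":
     "Reminder: the quarterly security training is due by end of month. Let me know if you need the link."},
    {"channel": "teams", "sender": "ap-clerk", "text":
     "Here are the wire details for the vendor: routing 021000021, account 123456789."},
]

if __name__ == "__main__":
    for row in triage(SAMPLE_MESSAGES):
        print(row)
```

Note that the fourth message scores zero on intent yet is still raised as an alert: the clerk is not being manipulated, but the clear-text payment details are exactly the data an attacker who has compromised one account in the channel would harvest, which is the separate exposure the post describes finding in Teams.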
That said, if you don't have these controls in place today, what can you do now? The first step is assessing the risk of your communications environment. It’s nearly impossible to protect something if you don’t know where the gaps are.
All too often, we hear from leaders who admit to not having the level of visibility they need to accurately manage risk across business communications. They may have logs, but they don’t have a way to quantify the risk within the whole of their communications environment outside of email. Nor do they have visibility into the communications themselves.
Here’s a quick way security leaders can start understanding and quantifying their organization’s communications risk and outlining defenses against cyberattacks and social engineering. We’ve provided a free checklist resource below.
Download: Checklist for Communication Risk Assessment
Security awareness training alone is failing. Securing business communication channels should be at the top of the to-do list for any organization, especially with many of these channels now being integrated into other collaboration applications such as Jira, GitHub, and Google Drive.
Within these platforms it’s easier than ever to target employees and contractors, since trust has usually been built up inside these channels, which means one compromised account is all it takes to breach an organization.
It’s time for organizations to treat the entirety of their business communications environment as a critical part of their attack surface. A risk assessment will help you identify the gaps and where existing tooling falls short.
If you are interested in learning more about the SafeGuard Cyber solution, you can take a quick 5-minute tour.