How to Defend Employees and Data as Social Engineering Evolves

March 22, 2024

From The Front Lines

Adversaries have long used social engineering to trick their victims into providing access or information not available to the public. Social engineering continues to prove effective and will likely be a major factor in breaches throughout 2024. The CrowdStrike Incident Response team has dealt with an anomalously high number of successful breaches that originated with social engineering tactics, and we strongly urge security teams to take precautions against them.

Today’s adversaries are constantly developing new means to make their social engineering campaigns more subtle and effective, as evidenced by their latest methods detailed in the CrowdStrike 2024 Global Threat Report. Phishing, voice phishing (vishing) and SMS phishing (smishing) are among the social engineering techniques that have become more prevalent in the last year, and several threat actors have found success using these methods to target large organizations with mature security programs. 

As social engineering continues to evolve and pose a significant threat, it’s essential for security teams of all maturity levels to prepare to defend against these methods.

Scenario: Social Engineering in Practice

Your IT help desk receives a distressed call from an “employee” who is unable to log into work systems. After initial troubleshooting is unsuccessful, the “employee” applies pressure to the help desk analyst by creating urgency around the situation: “Can’t you just reset my password? I have a deadline and this is putting me behind.” The policy for many organizations would be to ask security questions and verify with the caller’s manager in order to reset the password, but in this case the Help Desk analyst is persuaded to reluctantly reset the password without manager approval.

About an hour later, calls start pouring into the help desk from users reporting that they are unable to access resources on the network. It becomes clear to IT and InfoSec that a ransomware attack is underway.

During incident response, it’s discovered that the user who requested the password reset was not the legitimate user but a threat actor impersonating them. The threat actor then leveraged this illicitly gained network access to deploy ransomware and compromise the network.

This scenario is one of many examples of social engineering. The CrowdStrike Incident Response team has seen an alarming rise in social engineering attempts to gain access to sensitive IT systems and privileged accounts, lowering the overall time and effort required to breach an organization and move laterally. We advise that security teams take precautions against infiltration methods such as those outlined in the above scenario.

Why Is Social Engineering Effective?

Several aspects of social engineering make it appealing for adversaries. A threat actor attempting technical exploitation may face authentication portals, firewalls and other technical obstacles, but social engineering can use emotion, urgency and pretext as leverage to persuade someone to provide their access credentials. Social engineering preys on the human aspect to bypass security processes in place at an organization.           

If an adversary is successful in socially engineering a target to grant access to an environment, the result can be highly lucrative. Because access gained was granted to an “employee,” it looks legitimate and does not draw attention or trigger initial detections. This gives the threat actor time to perform reconnaissance of the environment, collect sensitive information and, in some cases, monitor chat channels to determine whether the activity has been detected.

Once an adversary is able to infiltrate via social engineering, they may have privileged access to admin-level accounts, allowing them to quickly spread & escalate, capture sensitive data, and deploy ransomware that can disrupt the flow of business. Having legitimate privileged credentials reduces the likelihood of detection, giving the adversary additional time for full organizational compromise. 

Phishing

Phishing is the deceitful use of email to collect information, capture credentials or deploy malware to a system. Nation-state threat actors such as HELIX KITTEN have been observed using spear-phishing campaigns, meaning they target specific and sometimes privileged user accounts with emails containing malicious macros in attachments. 

Many times, instead of an attachment, a link is provided to a legitimate-seeming authentication portal for Microsoft O365 or Okta along with an urgent pretext such as “recent suspicious activity” surrounding the account or password expiry. The false login portal captures any entered credentials and can then be used by the adversary to access the targeted account. Some platforms, such as evilginx and modlishka, offer threat actors the ability to bypass two-factor authentication mechanisms.

Vishing

Vishing is the manipulative use of voice communication to coerce a target into granting access to systems or information. In recent months, threat actors such as SCATTERED SPIDER have targeted help desks to trigger password resets and multifactor authentication (MFA) swaps for specific user accounts. This grants the threat actor authenticated access into the target network.

Vishing relies heavily on impersonation, reconnaissance and extensive research prior to the call. For example, a threat actor may create a list of potential targets by searching LinkedIn for a company’s employees. From there, they may look at each profile to see which one volunteers the most information and pivot to other social media sites to collect additional information about the person’s role, longevity at the company, residence and answers to potential security questions.

Reconnaissance also involves becoming familiar with the systems a company is using or how its help desk operates. The threat actor may call the help desk as a different persona to see what questions might be asked for identity confirmation, or scour the organization’s job listings to learn about the  software and infrastructure it uses.

A key element of vishing is delivery. If security processes are weak and the adversary has enough information to convince the help desk assistant that the call is benign, simple pleasantries may suffice. However, sometimes emotion and manipulation are used to try to derail the processes in place and convince the person on the other end of the line that they should deviate from standard procedure to help the employee. Examples include crying, intimidation or feigning difficulty with technology.

Smishing

Smishing is the deceitful use of Short Message Service (SMS) messaging to manipulate a target into providing information or granting access to a system or account. Depending on the objective, smishing can target a wide group of persons or specific individuals. The message itself can sometimes solicit personally identifiable information (PII) from the target or attempt to convince the target to click on a provided link.

In the context of organizational compromise, smishing can take on a variety of forms. If the phone number being targeted is associated with a business device, the sensitive access and information on the device is at risk of compromise if the user clicks a malicious link. 

Regardless of the device, the threat actor may be targeting a specific user to collect information that can later be leveraged to answer security questions in another phase of the social engineering attack.

Safeguarding against Social Engineering

Social engineering, when done effectively, can ease an adversary’s efforts to move through their victim’s environment unnoticed. Follow these tips to protect your organization from common social engineering techniques:

  • Use security questions that are not easily researchable: Prompt the user to provide information that cannot be easily found in open-source research, such as an asset identification number for their workstation.
  • Use MFA: Require all employees to use multifactor authentication to access organizational resources. This adds another layer of security in the event a password becomes compromised.
  • Implement multiple checks for password resets: Create multiple layers of security in the password reset process. For example, require security questions and manager approval or acceptance of a push notification.
  • Train and educate help desk staff: Inform all help desk associates of the security processes in place and the risks associated with not adhering to them.
  • Keep employees informed of viable threats: If the organization becomes aware of a social engineering campaign targeting its employees, notify them immediately and provide a way for them to report suspicious activity.
  • Use allowlists for software installation on systems: Limit what software can be installed on organizational systems. By explicitly delineating the software that is allowed, the organization is implicitly denying the installation and execution of all software not on that list. This can prevent the installation and use of seemingly benign software that can be leveraged for nefarious activity, such as remote monitoring and management tools.

How CrowdStrike Can Help

  • Increase technological capabilities for identity and endpoint monitoring to ensure unified visibility for security teams so there are no gaps or silos where adversaries could take advantage.
  • Conduct red team simulation exercises that include phishing, vishing and smishing. Test and validate response processes and blue team defense capabilities to ensure preparedness against social engineering techniques.
  • Evaluate organizational maturity through a Cybersecurity Maturity Assessment with CrowdStrike Services to assess overall security processes and capabilities, including defense against social engineering attempts by adversaries.

Additional Resources

Related Content
The Anatomy of an ALPHA SPIDER Ransomware Attack
CrowdStrike Services Offers Incident Response Executive Preparation Checklist
Business as Usual: Falcon Complete MDR Thwarts Novel VANGUARD PANDA (Volt Typhoon) Tradecraft