With social engineering and spearphishing becoming mainstream due to hacktivists like the Syrian Electronic Army and Anonymous being in the news almost daily, HackSurfer wanted to get the lowdown on what these hacking collectives may be thinking and how to protect ourselves from becoming their next victim.
We chatted with Christopher Hadnagy, author of Social Engineering: The Art of Human Hacking, to get his thoughts on social engineering, social networks, phishing techniques and training your company’s employees at all levels.
Chris, could you please give me a quick background on yourself, your company and how you got into this?
Social engineering is something I’ve always been interested in, but I didn’t realize it would turn into a career. About six or seven years ago I started developing the social-engineer.org site, which is basically an open source, a free site where we released the first framework that dissected the physiological and psychological aspects to human influence in a security setting. That led into the podcast and newsletter, which both have been around for over 4 years, and each month we either write an article or have a guest who kind of analyzes one aspect of human nature and then see what we can learn about it from there. That was my goal, and that led to a book deal. I wasn’t planning on being an author, but I got asked to write a book on social engineering, so that came out two years ago called, “Social Engineering: The Art of Human Hacking.” And that book led to my business, which now is Social-Engineering Incorporated, and that’s on the social-engineer.com site. So what we do now is help companies learn how the bad guys do what they do using the human infrastructure through different social engineering attacks and try to figure out ways to educate the employee base so that we can mitigate and not be so vulnerable to these types of attacks. That is the shortest version of a long story.
Since social engineering and spearphishing have become almost mainstream now, do you think the techniques are used more now than in the past, or it’s just easier now because of all of the social networks that we’re using?
I think a little bit of both. I think that we are seeing more phishing because it’s easier. You can get free email accounts from thousands of different places, so setting up an email account and then sending a dozen emails out really takes no effort and is very hard to trace back to a real person. In addition, I think because of the way we utilize social media as people, we have so much information out there about ourselves, our personal lives, that it makes it easier to harvest information on our likes, dislikes, hobbies, different things like that, which opens us up to vulnerable different types of attacks from malicious scammers and social engineers.
Switching over to the Syrian Electronic Army – when they first came onto the scene after the Associated Press Twitter hack, some of the victims began sharing the emails that the SEA used in order to fool them. With the recent attacks, we haven’t seen that happening, and we’re back to businesses being more tight-lipped about things. Do you think that’s part of the problem? Sort of a lack of awareness due to the fact that there’s not enough sharing going on?
Well, that’s a hard one because it’s like a double-edged sword. So, on the one hand as a security researcher, I love to see the phishing emails when they come out and see the level of complexity that is used. Not to pick on any one company but to go back in time to an email like HBGary and it was just so simple that you’re like, “Really that worked?” Then you jump ahead a couple of years to some of the most recent phishing emails, like even what happened with Coca-Cola and that was, although maybe not spoofing IPs and URLs and stuff like that, it was a little more complex, it came from the CEO. There was a level of authority there that was utilized in that type of phish. So when we get to see the emails, as a researcher, it definitely helps to say, “Here’s what I need to educate my customers on.” Now the other edge of that sword is that when they release these and they say, “Hey guys, here is an email that works really, really well. So many people clicked on this it’s unbelievable.” Now you’re kind of arming the bad guys to say, “This is what’s working.” As a researcher, I’m more prone to lean toward the first side because I think if we don’t release information about what’s working, then how can we possibly protect against it?
In terms of training the employees – even if you have 1,000 employees or 10,000 employees, a targeted spearphishing attack is going to get through to somebody at the organization, so it’s almost inevitable.
Yes, we use statistics too much. We say like, “I have a 10 percent click ratio.” Well, if you have 1,000 employees a 10 percent click ratio is 100 people. As a pen tester, I only need a small handful of people who will click my email that have admin access and some vulnerabilities on their computer that will give me the rights and the shell that I need on your network. So I don’t need 100 people to click. Now, for training purposes I think those statistics are helpful because now we can use them as metrics to say, “Well a month ago we had this, and now it’s down to this number.” So I do agree the statistics are useful but like you just said, we only need one or two people to click to make a company vulnerable.
What do you think makes someone a prime victim of hacking?
I think there are many different things. First of all it’s human nature. We are trusting, and we are busy. I don’t know how many emails you get in a day but my last count with all of the accounts that I monitor, I’m probably at 100 plus emails a day. Now, that’s not all I do. My job is not to sit here and click refresh on my email so I get busy. As I get busy, emails come in that look important that hit on the emotional nerve that are something I’m interested in, and it’s easier to put aside the security protocols I should have in my mind and look at an email and maybe take an action that I shouldn’t take. So human nature is a big one. That’s something that we don’t want to fix. We want people to act like humans and don’t want to change that.
But on the flip side, I think part of it is also related to what we already talked about with social media. It’s just too easy to harvest information on people today. There’s just too much of it out there. And then I think there’s not enough training for employees to learn A, how to detect if an email’s a phish – what are the steps to do that? And then B, because this is going to happen when I click on a phish, what should I do? We don’t get enough training on that. We get told, if you click on that you better not tell anyone because you’re going to get fired. That is the wrong answer. Companies that promote their employees coming forward and reporting these things, those are the companies that get saved.
So do you think that’s the main thing going forward — businesses to protect themselves via training?
I think it’s a multi-step process. First, you need to train the employees how to detect, find and then mitigate if and when they click on phishing emails. Then I think there also needs to be different systems set up inside the company. I can’t tell you how many companies I work with where I do phishing for them as part of a service that we offer, and we’ll see that they’re still using IE 6 or IE 7, or Adobe Reader 7 or 8, you know, ancient pieces of software that have known public vulnerabilities. We’re not talking hidden zero-days. We’re talking vulnerabilities that any script kiddie can download and run from an exploit database website. So you have these companies that are running major industries in our country, and they’re still using archaic vulnerable software. So those things do need to be fixed in addition to training, so that way when an employee clicks — because I work with companies where I’ve gotten employees to click emails, but their security infrastructure was so strong nothing was happening once they clicked, and that was really helpful.
Where do you see the future of cybersecurity going?
Big question. First of all, we’re going to definitely see more human-based attacks. This year, next year, it’s just going to keep getting more and more. And you just take a look at the last two years where social engineering was part of the attacks that were happening with hacktivist groups. Now what we’re seeing is social engineering is the main portion of the attacks – things like The New York Times, things like Coca Cola, things like WHMCS. These attacks becoming more and more prevalent — where it’s a phone call. It’s a couple emails. It’s a combination of those things, and we’re seeing companies becoming more and more vulnerable because you can throw tons of money into IDS systems, IPS systems, anti-virus, and all sorts of protection, but there’s not a utility that you can plug in that protects your humans. So I think we’re going to see more and more human-based attacks. I think we’re going to see a high increase in phone elicitation attacks, impersonation attacks, in addition to phishing as the time goes on.
To wrap up, is there anything additional that you’d like to add?
One of the things I always tell companies when they ask, “How do we protect?” is I talk about human training, training of people, and changing your infrastructure, but I also talk about something really important, and that’s audits. Just now, in this year, we’re seeing more and more social-engineering auditing or penetration testing picking up. Previous years, people would throw a couple phish in a pen test and say we’re social engineering penetration testers, and that’s not the case because when you look at what the bad guys are doing, they’re using multi-tiered, human-based attacks. We take a look at the attacks that just occurred recently and it would be an email, followed up by a phone call, followed up by another email and maybe even another phone call, and these things are layered to add credibility and trust and also to get people to take the action they shouldn’t take. So we say that if you don’t audit, your first audit is going to be when the bad guys attack your people, and that is the worst type of audit you want because if even one person fails, now you have a cleanup mess. So it’s better to get the audit done by professionals who know what they’re doing and can mimic these attacks and come back to you with mitigating answers to say, “Here’s how we can fix this.” So those three things that I talked about are really essential in trying to fix this problem overall.
So monitoring the situation before it’s too late?
Yes. We use this so much in this industry, but the illustration really fits. It’s just like going to the doctor. You don’t want to wait until you’re so sick you can barely make it. You go for checkups, you know, and as you get older and as you get more mature, you go to doctors for checkups on a routine basis, and a mature company would do the same thing – go to a doctor for checkups to make sure there’s no cancer hidden somewhere that’s going to cause you some serious problems down the road. And getting those checkups could save you from having to deal with a life or death matter later on.
That’s a great analogy. Simplifies it for people like me.
It’s a hard thing to convince people of. At the same time if you don’t have health insurance, let’s say, and you go to a doctor and it’s going to cost you $100, so you’re saying, “Do I spend $100 that I can use on something else to get a checkup when there’s nothing wrong? Or do I wait until there’s a problem and then spend the money?” Too many business owners think that way. They say, “I’ll just get a really cheap pen test, and we’ll put a checkmark next to it saying that we did okay.” And that’s okay. At least they’re going in some direction, but you need to find out where the holes are, where the vulnerabilities are, and the only way to do that is through testing and then fixing it through education and mitigation.
Thanks for your time, Christopher.