The evolution of Social Engineering 2.0 and its role in the modern cybercrime

The evolution of Social Engineering 2.0 and its
role in the modern cybercrime
01/02/2018
Enrico Frumento, CEFRIEL (IT)
Vienna Cyber Security Week 2018
DOGANAProject
Emerging and Future Threats to Digitalized Energy Systems
enricoff

Table of Content
copyright © 2018 Cefriel – All rights reserved 2

What’s cybercrime today?
BOTH TRY TO ENTER, TWEAKING THE PERSON AT THE DOOR..
DOOR-2-DOOR SELLER
==
MODERN CYBERCRIMINAL-SELLER 5

SO WHAT? ANYTHING NEW??
YES, A TOTALLY DIFFERENT APPROACH, USING THE
SAME TECHNIQUES OF MARKETING..
VIRAL,
GUERRILLA,
UNCONVENTIONAL,
… AND OF COURSE SOCIAL ENGINEERING 2.0
6

SELLERS
MARKETING EXPERTS
SN INFLUENCERS
ADVERTISING
“ADVERTISING”
PSYCHOLOGISTS
HCI EXPERTS
SOCIOLOGISTS
DEVELOPERS
…

• The number of successful attacks has risen
the last three years from 62% in 2014, to 71%
in 2015, to 76% in 2016, and to 79% in 2017
with no end in sight. 91% of these attacks
use spear phishing & social engineering
• Source: https://cyber-edge.com/wp-
content/uploads/2017/06/CyberEdge-2017-
CDR-Report.pdf
8copyright © 2018 Cefriel – All rights reserved

• A recent report from FireEye cites
• the average time from an email phishing breach to detection is 146 days
globally, and a colossal 469 days for the EMEA region
• In other words “hackers are undetected for 15 months”
• Source: https://www.fireeye.com/content/dam/fireeye-
www/global/en/current-threats/pdfs/rpt-world-eco-forum.pdf

What happens in the area of energy
• The energy world follows the same trend!
• Mitigation of social engineering is the “kill
switch” of 91% of the successful attacks!

How’s the ideal cybersecurity team?
For example our team @ CEFRIEL includes:
• malware expert
• web designer
• web developer
• psychologist
• expert of HCI interaction
• marketing expert
• SN influencer
• legal advisor

The REAL nature of the problem
• Asset  information space
• The information space must be protected
Humans
specific asset
vulnerabilities,
problems & solutions
Technology
specific asset
vulnerabilities,
Technical countermeasures
<information space>
<uses>
Human countermeasures
users system
trust boundary

Humans
specific asset
vulnerabilities,
<information space>
Human countermeasures
userscopyright © 2018 Cefriel – All rights reserved
trust boundary
• Asset  information space
• The information space must be protected
15

copyright © 2018 Cefriel – All rights reserved
• The Human IS the “system” under attack
• Question, which sciences contribute to model the attacked target?
• A model of the attacked target defines the vulnerabilities, which can be exploited through a threat
• It’s a multidisciplinary problem by definition!
17

Characteristics of SE 2.0
Malware Ecosystem 2.0 Modern OSINT
(ab)use of psychology,
personality profiling
systems, cognitive science
models and human
related sciences
Evolution of the attack
vectors
Automatic Social
Engineering Attacks (ASE)
Economic Drivers
The DOGANA model (D 2.1 “The role of Social Engineering in evolution of attack”):

Malware Ecosystem 2.0
SE became an important part of the malware
2.0 and its main infection strategy
Changes in the infection strategies
Less technical complexity
Userland infections
Ad-hoc malwarecopyright © 2018 Cefriel – All rights reserved 20

Modern SE techniques use data mining
to cave information from net
LoD, SN and people habits are feeding OSINT
Monitoring of the digital footprint is possible,
whilst monitor the digital shadow it is not.
Modern OSINT

Professional use of memetics and personality
models of the attacked users, especially of models
coming from theories of cognitive psychology
(ab)use of cognitive sciences, marketing and cyber-sociology,
and many other human sciences
(Ab)use of Psychology and Cognitive Science

Massive use of social networks and
renewed forms of phishing, also automated
Evolution of the human attack vectors
New forms of phishing
Evolution of the Attack Vectors

Automation of SE attacks through information
collection and data mining and through the sentiment
analysis of Social networks
mass social engineering attacks (e.g. via use of chat-bot)
Automation of most phases of the SE attacks also through A.I.
Automatic Social Engineering (ASE)

SE 2.0 is since the beginning an investment (no ways
doing it for “phun”), all attacks have one common aim:
making money.
Growth of identity thefts, industrial spying, on-demand attacks
Commoditization of SE services in cybercrime and cyberterrorism
Economic Drivers

Summary of SE vs SE 20
Almost totally automated
Based on huge amount of data (OSINT,
digital shadow)
Highly dynamic
Involves many human sciences
Driven by economy
Mass social engineering
Usable on remote targets
28

PROBLEM: IT’S NOT ANYMORE SO ADVANCED.
“ADVANCED” ONLY MEANS THAT THE ATTACKERS HAVE A (DEVILISH) BUSINESS PLAN.
APT == TARGETED ATTACKS 29

Advanced Persistent Threat Model
How can we measure the overall risk?
Data
exfiltration
Attack
expansion
Ad-hoc
tech
attack
OSINT SE
attack
Target
selection
How to test the cyber resilience of a company simulating all
these operations LEGALLY (GDPR)?
How efficient and reliable is the measure?

WWW.DOGANA-PROJECT.EU

DOGANA plan to deliver a complete toolset to perform the SOCIAL DRIVEN VULNERABILITY
ASSESSMENTS :
• technological: an integrated tool-chain to perform SDVA
• legal: supply a legal framework to assist enterprises to perform this type of assessments.
This means GDPR compliant
• education: measure the efficiency of the new awareness methodology vs reduction of
exposure to social engineering
• risk management: measure the risks consistently
• cost-and-benefits: measure the complexity of executing the SDVA in several concrete field-
tests
• test: with the internal end-users
WHAT DOGANA DELIVERS!

Type of phishing: A SDVA Example
70%
DISCOUNT
ACME corpora on established a partnership to
propose discount to all the employees
Lots of discounts
Limited me
Only for Employees
Sign in with your company creden als
SIGN INSIGN IN
Food Fashion Technology Travels
Limited offers only for ACME corpora on employees. Click on the link below and
sign in with your company creden al to obtain the discounts
Attractive
arguments:
Promotions
Company asset
requested
(credentials)
Company name
and colors
Company logo
An example of email for a SDVA test
43

Type of phishing – Example of a website
Refers to the
phishing campaign
70%
DISCOUNT
Lots of discounts
Limited me
Only for Employees
SIGN INSIGN IN
70%
DISCOUNT
Lots of discounts
Limited me
Only for Employees
SIGN INSIGN IN
70%
DISCOUNT
Lots of discounts
Limited me
Only for Employees
SIGN INSIGN IN
70%
DISCOUNT
Lots of discounts
Limited me
Only for Employees
SIGN INSIGN IN
70%
DISCOUNT
Lots of discounts
Limited me
Only for Employees
SIGN INSIGN IN
Company asset
requested
(credential)
Both email and website contains clues that allow
to identify the risk
An example of the related phishing website
44

• In the last six years CEFRIEL performed about 21 SDVA (Social Driven
Vulnerability Assessments) in big enterprises with thousands of employees,
involving about 94050 users
CEFRIEL’s experience with SDVAs
70%
DISCOUNT
Lots of discounts
Limited me
Only for Employees
SIGN INSIGN IN
Given an example of
a possible test email
In your opinion,
which are overall
the results
?

Overall results
39%
visit the
website
24%
also insert the
credentials
Employees
receive the
email

Benchmarking
Click on email link
(% of sample)
Credentialinsertion
(%ofsample)

Benchmarking
Click on email link
(% of sample)
Credentialinsertion
(%ofsample)
39%
24%
Energy sector
33% click on email
17% insert credentials

Benchmarking
Click on email link
(% of sample)
Credentialinsertion
(%ofsample)
Up to
44%
Up to
59%
3 emails
to obtain one
click
5 emails
to obtain a valid
credential
59%
conversion rate
click/insertion

Benchmarking
Source: Knowbe4 (Jan.2018)

Comparison with other studies
40%
30%
20%
10%
0%
Success ratio
(% of overall success)
2% Average click rate in Marketing
10% Average click rate in modern phishing
0,1% Average success in “traditional” phishing
38% Average click rate in our experience

The real question is why not a 100% successful rate
• Due to legal and ethical reasons we cannot push the pedal to the metal and deeply
contextualize our SDVAs, wrapping them around each single victims. In other words an SDVA
shouldn’t simulate context aware phishing
• It’s all about the semantic distance among real emails and phishing. The lower this distance
is, the higher the percentage of victims.
• If we are able to build 100% contextualized email then phishing would be almost 100%
Semantic
relevance
Real email
Context aware phishing
Spear phishing
SPAM
phishing
SDVA results

Time analysis - Visits
We measure relative effectiveness per campaign
0%
10%
20%
30%
40%
50%
60%
70%
80%
90%
100%
0 20 40 60 80 100 120
Successratio
(%ofoverallsuccess)
41%
success in
10 minutes
50%
success in
20 minutes
High
effectiveness
in the first
minutes
10 min
41%
20 min
50%
53

COMPANIES ARE EXPOSED TO SOCIAL ENGINEERING RISKS AND
OFTEN THERE IS NO PERCEPTION OF HOW EXTENDED THE RISK IS

TARGETED ATTACKS CAN BE SIMULATED AND THE RISK MEASURED
AND MITIGATED.
DOGANA IS MEANT TO DO THIS LEGALLY, ETHICALLY AND EFFICIENTLY
61

PERFORMING APT ATTACKS IS BECOMING EXTREMELY SIMPLE, IT MAINLY MEANS
HAVING A BUSINESS (DEVILISH) PLAN.. WE ARE BUILDING A RELIABLE+LEGAL
FRAMEWORK TO MEASURE THE SOCIAL ENGINEERING VULNERABILITIES
PS: no chick was harmed during the preparation of these slides.
DOGANAProject
www.dogana-project.eu

The evolution of Social Engineering 2.0 and its role in the modern cybercrime

Recommended

Recommended

More Related Content

Similar to The evolution of Social Engineering 2.0 and its role in the modern cybercrime

Similar to The evolution of Social Engineering 2.0 and its role in the modern cybercrime (20)

Recently uploaded

Recently uploaded (20)

The evolution of Social Engineering 2.0 and its role in the modern cybercrime

Editor's Notes