Why develop SE?

Hacker

1.) With the help of SE, you can get what you want from a person, of course, if your skill in this matter is much higher. You can divorce any girl for sex, or an oligarch for a Rolls Royce and a house in the Maldives, who will not even guess that you have divorced him.

2.) With the help of SE, you can make your own legal business, create VERY good advertising and sell all sorts of unnecessary junk under the guise of penis enlargement creams, slimming teas, spinners and other rubbish, and if everything is organized well, then in huge batches with million profits, even in a very competitive business with this you can overtake strong competitors. You can become a fortune teller, a sorcerer, or start a new sect by pretending to be a prophet.

3.) With SE, you can find good connections and get a good white job or a gray, black team with experienced people, even if you can't do almost anything. You'll just be a "friend" of one of these guys and he'll vouch for you.

4.) With SE, you can get anything, there are no limits. The most important thing is not even to get what you want, for me personally, social engineering is constantly improving your skill with every subject that you get, whether it's money, recognition, or any emotion, but most importantly experience. ("At the very heart of SE lies the potential for selfless self-will, which is rather characteristic of art. Virtuosity, skill, originality, and self-expression are important - and not for any short-term goals like filling your pockets.")

5.) With the help of SE, even if this happens and you find yourself at the bottom, once you get to the zone, you can become not the last person and not sleep at the parashas, becoming a homeless person to become their leader and send your "spammers" to drag bottles of vodka and iron to you for metal scrap delivery, or put them to beg and get their % (well, this is too much of a hike, where my imagination has brought me, although everything happens in life). If you fall and you have the skill, you will always get up, even from the deepest pit.

6.) With the help of SE, you can seduce again any girl, even if you are without money, and she will meet with a major or some rich mammoth, who will then throw it herself and give some of his money to you if you want, well, or you can just marry and become a gigolo, it's up to you to decide.

7.) With the help of SE, you can crank out any task, no matter how complex it may be. You can easily sell a plot of land in the sun and say that your mammoth will be hunted there after death (many people are so stupid that they don't even know that the sun is a star. Bespectacled, not a planet), or sell the Eiffel Tower (there have been such cases in history).

8.) With the help of SE, you can become a good politician and move up in power from scratch to the very top (There are enough examples of this in history: the same Hitler, at the age of 24, slept on benches in the streets and sold postage stamps for envelopes that he drew personally, just enough to buy food, but he adored rhetoric and oratory, and it helped him a lot).

9.) With the help of SE..... you can endlessly list all the pros, there is not a single minus.

You can become a hacker and break computers, but hacking a person is several times easier. ("The most vulnerable are people" - a quote from Mitnick like, by the way, he has very good books, beginners can read).

A few tips: learn acting skills, read books on this topic, and practice. If you do not know where to practice and you are a law-abiding person whiter than ever (this is not a joke about racism if that xD), then start at least with the little things. Shoot cigarettes every day at 10 passersby. On the first day, you will be able to shoot at 1, in a week 3 is stable, and then maybe 10 out of 10, the main thing here is confidence and self-confidence.

Personally from myself.

Earlier, about 5 years ago, I was very fond of computer games, I spent days playing them, I wanted to become an esports player, probably many schoolchildren will understand me.

So speaking in the slang of games (those who have played WOW and similar MMORPGs will understand), choose the main branch of development for yourself, I personally chose SE for myself ( programming has always seemed and still seems monotonous to me, although I study it slowly, but I won't become a pro, since it doesn't ignite me and is very routine). Have you chosen your own branch? If yes, then well done, and if not, then sit down and think about what really ignites you and what you want from life. Do you want a Ferrari?

a) to seduce a rich girl (look for these girls in your city, explore their interests, behaviors, what type of men she likes, all the little things, meet her poor friend for example, and gradually she will introduce You to the object, and there You'll look totally her type - beefy blond with blue eyes and swag outfit for example active in dance, as it's a chance to fall in love already more than ten times, there will be only good to ingratiate himself).

b) get a job somewhere in the bank, and part of the money will be saved if you work properly, much more than the cost of a Ferrari)

c) come up with your own business and find good investors, promote your business even without money, or again, shoot everything.

d) introduce yourself as the grandson of some prince who has no relatives, who lives in a nursing home, take care of him and help him, and the good grandfather will probably transfer all his property to you if he doesn't throw off his skates until then.

e) Get insider information from government employees who accidentally blurt it out, say, during a drinking session or when you are steaming in a sauna, about the law that they are going to adopt. Use this information for yourself and raise your capital several times.

f) Go down the white track (not heroin), but it will be much longer though... not always.

g) Think and write the points further, here they can be written endlessly, it all depends on your imagination.
 

Brother


Companies often build cyber defense, focusing primarily on technical attack vectors. Such systems can have a high level of maturity and appear reliable, but at the same time remain vulnerable to one of the most dangerous threats - social engineering based on the manipulation of human consciousness. According to statistics, today social engineering is used in one way or another in 97% of targeted attacks, while technical vectors are sometimes not used at all or are used minimally. Gartner also puts social engineering in the first place among the threats to information security, and a number of scientists argue that if social engineering adopts machine learning and artificial intelligence technologies, then humanity will receive a threat comparable to global warming and nuclear weapons.

4 myths about social engineering

Social engineering is a limited set of techniques. It is generally accepted that social engineering is limited to phishing, planting infected flash drives, tricking on social networks, and phone scams. In reality, we are talking about an almost endless combination of technical and non-technical techniques that form complex strategies.

Social engineering is part of cyberattacks. On the contrary, a cyberattack can be part of an overall strategy, the main share of which is social engineering.

Social engineering can be encountered by accident. In fact, social engineering is always implemented in a targeted manner. In the simplest cases, its focus is on the organization, in more advanced cases, on a specific person.

Social engineering is possible due to a low level of information security awareness or a low level of maturity of an organization's information security system. In reality, social engineering, by definition, operates on the proven level of information security awareness and the level of maturity of the information security system, for which it always starts with studying the object of the attack. This is often the longest and most laborious phase of a social engineer's job.

Social Engineering: The Limits of Opportunity

In advanced versions, social engineering is a sophisticated strategy implemented by "professional" teams of fraudsters and technicians of various profiles. To imagine what they are capable of, I recommend that you study not only the well-known cyber incidents associated with the exploitation of human factor problems, but also the biographies of the most prominent social engineers (including professional swindlers) over the past century. So, Victor Lustig managed to sell the Eiffel Tower several times to quite intelligent people. Joseph Weil, nicknamed the "yellow thief", earned 400 thousand dollars by creating a fictitious bank (on the site of the building of a legitimate bank). For 5 years of criminal activity, Frank Abagnale has distributed fake checks in the amount of $2.5 million in 26 countries of the world, and his biography formed the basis of the film "Catch Me If You Can". The Badir brothers, who were born blind, implemented several major social engineering fraud schemes in Israel in the 1990s, taking advantage of their ability to hear a wider range of sounds and fake voices. And finally, the legendary Kevin Mitnick - a hacker and a cybersecurity specialist at the same time, the author of several books on social engineering and hacking - masterfully used telephone fraud techniques in social engineering.

How does social engineering work? Each strategy involves several stages, and the higher the level of the attacker, the less he will follow any specific scripts of the sequence of actions. An example of the life cycle and framework of such attacks is shown in the figures below.

Each stage contains potentially endless combinations of non-technical measures: initiation techniques, preprocessing, prepositions, information extraction, influence, deception and manipulation, NLP.

Separately, it is necessary to dwell on attacks on the subconscious level. This is critical to understanding the limits of defense against sophisticated social engineering attacks. This is more a theoretical justification "on the fingers", but it is enough to understand the problem. If we consider social engineering as one of the TOP-3 threats to humanity, then first of all we are talking about "hacking" the subconscious of the human brain, i.e. when the actions of the attackers are directed not to the level of consciousness, but to the level of the subconscious. A number of the above-mentioned brilliant social engineers, perhaps, did not even imagine that they often influenced the subconscious of a person. It is in it that our computing power is concentrated (according to various estimates, 95-99.99%) and the processes of cognitive activity (according to various estimates, about 95%), which determines the scale of the problem. Moreover, if consciousness by its nature can block attempts to influence it, then the subconscious mind does not resist them. And this already determines the boundaries of the possibilities of information security awareness, which operates mainly at the level of consciousness. The most advanced social engineering technique is based on this principle - a system of activations that lead the victim's subconscious mind to the decision necessary for the attacker.

There are many examples from life (even legitimate ones). Every person faces similar influences at least once a week when visiting a supermarket. Product placement on shelves, shapes and images on packaging are all techniques network marketers use to persuade shoppers to purchase a particular product. A simple example: a bright product with angular shapes of a logo or drawing is deliberately placed on a shop window, which will most likely not be approved by the consumer's subconscious, but will draw his attention to a certain shelf. This is done on purpose so that later he will notice the goods on the same shelf that are more acceptable to his subconscious (in shape and pattern). Likewise, placing the same or different products on the shelves has a very clear and reasonable meaning and fulfills a specific task. In fact, we are dealing with subconscious reactions undeclared for consciousness. I call them “vulnerabilities” of the brain, although by and large these are normal and even necessary reactions formed by evolution in the prehistoric world. To foresee all of them consciously is actually impossible in modern life.

It is curious that the number of such potential "vulnerabilities" of the human brain is orders of magnitude higher than that of any of the most advanced software. This is a rough estimate based on the number of potential brain states and memory sizes compared to the average computer software. We can safely say that the area of protection of consciousness and subconsciousness today is much inferior to traditional cyber defense.

Looking for a solution

Not finding in open sources a ready-made answer to the question of how to properly (and most importantly, systematically) deal with threat #1 in information security, we decided to conduct our own research, which was supposed to help us develop a systematic approach against social engineering. First of all, we turned to the best practices: MITRE ATT&CK matrices, NIST and SANS standards. First of all, we were interested in methods of detecting and responding to information security incidents, and among preventive measures, despite the importance of other techniques, we singled out increasing information security awareness.

What are the benefits and complexities of MITRE matrices?

MITRE matrices decompose attackers' tactics into many separate techniques, categorized by attack stage. This makes it possible to formulate sets of attack detection scenarios that are optimal in terms of coverage and efficiency for specific threat models.

What are the difficulties with social engineering? Take the PRE-ATT&CK matrix: although about 40% of the techniques described in it are related to social engineering, it still focuses on the stages of preparing for an attack, within which we have almost no chance of predicting or detecting intentions of compromise. Of course, there are HUMINT (Human Intelligence) techniques - in fact, an agent network that reveals the intentions of attackers - but this is more about special services. There are also techniques for analyzing the Darknet and specialized hacker resources, which consist in finding traces of preparation for large cyber operations, but this is also a very unwarranted approach, but rather even accidental.

As for the main MITRE matrices, for example, Enterprise ATT&CK, here we are already dealing with the stages of the implementation of technical vectors of cyber threats (elements of social engineering are obtained at the Initial Access stage in the form of techniques for throwing removable media - Baiting attacks). It is likely that a skilled attacker will try to evade an organization's detection techniques - and he will be aware of them - through social engineering until the chances of detection are minimal.


Scenario of using social engineering to bypass detection techniques using the example of MITRE Enterprise ATT&CK

It should also be borne in mind that MITRE is focused on compromising specific assets (operating systems) in the context of targeted threats. Therefore, some of the scenarios outside MITRE should be devoted to other information security threats to infrastructures.

Taking into account all the listed difficulties in terms of detecting threats, we came to the conclusion that our approach should take into account two points:
1. Prevent or minimize the chance of evading technical measures to detect cyber threats.
2. Fully implement direct and indirect scenarios for identifying technical and non-technical techniques of social engineering.

How to raise cybersecurity awareness?

Information security awareness remains the main preventive technique for combating social engineering. As a guideline, we can take the Security Awareness SANS maturity model here - it makes sense to consider at least the third level in it. Everything below means the complete vulnerability of infrastructure and information systems from the point of view of information security, regardless of how the organization implements cyber protection.

Basis of the approach

In parallel, as the basis of our approach, we chose a three-tier maturity model for monitoring and response centers (corresponding to the 5 levels of CMM maturity at Carnegie Mellon University): ad-hoc (emerging), maturing and strategic. According to our estimates, most of the information security systems both in Russia and abroad can be attributed to the first level of this model. Therefore, it is from this level that we will almost always build when developing centers for monitoring and responding to information security incidents, methodically increasing maturity in all components.


Increasing the maturity of Incident Response

You need to know the attackers "by sight"

Next, we correlated the attacker's logic and motives with the SOC / CSIRT maturity matrix. Exposure to non-technical methods means for an attacker rather high risks of deanonymization, i.e. to light up and get caught in the process or after the implementation of the threat. For example, when physically entering the office of an attacked organization, he can be tracked using a video surveillance system. Therefore, with a high probability, an attacker will seek to implement an attack with technical vectors. It would seem that this is what we need. However, it is quite difficult to hack more mature systems in a purely technical way, and the cost of 0-day exploits for hacking seriously protected infrastructures and information systems can reach hundreds of thousands, and sometimes even millions of dollars. Here, an attacker is likely to increase his risks in order to simplify and reduce the cost of implementation, and will resort to social engineering. Our task is to "ground" the attacker to the technical level as much as possible, or at least to exclude the implementation of non-technical techniques, thereby increasing the chances of detecting an attacker. How can this be done? By increasing cybersecurity awareness.

Of course, each organization will have its own typical attacker. Therefore, another component that formed the basis of our approach is risk profiling of potential attackers.

Systems approach versus social engineering

The result of our research was an approach, the essence of which is to methodically increase the level of maturity of information security awareness, processes for monitoring and responding to information security incidents, as well as in the implementation of a set of specialized scenarios for identifying social engineering techniques.

How do we do it? The profile of the attacker is studied for each customer. Further, on its basis, a method is developed to increase the level of detection completeness by increasing the number of points of information retrieval, expanding the scenario set (the number of identified threats) and the context with which we fill these scenarios. In this case, the context is divided into 3 planes: users, assets and protected data. All of this is being implemented in parallel with increasing response capabilities and information security awareness.

Let's see how our approach works using event sources as an example. At the first stage, we collect mostly static data and to a lesser extent behavioral data. Some of the latter should be added right away, so that at this stage you will be able to catch an attacker who, when trying to implement a complex targeted attack, will try to bypass all used detection techniques and end up at the final stages of hacking. For example, the same DLP system can be a good compensation measure here. However, many other behavioral mechanisms should be included at a good level of maturity, since they can unnecessarily generate false positives. At low maturity levels, this will reduce overall efficiency. At subsequent stages, as maturity increases, we increase the number of sources from which we remove information: system events,

Let's give one more example - from the asset plane, i.e. the context with which we fill our scripts. First we have a basic set, then we look for information to complement it, and so on until full coverage. A natural question arises: why not include all this at once? The reason is that without a commensurate development of processes, such actions can lead to an increased number of false positives, on which an excessive amount of resources will have to be spent. As a result, this will negatively affect other processes, and the overall efficiency will decrease.


Example. Asset model. Collected context

Increasing the maturity of monitoring processes occurs in a cyclical format, that is, we study the attacker and the threat surface, form a scenario base, fill it with context, write correlation rules - and so on in a cycle.

An important aspect of our approach is the additional focus on social engineering markers when developing scenario logic. These can be both direct scenarios for the technical vectors of social engineering, and indirect (applicable to detect indirect signs of non-technical vectors of social engineering). The former include phishing, infection of websites with malware (watering holes), registration of domains consonant with the names of popular company office together with an employee (piggybacking), sending malicious links using short SMS messages (SMiShing), etc. Examples of indirect markers are all sorts of DLP, UBA, and TBA scenarios. The significance of these markers lies in the fact that

For example, in the case of planted flash drives, you can use infrastructure capabilities, conduct Windows audits, and also try to catch attempts to launch system processes from removable media (Microsoft Windows event IDs 4663 and 4688). The same is true for Linux systems. Moreover, if possible, all this should be done with a system audit, so as not to increase the cost of monitoring. Specialized solutions here are an extreme option.

I would like to add that understanding the markers of social engineering is important not only at the monitoring stage, but also in terms of response, post-incident analysis and forensics. And besides, it will not be superfluous to involve in this work an information security specialist, whose main profile is social engineering. In our experience at Jet CSIRT, the interaction of the blue team (defenders) and the red team (ethical hackers) significantly increases the chances of the information security team to repel cybercriminals who build attacks on the human factor.

Author: Alexey Malnev, Head of the Jet CSIRT Information Security Monitoring and Incident Response Center.
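The removable-media check mentioned in the article above (Windows events 4663 and 4688), as an added example that is not part of the original post and is not Jet CSIRT's own rule set. It assumes events are already normalised to dictionaries; the field names, host names, sample events and the per-host inventory of fixed volumes (the "asset context") are all constructed for illustration.

```python
from datetime import datetime, timedelta
from ntpath import basename, splitdrive

# Assumed asset context: fixed volumes known for each host (hypothetical inventory).
FIXED_DRIVES = {"WS-017": {"C:", "D:"}, "WS-022": {"C:"}}
WINDOW = timedelta(minutes=5)  # how close a 4663 must be to a 4688 to corroborate it


def ev(event_id, host, ts, **fields):
    """Build one normalised event record (field names are assumptions)."""
    return {"id": event_id, "host": host, "time": datetime.fromisoformat(ts), **fields}


# Constructed sample events, not taken from a real system.
EVENTS = [
    ev(4663, "WS-017", "2024-03-04T09:14:58", category="Removable Storage",
       object=r"\Device\HarddiskVolume6\tools\svchost.exe"),
    ev(4688, "WS-017", "2024-03-04T09:15:02", user="j.doe",
       image=r"E:\tools\svchost.exe"),
    ev(4688, "WS-017", "2024-03-04T09:20:00", user="j.doe",
       image=r"C:\Windows\System32\notepad.exe"),
    ev(4688, "WS-022", "2024-03-04T10:00:00", user="a.lee", image=r"F:\report.exe"),
    ev(4688, "WS-022", "2024-03-04T10:05:00", user="a.lee",
       image=r"\\fs01\apps\setup.exe"),
    ev(4688, "WS-099", "2024-03-04T11:00:00", user="guest", image=r"E:\x.exe"),
]


def detect_removable_launches(events, fixed_drives, window=WINDOW):
    """Return (alerts, hosts_without_inventory) for 4688 launches outside fixed volumes."""
    # Index removable-storage file accesses (4663) by host and file name.
    touched = {}
    for e in events:
        if e["id"] == 4663 and e.get("category") == "Removable Storage":
            key = (e["host"], basename(e["object"]).lower())
            touched.setdefault(key, []).append(e["time"])

    alerts, uncovered = [], set()
    for e in events:
        if e["id"] != 4688:
            continue
        known = fixed_drives.get(e["host"])
        if known is None:
            # No asset context for this host: report the blind spot, do not guess.
            uncovered.add(e["host"])
            continue
        drive, _ = splitdrive(e["image"])
        # Skip paths without a drive letter, UNC shares and known fixed volumes.
        if not drive or drive.startswith("\\\\") or drive.upper() in known:
            continue
        key = (e["host"], basename(e["image"]).lower())
        hit = any(abs(e["time"] - t) <= window for t in touched.get(key, []))
        alerts.append({"host": e["host"], "user": e["user"], "image": e["image"],
                       "severity": "high" if hit else "medium"})
    return alerts, uncovered


if __name__ == "__main__":
    found, blind = detect_removable_launches(EVENTS, FIXED_DRIVES)
    for a in found:
        print(a["severity"], a["host"], a["user"], a["image"])
    print("hosts without inventory:", sorted(blind))
```

A launch that is also seen as a removable-storage file access on the same host within the window is rated high; one supported only by the drive letter is rated medium, which keeps the false-positive load in line with the maturity argument made in the article.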