The question of how to prevent social engineering has gained many column inches in recent years. Social engineering is the practice of deceiving and manipulating individuals into sharing sensitive information, which is then used to infiltrate or compromise an organisation or network, or to further an espionage operation.
But how do you prevent social engineering in cases where the attackers may not hack any accounts themselves at all?
Not all perpetrators of social engineering are hackers
A famous example of such a case, reported extensively between 2015 and 2017, concerned Crackas with Attitude (CWA). The group illegally accessed the email and social media accounts of then-CIA Director John Brennan and other senior government officials, then leaked sensitive information and made personal threats.
However, according to a filed affidavit, group members did not hack into any of the restricted accounts they accessed. They instead used social engineering, impersonating their targets and various IT support staff while purporting to aid the victims.
As reported by Ars Technica and other sources, one suspect allegedly accessed Brennan’s account by pretending to be a Verizon technician. They then duped another Verizon staffer into resetting the password for Brennan’s Internet service. The crew allegedly gained subsequent access to a Brennan AOL account.
Attackers are developing ever-more sophisticated approaches
While traditional phishing and social engineering methods still frequently succeed, greater awareness and understanding of them has helped to blunt their impact. This also means attackers are turning to increasingly sophisticated, longer-term alternative techniques.
These may include credible false personae, self-referencing synthetic networks and highly targeted, detailed reconnaissance. This approach is effectively a variant of catfishing, dubbed ROSE, or ‘Remote Online Social Engineering’.
ROSE aims to compromise organisations’ networks by first building rapport with targeted victims. The attacker then uses this rapport to elicit sensitive details, collect material that can be distorted and persuade users to take actions that make a compromise possible.
What can your firm do to guard against ROSE attacks?
Because it relies on long-term, highly customised social engineering identities, consisting of believable characters with crafted back-stories, a ROSE attack can be highly deceptive and therefore effective.
However, several techniques can help to counter such efforts to infiltrate a network. You could conduct background verification checks, for example, or request an in-person meeting, as an evasive response to the latter can be very revealing. You should also consider the age of the profile, including its earliest trace, and report suspicious behaviour to the authorities.
So, how do you prevent social engineering of this nature? By training your organisation’s staff to stop, look and think, you can lessen the risk of even the most sophisticated ROSE attacks succeeding.
Any organisation can theoretically be subject to such an attack from individuals posing as internal employees, clients, suppliers or vendors. It is therefore vital to educate your employees on how to recognise potential ROSE attacks and make smarter security decisions.
It may take only one staff member carelessly opening an attachment, clicking on a link or handing out sensitive information for a successful attack to begin to unfold.
SmilePass is a leading authority on how to prevent social engineering and provides innovative solutions for this purpose. Contact our team today to learn more about our services.