Trustwave and Cybereason Merge to Form Global MDR Powerhouse for Unparalleled Cybersecurity Value. Learn More

Trustwave and Cybereason Merge to Form Global MDR Powerhouse for Unparalleled Cybersecurity Value. Learn More

Services
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

Database Security

Prevent unauthorized access and exceed compliance requirements.

Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Microsoft Security
Unlock the full power of Microsoft Security
Offensive Security
Solutions to maximize your security ROI
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats

3 Easy Steps for Foiling Social Engineering Attacks

Not too long ago, one of my fellow penetration testing consultants at Trustwave sent phishing emails to a large number of "targets" - employees who work for an organization that asked us to simulate attacks against its user base to help quantify its insider risk.

After the emails were delivered, the consultant randomly picked targets to call. For this, he spoofed the phone number of the company's IT help desk to add legitimacy to the ruse. Known as a pretext call, the exercise involved the consultant stating: "Hey, we heard people were getting phishing emails and wanted to test if our password policy is in place." The goal of the call was to confuse, rush and pressure the target into doing things they normally wouldn't, namely changing their network password over the phone.

Many did, and few realized they were handing it over to a complete stranger.

As hardware and software security systems have become more effective and agile in responding to intrusion attempts, hackers are increasingly turning toward the human component of the equation, as was perfectly evidenced by a story in the news this week.

I myself have successfully performed penetration-testing engagements against organizations by being nothing more than a smooth talker or by exploiting a user's everyday activities, such as checking email. Don't be static. That is to say, don't assume your information security program covers everything. Last week, a Trustwave Blog post offered nine tips for pumping up your security awareness program. In this post, we are going to drill down specifically into social engineering defenses.

Threat actors are constantly honing their skills against every kind of organization. These skills include how to break down mental defenses of their target to exploit human nature. Pushing back all begins with education.

Awareness

You should first teach users that they are a prime target because they are far easier to attack than a hardened system. Explain why someone would use social engineering to attack them - and make the message personal.

Identification

Next, you must teach them how to identify a social engineering attack. By first establishing and adhering to strict policies regarding what should be transmitted via email, end-users can then identify suspicious solicitations. Requests for credentials, or to just confirm/test if something is working, are indicators of someone trying to sound legitimate. Training and simulating attacks come in quite handy here. For example, users should be conditioned to check for oddities in links they receive.

Reaction

In the case of emails, simply reporting a suspected phishing message to the IT security group is generally sufficient. Phone calls, on the other hand, present an additional immediate high-stress scenario where the caller is generally trying to put the target on the spot. When an untrained user is under such pressure, they often forget what they learned from that one training module on social engineering that they had to complete once upon a time.

If they feel pressured or nervous, they should fall back on a "last-resort checklist" to verify the individual calling on the phone. The checklist would contain a list of best practices. For example, it may remind employees to ask a special code of the day to confirm the caller's legitimacy - or, for the example above, calling back the actual help-desk number to verify the caller's identity. Being able to focus on a checklist with the authority to overrule anyone on the phone gives a user confidence and forces the attacker to scramble, potentially revealing their true motives.

While this checklist is primarily for the high-pressure phone call situation, it can easily be adapted for use when an individual receives email communication. It would contain basic things already in an infosec awareness program, such as never giving out usernames and/or passwords, or not opening emails or attachments from sources you do not explicitly know.

**

Through a combination of receiving education and understanding psychology, your users stand a better chance of resisting social engineering attacks in their purest form - an attack on a person's thoughts and emotions.

Ismail Saifudin is a Trustwave security consultant on the SpiderLabs Network Penetration Testing Team.

  7192_e6a3dad0-5a16-4868-bcbc-4fd15a5bcfb8

 

ABOUT TRUSTWAVE

Trustwave is a globally recognized cybersecurity leader that reduces cyber risk and fortifies organizations against disruptive and damaging cyber threats. Our comprehensive offensive and defensive cybersecurity portfolio detects what others cannot, responds with greater speed and effectiveness, optimizes client investment, and improves security resilience. Learn more about us.

Latest Intelligence

Discover how our specialists can tailor a security program to fit the needs of
your organization.

Request a Demo