The term social engineering, also known as “human hacking” or “social hacking”, originally had its meaning in political science, before acquiring the more negative connotation it carries in information security today.
Karl Popper first introduced the term in 1945 in his work “The Open Society and its Enemies”. There it stands for “applied social science” (in the literal translation), which summarizes the efforts to create or improve social structures.
Its principle rests on the idea that a person can be improved like a machine. The goal here was therefore not something negative like scams, data theft or information stealing; the terminology was about “optimizing” people as part of society and thereby leading to better coexistence and health awareness.
In the context of information security and hacking, people who make use of this type of attack, or of this way of obtaining information, are also referred to as “social engineers”, a term that is rarely used compared with “hacker” or “cybercriminal”.
The historical background
Placing social engineering in a clear history is difficult, because it depends on the exact definition of the technique as such. Specifically: if one considers social engineering not only in a strictly technical, information technology context, but also includes the targeted manipulation of an individual to achieve one’s own interests, or, in the political environment, the influencing of entire societies, it is almost as old as humanity. Already in ancient works, such as the defense speech of Socrates (the Apology), which Plato’s teacher delivered before the Athenian People’s Court in 399 BC, it was all about using rhetorical skill to achieve a certain goal: an acquittal, and thus nothing less than his life. Even here it quickly becomes clear that the whole topic of social engineering cannot be reduced to hackers, phishing mails and bad links alone, and that it has many facets of communication and thus also many attack paths.
Returning to social engineering in the modern socio-technical security context, one of its early forms was probably the so-called phreaking of the 1980s, in which a subculture of hackers made manipulative calls, e.g. to telephone companies, posing as a system administrator to obtain passwords and thus free modem connections.
At the latest, people like Kevin Mitnick, Thomas Ryan or the con artist Frank Abagnale helped the genre become widely known in society: on the one hand because some of them, morally reformed, made a metamorphosis from gangster to respected white hat hacker and in part still sit today as experts in government circles or important advisory positions, and on the other hand because their stories were filmed in Hollywood classics such as “Catch Me If You Can”.
These examples make clear once again how closely “online attacks” and attacks from the supposedly real world (telephone calls, role play, etc.) are related. It also becomes clear that, the further back you look in history, it does not always take technologically complex hacks to a) manipulate people and/or b) steal information.
What actually is social engineering?
In general, social engineering means that people are the central attack vector and gateway for the perpetrator, hacker, fraudster, or whatever the attacker is called. The attacker often tries to manipulate the victim by deliberately deceiving about or concealing their own identity.
Usually without suspicion or even a premonition, the victim is tricked into giving out information or installing malware on the respective system.
The risks for companies and employees, but also for private individuals and every one of us, include the theft of account information, e-mail accounts and passwords or other login information. In the private environment, for example, involuntary bank transfers are also made; in the corporate environment, a single mouse click on a malicious link is often enough for malicious software, Trojans or other malware to enter the corporate network, unnoticed at first. The consequences then range from minor incidents and partial loss of data to complete production downtime, industrial espionage or sabotage, and indirect factors such as the associated possible loss of reputation.
At the turn of 2020, the information security expert Linus Neumann, in his lecture “Hacking brains” at the largest European hacker conference, the 36th Chaos Communication Congress (36C3 for short), impressively addressed the current challenges, dangers and opportunities of social engineering. He also painfully demonstrated that not only current attack mechanisms play a role: “old classics” such as macro viruses, which are often part of an attack in the context of phishing and malicious Office attachments to e-mails, have existed since 1999 at the latest and are still one of the top attack vectors, for example for delivering ransomware or crypto trojans. The macro virus genus gained notoriety through the virus called “MELISSA”; then, as today, it was a fake Word file disguised as an alleged invoice.
In summary, the central feature of social engineering is often identity deception: the perpetrator poses as a technician, craftsman or support employee of a company such as Amazon, Facebook, PayPal or one of the large Internet service providers in order to induce the victim to hand over valuable information, or to entice them to click on infected links and thus install further malware. Particularly perfidious in this context is, e.g., a scam in which software or tools that are supposed to help find and defend against malicious software, or to clean the hard drive, then turn out to be malware themselves.
Good further general explanations can also be found on the BSI website as part of the campaign “BSI for citizens”.
Classification in IT security
Looking more closely at the different fields of IT security, there are also several perspectives from which to classify social engineering. From the point of view of, e.g., a white hat hacker in the role of a penetration tester, whose job it is to simulate a real hacking attack as part of a penetration test or a weak point analysis and thereby uncover security gaps and weak points in IT systems, applications and companies, social engineering can be viewed as one possible test field alongside three others: technical security, physical security and the often underestimated organizational security.
As in all areas of IT security, you should ask yourself two basic questions in social engineering as well, regardless of whether you are a private person, a company or even a state entity: “What do I want to protect?” and “Who do I want to protect myself from?” On that basis, the non-technical areas such as fraud, imposture, rhetorical manipulation and the like can be set aside.
With the second question (“from whom?”) it is important to subdivide the possible attacker classes into groups according to degree of danger, intention and objective.
The figure below quickly shows that social engineering usually only plays a role in the more sophisticated attack groups, and rather seldom in the now increasingly popular class of so-called script kiddies. At the level of industrial espionage, complex attacks (APTs, Advanced Persistent Threats), targeted sabotage attempts or even attacks at government level, on the other hand, social hacking is very often one piece of the mosaic of the entire attack.
In addition to the classic examples of a social engineering attack, such as phishing or spear phishing by e-mail, there are also scenarios that not only describe pure interaction between people via a wide variety of communication channels, but also combine them with attacks from the field of physical access. This is often the case in the first step of an attack on a victim, the information gathering. For example, rubbish is systematically rummaged through (dumpster diving), the victim is watched on the train while typing (shoulder surfing), or the attacker even gains physical access to the building or apartment by getting through a door behind a target person who has the appropriate authorization.
- “bad” USB stick: infected USB stick
- “bad” USB cable: infected USB cable
- “bad” USB devices: input / display USB devices
- “bad” Office document attachment: document with malicious macros
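The macro-document vector from the list above (and the MELISSA-style “invoice” Word file mentioned earlier) can be caught at the mail gateway before a System 1 click ever happens. The following script is an added example written for this page, not code from the article or from any project it cites. It parses an e-mail, pulls out every attachment and reports the structural indicators that a document can run VBA: a macro-enabled extension, a `vbaProject.bin` part inside an OOXML (zip) container, and, for legacy `.doc`/`.xls` compound files, the OLE2 magic bytes plus UTF-16LE storage names such as `_VBA_PROJECT` or `Macros`. The sample message, the attachments and the names `scan_message`, `attachment_findings`, `build_docx` and `build_sample_eml` are all constructed here; the minimal OOXML files contain only the parts the check needs and are not real Word output.

```python
import email
import io
import os
import zipfile
from email import policy
from email.message import EmailMessage

# Office file types that Word/Excel/PowerPoint themselves mark as macro-enabled.
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".xlam", ".pptm", ".potm", ".ppam"}
# "Macro-free" OOXML types: a VBA project inside one of these is a red flag.
MACRO_FREE_EXTENSIONS = {".docx", ".xlsx", ".pptx"}
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls compound file header
# OLE directory entry names are stored as UTF-16LE; these storages hold VBA code.
OLE_VBA_MARKERS = [s.encode("utf-16-le") for s in ("_VBA_PROJECT", "Macros", "VBA")]


def attachment_findings(filename: str, data: bytes) -> list[str]:
    """Return human-readable reasons why an attachment looks macro-capable."""
    findings = []
    ext = os.path.splitext((filename or "").lower())[1]
    if ext in MACRO_EXTENSIONS:
        findings.append(f"macro-enabled extension {ext}")
    if data.startswith(b"PK\x03\x04"):
        # OOXML (.docx/.docm/...) is a zip; Office stores VBA in */vbaProject.bin.
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                vba_parts = sorted(p for p in z.namelist() if p.lower().endswith("vbaproject.bin"))
        except zipfile.BadZipFile:
            return findings + ["zip container is corrupt"]
        if vba_parts:
            findings.append("VBA project inside OOXML container: " + ", ".join(vba_parts))
            if ext in MACRO_FREE_EXTENSIONS:
                findings.append(f"extension {ext} claims a macro-free format but VBA is present")
    elif data.startswith(OLE_MAGIC):
        # Legacy binary format: only a full OLE parse (e.g. with oletools) proves the
        # absence of macros, so the container is reported, plus any VBA storage names.
        findings.append("legacy OLE2 container (can always carry VBA)")
        if any(marker in data for marker in OLE_VBA_MARKERS):
            findings.append("VBA storage names found in OLE container")
    return findings


def scan_message(raw: bytes) -> dict[str, list[str]]:
    """Map every attachment filename of an RFC 822 message to its findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return {
        (part.get_filename() or "<unnamed>"): attachment_findings(
            part.get_filename(), part.get_payload(decode=True)
        )
        for part in msg.iter_attachments()
    }


def build_docx(with_vba: bool) -> bytes:
    """Constructed minimal OOXML document (real Word files have many more parts)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            z.writestr("word/vbaProject.bin", OLE_MAGIC + b"\x00" * 8)
    return buf.getvalue()


def build_sample_eml() -> bytes:
    """Constructed phishing-style mail: an 'invoice' .docx that secretly carries VBA."""
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "accounting@example.invalid"
    msg["Subject"] = "Invoice - payment overdue"
    msg.set_content("Please find the attached invoice and settle it today.")
    ooxml = "vnd.openxmlformats-officedocument.wordprocessingml.document"
    msg.add_attachment(build_docx(True), maintype="application", subtype=ooxml, filename="invoice.docx")
    msg.add_attachment(build_docx(False), maintype="application", subtype=ooxml, filename="report.docx")
    legacy = OLE_MAGIC + b"\x00" * 32 + "Macros".encode("utf-16-le")
    msg.add_attachment(legacy, maintype="application", subtype="msword", filename="legacy.doc")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reasons in scan_message(build_sample_eml()).items():
        print(name, "->", reasons or ["no macro indicators"])
```

The extension check alone is not enough: Word opens a `.docx` that contains a VBA project just as it opens a `.docm`, which is why the zip contents are inspected as well. For the legacy OLE format the script deliberately reports the container itself, because a byte-level marker search can miss obfuscated storages; a real gateway would hand such files to an OLE parser or simply quarantine them.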
What makes social engineering so successful?
To understand why social engineering, hacking the “human firewall”, is by far one of the most successful tactics then and now, and will probably remain so as long as people interact with IT and with digital as well as analog means of communication, we should also look at how our own human psyche works. Once we understand the characteristics of our minds and their attack vectors, it quickly becomes clear what has made social hacking the evergreen of hacking.
Individual psychological approach
Following the approach of the two psychologists Heather Goudey and Myles Jordan, who examined a number of successful social engineering attacks from 2001 to 2004 in a study, we quickly see that an important basis for a successful attack is always that the person is attacked in such a way that the rational mind has only a minimal share in the decision, and the emotional, fast and instinctive side of their being and brain takes the helm. Perfect conditions for opening malicious e-mails or giving out information! Twelve factors were filtered out.
Among other things: curiosity, greed, longing for love, authority, trust, rush, pressure
System 1 and System 2
According to the Israeli-US psychologist and Nobel laureate in economics Daniel Kahneman, the basic principle of human cognitive thinking can be divided into System 1 and System 2 (see illustration).
In his lecture “Hacking brains” at the 36C3 (36th Chaos Communication Congress) in Leipzig, the German psychologist and press spokesman of the Chaos Computer Club, Linus Neumann, transferred Kahneman’s systems to the reality of human hacking and showed where the weaknesses of the human factor lie from an individual psychological point of view.
System 1 works automatically, quickly and intuitively and supports us in all the recurring tasks of the daily routine, such as the almost subconscious drive to work, a cyclist’s motor skills, or locking our front door. Unfortunately, System 1 also takes over whenever we a) are afraid or b) carry out a boring, routine activity. This is exactly what attackers exploit: they try to manipulate us so that our actions are rash and irrational.
In the case of a phishing e-mail that seems illogical to us, or a mysterious caller who wants our password, our System 2 would actually know exactly what to do. However, this does not help us much if System 1 is already at the wheel thanks to a suitable “psycho-trigger”.
Organizational psychological approach
That this problem has not yet really been solved can, according to Neumann, be explained in terms of organizational psychology. The areas of technical security and physical security mentioned above are often implemented relatively well, at least in comparison with the layer that works with them: the employees and administrators!
So why, as a hacker or attacker, not choose the path of least resistance: instead of complex, purely technical attacks, which also demand more know-how from the hacker, use the human factor directly via social engineering, by far the simplest attack vector. And it is not just that humans are the weakest link in the chain. The protective measures in this area, training and user awareness, are at such a bad, even catastrophic level that the attacker faces very little difficulty. Furthermore, in the areas of user awareness and employee training there are no really clearly defined standards or measurable metrics, neither for private individuals nor for companies.
According to Neumann, all of this means that the three areas of fraud (e.g. CEO fraud), authentication and passwords (e.g. Collection #1 to Collection #5) and potential malware (Office macro viruses since 1999) will unfortunately continue to exist for a long time as attack areas in human hacking, along with many other scenarios.
If one dares to look into the future of social engineering attacks, which are increasingly supported by AI, ever more computing power and ever more sophisticated technologies, we can only hope that awareness of the countermeasures and options that actually exist, in the private environment as well as in companies, will slowly grow.
Take the alleged example of a new class of CEO fraud over the phone (vishing), in which a British energy supplier suffered damage equivalent to € 220,000 in March 2019. The sophisticated part was that no human had tried to imitate the boss with the supposed instruction to transfer a sum of money; an AI-supported machine took over that role, and it sounded so deceptively real that the victim at the other end of the line could hardly hear the difference. Whether this incident actually occurred with the described degree of AI involvement has not yet been clearly confirmed or refuted.
As in every area of information security, we actually also know in the area of human hacking what effective countermeasures are – train, train and train again.
It is crucial that the training concepts are geared precisely to the employee, the company and the actual protection requirements in a practical “hands-on” mentality. Simply introducing a standardized training platform with theoretical examples to “click through” is neither didactically sensible nor does it result in an effective increase in IT security. Anyone who knows a corresponding standardized model from their own employer knows how tiring and even demotivating such a thing can be.
As an internationally operating penetration testing team, we have unfortunately had a break-in success rate of 100% since the company was founded, which, frankly, is also due to the fact that a break-in succeeds at the latest when we target the human firewall.
By carrying out actual attacks together with the employees regularly and in changing scenarios, you can achieve the goal: lived information security, for the human factor as well!
- Only theoretical training platforms vs. learning through e.g. active attack simulation via a social engineering attack as part of a penetration test
- Abstract guidelines and concepts vs. didactics: first getting enthusiastic about the topic, then training
- BSI for citizens: “Social engineering – humans as weak points”
- Linus Neumann – lecture “Hacking brains” 36C3
- Wikipedia – Social Engineering.
- Kevin Mitnick book title: Art of Deception
- Joe Navarro: People Read
- Karl Popper: “The Open Society and its Enemies”
- Daniel Kahneman: “Thinking, Fast and Slow”