
2.4 Social engineering techniques

2.4.1 The attack phases

This section presents the general phases of an attack that has an element of social engineering. It can be used as specific guidance for the threat modeling phase of a risk assessment or penetration test (see Sec. 2.1.3).

An attack is typically modeled as a number of phases (3-7 depending on the source, e.g. certification bodies or standardization organs): reconnaissance/survey, weaponization/customization, delivery, penetration/breach/break-in, enumeration/installation/maintaining access, data export and “covering the tracks”. Some of the papers already examined here that describe attack phases are [20, 7, 37, 24].

One specific model used in some official US publications is the “Lockheed Martin kill chain” (depicted in Figure 2.10). The figure depicts both the phases of an attack (noticeably similar to the ones used by CFCS in e.g. [7]) and the phases of disruption (quite similar to the ones used by CPNI in [11]). Sources describing fewer phases can still be mapped onto this model using synonyms such as the ones above. The attacker will use various tools to reconnoiter his target before the actual attack; social engineering plays a large role in this phase, but the techniques can definitely also be utilized during the exploitation phase to gain further information, access etc. The techniques are described in Section 2.4.2.

Figure 2.10: The “Lockheed Martin kill chain”, from https://countuponsecurity.com/tag/kill-chain/ after [24].

The goal of the reconnaissance phase is “[. . . ] to obtain enough detailed information and get sufficient certainty about the reliability of this information to inform their modus operandi [‘habits of working’] and be sure of success.” [11].

Specifically for a social engineer, we find in [35] “The Social Engineering Cycle”, which describes the steps the social engineer will repeatedly cycle through during an engagement (the same steps are used in [27]):

Research: OSINT gathered from government sources, commercials, news sources, web content and even physical acquisition (like “dumpster diving”).

Developing trust: Using information from the research, insider information from previous steps, misrepresentation, citing a need for help, citing people known to the target, or citing authority.

Exploiting trust: Asking for information or an action from the target (or manipulating the target into asking the attacker for help).

Utilize information: Repeat the cycle if necessary.

The cycle can be seen as both an alternative to the reconnaissance, attack and exploitation phases of e.g. the kill chain (Figure 2.10) and as a specification of the exploitation phase of the same, as “The Social Engineering Cycle” is the specific method to exploit the target.

Another way to understand the attacker’s reconnoitring methods is to look at his mindset. It can be characterized by intent, capability and culture [11] (the descriptions of the three characterizations below are also from [11]):

Intent: This is what the hostile wants to achieve. Think about their overall aim, as this will help identify the effect the hostile wants the particular attack to have.

Capability: This is about the resources at the hostile’s disposal. Think about equipment, time, personnel, skills and training, financial backing and geographic location.

Culture: This is the hostile’s personal motivations and appetite for risk.

Even though not all dimensions of the attacker can be defined, the organization will have gained further insight and is able to determine likely attack scenarios. With this in hand, the organization can move to the actual threat modeling (see Sec. 2.1.3 for a framework to build the scenarios).

Bear in mind that while most attackers are outsiders, as many as 30 % of attacks may come from insiders with prior organizational knowledge [29]. Insiders may need to gather far less information to deploy a successful attack. These should be covered when performing threat modeling, as their intent often varies from the outsider’s; in [29] the motive was most often sabotage, while many current attacks (at least the ones reported in the media) seek monetary gain or access to intellectual property/espionage. Insiders can however be harder to profile; [29] finds that no “demographic profile” of a malicious insider exists.

Having built the scenarios, it is important to revisit and update them often to maintain their usefulness [11]. Attackers (especially highly motivated ones, e.g. APT groups) will find new ways, and changes in the organization may have gone unregistered.

In [35] p. 332 a list of “common social engineering methods” is shown; it is reproduced below. Several have already been covered by other sources’ examples of attacks (especially in Sec. 2.3), but this list was made by an experienced social engineer. In Section 2.4.2 we will also see how many of these methods relate to specific psychological weaknesses that are exploited. The list can be helpful both in modeling attack scenarios and for awareness programmes.

• Posing as a fellow employee.

• Posing as an employee of a vendor, partner company, or law enforcement.


• Posing as someone in authority.

• Posing as a new employee requesting help.

• Posing as a vendor or systems manufacturer calling to offer a system patch/update.

• Offering help if a problem occurs, then making the problem occur, thereby manipulating the victim to call them for help.

• Sending free software or a patch for victim to install.

• Sending malware as an e-mail attachment.

• Using a false pop-up window asking the user to log in again or sign on with password.

• Capturing victim keystrokes with expendable computer system or program.

• Leaving a CD/USB around the workplace with malicious software on it.

• Using insider lingo and terminology to gain trust.

• Offering a prize for registering at a web site with username and password.

• Dropping a document or a file at company mail room for intraoffice delivery.

• Modifying fax machine heading to appear to come from an internal location.

• Asking a receptionist to receive and then forward a fax.

• Asking for a file to be transferred to an apparently internal location.

• Getting a voice mailbox set up so callbacks perceive attacker as internal.

• Pretending to be from remote office and asking for e-mail access locally.

We call these actions pretexting57, as the social engineer puts forward one of the above reasons to justify his malicious requests or actions. [35] contains several more examples of stories of attacks performed by both Mitnick himself and “not-Mitnick”; he has also published several books on this (and so have many others).