Remember the time you received a phone call from a disgruntled customer or employee that couldn’t get into their account and you had to walk them through getting back in, reset their password for them, and maybe even give them their login info? They likely sounded very upset, made it an urgent matter, and perhaps even threatened to bring in a supervisor if you didn’t help right away. You might’ve been nervous and even questioned the interaction, but you didn’t want to get in trouble so you did what was asked.
Or perhaps it was a really nice person who just needed a little help with something; their hands were full, or they forgot their badge and were late for work, and they needed you to hold the door open for them. Maybe it was a contractor onsite to do some work who just needed to know where to go to find so-and-so, a name that sounds familiar. They’re in a uniform and look official, so no harm, right? Oh, the server room? Yes, it’s on the third floor; that’s where so-and-so’s office is as well. (And let’s hope so-and-so doesn’t have his password written on a sticky note left under his keyboard.)
Most of these sound legitimate and can be perfectly innocent situations. Things happen, right? People are forgetful. People are inherently good. Why would someone lie about that stuff? The answer is that humans are the weakest link in cybersecurity, and attackers know it. These situations are all examples of effective social engineering techniques that are carried out successfully every day on unsuspecting people.
The latest exploiter of social engineering is the group Lapsus$, a gang responsible for breaking into the networks of giants like Microsoft, Okta, Nvidia, and others. It is reported that their efforts are all spearheaded by a teenager, with the help of a few others, in different parts of the world. Most of their success is attributed to social engineering tactics the likes of which even Kevin Mitnick would be impressed by.
So how do we as a society combat social engineering? How do we know who to trust?
Simple. Trust no one. Zero Trust Policy.
In a blog post put out by Microsoft regarding Lapsus$, they recommended, “raising and improving awareness of social engineering tactics to protect your organization. Educate members of your technical team to watch out for and report any unusual contacts with colleagues. IT help desks should be hypervigilant about suspicious users and ensure that they are tracked and reported immediately. We recommend reviewing help desk policies for password resets for highly privileged users and executives to take social engineering into consideration. Embed a culture of security awareness in your organization by educating employees about help desk verification practices. Encourage them to report suspicious or unusual contacts from the help desk. Education is the number one defense against social engineering attacks such as this one and it is important to make sure that all employees are aware of the risks and known tactics.” We at CyberGRX feel this is solid advice.
In addition to the advice for your own company, it’s critical to understand how your third parties measure up against social engineering attempts and what controls they have in place to combat these efforts. Being able to view their controls in relation to the tactics and techniques used by a group, e.g. social engineering (among others), is an additional tool in your toolkit against groups such as Lapsus$. CyberGRX has created the first Group Threat Profile based on Lapsus$. Available in the Framework Mapper, the Known Lapsus$ Techniques Group Profile covers the extortion techniques used by this cyber gang.
Social engineering and security awareness training should be performed with EVERY employee, with refreshers as often as necessary. It’s easy to get comfortable in one’s environment and forget the training. We start recognizing faces, people talk to us like they know us, and we assume maybe they do. Humans want to help. We want to be kind. We want to believe the best of everyone. While that’s a noble idea, in today’s cyber landscape it is no longer a safe default.
Social engineering doesn’t end at in-person interactions either. It also occurs over email (phishing, spear phishing, and whaling), over text messages (smishing), and over the phone (vishing). If there is a way to scam someone, please believe it will be discovered and carried out, regardless of the method. We MUST choose to be skeptical over trusting, as hard as that might be. It isn’t personal, it’s security.