DeepSec 2016 Talk: Social Engineering The Most Underestimated APT – Hacking the Human Operating System – Dominique C. Brack
Social Engineering is an accepted Advanced Persistent Threat (APT) and is here to stay, according to Dominique C. Brack of Reputelligence and the Social Engineering Engagement Framework (SEEF).
Most high-value hacking attacks include components of social engineering. Understanding the behind-the-scenes methods and approaches of social engineering will help you make the world a safer place. Or make your attack plans more successful! Social Engineering is a topic that does not really fit into technical hacking, and it is also underestimated by security professionals. There are no tools or hardware you can buy to prevent Social Engineering attacks.
But Social Engineering is an APT to be taken seriously: most attacks consist partly of it, and both executing and preventing such attacks require training and skills. Social Engineering has progressed and professionalized more than you think. It is disastrously effective. Prior to his talk we asked Dominique C. Brack some questions about the threats of SE.
Please tell us the top 5 facts about your talk.
My talk will provide the skills to detect, defend and assess Social Engineering attacks and describe the associated risks that go along with it. You will learn about the motivations and methods used by social engineers, to enable you to better protect yourself and your organization.
In particular, you will learn about:
- Assessing Social Engineering threats
- Thinking like a social engineer
- Considering attack frameworks (SEEF)
- Reviewing the methods of manipulation
- Identifying the countermeasures against Social Engineering
How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?
As a senior security professional I am working with many clients. International, local, governmental, defence clients in highly sensitive settings (political or regulatory). For my clients I am always going the extra mile or two. Some of them experienced highly sophisticated spear phishing attacks and attempts of industrial espionage. In order to address these types of attacks I started to collect best practices and methods for dealing with Social Engineering in its many facets, and eventually I wrote a book about it. I realized I couldn’t address all my clients at the same time, and I also felt that the problem of Social Engineering is systemic and grossly underrated even by security professionals. Out of this I decided, with my partner in Germany, to write the Social Engineering Engagement Framework (SEEF) – FIRST CUT book, which is available as paperback and ebook. With this book we want to raise awareness among all stakeholders who have to deal with it, for Social Engineering is one of the most dangerous APTs. We will give away free ebooks to the participants of DeepSec 2016.
Why do you think this is an important topic?
Let me try to explain the importance of the threat of Social Engineering with an analogy. Think about this asymmetry for a second:
Machines like personal computers, devices and mobile technology have their established defense mechanisms, ranging from standard mechanisms like user ID and password to role-based access and highly sophisticated security technology like intrusion detection systems, malware detection, data leakage prevention, etc.
Of course, as we all know, these mechanisms are not perfect by far. At conferences like DeepSec we continually get reminded of their failings and possibilities to circumvent those security mechanisms.
But people like you and me have no sophisticated security technology whatsoever readily available to help protect themselves from being hacked.
If you think about this analogy, how important do you think this topic is?
For me this is the reason why I believe Social Engineering is one of the top subjects to work on. Of course, working on the technical side to improve your security posture is unquestionably important. But when it comes to Social Engineering there’s a vast security gap yawning all through the corporate world, and it’s high time to deal with it.
Is there something you want everybody to know – Some good advice for our readers maybe? Except for “Come to my talk.”
Of course “Come to my talk”. I mean not just “Come to my talk” – if you just come to my talk and treat it as a filler, then you had better go out and have a coffee, talk to your partner, or write some e-mails. If you are not convinced you will learn something, then have a piece of Sacher cake at the Hotel Sacher. It’s delicious. But join my talk if you want to learn, because even as a pro you might learn something, in the worst case just about the crowd joining social engineering talks ;-).
From my side I will give everything. I love information security and Social Engineering.
Come and join me if:
- You are a Social Engineering nerd and want to get insights on some of the latest concepts and developments in Social Engineering.
- You have to integrate SE into your risk framework.
- You are seeking advice from Social Engineering consultants and you want a more robust risk framework for scoping.
- You are curious about Social Engineering.
- You want to become a professional social engineer.
Don’t join me if:
- You are looking for one-to-one instructions.
- You expect a totally finished and polished, politically correct speech. I am rough, it will be incomplete and probably biased.
- You are a superstar social engineer and resistant to learning or advice.
- You are a know-it-all.
A prediction for the future – What do you think will be the next innovations or future downfalls when it comes to particularly your field of expertise / the topic of your talk?
Unlike in the past, Social Engineering has become an engineering discipline with precise tools, selected dynamic approaches and execution plans. This also makes it so damn hard to define countermeasures against SE attacks on the receiving end. You really never know where you could get hit next.
Based on this my prediction for the future (I am already working on this) is the combination of the Internet of Things (IoT) and Social Engineering.
I’m thinking of IoT and the whole advancement in technology. Wearables and insideables combined with Social Engineering offer endless potential for very serious, even life-threatening scenarios.
In the hyper-connected future, we have already seen a proof of concept for this type of attack. I am referring to the attacks based on the augmented reality app Pokémon GO. Pokémon GO is not only about searching for Pokémon; it also includes PokeStops and is basically one big hunting game.
PokeStops are places of interest or other hotspots located in your actual community. They can be buildings, monuments, public art, etc. You must walk about your town or city, find these PokeStops, and pick up the special items they spit out in order to advance in the game.
As you can imagine, the game, or rather the hunt on your mobile phone, has already been linked to injuries, bad driving and opportunistic robberies. People don’t watch where they go; they drive into other cars, overlook traffic lights or fall down stairs.
And there have been reported cases where these so-called PokeStops have been hacked and misused in order to steal Pokémon or change the rankings of players. With fake or hijacked PokeStops you can practically ‘lure’ your victims into traps and direct them wherever you want them to go. It appears the safeguards of the players are completely off when playing Pokémon GO.
This is a current example.
If you now extrapolate this to the world of IoT, where millions of actors, sensors and devices are communicating over low security networks then you can imagine what could happen in the future.
Just imagine your insulin is low and your wearable detects this. It will also inform you about the nearest location of a pharmacy, hospital or doctor where you could get some insulin. As a diabetic, for a while you might just endanger yourself a little and reset the respective alarm, but at some point you have to go and fetch it. Just imagine that insulin has become rare and expensive. The organ transplant mafia has gone cyber. They create a business model for selling original medication to rich people. Hackers have installed malware on IoT endpoints and collect the communication of health wearables. Within minutes your location is determined and a capture team will rob you of your insulin. Far-fetched, I know…
What will be connected to IoT?
- Check on the baby
- Remembering taking the medicine
- Activity tracking
- Smart home (heating, cooling, electricity, treating your water)
- Intelligent traffic management systems
- Waste management systems
- Smart parking-space management
- Internet-managed assembly lines
- Snow Level Monitoring
- Forest Fire Detection
- Chemical leakage detection
Are these all topics where you don’t mind low-level security?
Dominique C. Brack is a recognized expert in information security, including identity theft, social media exposure, data breach, cyber security, human manipulation and online reputation management. He is a highly qualified, top-performing professional with outstanding experience and achievements within key IT security, risk and project management roles, confirming expertise in delivering innovative, customer-responsive projects and services in highly sensitive environments on an international scale. Mr. Brack is accessible, real, professional, and provides topical, timely and cutting edge information. Dominique’s direct and to-the-point tone of voice can be counted on to capture attention, and – most importantly – inspire and empower action.
Dominique C. Brack on Linkedin
Dominique C. Brack on Xing.com
Dominique C. Brack on Slideshare