Social engineering training

"While we focus the vast majority of our security efforts on protecting computers and networks, more than 80% of cyber attacks and over 70% of those from nation states are initiated by exploiting humans rather than computer or network security flaws."

The Active Social Engineering Defense (ASED) program, DARPA.

Cybersecurity is not only a technical challenge

It is also a behavioral challenge. As long as managers and employees can grant access to systems and data, cybersecurity depends on them too.

Employees who have access to an organization's critical assets become targets. Those with access to technology and organizational assets are also responsible for protecting those assets. Are they fit and proper to handle this responsibility? Do they have the awareness and skills necessary to meet these expectations?

A major challenge in today's cyber security efforts is the lack of awareness and training. Many organizations and companies in the public and private sectors continue to believe that cyber security is a technical discipline rather than a strategic one. They believe that cyber security involves only protecting systems from threats such as unauthorized access, not the awareness and training of the people who have authorized access to systems and information.

That becomes an exploitable organizational vulnerability. Attackers prefer targeting humans because it is simpler. While technology keeps advancing and security systems become stronger and harder to compromise, human psychology has remained the same for centuries and is therefore easier to exploit.

People respond to the same stimuli (urgency, authority, a plausible request for help) in predictable ways, so the same techniques for exploiting those responses keep working. In addition, it is often a low-cost, low-risk, high-reward approach.

While computer hacking manipulates technology to enable illegal activity, social engineering manipulates humans and other non-technical elements to breach organizational security.

Social engineering is the art and science of skillfully manipulating other people into taking specific actions that assist an attacker in successfully initiating and completing an attack.

Social engineering tactics can be as simple as convincing someone to click on a URL, or as advanced as convincing someone to provide information, or to take action that will enable a breach.

The most exploited factor in social engineering is ignorance. A person who does not know the tactics and methods used by social engineers is defenseless against them. Understanding how social engineers achieve their objectives is the strongest countermeasure against social engineering attacks.

On this website, we make available information that will assist managers and employees in developing and strengthening their knowledge of social engineering. They will find articles:

- explaining social engineering tactics and strategies,

- discussing cases of successful attacks, and understanding how they could have been prevented,

- suggesting social engineering counter-measures,

- providing news commentary, and more.

However, as every organization is unique, we kindly ask each reader to apply critical thinking while reading our material, to judge whether and how the knowledge available can be applied to serve their organization's needs.

Our ultimate goal is to develop and strengthen an essential layer of organizational security, the human one (or as commonly called “the human firewall”), that will support and protect the assets of a company or organization.


First instructor-led training program

Social Engineering: Awareness and Defense

In this course, managers and employees learn to understand, identify and respond to social engineering attacks. The program provides the knowledge necessary to recognize the most typical and frequently used types of attacks, and explains how to respond. During the course, attendees learn why security should supersede convenience at all times, and why policy needs to be diligently followed. Defense mechanisms and countermeasures are included in each section. We can tailor the course to meet specific requirements. No previous knowledge is required.

Target Audience

The program is beneficial to managers and employees working in companies and organizations of the public and the private sector.

Language

English

Course Synopsis:

Introduction.

1. Security is not a technical issue alone.

2. The importance of cultivating and maintaining security habits.

3. Non-technical means that protect your infrastructure.

4. Having multiple layers of security.

Social Engineering.

1. What is social engineering.

2. Why social engineering is a primary attack vector – and why it is likely you will encounter it, too.

3. How does social engineering work?

4. What do attackers prey upon?

5. The numbers game vs. highly tailored and targeted attacks.

Who is the attacker?

1. Possible adversaries: competitors, employees, individuals, small groups, insiders, service providers, criminal organizations, nation states.

2. Social engineering is a business, and a full-time profession.

The Social Engineering Kill-chain.

1. Reconnaissance: The research phase used to identify and select targets.

2. Targeting: Who is the most vulnerable person to attack? What is the biggest vulnerability of the target?

3. Pretexting: The attacker’s cover story.

4. Establishing trust with the target.

5. Manipulating, exploiting and victimizing.

6. Case studies.

Typical Social Engineering Attacks from a Distance.

1. Phishing Emails.

2. Spear Phishing.

3. Vishing.

4. Smishing.

5. Watering Holes.

6. Spoofing.

7. Baiting.

8. Whaling (phishing aimed at senior executives).

9. Emotional triggers that will make you want to respond - but you shouldn’t.

10. Case studies.

11. Defense.

Is your social media content making you a target?

1. Social media is a primary source of information for attackers.

2. How your social media content can be used against you.

3. Cybersecurity hygiene advice for social media.

4. Attacks through social media.

5. Examples.

6. Defense.

In-person attacks and manipulation techniques.

1. USB traps.

2. Emotional elicitation & exploitation.

3. Time pressure.

4. Authority.

5. Likeability.

6. Intimidation.

7. Reciprocity.

8. Impersonation.

9. Pity & Helpfulness.

10. Commitment & Consistency.

11. Reverse Social Engineering.

12. Examples & Case Studies.

13. Defense.

Physical security.

1. Why social engineers will try to enter your establishment.

2. What assets can be stolen or compromised?

3. Gaining unauthorized access to physical spaces.

4. Tailgating and bypassing physical security measures.

5. Locked does NOT mean secure - lockpicking capabilities.

6. Defense.

Identifying a social engineering attack.

1. Identifying manipulation and deceit.

2. Emotional triggers, emotional exploitation & what to do about it.

3. Verifying intentions - subtly.

4. Case studies.

5. Responding to and deterring a social engineering attack.

Policies & Procedures.

1. Convenience vs security.

2. What policies? What procedures? Why?

3. Using & applying policy to your advantage: escaping manipulation and uncomfortable situations.

4. Visitor policy best practices.

5. Disgruntled employees.

6. Best practices for third party vendors entering the establishment.

Developing information security habits.

1. Developing and internalizing everyday security habits.

2. Maintaining helpfulness without compromising security.

3. Establishing healthy boundaries in communication.

Concluding Remarks. Our ultimate goal is to develop and strengthen an essential layer of organizational security, the human one (or as commonly called “the human firewall”), that will support and protect the assets of a company or organization.


Second instructor-led training program

Practical Social Engineering Defense: Protection of Sensitive Information

This course is important for governmental or non-governmental organizations and companies handling sensitive or classified information, a powerful, high-value asset that attracts many attackers. Are the managers and employees who handle this information ready to protect it and to respond to potential threats and attacks? This program offers attendees the skills and knowledge necessary to identify potential threats and respond to them.

Target Audience

The program is beneficial to managers and employees working in companies and organizations of the public and the private sector.

No previous knowledge is required. We can tailor the course to meet specific requirements. This program can include exercises and role playing.

Language

English

Course Synopsis:

What Is Considered Sensitive Information?
1. What the organization vs. what the attacker considers to be valuable information.
2. Personal information.
3. Classified Information.
4. Information about the organization.

Who is the Attacker and why?
1. Possible adversaries: criminal organizations, nation states, activists, individuals, small groups, insiders.
2. Social engineering is a business, a full-time profession.
3. Selling information in the dark web.
4. Using information to sabotage operations, for reputational damage, for destruction, and more.

Social Engineering Methods for Information Harvesting.
1. Building a personal relationship with the target.
2. Human Intelligence (HUMINT).
3. Open Source Intelligence (OSINT).
4. Geospatial Intelligence (GEOINT).
5. Communications Intelligence (COMINT).
6. Special Issue: the surprising quality of intelligence gathered from inference espionage.
7. Threading them together.

Long term vs short term attack efforts.
1. Short term efforts.
2. Long term efforts: overt and covert asset cultivation.

Social Engineering (SE) Modus Operandi.
Step 1: Reconnaissance.
1. Information Harvesting.
2. In-depth OSINT: Everything that can be found about you.
3. Turning information into intelligence: how even seemingly innocent and irrelevant pieces of information are puzzled together.
4. Profiling targets.
5. Selecting targets.
6. Identifying objectives.
7. Defense.

SE Modus Operandi Step 2: Pretexting.
1. Crafting a strategy based on the target’s profile.
2. Constructing the attacker’s persona.
3. Mirroring or complementing the target’s personality.
4. Cover story.
5. Tailoring the attack.
6. Defense.

SE Modus Operandi Step 3: Building a Relationship.
1. Identifying potential occasions for initiating contact.
2. Getting into the circle of awareness.
3. Initiating contact and hooking the target.
4. Building trust and credibility.
5. Their personality will match yours… almost perfectly.
6. “What are the chances! To meet someone like you…”.
7. Frequent high-value contact.
8. Privilege escalation.
9. Case studies.
10. Defense.

SE Modus Operandi Step 4: Exploitation.
1. Stretching the boundaries: escalating from obtaining slightly significant pieces of information to increasingly more important ones.
2. Links, attachments and USBs with malicious code.
3. Obtaining information for other high-value targets.
4. Launching specific attacks (variety of possibilities).
5. Case studies.
6. Defense.

Frequently Used Influence Tactics.
1. Situational reframing.
2. Satisfying the target’s personal motives and interests.
3. Satisfying the target’s unmet needs.
4. Seduction techniques.
5. Mystery.
6. Familiarity and likeability.
7. The “Feel good” influence factor.
8. The “Halo Effect”.
9. Defense.

Frequently Used Information Extraction Techniques.
1. Elicitation.
2. Putting the target in a trance.
3. The magnet effect: how using one piece of information can elicit more.
4. Covertly cultivating a sense of obligation to answering questions.
5. Exploiting compliance.
6. Defense.

The Social Engineer’s Target Management.
1. Targets (assets) that respond and deliver a high ROI – are to be maintained.
2. Targets that hold highly valuable information – are to be cultivated.
3. Targets that do not respond, do not deliver or are suspicious – are to be abandoned.
4. You want to be in the third category.

Frequently Used Scenarios.
1. The “Damsel in Distress”.
2. Romance Fraudsters.
3. The Rescuer.
4. Direct approach with value proposition.

Defense: Know Thyself.
1. The tendency to confirm the scenario you wish for (confirmation bias) and self-induced blindness.
2. The tendency to justify your guilty actions.
3. Know your weaknesses.
4. Believing it will not happen to you.
5. We are inherently bad at detecting deceit.

Defense: Further Countermeasures.
1. Lessons from the field of counterintelligence.
2. The biggest weakness of a social engineer.
3. Using their toolkit against them.
4. Verifying claims.
5. Maintaining boundaries in communication.
6. Handling emotional triggers.
7. “The need to know” principle.
8. New hiring standards.

Attacker Detection Checklist.

Concluding Remarks.