Sunday night has the must-see TV again this spring — and I’m not just talking about “Game of Thrones.” While the HBO juggernaut may contain some cybersecurity examples if you look hard enough, BBC America’s “Killing Eve” is packed with lessons we can all take away about security, especially with regard to social engineering.
“Killing Eve” isn’t necessarily a show about cybersecurity. It centers on an MI6 spy and the cunning hitwoman she’s tracking down. The thriller does make use of cyber tropes, but what really makes this series applicable to the cybersecurity industry are the consistently clever ways that both of the women leverage their expertise in human behavior to exploit those who possess what they want.
Sure, it’s all fiction, but you could easily see every scenario play out in real life, and you may think to yourself: “Is it really that easy?” For threat actors, it often is.
To help us along the way, I’ve enlisted the guidance of the father of social engineering, Frank Abagnale. The techniques employed by Abagnale 50 years ago and made famous by the film “Catch Me If You Can” are as relevant today as they were then. Before we begin, here’s a quick word of caution from Abagnale that everyone must understand.
“There is no technology that can defeat social engineering, including artificial intelligence (AI),” he told me. “You can only defeat social engineering through education.”
With this in mind, let’s go through a few scenes from the show, draw parallels to real-world examples and extract some takeaways to prevent social engineering attacks.
Don’t Fall for Common Excuses
In the beginning of season two, episode one, our protagonist, Eve, is about to board a plane in Paris, but her plans are derailed when she forgets that she has a bloody knife in her pocket as she stands in the security line. Oops — hate it when that happens. She has to think fast, and when it’s her turn to face the security agent, she says, “I had a bad oyster,” and makes a beeline for the bathroom.
If you’re the security agent, there’s a good chance this line could disarm you. A carefully thought out excuse can work even greater wonders in an email or phone call. What if your IT support department gets a password reset call and the bad actor uses some form of illness as an excuse for forgetting?
The consequences could be disastrous. Remember, the social engineer would have access to your network. If the user they’re pretending to be has elevated or far-ranging access rights, the social engineer could steal data, connect to other systems and even use the access to commit more social engineering hacks. These threats are exponentiated if the original user has the same password for other resources.
“Remember, people are basically honest, and because they are honest, they do not have a deceptive mind,” Abagnale explained.
Social Engineering Attacks Happen IRL Too
Meanwhile, the hired killer and social engineer extraordinaire Villanelle recovers from surgery in the hospital after she is stabbed. When the doctor arrives for the post-op visit, she persuades him to leave her out of the system by insisting that her police officer husband committed the stabbing. If you’re the physician, your sense of compassion may win out — especially when the patient is as convincing as Villanelle.
Perhaps over the phone or in an email, a serious request like this may not be enough to convince a professional to break the rules. But in person? Social engineering isn’t just about emails, texts and phone calls. If a threat actor is good at what they do, an in-person social hack could be extremely effective.
What if one of your executives is traveling on a plane with his or her laptop and sitting beside a bad actor? Perhaps the adversary eyeballs some information about your company on the computer screen and starts asking questions. Can you be entirely confident that the executive won’t divulge any sensitive information? The threat actor may disembark with enough corporate information to initiate a targeted attack campaign.
Physical Security Risks
Still working her way through the hospital, Villanelle steals an ID and lab coat with assistance from another party. This grants her access to even more hospital goodies. Once she looked the part, she could roam around the hospital as if she were an employee. This is an example of a simple yet effective strategy for social engineers: Pretend to be someone you are not or use credentials that aren’t yours to get what you want.
“When I did it 50 years ago to convince Pan Am Purchasing as to where I could obtain a uniform, I only had the use of a telephone,” said Abagnale. “Today, social engineers have the use of many other forms of communications, such as emails, the internet, social media, etc.”
Physical security is just as important as any cybersecurity mechanism. Consider the ramifications of an incident where one of your employees is followed into your business by an attacker tailing a few feet behind, skipping the badge swipe. If the bad actor looks innocent enough and is, in fact, a good “actor,” they may be able to convince your employees to divulge secrets or equipment.
But What Does This Mean for the Enterprise?
As Abagnale said, there’s no way to prevent social engineering fully with technology. So how can we decrease the threat of social engineering at work — or even at home? Is there a mindset we can adopt that would help?
According to Abagnale, there is. “Ask yourself this question when you are asked to do something: Is this request ordinary, or is it not? If you are asked to do something for the first time, pause to see if it’s a legitimate request.”
For example, if you receive a request from someone to send a file right away with information on your company’s employees because an M&A transaction is being discussed, it may be legitimate, but you ought to verify it before complying. “If you are asked for something, in a rushed way, for the first time — you should develop the mindset to trust, but verify,” Abagnale advises.
He also notes that the two greatest social engineering threats to an enterprise are email phishing and curiosity: “If I [drove] by the employee parking lot with a thumb drive that says ‘confidential,’ many employees would be curious to know what is on this drive. Phishing emails and phone calls are exposing many organizations to simple and honest mistakes — which leads to data breaches.”
Consider the ease with which emails can be spoofed. Most email clients allow you to type the name of any person as the display name for an email address. Anyone can send an email from “Bill Gates,” but the email address may be “[email protected]” Most employees do not check the actual email address but go by the name, allowing attackers the potential to masquerade as an executive and fool the recipient.
Combating Social Engineering Is a True Team Effort
This brings us back to training. When I was in charge of corporate security training, no matter how often we taught employees to watch out for certain situations, humanity always took over and someone would mess up. Is there anything an enterprise can do?
Having a consistent process for carrying out mock attacks against your employees as a part of awareness and training efforts tends to be fairly effective.
“But while training and awareness are crucial elements in preventing breaches, ultimately the burden lies with cybersecurity professionals to continuously work to decrease the overall attack surface of their organization,” Abagnale added. Passwordless authentication, for example, can help to eliminate the risk of social engineering attacks since an attacker can’t compromise something the victim doesn’t have or know about.
I get where Abagnale is coming from; the buck stops with the cybersecurity team. But there are still a few more specific steps IT can take to prevent social engineering attacks. Implementing zero-trust networks is always a good idea, as this limits the amount of access an attacker would have should they find their way in. You can also ensure that your organization has a robust mobile device management (MDM) or unified endpoint management (UEM) system in place. In today’s bring-your-own-device (BYOD) landscape — and with endpoints everywhere — an MDM or UEM tool is a critical piece of the security puzzle.
Social engineering will always be one of the easiest ways for threat actors to get what they want. The social engineers attacking a business may not be as convincing as Villanelle, but they don’t have to be, do they? Keep a watchful eye.