Security 360 highlights: Phishing and social engineering

“As with fear, risk cannot be eliminated; it can only be mitigated.” – Unknown

The quote above is a powerful one indeed in the context of cybersecurity. For those that are keenly aware, the fact that the variety of risks that exist isn’t something that can ever be fully eliminated but instead serves to empower IT and Security teams to employ solid security strategies that are as powerful enough to mitigate threats as they are flexible enough to adapt to subtle (and not so subtle) changes introduced when balancing support for multiple device types, user behaviors and unique organizational needs against the backdrop of an evolving threat landscape.

One of the keys to successfully juggling all of these variables at the same time to keeping endpoints, users and company data safe begins with knowing your levels of risk, where they stem from and the different attack vectors that threat actors could leverage to compromise the security posture of your devices and organization.

And that is the aim of this blog series. Drawing directly from Jamf’s Security 360: Annual Threat Trends Report, each blog in this short series will focus on one specific threat trend, discussing amongst other things:

• What are the different forms of each threat
• Why they’re so critical to endpoint security
• How each of the threats evolves over time
• What are the best methods to mitigate them

Let’s start on this path with social engineering and phishing, shall we?

Why social engineering is so effective?

Social engineering requires little in the way of resources, reconnaissance or planning on behalf of the threat actor, yet the payoff is impressively high. Simply put: for the relatively little effort put in, attackers reap a comparatively high level of success.

Also, it doesn’t require expert or even intermediate-level cybersecurity skills. Just a knack for making the threat appear convincing enough so that victims will perform the action(s) being requested of them.

Top social engineering threat: Phishing

Given the choice, who wouldn’t prefer to work less and earn more instead of working harder just to earn the same amount?

Well, the same thought process drives social engineering, meaning that threat actors are going after quantity, looking to cast as wide a net as possible to target as many users as they potentially can. However, therein lies the rub as there are a variety of phishing attack types (more on that a little later) that while similar, exhibit slight variations behind their attacks.

Depending on what attackers are looking to achieve, phishing attacks have been modified to scope targets more granularly. High-profile roles are not just targeted, but also impersonated to get employees to perform certain administrative actions, like executive whaling phishing attacks (also known as CEO Fraud) used to trick users into sending wire transfers from company accounts. Other phishing attack variations may target a member of the IT department; or scope a specific user set, like those on social media, as opposed to the general blanket messages that are often used for targeting bulk users in mass.

Examples of the more common types of phishing attacks are:

1. Email: Email messages are sent to individuals pretending to come from a reputable, trustworthy source.
2. Smishing: SMS messages are paired with links or attachments to compromise mobile device users.
3. Social media: Attackers impersonate customer service staff with fake profile accounts on social media services to target victims requiring assistance.
4. Spear: A granular, more targeted approach to email phishing that focuses on specific individuals within an organization to obtain specific information, data and/or credentials.

Stop social engineering attacks in their tracks

We’ve said it before and will continue to beat the same drum espousing the benefits of a defense-in-depth strategy that relies on multiple security controls to work in conjunction to catch threats and stop a variety of attack types. When it comes to social engineering, an example of the controls that can be used to layer protection are:

• Mobile device management (MDM) to:
  • centrally manage and standardize device configurations
  • automatically keep track of equipment inventory
  • provision devices using zero-touch to get them into the hands to end-users faster
  • secure and track lost/stolen devices, allowing for remote locking/wiping
  • deploy managed apps and harden app/service security settings, like encrypting volumes and configuring Firewall entries
  • carry out patch management to keep all devices, operating systems and apps up-to-date
  • integrate MDM and endpoint security solutions to share device health data securely to develop automated mitigation workflows
  • manage devices holistically through the device and application lifecycles
• Cloud-based Identity Provider (IdP) integration to:
  • provision identities to users alongside permissions to devices and business resources
  • require MFA for verification of authentication attempts and resource requests
  • integrate with endpoint security telemetry data to verify user and device health status before access to requested resources is granted as part of a Zero Trust Network Access (ZTNA) framework
  • align and enforce password and user credential policies to minimize risk from weak passwords or compromised accounts while restricting access to business data
• Endpoint security software that protects devices by:
  • preventing malware and attacks occurring on-device by mapping known threats and vulnerabilities to behavioral analytics
  • securing remote connections through encrypted micro-tunnels over all network connections
  • employing machine learning (ML) to aid in automating incident response and detecting unknown threats via threat hunting
  • actively monitoring of device health
  • generating real-time notifications of changes to devices
  • creating automatic workflows to quarantine, mitigate and remediate threats
  • providing in-network controls to handle threats, like blocking phishing URLs and Man-in-the-Middle attacks
  • gathering telemetry data from endpoints, providing insight into device health statuses in real-time
• Align cybersecurity plans with known frameworks, like NIST, CIS and MITRE, adhering to best practices for all devices and OSs in your infrastructure
• Enforce compliance by leveraging policy-based management to meet your organization’s regulatory requirements
• Limit data leaks or exfiltration by restricting access to categorized data and the mediums allowed to store protected data, such as preventing saving to external drives or requiring they be encrypted
• Mandate that devices used to access business resources meet minimum requirements, including management and enforcement by MDM and the presence of endpoint security
• Flexible MDM solution that can enforce protections to keep data safe across any device ownership model(BYOD/CYOD/COPE)
• Preserve user privacy while routing personal usage directly to the Internet while keeping business data and apps stored in a separate, secure volume and encrypting communications
• Stream logging data to a centralized SIEM solution to sort, categorize and report on health statuses, trends and data necessary to ensure devices and data remain safe
• Establish decommissioning procedures to safely and securely wipe data from devices flagged for removal from the fleet
• Implement and regularly test multi-pronged disaster recovery solutions to backup critical, verify backups are valid and can that data can be restored
• First- and Third-party integrations securely share telemetry data through APIs, allowing all solutions to stay up-to-date with the latest device health data
• Manage data pools on mobile devices utilizing cellular networks to limit liability from illegal or inappropriate content while ensuring all users have access to bandwidth necessary to remain productive
• Ensure that all device, user and data protections extend throughout the infrastructure and are manageable from anywhere, at any time and on every device supported
• Align regulatory requirements with company policies through an Acceptable Use Policy (AUP) that outlines employer expectations of employee behavior when utilizing company-owned equipment and/or while working with company-owned data and resources

And yet, even with a comprehensive security plan, threat actors still find ways to seemingly sidestep protections. The reason is that, as long as users continue to fall prey to social engineering threats and simply hand over their credentials or other sensitive information, these threat types will continue to be a preferred method of threat actors looking to pick the“low-hanging fruit” from countless victims.

Despite its pervasiveness and success as a critical threat to endpoint security, user safety and safeguarding data, social engineering has one glaring, arguably fatal flaw: it relies on the victim to carry out the payload of the attack in order for it to be successful in achieving its aim. Let me say that again, the onus of successfully carrying out a social engineering campaign is on the end-user – not the threat actor.

This, perhaps, is the greatest weakness of social engineering attacks since it requires the victim to be an active participant during the process by carrying out the attacker’s request(s). But what happens when the target is not a victim, i.e., the end-user recognizes the attempt and does nothing but report it to IT?

The attack is effectively stopped cold in its tracks while IT is alerted to its existence, allowing them to deploy compensating controls to mitigate the threat.

“Knowledge itself is power.” – Sir Francis Bacon

It is this ability to identify social engineering attacks, or at least be suspicious enough about them to give targets pause that is the key to defeating social engineering attacks of various types and forms. In a word: training. Security awareness training that serves to inform users about existing threats and evolving ones based on threat intelligence and trends makes serious inroads into empowering users to detect and stop these types of threats before they become full-on attacks that grow into security incidents.