2. Our Work
Danish Institute of Fire and Security Technology
SOCIAL ENGINEERING
CYBER INVESTIGATION
IT FORENSICS
PHYSICAL & ELECTRONIC SECURITY
3. Overview
Presentation
Future of Social Engineering
Current trends and future expectations on the phenomenon of Social Engineering.
Dogana
3-year EU project with the aim of developing next generation Social Engineering attacks and mitigation methods.
Project SAVE
National R&D project for The Royal Danish Defence College (FAK) on Social Engineering 2.0.
4. Introduction to Social Engineering
5. Social Engineering
DEFINITION
"Social Engineering is the art of getting someone to do something they would not otherwise do – using psychological manipulation."
6. Social Engineering Attack Cycle
SE Attack Cycle
1. Reconnaissance: Conduct the necessary research to understand the target at hand.
2. Contact: Initiate contact with the target based on the insights gained from the reconnaissance phase.
3. Attack: Execute the attack by requiring the target to perform an action the target would not otherwise perform.
4. Exit: Employing an exit strategy is typically only required if the target is to be left unsuspecting or if the attackers expect additional contact with the target in the future.
7. Social Engineering 2.0
NEW METHODS
Social Engineering has evolved from the physical domain, as a platform for elicitation of information, to employing cyberspace as the new battleground. New means of communication between individuals bring new attack vectors for the social engineer, including phishing emails, smishing, CEO fraud, ransomware, etc.
8. Project SAVE:
Social Vulnerability & Assessment Framework
R&D for The Royal Danish Defence College
9. Project SAVE
National Project
National project developed for the Royal Danish Defence College with the purpose of uncovering the threat of Social Engineering against critical national infrastructure (CNI) in Denmark.
• Development of advanced OSINT methods, deception planning and SE 2.0 attacks.
• Execution of simulated attacks against three companies that are directly part of, or support, critical national infrastructure.
• The purpose is to uncover how vulnerable CNI is to Social Engineering 2.0 attacks and disseminate the results of the study.
10. SAVE: Reconnaissance
• Crawling of email addresses
• Social media personality profiling (sentiment analysis)
• Social Network Analysis (SNA)
• Systemic network footprinting (Maltego, metadata)
• Darknet investigation for leaked/sold information
11. Reconnaissance
Project SAVE
Email crawling:
• Crawled from the companies’ own websites
• Crawled from open sources
• Indexed results from Google
• Indexed documents
12. Reconnaissance
Project SAVE
Sentiment Analysis & Personality Profiling:
• Crawled content from targets’ Facebook profiles
• Coded a script
• Emulated human browsing with Selenium to avoid crawling countermeasures
• Conducted sentiment analyses of the content using a ‘bag of words’ approach
• Based on the sentiment analyses, we categorized the users in the ‘Big Five’ personality framework
14. Reconnaissance
Project SAVE
Darknet Investigation Methods:
• Systematic analysis of information sold on Darknet
• Correlated sold information on 45+ darknet markets for the involved companies in the study
• We could not request information
15. Reconnaissance Results
Project SAVE
Critical Results from the Recon Phase:
• ID layout for business deals
• ID of stakeholders and voting rights within the organisation
• ID of critical database system and how to access it
• ID of complete guide to the database
• ID of users with access to the database
• Full list of emails and phone numbers
16. Reconnaissance Results
Project SAVE
Critical Results from the Recon Phase:
• ID of useful information from metadata, incl. long list of software in use
• Design of Guest ID Card
• Social network analysis revealed critical nodes within the company network, which were highly interconnected, making them ideal targets for a SE attack
18. Executed Attacks
Project SAVE
Objective is to target CNI
Three companies that are either directly part of, or support, critical infrastructure in Denmark participated.
Conduct Cyber Reconnaissance
Complete cyber reconnaissance of the companies and select employees.
185 social engineering 2.0 attacks
A total of 185 SE 2.0 attacks were executed as part of the field trial testing.
Vector                   Target #1   Target #2   Target #3
Spear-Phishing           3           1           3
Whaling                  1           1           3
Conventional Phishing    2           4           146
Smishing                 3           5           9
USB Attack               0           0           3
PDF attack (follow-up)   1           2 (3)       0
19. Aggregated Results
Project SAVE
Successful Attacks
47% of all executed SE 2.0 attacks were successful in convincing the targets to click on phishing links or execute a file. The criterion for success was the registration of the attempt in our web server log.
Failed Attempts
A little more than half of all executed attacks were unsuccessful in the study. From qualitative interviews with some of the targets, we can conclude that minor details in the wording, the spoofed sender, and/or a lack of information (e.g. a phone number in the email) were the reasons behind their lack of trust in the email.
Success Rate of SE 2.0 Attacks: 47% successful, 53% failed
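Added example (not from the presentation or Project SAVE): one way to derive a per-vector success rate from a web server log when running an authorised awareness exercise. It assumes a combined-format access log, a hypothetical per-recipient token in the path (/t/<token>) and a constructed roster and log; it counts each recipient once and ignores HEAD requests and a placeholder link-scanner user agent, so automated pre-fetching is not scored as a human click.

```python
import re
from collections import defaultdict

# Constructed campaign roster: tracking token -> attack vector (tokens are hypothetical).
ROSTER = {
    "a1f3": "Spear-Phishing", "b7c2": "Spear-Phishing",
    "c9d4": "Smishing", "d2e8": "Smishing", "e5a6": "Smishing",
}

# Constructed access-log lines in Apache/nginx "combined" format.
SAMPLE_LOG = """\
198.51.100.7 - - [02/May/2017:09:14:03 +0200] "GET /t/a1f3 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0)"
198.51.100.7 - - [02/May/2017:09:14:09 +0200] "GET /t/a1f3 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0)"
203.0.113.20 - - [02/May/2017:09:15:41 +0200] "HEAD /t/b7c2 HTTP/1.1" 200 0 "-" "ExampleLinkScanner/1.0"
203.0.113.21 - - [02/May/2017:09:15:42 +0200] "GET /t/b7c2 HTTP/1.1" 200 512 "-" "ExampleLinkScanner/1.0"
192.0.2.33 - - [02/May/2017:10:02:17 +0200] "GET /t/c9d4 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (iPhone)"
192.0.2.34 - - [02/May/2017:10:05:55 +0200] "GET /t/zzzz HTTP/1.1" 404 0 "-" "Mozilla/5.0 (X11)"
192.0.2.35 - - [02/May/2017:10:07:12 +0200] "GET /t/d2e8 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Android)"
"""

LINE = re.compile(r'"(?P<method>[A-Z]+) /t/(?P<token>\w+) HTTP/[\d.]+" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"')
SCANNER_UA = ("ExampleLinkScanner",)  # placeholder for your mail gateway's link checker

def clicked_tokens(log_text):
    """Return the set of roster tokens with at least one human-looking GET."""
    hits = set()
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m or m["method"] != "GET" or m["token"] not in ROSTER:
            continue
        if any(s in m["ua"] for s in SCANNER_UA):
            continue  # automated pre-fetch, not the recipient
        hits.add(m["token"])  # set membership de-duplicates repeat clicks
    return hits

def success_by_vector(log_text):
    """Return {vector: (clicked, sent, rate)} for every vector in the roster."""
    sent, clicked = defaultdict(int), defaultdict(int)
    hits = clicked_tokens(log_text)
    for token, vector in ROSTER.items():
        sent[vector] += 1
        clicked[vector] += token in hits
    return {v: (clicked[v], sent[v], clicked[v] / sent[v]) for v in sent}

if __name__ == "__main__":
    for vector, (c, s, rate) in success_by_vector(SAMPLE_LOG).items():
        print(f"{vector}: {c}/{s} = {rate:.0%}")
```

Without the scanner and de-duplication filters, the same constructed log would score Spear-Phishing at 2/2 instead of 1/2, which is how a log-based success criterion can overstate the result.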
20. Dogana:
Advanced Social Engineering and
Vulnerability Assessment Framework
R&D For The EU Commission
21. The Dogana Consortium
The Dogana Project
Partners
18 partners from 11 countries in a 3-year Horizon 2020 project about advanced Social Engineering 2.0.
http://www.dogana-project.eu
22. Overview of Dogana
The Dogana Project
Next Generation SE Attacks
Developing a next generation platform for social vulnerability assessment via simulated attacks.
Innovative Awareness Methods
Using innovative awareness methods to mitigate the risk of social engineering.
Full Scale Field Trials
Full-scale field trial testing of the platform, testing 1,000+ employees to evaluate the recon, attack and awareness phases.
23. Dogana Platform
The Dogana Project
End-to-End SE Platform
End-to-end platform that embodies both advanced reconnaissance methods for uncovering the digital shadow of targets and psychological profiling.
Adv. Recon and Assessment of Targets
The advanced recon methods are integrated into a one-stop platform where a full assessment of targets can be conducted.
Integrated SE 2.0 attacks
The platform integrates social engineering 2.0 attack vectors, thus becoming a holistic attack solution for conducting socially driven vulnerability assessments of companies.
24. Innovative Awareness Methods
The Dogana Project
Gamification
Gamification is the concept of using serious games as a delivery method for improving the security consciousness of the recipients.
Interactive learning
Serious games are interactive and can be either single- or multi-player. Serious games can prove to be more effective than conventional learning methods.
Less is more
2 min. of playing a game every day for six months versus spending 6 hours at a frontal lecture once every six months: which has the greatest impact in maintaining security consciousness for the recipient over time?
25. Future of Social Engineering
26. Introducing SNAP_R
Future of SE
Aut. E2E Spear Phishing on Twitter
SNAP_R auto-analyses and selects targets, and generates proper and relevant responses to tweets, which include a phishing link.
Neural Network / Deep Learning
It utilizes deep learning for analysing data from users and data about users, in order to select the targets most susceptible to spear phishing attacks.
Deception through Obfuscation
Given that grammatical errors are widely accepted on Twitter, that a tweet is limited to 140 characters and that URLs are almost always shortened, SNAP_R gets around most of the obstacles machine learning faces in automated spear phishing attacks.
27. Introducing SNAP_R
Future of SE
5x More Effective
SNAP_R is up to five times as effective compared to other automated spear phishing bots, which typically have a success rate ranging from 5% to 14%. However, SNAP_R reports success rates ranging from 30% to 66%. Manually constructed spear phishing attacks have an average success rate of 45%.
Open Source
SNAP_R is open source and available for everyone to test. The script can be found on GitHub:
https://github.com/getzerofox/SNAP_R
Example
28. IoT Ransomware
Future of SE
Internet of Things Ransomware
IoT ransomware is no longer hypothetical. We foresee a development in ransomware attacks moving to IoT as soon as more standards are implemented in the making of IoT devices.
From Digital to Physical Lockdown
When all of your devices become connected to the Internet, ransomware attacks will be able to move from focusing on locking access to data to locking access to your actual devices.
Examples
• Your Smart Car
• Your Smart Home
• Pacemakers
• Hospital Equipment
• Real Examples: Smart Thermostat & Smart TV
29. Thank you
Dennis Hansen
Email: deh@dbi-net.dk
Tel.: +45 31 53 43 44