By applying a little bit of strategic thinking, you realize that there is a lot more one can do to defend against #SocialEngineering than awareness training alone. Here is a visualization, based on a typical SE attack kill-chain:
(thread 🧵 1/10)
Phase 1:
🔸SEs gather information & plan the attack scenario/seek entry points.

To prevent them, defenders can:

🔹Seek to understand their public information exposure & its potential consequences (e.g. by conducting an OSINT investigation on their own org) in order to manage it

2/10
🔹 Proactively limit/blur critical information that they have publicly available on the internet (e.g. specific technologies named in job postings & descriptions, etc.).

3/10
🔹Identify the attack scenarios that are likely to play out, and train people on these scenarios: to recognize them and to learn how to handle manipulation techniques. This is even more important for some people/orgs (e.g. the ones handling very sensitive information) than for others.

4/10
🔹Train employees to protect their organizational assets and information by understanding their value and not oversharing, or giving access to strangers, info on social media, etc. That goes back to limiting unnecessary information exposure.

5/10
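The Phase 1 items above (know your exposure, then limit/blur what is published) can be partly automated for text an org controls. The script below is an added example, not part of the original thread: it scans a draft job posting against a watchlist of specific product names that would let an attacker tailor a pretext, reports each hit with its line, and produces a blurred version with generic wording. The watchlist, the replacement phrases and the sample posting are all constructed for illustration; every organization needs its own list.

```python
"""Exposure check for public-facing text (job postings, press releases, bios).

Added example, not the thread author's code. The WATCHLIST below is a
constructed, hypothetical list: specific technology names mapped to the
generic wording a defender could publish instead.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed watchlist (hypothetical): regex -> generic replacement wording.
WATCHLIST: Dict[str, str] = {
    r"\bCisco (ASA|ISE)\b": "our network security platform",
    r"\bOkta\b": "our cloud identity provider",
    r"\bServiceNow\b": "our IT service management platform",
    r"\bSAP\b": "our ERP system",
    r"\bCrowdStrike\b": "our EDR platform",
    r"\bPalo Alto\b": "our next-generation firewalls",
}


@dataclass
class Finding:
    term: str        # the exact text that matched
    line_no: int     # 1-based line in the scanned text
    context: str     # the full line, for the reviewer
    suggestion: str  # generic wording to publish instead


def scan_text(text: str, watchlist: Dict[str, str] = WATCHLIST) -> List[Finding]:
    """Return every watchlist hit in `text`, in line order then watchlist order."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for pattern, suggestion in watchlist.items():
            for match in re.finditer(pattern, line):
                findings.append(
                    Finding(match.group(0), line_no, line.strip(), suggestion)
                )
    return findings


def blur_text(text: str, watchlist: Dict[str, str] = WATCHLIST) -> str:
    """Return `text` with every watchlist term replaced by its generic wording."""
    blurred = text
    for pattern, suggestion in watchlist.items():
        blurred = re.sub(pattern, suggestion, blurred)
    return blurred


def exposure_report(text: str) -> str:
    """Human-readable summary of what a draft gives away and how to reword it."""
    findings = scan_text(text)
    if not findings:
        return "No watchlisted technology names found."
    lines = [f"{len(findings)} disclosure(s) found:"]
    for f in findings:
        lines.append(f"  line {f.line_no}: '{f.term}' -> suggest '{f.suggestion}'")
    return "\n".join(lines)


# Constructed sample job posting (not a real listing).
SAMPLE_POSTING = """Senior Security Engineer (Remote)
Join our SOC team. You will manage our Okta tenant, tune CrowdStrike
detections and administer Cisco ISE for network access control.
Familiarity with ServiceNow ticket workflows is a plus."""


if __name__ == "__main__":
    print(exposure_report(SAMPLE_POSTING))
    print()
    print(blur_text(SAMPLE_POSTING))
```

Run it against a draft before it is published; the blurred output keeps the posting useful to candidates while removing the vendor-specific detail an impersonator would quote back to the help desk.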
🔶Phase 2: Attack via phishing, vishing, impersonation etc.

🔷At this point, defenders should have already been trained to recognize the most common traits of a SE attack, in order to:

a) detect it
b) subtly verify their suspicion
c) thwart the attack

6/10
🔷 People learn to detect attacks mainly by:
- training
- attack simulations

But detection is not enough. They need to know how to respond and then...

7/10
🔷...Report it, whether the attack was successful or unsuccessful. In the first case the org has the chance to contain the attack, and in the second, it can notify and alert the rest of the org. Reporting goes a long way, as one person may recognize an attack & another may not.

8/10
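Phase 2 turns on two measurements a simulation can give you: how many people detected and reported the lure, and whether the first report arrived before the first click, which is the window in which the org can still contain the attack. The script below is an added example, not part of the original thread; the outcome records and timestamps are constructed.

```python
"""Score a phishing/vishing simulation by detection and reporting, not only by clicks.

Added example, not the thread author's code. All records below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class Outcome:
    user: str
    clicked_at: Optional[datetime]   # None if the user never engaged
    reported_at: Optional[datetime]  # None if the user never reported


# Constructed send time and per-user outcomes for one simulated campaign.
SEND_TIME = datetime(2023, 5, 10, 9, 0)
SIMULATION: List[Outcome] = [
    Outcome("alice", None, SEND_TIME + timedelta(minutes=4)),   # spotted and reported
    Outcome("bob", SEND_TIME + timedelta(minutes=11), None),   # clicked, stayed silent
    Outcome("carol", SEND_TIME + timedelta(minutes=15),
            SEND_TIME + timedelta(minutes=20)),                # clicked, then reported
    Outcome("dave", None, None),                               # ignored it entirely
    Outcome("erin", None, SEND_TIME + timedelta(minutes=30)),  # reported late
]


def summarize(outcomes: List[Outcome], send_time: datetime) -> Dict[str, object]:
    """Compute the metrics that matter for the detect / respond / report chain."""
    total = len(outcomes)
    clicks = [o.clicked_at for o in outcomes if o.clicked_at is not None]
    reports = [o.reported_at for o in outcomes if o.reported_at is not None]
    first_click = min(clicks) if clicks else None
    first_report = min(reports) if reports else None

    # Positive head start: defenders heard about the lure before anyone fell for it.
    head_start = None
    if first_click is not None and first_report is not None:
        head_start = (first_click - first_report).total_seconds() / 60

    return {
        "recipients": total,
        "click_rate": len(clicks) / total,
        "report_rate": len(reports) / total,
        # Users who clicked but still reported: the response behaviour the thread asks for.
        "clicked_then_reported": [
            o.user for o in outcomes
            if o.clicked_at is not None and o.reported_at is not None
        ],
        # Users who neither clicked nor reported: no signal reached the org from them.
        "silent": [
            o.user for o in outcomes
            if o.clicked_at is None and o.reported_at is None
        ],
        "minutes_to_first_report": (
            (first_report - send_time).total_seconds() / 60
            if first_report is not None else None
        ),
        "first_report_before_first_click": (
            first_report is not None
            and (first_click is None or first_report < first_click)
        ),
        "head_start_minutes": head_start,
    }


if __name__ == "__main__":
    for key, value in summarize(SIMULATION, SEND_TIME).items():
        print(f"{key}: {value}")
```

A campaign with a low click rate but a low report rate is still a weak result: nobody told the org. The "head start" figure is the number of minutes the response team had between the first report and the first click, which is exactly the containment chance the thread describes.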
***Of course, this is just an outline of recommendations. The point of this thread is mainly to provide some ideas on what can be done about social engineering attacks, both proactively and reactively. Different organizations have different needs.***

9/10
I know that many perceive Social Engineering as an insurmountable problem due to the fact that the attacks are so subtle and manipulative. However, before throwing in the towel, consider that a lot of things can be done to effectively thwart a good amount of them.

10/10
Thread by Christina Lekati.