A Framework for Conceptualizing Social Engineering Attacks
Jose J. Gonzalez, Agder University College, Grimstad, Norway
Jose M. Sarriegi, Alazne Gurrutxaga, Tecnun (University of Navarra), San Sebastian, Spain
CRITIS’06, Samos

Introduction
• Social engineering consists of acquiring information about computer systems through non-technical means
• While technical security of most critical infrastructure is high…
• …it remains vulnerable to attacks from social engineers, whether outsiders or insiders
• Recent studies conclude that it is relatively cheap and easy to mount a large-scale social engineering attack with a high success rate

Objective of the paper
• Objective: Classify social engineering attacks according to their dynamic behaviour using system archetypes
• This classification would help in designing effective multilayered security procedures

A feedback view of social engineering
• Social engineers often use several small attacks to put them in the position to reach their final goal
• The attack is a dynamic process where the outcome of an action is fed back to execute the next action
• Organizational defences activate security controls that could be anticipated by the attacker.

Behaviour of a “Problem”
[Figure: plot of Tourists (vertical axis, 0 to 600) against year (horizontal axis, 1980 to 2005)]

Causal Loop Diagram
[Figure: causal loop diagram with the variables Advertisements in international media, Tourist density, Tourists visiting Samos island, Tourists' satisfaction, Income from tourism and Investment in tourism infrastructures, linked by the loops R1, B2 and R3]

Generic System Archetypes
[Figure: generic archetype diagram with the elements action, outcome, boundary, delay and organizational reaction, and the loops IC, SOL and UC]

The four system archetypes
Intended consequence loop | Unintended consequence loop | Archetype
Balancing | Balancing | Relative Control
Reinforcing | Balancing | Underachievement
Reinforcing | Reinforcing | Relative Achievement
Balancing | Reinforcing | Out of control

Hypothesis
• Descriptions of social engineering attacks in terms of system archetypes have qualities as strategic patterns. They:
  – Conceptualize crucial aspects of the attack and defense process
  – Are cognitively simple
  – Are fairly easy to recognize and to interpret
  – Are modular and can be combined

External social engineer targeting an explicit goal
• An external agent who is trying to achieve a particular goal
• As he comes closer to the desired outcome, the level of protection is higher and higher
• Hence, the social engineer uses elements from the outcome to gain fake authority

External social engineer targeting an explicit goal
[Figure: archetype diagram with the variables desired outcome, action, outcome, agent's authorization level and protection level, the boundary and delays, and the loops IC (B), SOL (B) and UC (B)]

Social engineer targeting a long-term parasitic relationship
• A patient malicious insider provides an external party long-term access to more and more valuable assets
• The organization enacts separation of duties
• The social engineer needs to become a star performer to bypass security controls

Social engineer targeting a long-term parasitic relationship
[Figure: archetype diagram with the variables action, outcome, agent organizational performance and outcome accessibility, the boundary and delays, and the loops IC (R), SOL (R) and UC (B)]

Disgruntled insider as social engineer
• An insider acts against his firm, obtaining escalating “outcomes”. As he is successful, his motivation to proceed increases
• If precursors are detected, the social engineer can be warned or even fired
• He should exercise self-control, targeting major outcomes in a covert way

Disgruntled insider as social engineer
[Figure: archetype diagram with the variables action, outcome, malicious motivation, regulatory action, warnings and precursors, the boundary and delays, and the loops IC (R), SOL (B) and UC (R)]

A social engineer targeting an ambitious goal
• An insider who is determined to launch a massive strike
• But he also activates security controls that could compromise his desired outcome
• The social engineer should use the obtained outcome not only for generating more actions, but also to weaken security controls

A social engineer targeting an ambitious goal
[Figure: archetype diagram with the variables desired outcome, action, outcome and security controls, the boundary and delays, and the loops IC (B), UC (R) and SOL (R)]

Conclusions
• System archetypes represent, at a high level of abstraction and aggregation, the main modes of social engineering attacks
• Although they do not do full justice to real cases, they are a way to conceptualize the most salient aspects of the attack and defence for some time interval
• They are helpful for designing security controls that provide multilayered feedback against the social engineer’s primary intended consequence and solution loops