A Framework for Conceptualizing Social Engineering Attacks


A Framework for Conceptualizing Social Engineering Attacks. Jose J. Gonzalez, Agder University College, Grimstad, Norway. Jose M. Sarriegi, Alazne Gurrutxaga, Tecnun (University of Navarra), San Sebastian, Spain. CRITIS06, Samos.


SLIDE 1

CRITIS’06, Samos

A Framework for Conceptualizing Social Engineering Attacks

Jose J. Gonzalez

Agder University College, Grimstad, Norway

Jose M. Sarriegi, Alazne Gurrutxaga

Tecnun (University of Navarra) San Sebastian, Spain

SLIDE 2

Introduction

  • Social engineering consists of acquiring information about computer systems through non-technical means
  • While technical security of most critical infrastructure is high…
  • …it remains vulnerable to attacks from social engineers, whether outsiders or insiders
  • Recent studies conclude that it is relatively cheap and easy to mount a large scale social engineering attack with a high success rate

SLIDE 3

Objective of the paper

  • Objective: Classify social engineering attacks according to their dynamic behaviour using system archetypes
  • This classification would help in designing effective multilayered security procedures

SLIDE 4

A feedback view of social engineering

  • Social engineers often use several small attacks to put them in the position to reach their final goal
  • The attack is a dynamic process where the outcome of an action is fed back to execute the next action
  • Organizational defences activate security controls that could be anticipated by the attacker.

SLIDE 5

Behaviour of a “Problem”

[Figure: plot of Tourists against year, 1980 to 2005]

SLIDE 6

Causal Loop Diagram

[Figure: causal loop diagram with the variables Tourists visiting Samos island, Income from tourism, Advertisements in international medias, Tourist density, Tourists' satisfaction and Investment in tourism infrastructures, and the loops R1, B2 and R3]

SLIDE 7

Generic System Archetypes

[Figure: generic system archetype diagram, shown twice, with the elements action, outcome and organizational reaction, the loops IC, UC and SOL, a boundary, and two delays]

SLIDE 8

The four system archetypes

Archetype              Unintended consequence loop   Intended consequence loop
Out of control         Reinforcing                   Balancing
Relative Achievement   Reinforcing                   Reinforcing
Underachievement       Balancing                     Reinforcing
Relative Control       Balancing                     Balancing

SLIDE 9

Hypothesis

  • Descriptions of social engineering attacks in terms of system archetypes have qualities as strategic patterns. They:
    – Conceptualize crucial aspects of the attack and defense process
    – Are cognitively simple
    – Are fairly easy to recognize and to interpret
    – Are modular and can be combined

SLIDE 10

External social engineer targeting an explicit goal

  • An external agent who is trying to achieve a particular goal
  • As he comes closer to the desired outcome, the level of protection is higher and higher
  • Hence, the social engineer uses elements from the outcome to gain fake authority

SLIDE 11

External social engineer targeting an explicit goal

[Figure: causal loop diagram with the elements desired outcome, action, outcome, protection level and agent's authorization level, the loops IC (B), UC (B) and SOL (B), a boundary, and two delays]

SLIDE 12

Social engineer targeting a long-term parasitic relationship

  • A patient malicious insider provides an external party long term access to more and more valuable assets
  • The organization enacts separation of duties
  • The social engineer needs to become a star performer to bypass security controls

SLIDE 13

Social engineer targeting a long-term parasitic relationship

[Figure: causal loop diagram with the elements action, outcome, outcome accessibility and agent organizational performance, the loops IC (R), UC (B) and SOL (R), a boundary, and two delays]

SLIDE 14

Disgruntled insider as social engineer

  • An insider acts against his firm, obtaining escalating “outcomes”. As he is successful his motivation to proceed increases
  • If precursors are detected the social engineer can be warned or even fired
  • He should manage to self-control, targeting major outcomes in a covert way

SLIDE 15

Disgruntled insider as social engineer

[Figure: causal loop diagram with the elements action, outcome, malicious motivation, precursors, warnings and regulatory action, the loops IC (R), UC (R) and SOL (B), a boundary, and two delays]

SLIDE 16

A social engineer targeting an ambitious goal

  • An insider who is determined to launch a massive strike
  • But he also activates security controls that could compromise his desired outcome
  • The social engineer should use the obtained outcome not only for generating more actions, but also to weaken security controls

SLIDE 17

A social engineer targeting an ambitious goal

[Figure: causal loop diagram with the elements action, outcome, security controls and desired outcome, the loops IC (B), UC (R) and SOL (R), a boundary, and two delays]

SLIDE 18

Conclusions

  • System archetypes represent at a high level of abstraction and aggregation the main modes of social engineering attacks
  • Although they do not do full justice to real cases, they are a way to conceptualize the most salient aspects of the attack and defence for some time interval
  • They are helpful to design security controls that provide multilayered feedback against the social engineer’s primary intended consequence and solution loops

SLIDE 19

A Framework for Conceptualizing Social Engineering Attacks

Jose J. Gonzalez

Agder University College, Grimstad, Norway

Jose M. Sarriegi, Alazne Gurrutxaga

Tecnun (University of Navarra) San Sebastian, Spain