cognitive approach for social engineering
play

Cognitive approach for social engineering How to force smart people - PowerPoint PPT Presentation

Mar 10, 2023 •579 likes •970 views

Cognitive approach for social engineering How to force smart people to do dumb things. Enrico Frumento , CEFRIEL, Politecnico di Milano (IT) Claudio Lucchiari, Gabriella Pravettoni, Mario Andrea Valori , IRIDe (Interdisciplinary Research and

  1. Cognitive approach for social engineering How to force smart people to do dumb things. Enrico Frumento , CEFRIEL, Politecnico di Milano (IT) Claudio Lucchiari, Gabriella Pravettoni, Mario Andrea Valori , IRIDe (Interdisciplinary Research and Intervention on Decision), Center Università di Milano (IT) www.cefriel.it

  2. AIM AND MAIN CONTRIBUTION OF THIS PAPER  Understand the importance of Cognitive Sciences for the study of Social Engineering  Perform a real and controlled phishing vulnerability assessment with real business users  Address countermeasures 2 Vienna, DeepSec 2010 (C) 2010 CEFRIEL & Università Statale Milano

  3. STRUCTURE OF THE PRESENTATION  How psychology contributes to security – malware 2.0 – Memetics what else?  Our view of Social Engineering – Social engineering 2.0 – Cognitive approach  An early study: Mobile World and SMSishing – Results – So far.. – What’s to come.. 3 Vienna, DeepSec 2010 (C) 2010 CEFRIEL & Università Statale Milano

  4. STRUCTURE OF THE PRESENTATION  How psychology contributes to security – malware 2.0 – Memetics what else?  Our view of Social Engineering – Social engineering 2.0 – Cognitive approach  An early study: Mobile World and SMSishing – Results – So far.. – What’s to come.. 4 Vienna, DeepSec 2010 (C) 2010 CEFRIEL & Università Statale Milano

  5. HOW PSYCHOLOGY CONTRIBUTES TO SECURITY ATTACKER Which psychological models are really used (if any) by attackers of  an informatics system to fool its users? How extensively is psychological modeling used?  Social Engineering: Memetics, Cognitive Sciences 5 Vienna, DeepSec 2010 (C) 2010 CEFRIEL & Università Statale Milano

  6. WHERE ARE VIRUS ANYWAY? Malware 2.0 6 Vienna, DeepSec 2010 (C) 2010 CEFRIEL & Università Statale Milano

  7. MALWARE 2.0 The Malware 2.0 model is characterized as follows:  – the absence of a single command and control center for networks of infected computers – the active use of methods to combat the analysis of malicious code and attempts to gain control over a botnet – short-lived mass mailings of malicious code – Effective use of Social Engineering – the use of a range of methods to spread malicious programs and a gradual move away from the use of methods (e.g. email) which attract attention – using a range of modules (rather than a single one) in order to deliver a range of malicious payloads – Malware as-a-service Source: Kaspersky Labs 7 Vienna, DeepSec 2010 (C) 2010 CEFRIEL & Università Statale Milano

  8. TROJANS, TROJANS AND AGAIN TROJANS.. Source: Kaspersky Labs 8 Vienna, DeepSec 2010 (C) 2010 CEFRIEL & Università Statale Milano

  9. ANOTHER WAY TO VIEW THIS TREND. MALWARE & PUP UNIQUE FAMILIES FROM 1997 TO 2007 ..AND THIS TREND FROM 2008 TO 2009 IS EVEN WORST.. Source: McAfee Journal 9 Vienna, DeepSec 2010 (C) 2010 CEFRIEL & Università Statale Milano

  10. WHY THIS UNDISPUTED DOMAIN OF TROJANS? Trojans are not (usually) able to infect the machine on their own, the  user must be convinced to follow the hook and perform an attack task (click on a link or execute an attachment). User (or victim) must be convinced to do an action   The hook must be good enough  The message must be convincing The cognitive models of any person could be (ab)used.  Social Engineering is the science needed to do this important task:   The dawn of Social Engineering 2.0  SPAM and modern phishing (eg. Spear Phishing)  Strong contextualization of hooks (eg. Using social networks or linked-data) 10 Vienna, DeepSec 2010 (C) 2010 CEFRIEL & Università Statale Milano

  11. EARLY EVIDENCES HOW DO HACKERS BYPASS SECURITY? Take advantage of common weaknesses People don’t understand the technology  – Online Viewer Exploits People caught off guard  – Phishing – Snail mail phishing People trust other people  – Hijack domain: typosquatting People trust the system  – Hacking RFID, telefonia People in a hurry  – ATM scam People get careless  – Social engineering, easier than it sounds… Source: Forgotten, sorry! But was taken from a two years ago conference 11 Vienna, DeepSec 2010 (C) 2010 CEFRIEL & Università Statale Milano

  12. THE HUMAN ELEMENT OF SECURITY The essential change with modern malware is that the human element could be exploited even for automated attacks 12 Vienna, DeepSec 2010 (C) 2010 CEFRIEL & Università Statale Milano

  13. How can we model and handle the human problem? Which approaches have been tried so far? 13 Vienna, DeepSec 2010 (C) 2010 CEFRIEL & Università Statale Milano

  14. AN EARLY APPROACH: MEMETICS Memetics is a science that studies how memes (ideas) spread and  evolves . "Meme" is an abbreviation of "mimeme" a greek word that means  «imitation», it is the cultural equivalent of gene for biologists. It do exists a powerful analogy between the transmission and evolution  of memes and the transmission and evolution of genes. The memetics is a «science» that applies the Darwinian evolution law  (Universal Darwinism) to ideas transmission and evolution. This idea is really useful to model Social Engineering attacks:  – Virus of the mind, R. Brodie – Why Phishing Works, J.D. Tygar – “Whatever Happened to the Unlikely Lads? A Hoaxing Mmetamorphosis”, D. Harley, R. Abrams, Virus Bulletin Conference, Sept 2009 14 Vienna, DeepSec 2010 (C) 2010 CEFRIEL & Università Statale Milano

  15. MEMETICS WHAT ELSE? BUT.. Memetics is still not widely accepted by psychologists and cognitive scientists “Darwinizing Culture: The Status of  Memetics as a Science” R. Aunger “The Meme Machine”, S. Blackmore  Memetics is handy and easy • to understand Cognitive Science is a better • methodological approach 15 Vienna, DeepSec 2010 (C) 2010 CEFRIEL & Università Statale Milano

  16. ANOTHER APPROACH: CYBERSKEPTICISM  « Cyberskepticism: The Mind’s Firewall ” – It is taught to US Army – Quite effective way of thinking – Good for your own mind shaping process – Needs a previously well performed motivation phase – Almost a technique (a mental framework) rather than a theory

  17. STRUCTURE OF THE PRESENTATION  How psychology contributes to security – malware 2.0 – Memetics what else?  Our approach to Social Engineering – Social engineering 2.0 – Cognitive approach  An early study: Mobile World and SMSishing – Results – So far.. – What’s to come.. 17 Vienna, DeepSec 2010 (C) 2010 CEFRIEL & Università Statale Milano

  18. INTO MODERN SOCIAL ENGINEERING STATUS OF DETECTED ATTACKS  “Complex” attacks, or innovative evolution of attacks techniques are seldom observed – Spear phishing, smishing, complex social attack are techniques rarely detected at the moment – All the recent reports state that this is going to change soon  It’s the right moment to study them and develop countermeasures! 18 Vienna, DeepSec 2010 (C) 2010 CEFRIEL & Università Statale Milano

  19. INTO MODERN SOCIAL ENGINEERING PHASES OF AN ATTACK Execution Exploitation Relations Development Information gathering 19 Vienna, DeepSec 2010 (C) 2010 CEFRIEL & Università Statale Milano

  20. INTO MODERN SOCIAL ENGINEERING WHAT MAKES SE 2.0 DIFFERENT FROM SE 1.0 Malware Ecosystem 2.0 •SE is a fundamental part of the malware 2.0 spread policies and tactics Automatic Social Engineering Attacks (ASE) •Automation of SE attacks is now possible thanks to mining and gathering spiders on Social Networks and Automatic Sentiment Analysis tools (semantic analysis of data) Chat-bot • Chat-bot are already used since years with IM systems, but social engineering attacks give them a second youth. For example for ASE attacks to create relations into mass social engineering attacks. Predominance of Mail attack vector • Predominance of mail above all the other attack vectors (presence, phone, fax,…). The advantage is that less “personal” talent is required and more victims are available and automation is easy Abuse of linked-data •Several Public Bodies (Web of Data vs Web of Documents) is rapidly moving toward the free and shared widespread diffusion of data. This is happening thanks to semantics and the Linked-Data. These information if abused are an huge source for social engineering attacks (for the information gathering phase); Psychology (ab)use of personality profiling and cognitive models •Professional and less pioneering use of memetics and, most of all, of psychological models of the attack victims Economic Drivers •Like Malware before, Social Engineering is out of its romantic phase and is now a professional tool for cybercrime

  21. STRUCTURE OF THE PRESENTATION  How psychology contributes to security – malware 2.0 – Memetics what else?  Our view of Social Engineering – Social engineering 2.0 – Cognitive approach  An early study: Mobile World and SMSishing – Results – So far.. – What’s to come.. 21 Vienna, DeepSec 2010 (C) 2010 CEFRIEL & Università Statale Milano

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Social Forensication A Multidisciplinary Approach to Successful Social Engineering Joe Gray,

Social Forensication A Multidisciplinary Approach to Successful Social Engineering Joe Gray,

Social Forensication A Multidisciplinary Approach to Successful Social Engineering Joe Gray, CISSP-ISSMP, GSNA, GCIH, OSWP Hack in Paris 2019 The thoughts and opinions in this presentation do not The thoughts and opinions in this presentation

408 views • 37 slides
Panel 2: Cognitive Health THE ROLE OF COGNITIVE DECLINE ON EARLY RETIREMENT: A MENDELIAN APPROACH

Panel 2: Cognitive Health THE ROLE OF COGNITIVE DECLINE ON EARLY RETIREMENT: A MENDELIAN APPROACH

Panel 2: Cognitive Health THE ROLE OF COGNITIVE DECLINE ON EARLY RETIREMENT: A MENDELIAN APPROACH Amal Harrati, PhD Mark R. Cullen, MD August 4, 2016 Research Aims Estimate the causal role of cognitive decline on early retirement decisions.

932 views • 92 slides
Living with Social Robots Luca Iocchi RoCoCo (Cognitive Cooperating Robots) Lab Dept. of

Living with Social Robots Luca Iocchi RoCoCo (Cognitive Cooperating Robots) Lab Dept. of

Living with Social Robots Luca Iocchi RoCoCo (Cognitive Cooperating Robots) Lab Dept. of Computer Control and Management Engineering Sapienza University of Rome Italy Overview What is needed for a Social Robots to "live" in an

577 views • 14 slides
Understanding Player Interpretation An Embodied Approach Jonne Arjoranta University of

Understanding Player Interpretation An Embodied Approach Jonne Arjoranta University of

Understanding Player Interpretation An Embodied Approach Jonne Arjoranta University of Jyvskyl Embodied Cognition Also known as the embodied mind thesis Studied by cognitive and social psychology, cognitive linguistics and

426 views • 17 slides
1 PSYC530 wk01 handouts Cognitive Engineering Cognitive Science Applied to Human Factors

1 PSYC530 wk01 handouts Cognitive Engineering Cognitive Science Applied to Human Factors

1 PSYC530 wk01 handouts Cognitive Engineering Cognitive Science Applied to Human Factors Covers cognitive theory from an applied perspective to understand and predict the interactions among human cognition, artifact (i.e., tools), and task.

386 views • 15 slides
Assessment of Social Engagement and Cognitive Function for Studying Aging Izhak Shafran Center

Assessment of Social Engagement and Cognitive Function for Studying Aging Izhak Shafran Center

Social Engagement, Cognitive Decline and Measurements Assessing Social Engagement Assessing Cognitive Function Conclusion Assessment of Social Engagement and Cognitive Function for Studying Aging Izhak Shafran Center for Spoken Language

704 views • 58 slides
Key Areas of Children's Development Cognitive Language Motor Social- Emotional Cognitive

Key Areas of Children's Development Cognitive Language Motor Social- Emotional Cognitive

8/30/2012 Assessing Children's Developmental Strengths and PCIT Melanie Nelson, Ph.D. September 2012 Key Areas of Children's Development Cognitive Language Motor Social- Emotional Cognitive Development Verbal problem solving

81 views • 4 slides
Mechanisms of Age-Related Cognitive Change/Targets for Intervention: Social Interactions/Stress

Mechanisms of Age-Related Cognitive Change/Targets for Intervention: Social Interactions/Stress

Mechanisms of Age-Related Cognitive Change/Targets for Intervention: Social Interactions/Stress Margie E. Lachman Brandeis University No Conflicts Discussion Cognitive Aging Summit II FNIH/NIA/McKnight Foundation Washington DC, October 4-5,

369 views • 14 slides
SOCIAL ENGINEERING Jake Johnson Sixto Bernal AGENDA What is social engineering? Current events

SOCIAL ENGINEERING Jake Johnson Sixto Bernal AGENDA What is social engineering? Current events

SOCIAL ENGINEERING Jake Johnson Sixto Bernal AGENDA What is social engineering? Current events Social engineering risks Mitigation Strategies Q&A WHAT IS SOCIAL ENGINEERING? The Art of Deception, Kevin Mitnick: "Social

449 views • 19 slides
Software Engineering 2012 All Projects Donnerstag, 19. April 12 Cognitive Load: Data

Software Engineering 2012 All Projects Donnerstag, 19. April 12 Cognitive Load: Data

Software Engineering 2012 All Projects Donnerstag, 19. April 12 Cognitive Load: Data composition Organization: CoLi Contact: Asad Sayeed, Vera Demberg Our overall agenda is to study the influence of language on cognitive overload: if the

1.15k views • 90 slides
Reverse-engineering human intelligence, and engineering more human-like AI Josh Tenenbaum MIT

Reverse-engineering human intelligence, and engineering more human-like AI Josh Tenenbaum MIT

Reverse-engineering human intelligence, and engineering more human-like AI Josh Tenenbaum MIT Computational Cognitive Science Group CSAIL Department of Brain and Cognitive Sciences March 2013 A success story: Intelligence as statistics

379 views • 5 slides
Cognitive Interviewing Debbie Collins What is cognitive interviewing? Cognitive interviewing

Cognitive Interviewing Debbie Collins What is cognitive interviewing? Cognitive interviewing

Cognitive Interviewing Debbie Collins What is cognitive interviewing? Cognitive interviewing techniques Think aloud Probing Observation Response latency Vignettes/ card sorts Cognitive Interviewing Process Comprehension

511 views • 20 slides
Improved Bootstrapping Approach in Multichannel Cognitive Radio Ad Hoc Networks The 4th Workshop

Improved Bootstrapping Approach in Multichannel Cognitive Radio Ad Hoc Networks The 4th Workshop

Improved Bootstrapping Approach in Multichannel Cognitive Radio Ad Hoc Networks The 4th Workshop of COST Action IC0902 October 9-11, 2013 Oleksandr (Alex) Artemenko, Paulo M. R. dos Santos Improved Bootstrapping Approach in Multichannel

287 views • 16 slides
Computable cognitive model based on based on Computable cognitive model social evidence and

Computable cognitive model based on based on Computable cognitive model social evidence and

Computable cognitive model based on based on Computable cognitive model social evidence and restricted by resources social evidence and restricted by resources Applications for personalized search and social media Applications for personalized

479 views • 19 slides
Becker Meets Ricardo: Multisector Matching with Social and Cognitive Skills Robert J. McCann

Becker Meets Ricardo: Multisector Matching with Social and Cognitive Skills Robert J. McCann

Becker Meets Ricardo: Multisector Matching with Social and Cognitive Skills Robert J. McCann Xianwen Shi Aloysius Siow Ronald Wolthoff University of Toronto June 2012 Introduction social skills are important in education, labor and marriage

649 views • 21 slides
Engineering Approach to Engineering Approach to Healthcare Delivery Predictive Modeling Team

Engineering Approach to Engineering Approach to Healthcare Delivery Predictive Modeling Team

Massachusetts Institute of Technology Engineering Approach to Engineering Approach to Healthcare Delivery Predictive Modeling Team Suhail Ahmad, Terry Hu, Kangse Kim, Jeongyeon Shim, Sungmin You Seminar on Healthcare System Innovation

426 views • 29 slides
Computational Scientific Discovery and Cognitive Science Theories Peter D Sozou University of

Computational Scientific Discovery and Cognitive Science Theories Peter D Sozou University of

Computational Scientific Discovery and Cognitive Science Theories Peter D Sozou University of Liverpool and LSE Joint work with: Mark Addis Birmingham City University and LSE Fernand Gobet University of Liverpool and LSE Peter C.R. Lane

459 views • 23 slides
COGS 105 Research Methods for Cognitive Scientists Week 1, Class 2: More Background

COGS 105 Research Methods for Cognitive Scientists Week 1, Class 2: More Background

COGS 105 Research Methods for Cognitive Scientists Week 1, Class 2: More Background Multi-Methodological Today... Representations Philosophy Linguist Computations Psychology Mathematician CRUM

449 views • 10 slides
COGS 105 Research Methods for Cognitive Scientists Week 1, Class 1: Introduction to the Course;

COGS 105 Research Methods for Cognitive Scientists Week 1, Class 1: Introduction to the Course;

COGS 105 Research Methods for Cognitive Scientists Week 1, Class 1: Introduction to the Course; Preliminaries Cognitive Science Important: Course Site Cognitive science is the scientific study of intelligent cognaction.org/cogs105 behavior

380 views • 8 slides
CS325 ARTIFICIAL INTELLIGENCE Introduction: Chapter 1 Outline Course overview What is

CS325 ARTIFICIAL INTELLIGENCE Introduction: Chapter 1 Outline Course overview What is

CS325 ARTIFICIAL INTELLIGENCE Introduction: Chapter 1 Outline Course overview What is AI? A brief history The state of the art Course overview Int. Agents and Problem Solving (ch 1-3) Probabilistic Reasoning (chs

234 views • 19 slides
Welcome! CS5811 - Advanced Artificial Intelligence Nilufer Onder Department of Computer Science

Welcome! CS5811 - Advanced Artificial Intelligence Nilufer Onder Department of Computer Science

Welcome! CS5811 - Advanced Artificial Intelligence Nilufer Onder Department of Computer Science Michigan Technological University Outline Information about me and you Course logistics Lecture topics What is AI? (Chapter 1 - Introduction)

384 views • 12 slides
understanding the mind Naomi Feldman University of Maryland December 4, 2014 Language in the

understanding the mind Naomi Feldman University of Maryland December 4, 2014 Language in the

Toward a goal of understanding the mind Naomi Feldman University of Maryland December 4, 2014 Language in the mind How to learners acquire speech sound categories? How do listeners perceive speech in noisy situations? How do

366 views • 22 slides
15-780 - graduate artificial intelligence ai and education i . Shayan Doroudi April 24, 2017 1

15-780 - graduate artificial intelligence ai and education i . Shayan Doroudi April 24, 2017 1

15-780 - graduate artificial intelligence ai and education i . Shayan Doroudi April 24, 2017 1 Machine Learning + Search Machine Learning + Mechanism Design Multi-Armed Bandits overview Lecture Application AI Topics Series on

595 views • 46 slides
THE QUANTUM CHALLENGE IN COGNITIVE SCIENCE AND DECISION THEORY SCIENCE AND DECISION THEORY

THE QUANTUM CHALLENGE IN COGNITIVE SCIENCE AND DECISION THEORY SCIENCE AND DECISION THEORY

Brussels, Belgium, November 30, 2013 WHITHER QUANTUM STRUCTURES? QUANTUM LOGIC IN THE 21TH CENTURY THE QUANTUM CHALLENGE IN COGNITIVE SCIENCE AND DECISION THEORY SCIENCE AND DECISION THEORY SANDRO SOZZO (WITH D. AERTS) CENTER LEO APOSTEL

612 views • 28 slides

More recommend