Social engineering awareness training is great, but it isn’t enough. Business Reporter’s resident U.S. blogger Keil Hubert argues that dedicated cyber criminals are changing their tactics to take advantage of our companies’ weakest defensive element: the human resources department.
The best way to attack an organisation is always to attack the target organisation’s employees. Professional soldiers have argued for millennia that striking a target’s weakest defensive element is the surest path to victory. The same principle holds true for professional criminals: why waste resources and effort assailing a well-defended bulwark when you can get the target’s defenders to simply let you in the front door?
The Register’s Darren Pauli brought this up last Thursday in an article titled Ransomware Scum: “I Believe I’m a good fit. See attachments.” In it, Pauli relates how criminals have started subverting corporate PCs with ransomware by way of emailing fake job applications to their targets’ HR departments. One attachment in the application email is a realistic-looking cover letter. The accompanying CV attachment is actually a nasty piece of malware which encrypts the victim’s hard drive(s). The surprised HR tech then needs to pay the crims about a thousand pounds’ worth of Bitcoin in order to get the key that decrypts their scrambled files.
It’s a logical move on the crims’ part: corporate email server defences are often less sophisticated than mass-market email service providers’ defences (like Yahoo, Google, etc.). By going after a weaker target, their toxic payload is less likely to get filtered out before reaching a viable human victim. They take advantage of an easy camouflage scheme – masquerading as a routine job application – to trick a screener into opening an infected attachment. Then… boom.
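The camouflage only works if the screener’s mail gateway lets a “CV” through on the strength of its name. The following is an added example (mine, not code from the original post or from the article it cites) of the kind of attachment triage an HR mailbox should get before a human ever double-clicks: it parses a constructed job-application email, then flags attachments with executable or script extensions, double extensions such as `.pdf.exe`, and file contents whose magic bytes don’t match the extension they claim. The sender, recipient, filenames and file contents are all constructed for the demonstration; the extension and signature lists are a starting point, not an exhaustive policy.

```python
import email
from email import policy
from email.message import EmailMessage
from typing import Dict, List

# Extensions that should never arrive as a "CV" or "cover letter" (assumed baseline policy).
RISKY_EXTENSIONS = {
    "exe", "scr", "com", "pif", "dll", "js", "jse", "vbs", "vbe", "wsf", "hta",
    "cmd", "bat", "ps1", "lnk", "jar", "docm", "xlsm", "pptm",
}
# Archives hide the real payload (and may be password-protected); route for deeper inspection.
ARCHIVE_EXTENSIONS = {"zip", "rar", "7z", "iso", "img"}
# Leading bytes a file with this extension should start with.
MAGIC = {
    "pdf": b"%PDF-",
    "docx": b"PK\x03\x04", "xlsx": b"PK\x03\x04", "pptx": b"PK\x03\x04", "zip": b"PK\x03\x04",
    "doc": b"\xd0\xcf\x11\xe0", "xls": b"\xd0\xcf\x11\xe0", "ppt": b"\xd0\xcf\x11\xe0",
    "rtf": b"{\\rtf",
}
PE_EXTENSIONS = {"exe", "dll", "scr", "com"}


def build_sample_application() -> bytes:
    """Constructed sample: a fake job application with one honest-looking cover letter
    and two 'CV' attachments that are really Windows executables (MZ header)."""
    msg = EmailMessage()
    msg["From"] = "applicant@example.com"   # constructed
    msg["To"] = "jobs@example.org"          # constructed
    msg["Subject"] = "Application for Accounts Payable Clerk"
    msg.set_content("Dear Hiring Manager, please find my cover letter and CV attached.")
    msg.add_attachment(b"%PDF-1.4\n%constructed cover letter\n",
                       maintype="application", subtype="pdf", filename="Cover Letter.pdf")
    # Double extension: looks like a PDF in a file list that hides known extensions.
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60,
                       maintype="application", subtype="pdf", filename="CV_Smith.pdf.exe")
    # Plain .pdf name, but the bytes are a PE header, not a PDF.
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60,
                       maintype="application", subtype="pdf", filename="References.pdf")
    return msg.as_bytes()


def triage_attachments(raw: bytes) -> List[Dict[str, object]]:
    """Return one verdict per attachment: 'allow', 'inspect' (archives) or 'block', with reasons."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        exts = name.lower().split(".")[1:]          # every extension after the base name
        last = exts[-1] if exts else ""
        reasons = []

        if last in RISKY_EXTENSIONS:
            reasons.append(f"executable or script extension .{last}")
            if len(exts) > 1:
                reasons.append(f"double extension disguised as .{exts[-2]}")
        expected = MAGIC.get(last)
        if expected and not data.startswith(expected):
            reasons.append(f"content does not match the .{last} file signature")
        if data.startswith(b"MZ") and last not in PE_EXTENSIONS:
            reasons.append("Windows PE header in a file not declared as an executable")

        if reasons:
            verdict = "block"
        elif last in ARCHIVE_EXTENSIONS:
            verdict = "inspect"
        else:
            verdict = "allow"
        findings.append({"filename": name, "verdict": verdict, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_attachments(build_sample_application()):
        print(f"{f['verdict']:7} {f['filename']}  {'; '.join(f['reasons'])}")
```

The signature check is the one that matters most: a screener can be trained to distrust `.exe`, but a file named `References.pdf` that begins with `MZ` will pass a name-only filter and a tired human every time. Run this at the gateway (or as a mailbox rule that quarantines anything with a `block` verdict) so the decision is made before the attachment reaches the person whose job is to open CVs.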
You can’t fault the baddies for how they’re selecting their targets or the technique they’re using to hide their payload. It’s a darned effective tactic. Spies, saboteurs and criminals throughout history have appreciated the value of concealment. A clever disguise gives your target the absolute minimum opportunity to employ countermeasures before the attack commences. If you don’t mind a campy example, consider 1977’s The Spy Who Loved Me, wherein a nuclear submarine gets swallowed by a hollow ship-hunter disguised as an oil tanker, the way an unsuspecting prawn might be swallowed by a passing whale.
So give the baddies credit. People are – and always have been – the weakest element in a cyber defence plan. People get stressed and distracted. People are vulnerable to biases and snap judgments. People have empathy that can be exploited, and dependencies that can be threatened. No matter how much you train and prepare your people, they’re always the target of choice for enemies who want to breach your organisation’s defences. We’ve known this for decades, and we’ve adapted to address the threat. We’re well-situated to defend against it… right?
Well, no. Not really. Yes, we have adapted to make our people tougher to exploit, but… we’re still not preparing our people for the full range of possible enemy activity. At least, not the way many organisations are employing contemporary security training coursework.
It’s taken 20 years to standardise people’s understanding of ‘social engineering’. Back when Kevin Mitnick was tricking corporate employees into giving him access to critical information systems, most people outside of the defence sector weren’t aware of the tactics that spies and criminals used to trick their marks into giving up important data. ‘Spy stuff’ happened in fiction, not in boring, everyday corporate life. Mr Mitnick explained in his 2002 book The Art of Deception that he routinely took advantage of people’s natural desire to help an innocent stranger to get anything he needed to carry out a breach. Mitnick understood that you attack people first, and they’ll then bypass most of their own company’s defences for you.
Then Mitnick got caught and gave lots of interviews. We learned from his adventures and adapted. Many companies now mandate recurring social engineering awareness training in order to better recognize things like phishing emails, fake internal phone calls, secure area tailgating and the like. It’s taken far too long to get here, but we’ve finally succeeded in raising awareness of people-focused cyber crime techniques… and that heightened awareness is paying off. Everyone’s a little bit tougher. Not impregnable, mind you – just incrementally better prepared. That’s a good thing.
On the other hand, the bad guys aren’t sitting still either. Just like the way the ransomware crims decided to change their targeting methodologies, so too have social engineers started adapting their organisational penetration approach in order to strike their targets where they’re least defended… from the next cubicle, wearing a legitimate company security badge. Infiltration, not penetration.
I’ve discussed this with a bunch of clients recently, more so since the Manning and Snowden espionage cases were made public. The single most effective way to get secrets out of an organisation is to get them from the inside. I don’t mean penetrating a network – I mean taking a real day-in-day-out job with the company whose secrets you want to plunder. Get the legitimate ID card. Get authorized systems access. Earn your fellow employees’ trust. Get invited to all the secret meetings and cocktail parties. Let the company fall all over itself handing you the secrets that you want because you’re a trusted insider. Your enemy thinks that you’re one of the good guys… because you are one of the good guys (for all practical purposes).
But it’s so much more rewarding if you’re willing to put in the effort to work your target… slowly. Becoming a ‘mole’ gives cyber criminals an opportunity that few hackers ever have: the opportunity to be in the right place at the right time to stumble into something important, like a passing hallway conversation or an after-hours pub crawl. Be where the conversation is taking place when time-sensitive secrets get revealed, and then seize the moment to do… whatever it is that you do.
I used the James Bond film earlier to illustrate my first point (i.e. disguises help you sneak up on your prey). I want to build on that for my second point (i.e. proximity to unfolding events is the key to serendipitous exploitation). If you go back to Ian Fleming’s original 1962 novel The Spy Who Loved Me, it was nothing at all like the campy ’70s movie. In the original, a random flat tyre causes Bond to stop at a motel right as a couple of arsonists initiate an insurance fraud scheme. Bond saves the motel’s only employee, romances her and leaves. There weren’t any Soviet spies. No submarine-swallowing super-tankers. No underwater lairs. No nuclear blackmail. Just a character study in which an amoral secret agent takes advantage of a vulnerable and attractive woman.
What’s important about the story – for our purposes – is that the ‘hero’ of the story was just passing by at the time. He wasn’t interested in the people, the place or their drama – he stumbled into something sinister, and then acted according to his nature. He would never have been able to reap those rewards if he hadn’t been physically present when the unexpected opportunity presented itself.
That’s the key: presence produces opportunities. It’s the crucial advantage that insider threats have over almost any other type of cyber crime: by masquerading as a trusted insider, the infiltrator is fully immersed in the moment-to-moment drama. That gives them an unparalleled ability to react to events as they unfold. Yes, the consequences of getting caught exfiltrating data or carrying out sabotage are far greater than they are for traditional (that is, at-a-distance) cyber crime, but the potential payoff is commensurately greater as well, making the risk worth it.
I’m describing this under the umbrella of cyber crime, not traditional spycraft. That’s because I write about IT issues, not general criminology. I also tend to look at cyber crime the way the military looks at Information Operations doctrine: as something that starts and ends with people. The fiddly small computer bits are only one small element of a comprehensive information protection programme.
I’ve been stressing this with clients for years. Back in Kevin Mitnick’s heyday, telephone-based social engineering was sufficient to win a crim access to crucial, protected information systems. Ten years ago, email-based social engineering became the most effective way to get that same sort of access. Now, as we’ve collectively gotten better at blocking the bad guys’ techniques, their focus seems to have shifted to catch us unawares once again. It’s what they do.
There will always be baddies trying to break in from afar – that threat isn’t going away. The truly dedicated crims, however, are taking things a step further: they’re Snowdening more and more often. That is, they’re getting themselves hired on with their target in order to get crucial, protected systems access handed to them with a smile. It’s brilliant in a way; the bad guys get paid by their adversary to handle the organisation’s sensitive data until they accomplish their objectives.
I’ve also been stressing with my clients that they’re underutilising some of the strongest assets that they have for detecting these sorts of threats, because they don’t realise the value of what they already have. The human resources arm of an organisation is uniquely positioned to catch bad actors because of its organisation-wide reach and atypical perspective. A good personnelist knows how to conduct a deep background check and interpret its results. Good HR techs don’t just rely on a simple criminal records search when hiring new talent – they validate former employers and dig into past misconduct. They build profiles of employees and actively look for potential inconsistencies. They craft behaviour-based flags and triggers for internal security to search for. A strong HR team is a vital part of a company’s cyber security apparatus – a force-multiplier that can do things for internal security that the security techs usually can’t do because of their own narrow remit.
That is to say, HR can play a significant role in continuous profiling of employee behaviour. If that sounds like something that exists in the squiffy legal grey area where lawsuits are conceived, well… yes. It is. If you don’t set your programme up correctly, you’ll open your organisation up to nasty lawsuits. On the other hand, there’s a clear and present danger that needs to be addressed. Shying away from thorny legal decisions isn’t protecting the company. Your HR specialists have the knowledge, experience, perspective and proper access to watch how employees behave in order to identify potential infiltrators before they complete their nefarious objectives. Atypical or inexplicable conduct, decisions, activities and/or associations all might warrant closer scrutiny. Good HR techs can spot things that an IT-focused security admin might miss.
That’s the other thing that I keep arguing with my clients: a comprehensive cyber security programme is not and cannot be focused solely on technology. PCs and networks are only a fraction of the elements that go into effectively blocking, neutralizing and thwarting adversaries. A responsible security programme manager needs to understand and accept all of the ways that the enemy is likely to engage the company. A strong security programme, in turn, needs to encompass all of the different specialists and support staff that can be brought to bear. Put another way, use all of the arrows in your metaphorical quiver, not just the one you’re most comfortable with.
The bad guys are clever. Don’t sell them short. They’re motivated, and they’re willing to take daring risks to come after you. If you hold any sort of a leadership role, then you need to be just as daring in thwarting the bad guys.
Sometimes, the most effective spyware is the kind that walks and talks – the charming guy in the next cubicle, who can absolutely be trusted with company secrets. The most effective countermeasure to thwart that charming guy is the personnel specialist who knows how to spot suspicious behaviour and who’s empowered to sound the alarm.
 I couldn’t find a clip of the scene on YouTube, so give yourself a treat and watch the film.
 If you haven’t already read it, you really should. It’s an excellent primer on social engineering tactics – and you can use Mitnick’s techniques to train your most vulnerable employees how to recognize when they’re being conned.
 Yes, that’s a verb now. I don’t necessarily approve of it, but… it is what it is.
Title Allusion: Ian Fleming, The Spy Who Loved Me (1962 book and 1977 Film)
POC is Keil Hubert, firstname.lastname@example.org
Follow him on Twitter at @keilhubert.
You can buy his books on IT leadership, IT interviewing, horrible bosses and understanding workplace culture at the Amazon Kindle Store.
Keil Hubert is a retired U.S. Air Force ‘Cyberspace Operations’ officer, with over ten years of military command experience. He currently consults on business, security and technology issues in Texas. He’s built dot-com start-ups for KPMG Consulting, created an in-house consulting practice for Yahoo!, and helped to launch four small businesses (including his own).
Keil’s experience creating and leading IT teams in the defense, healthcare, media, government and non-profit sectors has afforded him an eclectic perspective on the integration of business needs, technical services and creative employee development… This serves him well as Business Technology’s resident U.S. blogger.