Ingenious Adversaries

Stay ahead of ingenious adversaries

The level of ingenuity and resourcefulness – not to mention technical acumen – that adversaries use to pull off security breaches is on the rise. Attackers are finding new and different ways to gather information, infiltrate organizations and exploit personal proclivities for their own gain. And in many ways, we’re helping them.

Consider the fact that more than half of the 2,000 global organizations we recently surveyed said their employees aren’t fully aware of the security rules they must follow. No matter how well-crafted a security strategy is, if employees aren’t familiar with the rules or don’t implement them the strategy’s effectiveness will be limited. Adversaries know this, and take advantage of it. And they use increasingly sophisticated tactics of social engineering – tricking people into divulging information or security credentials – to get closer to what they want.

Old-school social engineering can be as simple as a stranger convincing you to let him slip into your controlled-access building after you swipe your keycard. (Maybe he told you he was late for a job interview and you sympathized.) But the more resourceful type might take the form of an email purportedly from a friend containing a link to a picture of your child scoring the winning goal at a recent soccer game. Your friend’s name and your child’s accomplishment could have been gleaned from Facebook. And if parental pride wins out over security policy—even just for the moment it takes to click on the link— you may have just granted an adversary access to your organization’s network.

As we share more on social media and the traditional delineation between work and personal lives becomes porous, we’ve made it easier for attackers. With publically available information – not just about you, but about family and friends -- adversaries can weave intricate webs of information, learning about your proclivities and preferences. They can then use beguiling specificity to ingratiate themselves to you, then lie in wait for lax security or human error to present an opportunity. And the convergence of the physical and logical worlds allows adversaries to leverage their skills in both realms to find weak links that bring them closer to their targets.

Social engineering isn’t the only way adversaries get what they want – sometimes it’s sheer ingenuity to find creative ways around obstacles and leapfrog their targets’ precautionary measures. In Romania, truck drivers were being robbed when they stopped for breaks, so they were instructed not to stop on certain routes. But some drivers were still arriving at their destinations without cargo. The use of video, GPS and other technology showed that robbers were chasing trucks in their cars at night with the lights off, crawling out on the hoods, jumping onto the backs of the trucks, and stealing equipment by tossing it back to their accomplices in the moving cars. Further investigation revealed that when the truckers were ordered not to stop, the robbers hired acrobats who could break into moving vehicles.

How can organizations protect themselves from social engineering tactics and ingenious adversaries? They must educate and train employees to the tricks and tactics that attackers use, and employees must share that knowledge with friends and family, as well as the extended social networks they create in the digital age. Organizations must also think of themselves as extended entities, and create secure connections with partners, suppliers, and contractors.