I Got Phished, But I Never Clicked?
12/5/2013, Steve Williams — Director of Strategic Partnerships
One of the leading misconceptions surrounding social engineering and phishing is that the source of the problem is centered on users clicking on bad links. Make no mistake, a large percentage of social engineering attacks do invite users to click on bad links and this action can definitely have consequences, yet many of the highest profile social engineering attacks have absolutely nothing to do with links and nothing to do with clicking.
Some of the most damaging social engineering attacks often consist of nothing more than the patient accumulation of information, which is then leveraged through many different mediums to inflict financial harm or damage a brand’s hard-earned reputation. One could successfully argue that the most difficult attack vector to manage and gain visibility into is the stealth-based approach, in which conversation and information gathering occur very subtly, outside the scope of advanced detection tools and beneath the radar of even the best-constructed defenses.
Every company now faces a challenging paradigm: the balance between effectively promoting their products, brands, and people while still successfully defending against how that very same information can be used against them. There is no magic bullet or cure when it comes to meeting this challenge, but it starts with a fundamental understanding and grasp of what social engineering is at its very core. Social engineering is not clicking, it’s not phishing, it’s not even spear-phishing; it’s the exchange of information between individuals and an unauthorized source, backed by malicious intent on the part of one or more of the individuals involved.
Successfully mitigating risk at the user level in today’s Information Security climate requires applying a risk-based approach at the human layer that explores and answers more than who clicked and who didn’t. The threat landscape as it relates to social engineering is constantly advancing and adapting to perimeter defenses, with a focus on how to accomplish more with less effort. The foundation of successful attacks is often built upon establishing trust, preying on human curiosity, and upgrading from traceable methods, such as inviting users to click, to a stealth-based approach. Attackers know this, and it’s the very premise of most “Capture the Flag” contests that are sponsored and run throughout the year within the Information Security community to conclusively demonstrate it.
Impacting change at the human layer starts with an understanding and accurate definition of how the threat landscape has evolved; oversimplifying or shortchanging the threat only adds to the problem. There is an enormous difference in the calculated risk between a click-happy user and a dissatisfied, disengaged employee looking to actively inflict harm upon their work environment. Driving change and reducing risk as it relates to social engineering requires a methodology that goes beyond awareness alone and centers its efforts on actionable findings that often have nothing to do with a user clicking on a link.