From Inbox to iMessage: Securing the Unseen Paths of Social Engineering Attacks

By Kiersten Putnam | Trace3 Innovation Researcher


The front lines of cybersecurity are shifting. In today's hyper-connected, AI-driven world, attackers no longer need to break through firewalls or exploit vulnerabilities to breach an organization. Rather, they target the most unpredictable and, in most cases, most vulnerable part of your organization: your people.

Gone are the days when phishing attempts were mass-sent, poorly written emails or phone calls from unknown numbers that were easy to ignore. We have since been trained to watch for typos and unknown senders, so those outreaches no longer succeed. Now attackers are evolving their techniques to appear more real, making it difficult to tell a genuine outreach from a malicious one. How do they do this? For starters, no typos – their messages are grammatically perfect and styled to match company tone. Next, they are getting crafty, aligning the context of the outreach to something relevant for the recipient and adding emotional triggers to provoke an urgent response. As these attacks evolve, it is important to stay educated on the characteristics and emerging tactics driving next-gen social engineering attacks, so your organization can evolve its defenses and keep employees vigilant. So let’s dive in.


Emerging Characteristics of Social Engineering Attacks

1. Personalization is key

While generic email campaigns are still used, targeted campaigns are becoming more common. Attackers now personalize them to their target through OSINT (open-source intelligence) gathering. They scrape open sources, such as social media and company bios, for information such as roles, promotions, and connections. They also use information from past data breaches, including compromised credentials or even seemingly benign data about target users (name, location, employer, etc.), to create more convincing pretexts.

With all this data collected, they can build a profile on you and understand your typical behaviors, like which links you click on, your tone of communication, and how you post or engage with others online. This helps them identify the right context and time to reach out. For example, a fake onboarding training will be more successful against a new employee who is being onboarded than against one who has been at the company for years, whereas a message from your CEO asking for an urgent wire makes more sense to an employee in finance than to one in IT. This strategic and clever context gathering makes their attacks appear highly realistic and personalized, and therefore harder to detect.

2. Authenticity is the cherry on top

If a random number claimed to be your CEO and asked for a wire, it would raise suspicion. But, if the voice and tone matched your CEO’s, that hesitation would likely disappear. To do this, attackers are leveraging emerging technology in both the text and tone of the message, and how it is presented visually and audibly, to make it look and sound more realistic.

With text and tone, attackers collect large datasets of text-based conversations from social media, messaging apps, customer service interactions, etc. and use language models to generate human-like prompts. This helps them create personalized messages that mimic specific personas or language patterns.

For audio, video, and image, attackers collect vast amounts of data and use deepfake software to map one face to another, or mimic someone’s voice with uncanny accuracy, including facial expressions, mannerisms, and vocal patterns. There are many uses for this, including the CEO wire example, but also joining virtual meetings, developing fake training videos, creating fake employee profiles, impersonating call centers, etc.

3. Multichannel takes it to the next level

If personalization is key and authenticity is the cherry on top, then multichannel takes this to the next level. Attackers recognize that employees use multiple channels for communication – email, text messaging, phone calls, browsers, endpoint devices, etc. Attackers are now meeting employees across all these channels. While enterprises hope to secure their employees in as many ways as possible, some of these channels sit outside the bounds of the organization, creating a grey area between protection and employee privacy.

Within the trust bounds of an organization lie primarily email and the endpoint (depending on BYOD policy). Employees are trained to be vigilant inside enterprise systems and see security awareness as part of their job. However, these channels are evolving. With email, GenAI and advanced techniques allow personalized and authentic-looking emails to fly under the radar of rule-based email security systems. On the endpoint, these attacks arrive from different sources, such as malicious browser extensions, malvertising, compromised or fake applications, or local redirectors.

Outside the trust boundary, employees may be less vigilant as they switch between work and personal devices to scroll or instant message, and attackers are targeting these channels accordingly. SMS/mobile is a popular way to lure users into sharing personal information and clicking phishing links or QR codes. Social media becomes less about direct outreach and more about account hijacking, creating fake profiles or personas, and fabricating fake news or job scams.
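The on-device smishing checks that the mobile-channel paragraph describes (scoring a link that arrives by SMS or is decoded from a QR code) can be illustrated with a small heuristic scorer. This is an added example written for this page, not code from the original post or from any vendor named in it; the brand domains, shortener list, urgency cues and sample messages are constructed assumptions, and the registrable-domain logic is a naive last-two-labels stand-in for a real public-suffix lookup.

```python
import re
from urllib.parse import urlparse

# Constructed example values: the organisation's brand domains that smishing
# lures typically imitate, and a few well-known public URL shorteners.
PROTECTED_BRANDS = ("examplebank.com", "example-corp.com")
SHORTENERS = ("bit.ly", "tinyurl.com", "t.co")

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
URGENCY_RE = re.compile(
    r"\b(suspended|locked|verify|confirm|immediately|within 24 hours|final notice)\b", re.I
)

# Constructed sample messages (as an SMS body or the text around a decoded QR link).
SAMPLE_SMS = (
    "ExampleBank: your account has been suspended. Verify your identity within 24 hours "
    "at http://examp1ebank.com/verify or the account will be locked"
)
BENIGN_SMS = "Your ExampleBank statement is ready: https://examplebank.com/statements"


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Naive eTLD+1 (last two labels); a real product would use the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def analyze_url(url: str) -> list[str]:
    """Return the suspicious traits of one link (from SMS text or a decoded QR code)."""
    findings = []
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if parsed.scheme == "http":
        findings.append("plain-http")
    if "@" in parsed.netloc:
        findings.append("userinfo-in-url")      # user@host trick hides the real host
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        findings.append("ip-literal-host")
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode-host")        # possible homoglyph domain
    reg = registrable_domain(host)
    if reg in SHORTENERS:
        findings.append("url-shortener")        # destination hidden from the user
    for brand in PROTECTED_BRANDS:
        if reg == brand:
            continue                            # the genuine brand domain is fine
        brand_name = brand.split(".")[0]
        if brand_name in host:
            # e.g. examplebank.com.account-verify.net: brand used as a subdomain of another site
            findings.append(f"brand-in-foreign-host:{brand}")
        elif edit_distance(reg, brand) <= 2:
            # e.g. examp1ebank.com: a typo-squat one or two characters away
            findings.append(f"lookalike:{brand}")
    return findings


def score_message(text: str) -> dict:
    """Combine per-link traits with the urgency cues typical of smishing lures."""
    links = {}
    for raw_url in URL_RE.findall(text):
        url = raw_url.rstrip(".,;:!?)")          # drop sentence punctuation glued to the link
        links[url] = analyze_url(url)
    urgency = sorted({m.lower() for m in URGENCY_RE.findall(text)})
    score = sum(len(f) for f in links.values()) + (1 if urgency else 0)
    return {
        "links": links,
        "urgency_cues": urgency,
        "score": score,
        "verdict": "block" if score >= 2 else "allow",
    }


if __name__ == "__main__":
    for sms in (SAMPLE_SMS, BENIGN_SMS):
        print(score_message(sms))
```

The verdict threshold is deliberately simple: one lookalike domain plus urgency language is enough to hold the link, while the genuine brand domain with no pressure cues passes. A deployed on-device filter would add a public-suffix list, a reputation feed and an allow-list of the organization's own domains.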

This growing use of multichannel highlights the need to 1) adapt security controls to meet evolving attack techniques within already protected channels and, 2) provide awareness and protection for all channels, both inside and outside the trust boundaries.


The Pillars of Protection

The evolving tactics used in social engineering attacks require new approaches for keeping employees safe. Emerging solutions can be broken down into three approaches.

[Picture 1: the three approaches to protection (image not included)]


Securing the Channels: There are solutions specializing in each channel – email, browser, mobile, and social media. Inside the trust boundary, next-gen email security solutions, such as StrongestLayer and Fortyx, are moving away from static rules toward dynamic analysis of each email received: learning an employee’s typical behavior and recognizing a change in tone or business context. On the endpoint side, as organizations move from managed endpoints to BYOD, browser security provides an opportunity to detect and block social engineering attacks at the point of user interaction. Solutions such as Pixm, LayerX, and SquareX analyze browser behavior, page visuals, and session content to intercept attempts to engage the user with malicious content. Protecting outside the trust boundary is harder because of the lack of enterprise control, but some solutions extend control to those channels. Smishing and mobile security solutions, such as iVerify, Corrata, and AB Handshake, specialize in on-device detection of phishing links, QR codes, malicious applications, and the like. On social media, the key is protecting employees against fake personas, impersonations, and narrative manipulation before they lead to exploitation or breaches. To do this, solutions such as Cyabra and LetsData analyze identity authenticity and bot behavior to identify targeted campaigns.
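Both the email paragraph in the multichannel section (polished GenAI emails slipping past rule-based filters) and the email part of this paragraph (dynamic analysis against an employee's typical behavior and business context) describe the same shift, so one added example serves both. It is written for this page and is not code from the original post or from StrongestLayer, Fortyx or any other vendor named here. The organization domain, the executive directory, the per-sender baseline, the keyword lists and the two sample emails are all constructed assumptions; a real product would learn the baseline from mail history rather than hard-code it.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr, parsedate_to_datetime

# Constructed organisation context (assumptions for this example).
ORG_DOMAIN = "example-corp.com"
EXECUTIVES = {"dana rivera": "dana.rivera@example-corp.com"}

# Constructed per-sender baseline, standing in for behaviour learned from past mail:
# which Reply-To domains they use, when they send, and whether they ever asked for a payment.
SENDER_BASELINE = {
    "dana.rivera@example-corp.com": {
        "reply_to_domains": {"example-corp.com"},
        "active_hours": range(7, 19),
        "has_requested_payment": False,
    },
}

URGENCY_RE = re.compile(
    r"\b(urgent(?:ly)?|immediately|right away|asap|confidential|before end of day)\b", re.I
)
PAYMENT_RE = re.compile(r"\b(wire|transfer|invoice|gift cards?|bank details|payment)\b", re.I)
# What a static, rule-based filter typically keys on: misspellings and stock phishing phrases.
LEGACY_RE = re.compile(r"\b(dear (?:customer|user)|kindly|recieve|verifiy|clcik here)\b", re.I)

# Constructed sample: a polished CEO-impersonation request with no typos or stock phrases.
SPOOFED_EMAIL = """\
From: Dana Rivera <dana.rivera@example-corp-finance.com>
Reply-To: Dana Rivera <ceo.office@mail-example.net>
To: jordan.lee@example-corp.com
Date: Tue, 14 Jan 2025 22:41:00 +0000
Subject: Quick favor before the board call

Jordan,

I'm between meetings and need a wire transfer of $48,500 to the vendor account I shared
on our call completed immediately. This is confidential until the acquisition is announced.
Please confirm once done.

Dana
"""

# Constructed sample: routine mail from the real executive during working hours.
ROUTINE_EMAIL = """\
From: Dana Rivera <dana.rivera@example-corp.com>
To: jordan.lee@example-corp.com
Date: Tue, 14 Jan 2025 10:05:00 +0000
Subject: Q4 numbers

Jordan, the Q4 summary is attached for your review before Thursday's meeting. Thanks, Dana
"""


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def legacy_rule_score(raw: str) -> int:
    """Count of the static indicators a keyword/typo filter looks for (zero for polished mail)."""
    return len(LEGACY_RE.findall(raw))


def analyze_email(raw: str) -> dict:
    """Score a message on identity, sender baseline and business context rather than keywords."""
    msg = message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(msg["From"] or "")
    addr = addr.lower()
    body = msg.get_content()
    findings = []

    # 1. Identity: the display name claims an executive whose real address differs.
    claimed = EXECUTIVES.get(display.strip().lower())
    if claimed and claimed != addr:
        findings.append("exec-display-name-spoof")
        if domain_of(addr) != ORG_DOMAIN:
            findings.append("external-domain-claims-internal-identity")
    baseline = SENDER_BASELINE.get(claimed or addr, {})

    # 2. Reply-To pointing at a domain this sender has never used before.
    _, reply_to = parseaddr(msg["Reply-To"] or "")
    if reply_to and domain_of(reply_to) not in baseline.get("reply_to_domains", {domain_of(addr)}):
        findings.append("reply-to-mismatch")

    # 3. Timing deviation from the sender's usual hours.
    if msg["Date"] and baseline.get("active_hours"):
        if parsedate_to_datetime(msg["Date"]).hour not in baseline["active_hours"]:
            findings.append("off-hours")

    # 4. Business context: urgency plus a payment request, and whether that is new for this sender.
    if URGENCY_RE.search(body) and PAYMENT_RE.search(body):
        findings.append("urgent-payment-request")
        if baseline and not baseline.get("has_requested_payment"):
            findings.append("behavior-deviation:first-payment-request")

    return {
        "from": addr,
        "findings": findings,
        "legacy_score": legacy_rule_score(raw),
        "verdict": "hold-for-review" if len(findings) >= 2 else "deliver",
    }


if __name__ == "__main__":
    for sample in (SPOOFED_EMAIL, ROUTINE_EMAIL):
        print(analyze_email(sample))
```

The point of the two samples is that the legacy keyword score is zero for both, so a typo-and-phrase filter cannot separate them; the contextual checks (a name that does not match its address, a foreign Reply-To, an off-hours send and a first-ever payment request) are what distinguish the spoof from the routine mail.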

Detecting Advanced Deception: Another emerging approach is to defend against the techniques themselves, primarily through deepfake detection and protection. These solutions use advanced technology to detect synthetic voices, videos, and images by meticulously analyzing characteristics such as manipulated movements, video signal manipulation, facial inconsistencies, background anomalies, and synthetic voice artifacts. Most solutions, including GetReal, Resemble AI, and RealityDefender, span multiple mediums; the differences lie in their detection techniques and specialized use cases. Other solutions are more niche, focusing on employee onboarding (Clarity), fake media (Gretchen AI), or voice detection (Modulate, ValidSoft). While these solutions all detect deepfakes after the fact, others, like Label4, digitally watermark content to establish authenticity and detect deepfakes that way.
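The closing sentence contrasts detecting deepfakes with marking genuine content up front so that anything unmarked or altered stands out. The added example below shows the simplest form of that idea, a keyed provenance manifest over a media file and its metadata, which is the cryptographic cousin of the watermarking the paragraph mentions rather than a perceptual watermark embedded in the signal. It is written for this page and is not code from the original post or from Label4 or any other vendor; the key, the stand-in "video" bytes and the metadata are constructed, and a deployed scheme would use an asymmetric signing key held only by the publishing pipeline rather than the shared HMAC key assumed here.

```python
import hashlib
import hmac
import json
from typing import Any

# Constructed stand-ins: a few bytes in place of a real training video, and a demo key.
ORIGINAL_VIDEO = b"constructed stand-in for the bytes of an onboarding video"
KEY = b"constructed-demo-key-do-not-reuse"
METADATA = {"publisher": "Example Corp Training", "title": "Q1 onboarding", "version": 1}


def _canonical(manifest: dict[str, Any]) -> bytes:
    """Deterministic serialisation so signer and verifier tag exactly the same bytes."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_media(media: bytes, metadata: dict[str, Any], key: bytes) -> dict[str, Any]:
    """Produce a provenance manifest binding the media bytes to their metadata.

    The tag covers both the content hash and the metadata, so neither can be changed
    independently: a substituted (deepfaked) file breaks the hash, and an edited
    publisher or title breaks the tag.
    """
    manifest = {"sha256": hashlib.sha256(media).hexdigest(), "metadata": metadata}
    manifest["tag"] = hmac.new(key, _canonical(manifest), hashlib.sha256).hexdigest()
    return manifest


def verify_media(media: bytes, manifest: dict[str, Any], key: bytes) -> str:
    """Return 'authentic', 'tampered-media', 'tampered-manifest' or 'unsigned'."""
    if "tag" not in manifest or "sha256" not in manifest:
        return "unsigned"                       # never marked: treat as untrusted, not as fake
    unsigned = {k: v for k, v in manifest.items() if k != "tag"}
    expected = hmac.new(key, _canonical(unsigned), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["tag"]):
        return "tampered-manifest"              # edited metadata/hash, or signed with another key
    if hashlib.sha256(media).hexdigest() != manifest["sha256"]:
        return "tampered-media"                 # manifest is genuine but the file was replaced
    return "authentic"


def demo() -> dict[str, str]:
    """Exercise the four outcomes on the constructed sample."""
    manifest = sign_media(ORIGINAL_VIDEO, METADATA, KEY)
    forged = dict(manifest)
    forged["metadata"] = {**METADATA, "publisher": "Someone Else"}
    return {
        "original": verify_media(ORIGINAL_VIDEO, manifest, KEY),
        "replaced_file": verify_media(ORIGINAL_VIDEO + b"\x00", manifest, KEY),
        "edited_metadata": verify_media(ORIGINAL_VIDEO, forged, KEY),
        "no_manifest": verify_media(ORIGINAL_VIDEO, {"metadata": METADATA}, KEY),
    }


if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case}: {status}")
```

The design choice worth noting is the ordering in the verifier: the tag is checked before the content hash, so a forged manifest that happens to carry the right hash for a fake file is still rejected, and the constant-time comparison keeps the tag check from leaking anything through timing.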

Strengthening Employee Awareness: As social engineering techniques evolve, so should employee training. While large, established platforms have been instrumental in educating employees on traditional social engineering techniques, next-gen attacks require platforms that train against these specific techniques. Some of these are specialized training platforms, like Jericho Security and Adaptive Security; others are emerging social engineering defense solutions that add training as part of a larger platform (StrongestLayer, Resemble AI, AB Handshake).


Summary

We always said “don’t trust emails from strangers,” but now it’s “don’t trust anything you weren’t expecting.” As illustrated above, social engineering techniques are rapidly evolving and outpacing both traditional defenses and vigilant employees. While a variety of traditional solution categories provide protection (e.g. email security platforms, EDR, DRPS, email security training, exposure management), the emerging approaches described above focus directly on defending against the next evolution of attacks. Depending on your environment, they can be a strong complement to your existing social engineering defenses. While today many of these approaches come from emerging technology vendors, as next-gen attacks keep expanding it is likely they will be folded into existing platforms as well.

If you’re curious to learn more or want to stay on top of the latest enhancements in this space, feel free to reach out to us at innovation@trace3.com.


Kiersten Putnam is a Senior Innovation Researcher at Trace3.  She is passionate about new innovative approaches that challenge traditional processes across the enterprise. As a member of the Innovation Team, she delivers research content on emerging trends and solutions across enterprise cloud, security, data, and infrastructure. When she's not researching, she is either exploring the surrounding areas of Denver, Colorado where she lives, or planning her next trip abroad.