Social Engineering, Human Error and Human Manipulation
Given that the threat which concerns us most preys directly on humans, our concern is warranted. That is why we feel the biggest problem the power grid faces today is phishing, spear-phishing, and pretexting, all of which we will define in this set of articles. Why these threats? Because these social engineering attacks are designed specifically to circumvent all the expensive defensive technological measures an enterprise has put in place. These tactics manipulate the individual, using them as the vector to attack the network, as opposed to going after the organization’s network directly. Social engineering tactics range from the “smash-and-grab” approach (phishing), to taking advantage of the naïve (spear-phishing), to ultra-sophisticated manipulation (pretexting). Emails designed to look like they are coming from your immediate boss or the “big boss” (such as a CFO or CEO) get your attention. They create an emotional response, usually a sense of urgency (in some cases, even fear, which can be a powerful motivator for “instant action”). And in that emotional moment of urgency, opening a seemingly legitimate attachment may unleash the payload that infects the network with malware, ransomware, or whatever other digital nastiness the attacker has chosen. It is worth noting that the top emotional motivators are curiosity, fear, and urgency. Manipulation does not stop with work-related material, either. If you have been tagged as a high-value target within your organization by a nefarious actor, do not think for a moment that the bad actor has limitations. If the malicious actor feels the best way to get your attention is to pretend to be your spouse or your child’s school principal, they will go that far. In our societal obsession with making information as readily available as possible, we have given up so much of ourselves and our personal lives that all of it can be used against us.
And you would be shocked at what is out there, particularly when we lose control of that information. But let us illustrate how you can, quite easily in fact, target somebody. One of us, years ago (and for totally legitimate business reasons), stumbled across the personal mobile phone number of the CEO of one of the biggest companies in the United States. How did we come across this phone number? Because a foundation this person donated to listed the number in the organization’s public documentation. And that is the scary thing: once our information goes into somebody else’s hands, what confidence do we have that it will be safeguarded? These days, it’s not feeling too good. This type of deep digging is not new. In political activity it is sometimes called opposition research, but do not believe for one moment that a nefarious actor will not conduct the same kind of digging. To these actors, this behavior is “all business” and part of their daily routine, particularly if they truly wish to seek out, and exploit, a target. For transparency purposes, especially when a public entity is involved, we list a great deal of information online (name, title, phone number, email address, work address, and so on). This is very much true for those in positions of responsibility and authority. All of this information can be used against us. And once it is captured by a malicious actor, it is manipulated or used in a manner that exploits us. For example, that information comes back to the employee’s desk, say, in the form of an email apparently from a superior. More likely than not, within the first hour or two, that email will be opened. In fact, there is an 87% chance that the email will be opened within the same day.
There is a simple elegance to email attacks: they are a proven attack channel, do not rely on technological vulnerabilities for success, and use simple deception to lure victims. And that is the critical moment where everything can fall apart. It is often said that the “person sitting behind his or her computer terminal” is the biggest risk and hazard to network and data security. We agree. Many others do too, noting that “[h]uman mistakes are inevitable. Yet they can be very costly. For many organizations the risks associated with human error can be more serious than the insider threat. In some cases, it is considered the biggest threat to the ICS system.”
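As an added illustration, not part of the original article, the following Python script turns the cues described above into detection heuristics run over a raw email message: an executive’s display name paired with a sender address outside the company domain, a Reply-To that routes answers elsewhere, urgency or fear wording in the subject and body, and an attachment pushed under that pressure. The company domain, the executive directory and the sample message are constructed for this example.

```python
import email
import re
from email import policy
from email.utils import parseaddr

INTERNAL_DOMAIN = "example-utility.com"      # assumed company domain
EXECUTIVES = {"Jane Doe": "CEO"}             # constructed executive directory
URGENCY_WORDS = re.compile(                  # curiosity/fear/urgency cues
    r"\b(urgent|immediately|asap|today|overdue|suspended|confidential)\b", re.I)

def _domain(addr: str) -> str:
    return addr.rpartition("@")[2].lower()

def score_message(raw: str) -> list[str]:
    """Return the impersonation indicators found in one raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons: list[str] = []
    name, addr = parseaddr(msg.get("From", ""))
    exec_title = EXECUTIVES.get(name.strip())
    if exec_title and _domain(addr) != INTERNAL_DOMAIN:   # exec name, outside domain
        reasons.append(f"'{name}' ({exec_title}) sent from {_domain(addr)}")
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and _domain(reply_to) != _domain(addr):   # replies routed elsewhere
        reasons.append(f"Reply-To domain {_domain(reply_to)} differs from sender")
    body = msg.get_body(preferencelist=("plain", "html"))
    text = msg.get("Subject", "") + " " + (body.get_content() if body else "")
    hits = sorted({m.group(0).lower() for m in URGENCY_WORDS.finditer(text)})
    if hits:                                               # emotional pressure
        reasons.append("pressure wording: " + ", ".join(hits))
    attachments = [p.get_filename() or "unnamed" for p in msg.iter_attachments()]
    if attachments and (exec_title or hits):               # payload under pressure
        reasons.append("attachment pushed under pressure: " + ", ".join(attachments))
    return reasons

# Constructed sample: CEO display name, look-alike domain, external Reply-To
PHISH = """\
From: Jane Doe <jane.doe@example-utility-mail.com>
Reply-To: jd.ceo@freemail.example
Subject: URGENT: review attached invoice today
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please open the attached invoice immediately, this is confidential.
--b1
Content-Type: application/pdf; name="invoice.pdf"
Content-Disposition: attachment; filename="invoice.pdf"

JVBERi0x
--b1--
"""
```

In a real deployment the executive list would come from the directory service and the check would run at the mail gateway next to SPF, DKIM and DMARC results rather than on its own.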
This Type of Attack Works and Works Well
With the effort, skill, and detailed reconnaissance of a determined actor, it has been demonstrated that one successful spear-phishing attack, followed quickly by the theft of administrative privileges, can unleash tremendous pain upon power plant workers and their network, in turn causing tremendous inconvenience to the customers, clients, and businesses that depend on the grid. Keep in mind that a successful attack on the grid has secondary and tertiary effects as well. A power grid going down in the dead cold of winter could impact lives, leaving people stranded and, at worst, putting their lives at risk. Similarly, in the middle of a heat wave, in addition to lives at risk, emergency responders will have their resources taxed. This is not a hypothetical scenario. In fact, a horror of this type has already happened, in the Ivano-Frankivsk region of Western Ukraine, during the dead of winter in December 2015. The regional power company Prykarpattyaoblenergo fell victim to a highly sophisticated cyberattack. How did it all happen? The first myth we wish to dispel is that hackers are “smash-and-grab” artists or opportunists trying to test out their newest abilities. In our professional experience, we hear this argument far too often, and it is worth putting to rest. The days of script kiddies and grey hat hackers looking for kicks are likely gone. Sure, there are plenty who enlist “hackers-for-hire” to do their dirty work or just download malware packages to deploy through a network, but for the most part we prefer to err on the side of caution and assume we are dealing with pros. Let us be honest: there are plenty of black hat hackers out there looking to make a buck, promote an ideology, feed their ego, or serve some national interest (which, surprise, surprise, may be in direct opposition to another national interest).
For the most part, we are not scared of the hundreds (or thousands) of grey hats out there looking to tickle themselves silly over what they have just done; but we are terrified of the one, or small group of, black hats who have the resources, determination, skill, stealth, and conviction to get what they want. This was the case in Ukraine. According to details of the investigation, the nefarious actors:
- Were skilled and stealthy strategists;
- Carefully planned the assault over months;
- Conducted reconnaissance and study of the networks;
- Siphoned operator credentials; and
- Launched a synchronized assault in a well-choreographed dance.
“[i]t was brilliant. In terms of sophistication, most people always [focus on the] malware [that’s used in the attack]. To me what makes sophistication is logistics and planning and operations and … what’s going on during the length of it. And this was highly sophisticated.”
So this first article of the series was designed to let you know the following: yes, it can happen. It’s time to rid ourselves of the thought that it cannot. In the upcoming articles, we are going to give you some clear and easy-to-remember definitions, a bit more on how manipulation is extremely easy over the Internet, why threats to ICS/SCADA should really worry us, and a very brief walk-through of what happened at Prykarpattyaoblenergo.
Just as a final note, we want to call out a specific threat to CI (one that is not directly linked to social engineering) because it is worth knowing about: APTs. We view APTs as a given, happening all the time, almost robotic in their existence. With increased use of AI/ML, we believe that APT detection and response rates will improve in the coming years. We also see APTs like papercuts to a paper handler: you are going to get them in the course of your daily work. The trick, therefore, is not to get killed by them. If you are a power grid member and are not a victim of APTs, you are either doing something absolutely incredible (and we are sure the rest of the industry would love to know more about what you are doing) or you are asleep at the switch.
About the Authors: Paul Ferrillo