How to recover from a social engineering breach

Social engineering remains a key tool in the cyber criminal's arsenal: encouraging employees to unwittingly grant access is still one of the easiest ways of gaining entry to a company's network. We look at what a business should do if it falls victim to such an attack and what measures it can put in place to prevent the same strategy working again.

By Shirley Siluk

Mon 2 Oct 2017 @ 12:29

The use of social engineering has been around almost as long as cybercrime itself. Social engineering, the practice of getting employees to give up protected information by deception, is still one of the most effective techniques for malicious actors to gain access to company networks.

Phishing and social engineering are thought to be behind at least half of security breaches, and recent research found that over two-thirds of organisations said they have fallen victim to social engineering attacks.

The complexity of social engineering varies from scam to scam. Some are simple, like a phishing email sent to the finance department asking staff to open a malicious attachment disguised as an invoice. Others are far more elaborate, with cyber criminals spending weeks gathering intelligence on a high-profile target and crafting a strategy before they act.

Social engineering can also be costly: one bank lost €70m after its CEO was targeted by such an attack.

Social engineering's enduring popularity among criminals is largely due to the fact it remains the path of least resistance. Security companies are continually developing new technologies and processes to prevent threat actors from gaining unauthorised access to organisations' systems, but all their good work can be undone by just one careless employee who clicks on a link they shouldn't have.

In an ideal world, organisations should have a plan in place for dealing with a successful social engineering incident, with set protocols that can be followed in the event of a breach.

While the exact details will depend on the systems and individuals affected, the plan should set out how the organisation will investigate the extent of the problem, stop further data and systems from being compromised, determine whether the breach has caused it to contravene any regulatory or compliance obligations, and decide what actions should be taken as a result.

Once the initial clean-up has been completed and affected systems restored, organisations will need to work out what went wrong and what procedures should be put in place to prevent a recurrence.

Generally, businesses fall victim to social engineering for two reasons: a weakness in their technology set-up or in their human processes. To be successful, strategies to prevent attacks need to take into account both elements.

Clearly, one way to prevent attackers' emails fooling unwary employees into divulging their credentials or downloading ransomware is to prevent such emails reaching staff in the first place.

Solid anti-phishing, anti-spam, and anti-malware products should go a long way to helping with this. Locking down end-user devices appropriately and ensuring sensitive data and systems can be accessed only by the minimum number of users necessary are also basic steps that can help contain the fallout from a breach.

Of course, well-protected organisations need to use far more sophisticated technology tools too: for example, UEBA (user and entity behaviour analytics) can help spot abnormal events and patterns that suggest systems have been compromised.
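To make the UEBA idea above concrete, here is a small added example (not code from the article, nor from any UEBA product) that builds a per-user baseline of normal login hours, source addresses and hosts from historical events, then flags new events that deviate on two or more of those dimensions. The event tuples and the thresholds are constructed for illustration; a real deployment would learn them from directory and authentication logs.

```python
"""Toy user-behaviour baselining over constructed login events.

Illustrates the kind of deviation a UEBA tool looks for after a
successful phish: an account that normally works office hours from the
internal network suddenly reaching a sensitive host at 3 a.m. from an
external address.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample data, not real logs: (timestamp, user, source_ip, host).
BASELINE_EVENTS = [
    ("2017-09-04T08:55:00", "alice", "10.1.4.22", "fileserver"),
    ("2017-09-05T09:02:00", "alice", "10.1.4.22", "fileserver"),
    ("2017-09-06T08:48:00", "alice", "10.1.4.23", "mail"),
    ("2017-09-07T09:10:00", "alice", "10.1.4.22", "fileserver"),
    ("2017-09-04T10:00:00", "bob", "10.1.7.5", "finance-db"),
    ("2017-09-05T10:15:00", "bob", "10.1.7.5", "finance-db"),
    ("2017-09-06T09:50:00", "bob", "10.1.7.5", "mail"),
    ("2017-09-07T16:30:00", "bob", "10.1.7.5", "finance-db"),
]

# Constructed events to score against the baseline.
NEW_EVENTS = [
    ("2017-09-11T09:01:00", "alice", "10.1.4.22", "fileserver"),   # normal
    ("2017-09-11T03:14:00", "alice", "203.0.113.9", "finance-db"),  # off-hours, new source, new host
    ("2017-09-11T10:05:00", "bob", "10.1.7.5", "finance-db"),       # normal
    ("2017-09-11T10:06:00", "bob", "10.1.7.5", "hr-db"),            # new host only
]


def build_baseline(events):
    """Collect, per user, the set of hours, source IPs and hosts seen."""
    profile = defaultdict(lambda: {"hours": set(), "sources": set(), "hosts": set()})
    for ts, user, src, host in events:
        hour = datetime.fromisoformat(ts).hour
        profile[user]["hours"].add(hour)
        profile[user]["sources"].add(src)
        profile[user]["hosts"].add(host)
    return profile


def score_event(profile, event, hour_slack=1):
    """Return the list of ways this event deviates from the user's baseline."""
    ts, user, src, host = event
    p = profile.get(user)          # .get() does not create a default entry
    if p is None:
        return ["unknown_user"]
    reasons = []
    hour = datetime.fromisoformat(ts).hour
    # Allow an hour either side of any previously seen login hour.
    if not any(abs(hour - h) <= hour_slack for h in p["hours"]):
        reasons.append("off_hours")
    if src not in p["sources"]:
        reasons.append("new_source")
    if host not in p["hosts"]:
        reasons.append("new_host")
    return reasons


def detect(baseline_events, new_events, threshold=2):
    """Alert on events that deviate on at least `threshold` dimensions.

    Returns a list of (user, timestamp, reasons) tuples.
    """
    profile = build_baseline(baseline_events)
    alerts = []
    for ev in new_events:
        reasons = score_event(profile, ev)
        if len(reasons) >= threshold:
            alerts.append((ev[1], ev[0], reasons))
    return alerts


if __name__ == "__main__":
    for user, ts, reasons in detect(BASELINE_EVENTS, NEW_EVENTS):
        print(f"ALERT {user} at {ts}: {', '.join(reasons)}")
```

The threshold of two indicators is deliberate: a single new host is routine when someone joins a project, whereas an off-hours login from an address never seen before, reaching a host the user has never touched, is the pattern worth an analyst's time. The baseline window, the hour slack and the threshold are the knobs a real tool would tune per organisation.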

The human side of the business can also be key in preventing a social engineering attack happening again. Considering how vital employees are in maintaining an organisation's security posture, many businesses are guilty of not putting enough resources into helping staff identify, and avoid, the threats that may confront them in their day-to-day work.

With a relatively small proportion of employees given security awareness and prevention education, it's perhaps surprising more social engineering attacks aren't successful.

Putting in place a security training programme that's appropriate to the job grade, industry, and technology set-up is one relatively easy way for organisations to lower their risk profile.

Making sure employees regularly review their security training – with no exceptions – will also be beneficial.