In 2023, Cybercriminals Were Still Using Social Engineering to Steal Your Credentials

Over my career as a security professional, I’ve seen firsthand what cyberadversaries can do. From halting business operations to conning business owners out of millions of dollars in ransom, threat actors today have the potential to cause significant reputational and financial damage.

Hollywood cinema typically points to hooded figures looking to crack hundreds of lines of code to penetrate a network — but that’s rare. Adversaries don’t have time (or desire) to review the intricate details of the modern security framework — and they don’t have to.

Even in 2023, despite years of cybersecurity advancements, most threat actors were just logging in. Adversaries were still successfully obtaining employee credentials at an alarming rate. Recently, giant corporations like T-Mobile and Microsoft have fallen victim to compromised credential attacks.

While having plentiful resources like cybersecurity tools helps decrease the impact of attacks, there is one often overlooked factor: People.

Social engineering attacks are some of the most effective ways cybercriminals infiltrate enterprise networks. According to Verizon’s 2023 Data Breach Investigations Report, business email compromise (BEC) attacks make up half of the social engineering attempts, have almost doubled in frequency, and are often the precursor to more sophisticated attacks down the road. Cybercriminals are opportunists, meaning once they’ve tricked someone into giving them easy access inside the business infrastructure, they’ll take full advantage.

One of the top social engineering methods cybercriminals use to sneak inside organization networks is phishing, which is often an attempt to trick employees into providing valuable personal information like credentials through email.

Unfortunately, it’s getting harder to distinguish between social engineering attacks and credible communications. With new advancements in generative artificial intelligence (GenAI), cybercriminals are using tools like ChatGPT to generate human-like communications, like text or audio, and deploy sophisticated social engineering techniques. And to make matters worse, remote work is still a contributing factor to the success of a phishing attack. Not only are these attacks getting harder to pinpoint by the average employee, but the foundation of decentralized workforces heightens security risks by its nature. Security perimeters are no longer solely on-premises – instead, the cloud has enabled employees to work from wherever they need and has made securing against cybercriminals that much harder.

Once attackers have one foot in the door, it’s only a matter of time until they have the keys to the kingdom: administrative credentials.

One of the best investments companies can make to defend against advanced social engineering techniques is employee education. What are the early signs of a phishing attack? How can employees tell a phishing message from a legitimate one? What are some cybersecurity best practices and hygiene that they can implement?

The Human Element: Competent Criminals’ Best Exploit

The same report by Verizon indicates over half of all data breaches, 74%, include an element of human involvement, and nearly all, 84%, were the result of external actors – cybercriminals.
Human error is a key factor in determining whether a cybercriminal gains access to sensitive information, so what can companies do?

National Cybersecurity Awareness Month reminds us that it’s never too late for companies to begin developing and implementing best practices in cybersecurity. Continually updating your security posture keeps your organization secure both now and in the future.

Leveling up Threat Detection, Investigation, and Response (TDIR)

Education is a great starting point when it comes to defending against competent criminals, but mistakes still happen. Cybercriminals can always find a way to steal credentials and navigate internal networks. At this point, security leaders need basic knowledge to help guide detection:
● What do normal activity levels look like for each employee within internal networks?
● How can anomalies within this identified behavior then be recognized and subsequently flagged for detection, investigation, and containment to prevent further damage?

By deploying user and entity behavior analytics (UEBA) solutions, companies can establish a baseline of normal behavior for each user and device on a network. If a threat actor manages to be successful in a social engineering attack, UEBA makes the compromise easier to identify, prevents lateral movement, and ultimately streamlines the TDIR process.
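As an added illustration of the baseline-and-flag idea described above (not code from the author or from any UEBA product), the following Python example builds a per-user profile from constructed login events and flags new events that deviate from it on several dimensions. The event fields, user and host names, and thresholds are all assumptions made for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample events: (user, hour_of_day, source_device, target_host)
HISTORY = [
    ("alice", 9, "laptop-a1", "mail"), ("alice", 10, "laptop-a1", "crm"),
    ("alice", 11, "laptop-a1", "mail"), ("alice", 14, "laptop-a1", "crm"),
    ("alice", 16, "laptop-a1", "wiki"),
    ("bob", 8, "laptop-b7", "build"), ("bob", 9, "laptop-b7", "git"),
    ("bob", 13, "laptop-b7", "build"), ("bob", 17, "laptop-b7", "git"),
]
NEW_EVENTS = [
    ("alice", 10, "laptop-a1", "crm"),         # matches baseline
    ("alice", 3, "unknown-vm", "dc01-admin"),  # odd hour, new device, new host
    ("bob", 18, "laptop-b7", "hr-files"),      # usual device and hour, new host
]

def build_baseline(events):
    """Per-user profile: login hours, devices seen, hosts accessed."""
    raw = defaultdict(lambda: {"hours": [], "devices": set(), "hosts": set()})
    for user, hour, device, host in events:
        raw[user]["hours"].append(hour)
        raw[user]["devices"].add(device)
        raw[user]["hosts"].add(host)
    return dict(raw)

def score_event(baseline, event, z_limit=2.0):
    """Return (score, reasons); each deviation from the user's baseline adds 1."""
    user, hour, device, host = event
    profile = baseline.get(user)
    if profile is None:
        return 3, ["no baseline for user"]
    reasons = []
    # Hours are treated as linear here; wrap-around at midnight is ignored.
    mu, sigma = mean(profile["hours"]), pstdev(profile["hours"]) or 1.0
    if abs(hour - mu) / sigma > z_limit:
        reasons.append("unusual hour")
    if device not in profile["devices"]:
        reasons.append("new device")
    if host not in profile["hosts"]:
        reasons.append("new host")
    return len(reasons), reasons

def flag_anomalies(baseline, events, threshold=2):
    """Events with at least `threshold` deviations go to investigation."""
    return [(e, r) for e in events
            for s, r in [score_event(baseline, e)] if s >= threshold]
```

Requiring two or more deviations keeps a single new host (bob's event) out of the investigation queue while still surfacing the login that differs in hour, device, and target at once.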

Social engineering techniques prey on human error, and while it’s unlikely we will ever truly eliminate the possibility of these threats, the combination of behavioral analytics solutions that identify internal anomalies teams can respond to appropriately and critical security education programs can limit security risks. Cybersecurity is about looking ahead to the future and ensuring protocols are not just quick fixes but long-term solutions that safeguard sensitive information like credentials. It’s time for security professionals to get proactive about their organization’s future so that hopefully we won’t be having the same conversation in 2024.


Tyler Farrar

Tyler Farrar is CISO at Exabeam.
