The Best Defense Against Social Engineering? Knowing How to Execute an Attack

Jenny Radcliffe
11.09.2021

Illustrations by Calum Heath

In a recent Tessian podcast episode, Jenny Radcliffe, world-renowned social engineer, explained how cybercriminals can manipulate employees and revealed what organisations can do to mitigate this risk.

Listen to the full podcast here, or read on for Jenny Radcliffe’s top three takeaways.

The bulk of cybersecurity attacks are planned with humans in mind
There is no typical day in the life of a people hacker, but there are common elements between assignments: 

  • Can I get past the humans?
  • Can I get past the physical security?
  • Why is this the case?

When preparing an attack, I want to know everything about the target organization. This includes how it started, who founded it, whether it is public or private, and how the organization has evolved. You might be surprised by the level of detail, but these details help me uncover the personality of the organization, and let me know what makes it tick. I treat each organization and the people in it as though they were one entity – and I need to know that entity very well if I want to successfully infiltrate it.

I also look at the way people move around the building, where they go to share secrets, and the secret things that the employees do. I need this information to help me identify and get to know my target. Additionally, I look at the teams and where they congregate – officially and unofficially. There are unofficial sources of power and news in every organization, because there will always be someone who knows everything and everyone, and communicates that information freely. As attackers, we are looking to know the organization just as well as a person who works there – possibly even better. 

So, the piece of advice that I always give is to know your organization better than the bad guys. Know your people really well so that if something falls out of sync, you notice.


Social engineering attacks are often more sophisticated than people think

I only decide who I am going to target once I have enough background information. This is because I want my attack to hit home. A scattergun approach is not good enough – I need whatever I say, whether in an email or in person, to resonate with the recipient so much that they cannot help but respond.

With a human target, I find out the answers to questions such as: 

  • What do they protect?
  • What do they love/hate?
  • What is the last thing they’d give up?
  • What are they frightened of?

If I then combine this information with local knowledge, establish some trust and authority, and use persuasion techniques, that person is highly vulnerable when I do eventually communicate with them.

So these attacks are very precise, but there are still many people in cybersecurity who don’t understand that. Many think that all I do is put on a cheeky smile and tailgate into buildings – and I do do that! But it is a little more sophisticated, with a lot of preparation, and that’s because the targets that I deal with and the problems I’m given to solve are fairly complicated.

Technical solutions should be implemented in combination with human solutions

We have to work with humans in tandem with technical solutions. Technical solutions can limit access, and track and detect problems. This helps in preventing an attack from getting to a human in the first place, which is great. I think that the problem is that it is easier to buy and implement technical solutions than it is to fix your culture and really understand the way your people work. 

The issue of insider threats and security culture generally isn’t something you can throw money at. It needs time, attention and focus. Again, the answer comes back to knowing your humans better than the bad guys do – and this should be the case at line manager level. Because if you do not do that, cyber criminals will find someone who is chatty, unhappy, naive, or new and they will find a way to get to them.

This is why you have to be able to see when someone is behaving differently, and that person needs to feel like they can come to you if something is not right. You can throw money at the problem, but ultimately you have to understand your people – people are the question, and they are the answer. 

For more from Jenny and the secrets behind social engineering attacks, listen to our Tessian Podcast episode, here, or check out her podcast – Human Factor Security.
