Attack Surfaces: People

Part 1 of the Attack Surfaces series
Ask anyone how breaches start and they’ll most likely say: “Phishing” – a form of social engineering. That’s the “people” attack surface, but it goes well beyond phishing.
In our red team practice, we’ve certainly phished targets to gain initial access. We have also used the people attack surface to gain higher privileges and stay inside: we ask to have endpoint detection and response (EDR) software turned off, we request special virtual machines, and sometimes we seek other permissions. More often than not, those requests are granted (by people!).
The 2024 Verizon DBIR reports that out of 10,069 breaches, 68% involved a human element. This is the highest of the four characteristics they tracked.
Phishing and Social Engineering
Attackers are increasingly leveraging social engineering techniques and phishing emails as an initial access vector. Phishing emails are frequently used to deliver malware or assist in credential capture (including 2FA). These tactics have evolved to target mobile devices through SMS phishing (“smishing”) and malicious voice calls (“vishing”). Attackers also capitalize on real-world events to craft timely and persuasive lures.
The objective of these attacks is often to compromise a single user’s workstation or credentials, which then serves as a foothold for lateral movement and further access. In essence, people serve as a gateway to an organization’s most sensitive data and “crown jewels.”
Exploiting Business Processes
Business processes that rely on human validation or judgement can also be exploited. The “confused deputy” problem arises when attackers manipulate an authorized individual into improperly granting access.
We’ve seen (and used) this technique against external-facing company personnel – notably, sales and accounting. In the article linked, an attacker registered a fake company with a name similar to a legitimate company to which his targets routinely sent millions of dollars. No surprise: he was able to get his victims to wire his fake company $100M+ just by sending emails.
The “people” attack surface goes beyond just a company’s employees—it also includes customers and third parties. When companies allow external marketers or partners to contact customers, it becomes normal for messages to come from outside domains. This makes it harder for customers to spot phishing attempts. The risk grows even more when scammers take control of legitimate-looking email addresses, making their attacks harder to detect.
For example, during BlockFi’s bankruptcy proceedings, attackers impersonated the company to defraud account holders attempting to withdraw their funds.
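The fake-company fraud described above works because a sender domain that differs from a trusted vendor’s by one character, a swapped top-level domain or an extra word is easy for a busy accounts-payable clerk to miss. The following is an added example, not code from the original article or from any vendor: a small lookalike-domain check that a mail-flow rule or SIEM enrichment could run over inbound `From:` headers against the domains a finance team legitimately pays. The vendor allowlist, the sample headers and the thresholds are constructed for illustration.

```python
"""Flag inbound sender domains that mimic a trusted vendor's domain.

Added example (not part of the original article). The allowlist, the
sample From: headers and the distance threshold are constructed.
"""
import re

# Constructed allowlist: the registrable domains our finance team pays.
TRUSTED_VENDOR_DOMAINS = {"acme-supply.com", "northwind.co"}

# Digits and letter pairs commonly substituted to imitate a brand name,
# mapped to the character they are meant to resemble.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})


def normalize(domain: str) -> str:
    """Canonicalise a domain so visually similar spellings compare equal."""
    d = domain.lower().strip(".").translate(CONFUSABLES)
    return d.replace("rn", "m").replace("vv", "w")


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (two-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain: str) -> str:
    """Naive registrable domain: the last two labels (ignores multi-part TLDs)."""
    parts = domain.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else domain.lower()


def lookalike_of(sender_domain: str, trusted=TRUSTED_VENDOR_DOMAINS, max_distance: int = 2):
    """Return the trusted domain this sender mimics, or None if trusted or unrelated."""
    reg = registrable(sender_domain)
    if reg in trusted:
        return None                      # exact vendor domain or one of its subdomains
    norm = normalize(reg)
    name = norm.rsplit(".", 1)[0]        # brand part without the TLD
    for t in trusted:
        t_norm = normalize(t)
        t_name = t_norm.rsplit(".", 1)[0]
        if norm == t_norm:               # confusable substitution, e.g. acme-supp1y.com
            return t
        if levenshtein(name, t_name) <= max_distance:   # typo-squat or swapped TLD
            return t
        if t_name in name and name != t_name:           # brand plus extra words
            return t
    return None


def scan_from_headers(headers):
    """Return (address, mimicked_vendor) pairs for headers that look like impersonation."""
    flagged = []
    for h in headers:
        m = re.search(r"([\w.+-]+)@([A-Za-z0-9.-]+)", h)
        if not m:
            continue
        hit = lookalike_of(m.group(2))
        if hit:
            flagged.append((f"{m.group(1)}@{m.group(2)}", hit))
    return flagged


# Constructed sample headers: one legitimate vendor, several imitations, one unrelated.
SAMPLE_FROM_HEADERS = [
    "From: Accounts Payable <ap@acme-supply.com>",
    "From: Billing <billing@acme-supp1y.com>",
    "From: Invoices <invoices@acrne-supply.com>",
    "From: AR Team <ar@northwlnd.co>",
    "From: Payments <pay@acme-supply-portal.com>",
    "From: Newsletter <news@example.org>",
]

if __name__ == "__main__":
    for addr, vendor in scan_from_headers(SAMPLE_FROM_HEADERS):
        print(f"REVIEW: {addr} resembles trusted vendor {vendor}")
```

A hit is a prompt for out-of-band verification of any payment-detail change (a phone call to a number already on file), not proof of fraud; the threshold of two edits is deliberately loose for long vendor names and would need tightening for short ones.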
Managing People-Based Risks
People-based risks can be managed but never eliminated. Technical controls, such as multi-factor authentication, EDR, robust authorization controls, cloud security configurations and network segmentation can all help mitigate the risk and limit the blast radius of a successful phishing attempt, but this remains one of the more difficult attack vectors to control for.
Security awareness training should be simple and clear. Users must learn how to spot common phishing attempts—whether by email, phone, or text—and know how to report them right away.
Perhaps the most critical piece of training is that users must feel comfortable letting internal security personnel know exactly how they interacted with a phishing email as soon as they realize it is fraudulent. Many hours (or days) of incident response (IR) time are routinely wasted based on users not telling the full story because they fear reprisal or punishment for what is usually an honest mistake.
At the organizational level, stakeholders should have fast access to up-to-date IR plans and should be familiar with their roles and responsibilities for any incident. Familiarity can be accomplished through IR tabletop exercises in advance of a real incident. Not only does this help with readiness for cyber-attacks, it can also uncover gaps or pitfalls in the plan itself when the stakes are low. The cost of an IR tabletop exercise is orders of magnitude lower than the cost of cleaning up after a data breach.
Monitoring for anomalous user behavior can also help detect compromised accounts early before significant damage occurs. This may involve using machine learning to establish baseline behavioral patterns and flag deviations in real time.
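To make the baseline-and-deviation idea concrete, here is an added example (not code from the original article or from any product): it builds a per-user baseline of countries, devices and working hours from a history of successful sign-ins, scores new events against it, and separately flags two sign-ins from different countries too close together to be the same person. The event format, field names and sample records are constructed; a real deployment would read them from an identity provider’s sign-in log.

```python
"""Per-user sign-in baseline with deviation scoring and an impossible-travel check.

Added example (not part of the original article). The log format and all
sample records are constructed; MIN_HISTORY and the travel window are assumptions.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from datetime import datetime


@dataclass
class Event:
    user: str
    ts: datetime
    country: str
    device_id: str
    success: bool


def parse_event(line: str) -> Event:
    """Constructed format: '<ISO timestamp> <user> <country> <device> OK|FAIL'."""
    ts, user, country, device, status = line.split()
    return Event(user, datetime.fromisoformat(ts), country, device, status == "OK")


@dataclass
class Baseline:
    countries: Counter = field(default_factory=Counter)
    devices: Counter = field(default_factory=Counter)
    hours: Counter = field(default_factory=Counter)   # hour-of-day histogram
    total: int = 0


MIN_HISTORY = 10        # assumption: fewer successful sign-ins than this is no baseline


def build_baselines(events):
    """Learn what 'normal' looks like per user from successful sign-ins only."""
    baselines = defaultdict(Baseline)
    for e in events:
        if not e.success:
            continue
        b = baselines[e.user]
        b.countries[e.country] += 1
        b.devices[e.device_id] += 1
        b.hours[e.ts.hour] += 1
        b.total += 1
    return baselines


def score_event(e: Event, baselines) -> list:
    """Return the ways this event deviates from the user's baseline ([] = consistent)."""
    b = baselines.get(e.user)
    if b is None or b.total < MIN_HISTORY:
        return ["insufficient-history"]
    reasons = []
    if e.country not in b.countries:
        reasons.append(f"new-country:{e.country}")
    if e.device_id not in b.devices:
        reasons.append(f"new-device:{e.device_id}")
    # Hour never observed in the baseline, allowing one hour of slack either side.
    if not any(b.hours[(e.ts.hour + d) % 24] for d in (-1, 0, 1)):
        reasons.append(f"unusual-hour:{e.ts.hour:02d}")
    return reasons


def impossible_travel(events, max_minutes: int = 60):
    """Consecutive successful sign-ins from different countries within max_minutes."""
    by_user = defaultdict(list)
    for e in events:
        if e.success:
            by_user[e.user].append(e)
    hits = []
    for user, evs in by_user.items():
        evs.sort(key=lambda ev: ev.ts)
        for a, b in zip(evs, evs[1:]):
            gap = (b.ts - a.ts).total_seconds() / 60
            if a.country != b.country and gap <= max_minutes:
                hits.append((user, a.country, b.country, int(gap)))
    return hits


# Constructed history: alice signs in from the US on one laptop during office hours
# for twelve days; bob has only two sign-ins, too few to baseline.
BASELINE_LINES = [
    f"2024-05-{day:02d}T{hour:02d}:{15 * (day % 4):02d}:00 alice US dev-a1 OK"
    for day in range(6, 18) for hour in (9, 11, 13, 15, 17)
] + [
    "2024-05-10T11:00:00 bob US dev-b7 OK",
    "2024-05-11T11:05:00 bob US dev-b7 OK",
]

# Constructed new events to score against that history.
NEW_LINES = [
    "2024-05-20T10:00:00 alice US dev-a1 OK",
    "2024-05-20T10:30:00 alice RO dev-zz OK",
    "2024-05-21T03:12:00 alice RO dev-zz OK",
    "2024-05-20T11:00:00 bob US dev-b7 OK",
]

if __name__ == "__main__":
    baselines = build_baselines(parse_event(l) for l in BASELINE_LINES)
    for line in NEW_LINES:
        print(line, "->", score_event(parse_event(line), baselines) or "ok")
    print("impossible travel:", impossible_travel([parse_event(l) for l in NEW_LINES]))
```

The “insufficient-history” outcome matters in practice: new joiners and rarely used service accounts have no baseline, so a detector that silently treats them as normal will miss exactly the accounts attackers like to take over. The machine-learning variant the text mentions replaces the histograms with a learned model, but the workflow (learn on known-good history, score, route deviations to a human) is the same.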
Stay Vigilant
Our most security-mature customers foster a culture of security awareness without blame. Every employee should understand their role in protecting the organization and feel empowered to report potential threats – like phishing attempts or social engineering attacks – without fear of retribution.
Adopting a holistic view of your attack surface that includes people, processes, and technology takes time. By finding and reducing risks from human behavior exploitation, companies can become stronger against advanced social engineering tactics. This helps defend critical systems, applications, and operating systems, and reduces the likelihood of costly data breaches.