“that I was a representative from the IT department that was trying to track down a possible threat. I asked the secretary to proceed to my website and click on a link embedded in it. The secretary obliged, and I got a log entry that contained her IP address, showing proof that sh…”
T1566.002 Spearphishing Link
93%
“to the company’s benefits package which provided a link to view document (this ruse had been highly successful during other engagements). When they clicked on the link, they were redirected to a Microsoft login page and after inputting their credentials, a document about bene…”
T1566.002 Spearphishing Link
91%
“##ist). In addition, some ruses, like device code abuse, are more complicated, requiring a user to submit a code on a legitimate site, granting the attacker access. Social engineering real world examples as a penetration tester, I have had the opportunity to conduct social engin…”
T1566.002 Spearphishing Link
86%
“together. - Phishing: this attack is associated with electronic mail. An email is sent with the goal of appearing to be legitimate communication that will entice a user to complete the activity desired by the attacker (like clicking on a malicious link). The outcome is based o…”
T1566.002 Spearphishing Link
82%
“clicking a link or downloading malware. - Urgency: the attacker creates a sense of urgency or fear in the target, to convince the target to perform the attacker’s desired activities. - Honeytrap: an attack which specifically targets individuals looking for love on online dati…”
T1204.001 Malicious Link
77%
“to lure them into clicking on a link. (Get a free sandwich if you take the survey at the following link). - Quid pro quo: this is a variation of baiting where the attacker gives “something for something.” Example would be getting a free software download if you click a malic…”
T1598 Phishing for Information
75%
“corporation’s reputation. Training yourself and employees about what social engineering is, and how to handle situations when they suspect that they are getting social engineered, is essential. My favorite customer quote after we conducted a physical security test is: “we hav…”
T1189 Drive-by Compromise
65%
“to lure them into clicking on a link. (Get a free sandwich if you take the survey at the following link). - Quid pro quo: this is a variation of baiting where the attacker gives “something for something.” Example would be getting a free software download if you click a malic…”
T1598 Phishing for Information
61%
“- Contact the originator out-of-band using internal corporate resources (email, phone, chat, etc.) Urgency: if you get a sense of urgency, do not act in haste. - Take the time to understand if it is urgent and verify the source by calling or going directly to the website. …”
T1598 Phishing for Information
58%
“of the authority. Trust in familiarity: trusting someone due to existing or prior relationships is often exploited by hackers by impersonating acquaintances or using information gathered from social media to appear trustworthy. Trust in urgency: pressure coming from a sense of …”
T1586.002 Email Accounts
40%
“of the authority. Trust in familiarity: trusting someone due to existing or prior relationships is often exploited by hackers by impersonating acquaintances or using information gathered from social media to appear trustworthy. Trust in urgency: pressure coming from a sense of …”
T1566.002 Spearphishing Link
40%
“with any physical assessment, you have to be able to think on your feet. Since you hardly ever know what you will run into or what type of situation you will be presented with, the ability to rehearse all situations is not feasible or possible. This is also true when conducting d…”
T1566.002 Spearphishing Link
37%
“timing). The lessons learned from the social engineering calls and physical engagements prompted the customers to review and edit their policies and procedures. This included training requirements for identifying social engineering tactics. From the examples above, you can see h…”
T1598 Phishing for Information
35%
“together. - Phishing: this attack is associated with electronic mail. An email is sent with the goal of appearing to be legitimate communication that will entice a user to complete the activity desired by the attacker (like clicking on a malicious link). The outcome is based o…”
Summary
Human Trust Most people associated with information technology roles understand the application of technical controls like the use of firewalls, encryption, and security products for defenses against digital threats. Proper […]