An Overview of Social Engineering

Social engineering preys on the fact that humans are the weakest link in information security. This article explains the social engineering model, outlines the two categories of social engineering attacks, and discusses techniques for preventing and mitigating social engineering.

5. Mitigation Techniques

Human-based attacks are sophisticated and hard to detect, which makes their mitigation necessary. Mitigation techniques for social engineering attacks aim to decrease the attacks’ impact on individuals or companies: they aim to save what can be saved after a human has already been attacked or a company’s system has already been compromised. The cyber security entity needs to minimize the loss as much as possible by defining the security actions to take in case of emergency. For instance, building a corporate security culture among a company’s employees is a mitigation technique against attacks targeting companies or groups of individuals. Such a positive culture helps the victim of an attack not feel ashamed of having been manipulated: the social engineer exploits misplaced trust, not the victim’s lack of intelligence.

Awareness of this culture also strengthens security responsibilities: employees report all attacks to the technical staff as soon as possible in order to prevent further damage. This mitigation technique saves valuable time in responding to an attack and stops it from spreading into the company’s network. Another mitigation technique, for attacks by call or email informing someone of a lottery win, is spreading awareness about the psychological triggers of social engineering attacks. Individuals who receive such a message should know that they cannot win a lottery or prize they never entered, and that nobody gives away a fortune by email or as a donation. Recognizing this can stop people from replying to the attacker with the requested data.

For attacks related to emails or link clicks, software vendors have become more aware of social engineering threats and build products with strong security measures, which are very challenging for cyber criminals to penetrate. Because of these measures, the attacker cannot obtain enough data even if a victim is fooled by the attack. Human-based mitigation techniques rely on human judgment to determine whether an activity is legitimate or malicious. They involve two approaches: (1) auditing and policy; and (2) education, training, and awareness (ETA). The auditing and policy approach refers to a set of security rules and procedures implemented in companies to help employees detect social engineering attacks. These rules are controlled by policies that guide employees in deciding about the state of a suspected activity. The policy approach can be considered a defense strategy that controls the employee’s reaction while under social engineering attack. The education, training, and awareness approach refers to the effective application of the auditing and policy approach: it aims to ensure that the security policies and procedures defined by the organization are actually deployed. In "Social engineering in social networking sites: Affect-based model", the authors proposed introducing these ETA techniques to new employees as a security orientation, providing them with the organization’s prerequisites for a secure company.

Human-based mitigation techniques are a must for companies to mitigate social engineering attacks and minimize their impact in exploiting employees’ weaknesses and vulnerabilities. They mainly concern effective decision making: classifying an activity as malicious and acting as necessary. However, human decisions are relative and therefore not efficient, since human judgment is subjective even with strong awareness of social engineering attacks. Technology-based mitigation techniques are required to enhance the accuracy of the human-based ones. There are four technology-based mitigation techniques: biometrics, sensors, artificial intelligence, and social honeypots. Biometrics-based techniques aim to counteract physical impersonation attacks, in which an attacker impersonates a company’s employee by creating a fake profile with his/her identity.

Biometrics distinguish real employees from fake profiles through their biological traits, such as fingerprints, facial features, eye prints, and voice. Biometrics-based techniques can be effective only if the malicious user is actually subjected to the biometric tests. Sensor-based techniques use sensors to identify individuals. For instance, the authors of "Scoping the Cyber security body of knowledge" proposed a prototype based on inter-body communication to check employees using door systems or specific uniforms: the prototype checks the signal transmitted by the system and compares it to the signal used by the genuine uniform. Artificial intelligence-based techniques aim to enhance human-based mitigation strategies by adding an additional security layer. As adaptive learning systems, artificial intelligence systems are able to learn, adapt, and change their parameters according to the situation. In "A new method for detection of phishing websites: Url detection", a multitier phishing detection and filtering technique was proposed to extract and analyze email features in order to filter them. In "Dissecting and detecting mobile ransomware", the authors proposed a neuro-fuzzy-based technique to mitigate phishing attacks in real time and protect online transactions.

As previously mentioned, ransomware attacks are one of the security risks a company or a user can face. They target the human rather than devices or systems, which makes them hard to identify. In "Scoping the Cyber security body of knowledge", the authors focused on mobile ransomware and proposed a new detection technique called HelDroid. According to the authors, this technique efficiently detects any possible ransom activity, even one never previously seen. HelDroid is integrated into the phone to monitor all the applications in use; it verifies and scans their activities before they are used, or even before the application’s installation starts. The authors of "From intrusion detection to an intrusion response system: Fundamentals, requirements, and future directions" focused on designing advanced operating systems and devices resistant to ransomware as a major future direction for dealing with these attacks. In "Stopping ransomware attacks on user data", the authors proposed an early-warning detection system called CryptoDrop that alerts the employee in case of suspicious activity on the user’s data. CryptoDrop analyzes several common behavior indicators of ransomware attacks; it detects the attack rapidly and stops the malicious software with low data loss.

In "Detection, prevention and cure", the authors proposed several steps to follow to mitigate and handle ransomware attacks: (1) preparation; (2) detection; (3) containment; (4) eradication; and (5) recovery. In the preparation step, a company’s security staff must eliminate all vulnerabilities so that the attacker cannot penetrate the company’s system. This step is considered a defense strategy to stop the ransomware from spreading throughout the system and taking sensitive data. The preparation step requires frequent synchronization to protect the company’s backups, since the attacker destroys all files (regular files and backup files) before demanding the ransom in order to put the company at risk. These backups must be stored somewhere other than the company’s data centers (cloud and network shared storage), such as offline storage. Moreover, the preparation step requires an incident response plan to be developed before an attack occurs. The incident response plan specifies what everyone needs to do when an attack is underway so that the company can react effectively and quickly. This plan is reinforced by regular training that teaches employees how to respond effectively to these attacks.

In the detection step, a ransomware attack is detected and blocked by recognizing CryptoWall and Locky traffic. When ransomware is detected early, the user can stop it or at least minimize its damage. Quick detection allows companies and individuals to contain the situation and act accordingly while the attack is already running. Detection of CryptoWall and Locky traffic is integrated into intrusion detection systems (IDS), which companies use to limit the attack’s propagation over the company’s network. The containment step aims to confine the attack to the few devices already affected, in order to limit it locally. It is mainly based on an endpoint protection system, which is able to kill the process executing the attack and deactivate network connectivity; as a result, the attacker is not able to encrypt the files. The eradication step consists of cleaning up the damage once the ransomware attack is contained and identified. It eradicates the attack from the network and replaces infected machines and devices instead of cleaning them, in order to get rid of any hidden malicious files on those devices.

The last step consists of recovering any damaged or lost files by restoring them from backups after replacing systems and machines. It requires some downtime to run the backup processes and to investigate how the ransomware penetrated the system. These five mitigation steps can be used to handle any other social engineering attack; they represent the essential stages a company must have in place. Moreover, defense success against any type of social engineering attack depends on how well the individual or the company is prepared. The level of preparation determines the ability to prevent, detect, mitigate, and contain any suspicious activity.
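The detection step above, and the CryptoDrop description before it, both rest on spotting ransomware by its file-level behavior rather than by a known signature. The following added example (written for this article; it is not CryptoDrop's or any cited paper's code) shows how a host-based early-warning check can score a batch of file events against three common behavior indicators: high-entropy writes, mass extension changes funnelled to one new extension, and deletions. The thresholds and the two sample sessions are constructed assumptions for illustration.

```python
import math
from collections import Counter
# Illustrative thresholds (assumed; not CryptoDrop's tuned parameters)
HIGH_ENTROPY = 7.0            # bits per byte; ciphertext is close to 8.0
MIN_HIGH_ENTROPY_WRITES = MIN_EXTENSION_CHANGES = MIN_DELETES = 5

def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the written content; 8.0 means all byte values equally likely."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def extension(path: str) -> str:
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""

def ransomware_indicators(events):
    """Count indicators over (op, path, arg) events: write (arg=bytes), rename (arg=new path), delete."""
    ind = {"high_entropy_writes": 0, "extension_changes": 0, "deletes": 0}
    new_exts = Counter()
    for op, path, arg in events:
        if op == "write" and shannon_entropy(arg) >= HIGH_ENTROPY:
            ind["high_entropy_writes"] += 1
        elif op == "rename" and extension(arg) != extension(path):
            ind["extension_changes"] += 1
            new_exts[extension(arg)] += 1
        elif op == "delete":
            ind["deletes"] += 1
    # Funnelling: many files renamed to one new extension is a strong ransomware sign
    ind["funnel_extension"] = new_exts.most_common(1)[0][0] if new_exts else ""
    return ind

def should_alert(ind) -> bool:
    """Require two indicators: editors also rename and build tools also delete files."""
    fired = [ind["high_entropy_writes"] >= MIN_HIGH_ENTROPY_WRITES,
             ind["extension_changes"] >= MIN_EXTENSION_CHANGES,
             ind["deletes"] >= MIN_DELETES]
    return sum(fired) >= 2

# Constructed sample sessions, not captured telemetry
CIPHERTEXT_LIKE = bytes(range(256)) * 4                    # entropy exactly 8.0
PLAINTEXT_LIKE = b"quarterly figures, see table 3\n" * 16
BENIGN_SESSION = [("write", f"docs/report{i}.txt", PLAINTEXT_LIKE) for i in range(8)]
BENIGN_SESSION += [("rename", "docs/draft.txt", "docs/final.txt"), ("delete", "docs/tmp.txt", b"")]
RANSOM_SESSION = []
for i in range(8):                                          # encrypt, rename, wipe backups
    p = f"docs/report{i}.txt"
    RANSOM_SESSION += [("write", p, CIPHERTEXT_LIKE), ("rename", p, p + ".locked"),
                       ("delete", f"docs/backup{i}.bak", b"")]
```

Feeding `RANSOM_SESSION` to `ransomware_indicators` fires all three indicators and `should_alert` returns True, while `BENIGN_SESSION` fires none; in a real deployment the alert would trigger the containment step (process kill and network isolation) described above.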