Why Social Engineering Works And How To Arm Yourself Against "Human Hacking"
Let me share some observations after 7 years of building KnowBe4 from scratch into a 100 million dollar company.
We train your employees to recognize social engineering attacks and not fall for hacker tactics that attempt to manipulate them into doing something against their and your interest. In short, we enable your employees to make smarter security decisions, every day.
But what is the basic mechanism behind social engineering? Why exactly does it work? How do you arm yourself against it?
Over the last 15 years, a lot of books have been written about this, and many experts have voiced their opinions. However, here is some hard-won experience from the trenches.
We all know that the bad guys go after your users—the weak link in IT security—because hacking humans is easier and faster than hacking software or hardware. Hacking the wetware can often be done in less than a minute.
OK, so exactly WHY is it so easy to hack the wetware?
Let's have a look at people's behavior in general for a moment and paint a picture in your mind. Two extremes: fully rational on the left and fully irrational on the right. In a business environment, which ideally is driven by both reason and competition, there is of course no pure black or white, these two extremes are really a gray scale and employees operate hopefully left from the middle.
How do the bad guys manipulate behavior? They attempt to influence—essentially bypass—rational behavior ("I'm not clicking that!") and force the user to the right into more irrational behavior ("I'm clicking that now!")
In other words, they are pushing your users from rational behavior that's based on a cycle of observation, deciding, and acting, into a more irrational short circuit that's a knee-jerk reaction consisting of only observation -> action without the decision step.
Here is an example of this in real-life battle
Since the 1950s, U.S. Navy fighter pilots have been trained to understand and follow the OODA Loop: Observe, Orient, Decide and Act.
From Wikipedia: The OODA loop is the decision cycle of observe, orient, decide, and act, developed by military strategist and United States Air Force Colonel John Boyd. Boyd applied the concept to the combat operations process, often at the operational level during military campaigns.
Top Guns use the OODA loop in dogfights, and use a series of them in very short succession. Here is how that looks, Check out the US Navy's Blue Angels in action:
But the OODA loop can be applied in a number of ways, including business in general and here is how it applies to social engineering:
1. Observation Your end user is active in your organization getting their tasks done. Suddenly the end user observes something that seemingly they need to do something about, either to prevent a negative consequence or benefit from an opportunity. (The attacker's first attack vector).
2. Orientation in business refers to human judgement to put this into context with past experience and business understanding, to quickly predict what to do next. ("Hmm, I see phishing red flags here...")
3. Decide using the data and orientation toward rational, productive behavior. ("I'm not clicking that!")
4. Action putting that decision in motion. (User clicks on the Phish Alert Button instead)
Even without the heart-pounding thrill of barrel rolls and live-ammo contact with the enemy, the OODA Loop is a powerful weapon for everyone if they apply it correctly.
The exact anatomy of social engineering
The game for the bad guys is to get inside the OODA Loop and cut out the decide step. That is the exact anatomy of social engineering: subversion of the decision-making process.
The bad guy wants your user to react without much (or any) rational thought. The click, or the opening of the attachment, is action based on emotion, a good example is the attacker artificially creating shock (Celebrity Death!) in the mind of your user.
In the past, some people have tried to describe this process with terms like "influencing or activating the subconscious" which contains a hard-wired series of behavior patterns, like yanking your hand off a hot stove.
What they really tried to describe was the omission of the "decide" step in the OODA Loop.
So, how to arm your users against human hacking?
Educate them about social engineering. Show them how it works. Train them how the bad guys try to manipulate employees. Explain the exact mechanism so that they actually understand it, and are able to apply what they learned in their work environment.
A trained employee is much harder to fool, and dramatically less gullible when they are confronted with attack vectors that try to social engineer them. Step your users through new-school security awareness training.
Get a quote and find out how surprisingly affordable this is for your organization.