Social Engineering Attack Detection Model
The first step of the model tests whether the receiver is able to
understand the request. One must fully comprehend the entire request before
one can accurately determine whether it involves a social engineering
attack or not. In the case where the receiver does not comprehend the
request in full or where additional information is required to comprehend
the request, the "no" option is selected so that more information
about the request can be asked. The "no" option can be selected
repeatedly if the additional information provided is not yet enough for the
receiver to comprehend the request fully. When the receiver fully
comprehends what the request is, the "yes" option is selected.
This step is provided to allow the receiver to request additional
information about the request from the requester. The receiver now attempts
to ask for more information about the request to better understand the
request. The step can also be repeated if additional information is
required; however, when no additional information about the request can be
obtained, the "no" option is selected. The "no" option
leads the receiver to either defer or refer the request. Every time more
information is obtained, the "yes" option is selected and a test is
once again performed to determine whether the receiver understands what is
requested.
It is very important to determine whether the receiver is knowledgeable
enough to perform the request in full. This step differs from the first
step, because the receiver has to measure whether he/she has the required
knowledgeable to perform the request and not whether the request itself is
understood. The receiver performs this measurement based on the own
capability to understand the procedure required to perform the request. If
the receiver has the necessary knowledge to perform the request, the
"yes" option is chosen and the receiver proceeds to the following
step. In the case where the receiver does not understand how to perform the
request, the "no" option is chosen.
Once the receiver has verified that he/she understands how to perform the
request, it needs to be determined whether the receiver is capable of
performing the request. This step measures whether the receiver has the
means or capability to perform the request, in other words whether he/she
is able to determine which option to choose. If the "no" option is
taken, the request is deferred or referred to another individual.
Otherwise, the "yes" option is selected and the next step involves
the receiver's authority to perform the request.
The receiver needs to measure whether he has the required authority to
perform the request. Even though at this step the receiver may already have
determined that he/she understands how to perform the request and is
capable of performing it, it must still be determined whether the receiver
has the authority to perform the request. This step therefore measures
whether the receiver, as part of his or her duty, has the authority to
provide the requester with the requested action or information. If the
receiver has the necessary authority, the "yes" option is taken,
otherwise the "no" option is selected. This is the last step for
the receiver to measure him- or herself --- the next two steps focus on the
request itself.
This is the first step that may lead to a request being performed, as it is
here determined whether the requested action or information is already
publicly available. In the case where the request involves an action, it
must be determined whether this requested action is available to the public
or whether the requester should possess any level of authority to request
the specific action. In the case where the requested action is available to
everyone, the "yes" option is taken and the request is performed.
If any type of authority is required for the specific action, the
"no" option is chosen and the receiver proceeds to the next step.
The procedure is similar for requested information, since it needs to be
measured whether the information is public or private. The receiver should
have a clear understanding of what information is readily accessible to the
public. For example, information in the public domain for an institution
could include contact details and working hours, which could be available
on the institution's website and may thus be provided to a requester.
The receiver needs to assess the urgency of the request and the
consequences for the requester if the request is not performed. If the
request does not constitute a life-threatening emergency, the "no"
option must be taken. An example of a life-threatening emergency is where
an individual's medical insurance number is required because he/she was
injured in an accident. This is a very difficult step to measure, because a
skilled social engineer can use a life-threatening emergency to get the
receiver to perform an unauthorised request. It should be noted that a
request must be performed when an individual's life could be at risk upon
denial of the request and could potentially cause harm to the individual.
For this specific step, the receiver must be able to clearly determine what
constitutes a life-threatening emergency and which requests may be
performed during a life-threatening emergency. If the list of requests that
may be performed is continually revised, the social engineer will be
limited and thus it can be deemed safe to provide the limited set of
requests during a life-threatening emergency. In the case where it is known
that an organisation does not deal with life-threatening emergencies, this
step can be omitted from the model.
In this step, it is determined whether there are any conditions that can
constitute a refusal to perform the request. Only four conditions are
provided in the model, therefore they do not constitute an exhaustive list.
These conditions can be developed to cater for specific organisations,
depending on where the model is implemented. The four conditions that are
provided are of a very generalised nature to cater for the most probable
conditions without mentioning the specific requirement. If any condition
here constitutes a sufficient reason for refusal, the "yes" option
is taken; otherwise, the request is performed. The following subsections
elaborate on the conditions used in the refusal component of the model.
This condition refers to all the possible administrative reasons that may
constitute a sufficient reason for refusal. For example, the requester may
be required to provide information if there is an administrative process in
place that requires a specific level of authority for requesting the
receiver to perform the request. The term "administrative reason"
is used to refer to a wide variety of reasons and keeps the model more
generic.
This condition refers to all the possible procedural reasons that may
constitute a sufficient reason for refusal. For example, the receiver may
have stumbled on a portable storage medium and wants to return it to its
rightful owner. However, there is a procedural policy in place that forbids
the receiver to plug in any storage medium into a workstation at the
organisation and this will then constitute a valid reason to refuse the
request and take the "yes" option. The term "procedural
reason" is used to refer to a wide variety of reasons and it keeps the
model more generic.
One also needs to consider the case where the type of request has not yet
been defined in an organisation or where the receiver has never before
dealt with such a type of request. In this case, the unusual or novel
nature of the request will be sufficient reason to refuse it and take the
"yes" option to further ascertain the requester's identity. For
example, the receiver may receive a request to perform a password reset for
a colleague; however, the request is received via e-mail and not
telephonically as it is usually done. In this case, it is sufficient reason
for the receiver to refuse the request.
This condition is open-ended as the receiver may feel uneasy with the
request or there may be a reason why the receiver intuitively does not want
to perform the request. Although it is added as an additional safeguard to
the model, this step is not seen as redundant, as it provides the receiver
with an additional means to check out information about the requester.
Because the receiver will have the ability to further verify the requester
in the steps that follow, it may put the receiver at ease to perform the
request.
The receiver now needs to verify the identity of the requester to be able
to make an informed and rational decision about whether the request should
be performed. If at this stage of the model the requester's identity cannot
be verified, the "no" option is taken and the request is either
deferred or referred. In the case where the receiver can perform steps to
identify the requester and the associated roles, authority or additional
details, the "yes" option is chosen to determine the number of
levels on which the requester can be verified.
Depending on the extent to which the requester's identity can be verified,
a different set of states will be examined to determine whether the request
should be performed. Important to remember is that the social engineer may
be portraying him- or herself as an authority figure in the institution; a
computer technician, or any other persona that may elicit compliance. As
people, we are inclined to make quick assumptions regarding others and
their status, sometimes even based on trivialities such as clothing. If
someone is dressed in the proper attire, uses the appropriate institutional
jargon or uses an important individual's name, it does not necessarily
indicate that such individual is trustworthy. The same holds for physical
objects, as individuals are inclined to help other people. If an individual
finds a storage medium lying around and the storage medium is marked to be
important, the individual will likely feel the urge to either return the
storage medium to its rightful owner or curiosity may drive the individual
to examine the contents on the storage medium. If the receiver feels unsure
at any time, a super user should be contacted to obtain the authority to
provide or decline the request.
The following verification requirements should be taken into account and used as a basis for a decision on whether to perform or not perform the request: authority, credibility, previous interaction, and knowledge of the person's existence. The model has only four verification requirements and hence does not constitute an exhaustive list --- additional requirements can be added to cater for specialised environments and specific to particular organisational contexts. The current list of requirements is very broad and only includes the most common verification requirements.
For example, some of the techniques that can aid in the verification of an individual's identity, specifically in a call centre environment, are the following: Caller Identification; Calling back the requester on a predetermined phone number; Requesting an organisational email address; Requesting a secure password; Requesting face-to-face interaction with the individual where proper identification can be provided; Having another employee to vouch for the requester; Contacting the requester's immediate supervisor to verify the former's identity; Using an employee directory. This illustrates how the verification requirements can be changed based on the environment and organisation where the model is implemented.
It is not always possible to verify all of the requirements, so the model has three different outcomes for this specific step. If none of the verification requirements hold, the "none" option is selected and the request is either deferred or referred. In the case where only one to two requirements hold, the path to further verify the information from a third party source is selected. Lastly, if three or more requirements hold, the receiver proceeds to the final step of the model where it is measured whether the requester has the necessary authority to request either the action or the information. The strictness of this step can also be changed depending on the environment or organisation where this model is implemented. The strictness of this step is highly dependent on the verification requirements that are utilised. Each of the verification qualities is addressed in the next subsection.
The following verification requirements should be taken into account and used as a basis for a decision on whether to perform or not perform the request: authority, credibility, previous interaction, and knowledge of the person's existence. The model has only four verification requirements and hence does not constitute an exhaustive list --- additional requirements can be added to cater for specialised environments and specific to particular organisational contexts. The current list of requirements is very broad and only includes the most common verification requirements.
For example, some of the techniques that can aid in the verification of an individual's identity, specifically in a call centre environment, are the following: Caller Identification; Calling back the requester on a predetermined phone number; Requesting an organisational email address; Requesting a secure password; Requesting face-to-face interaction with the individual where proper identification can be provided; Having another employee to vouch for the requester; Contacting the requester's immediate supervisor to verify the former's identity; Using an employee directory. This illustrates how the verification requirements can be changed based on the environment and organisation where the model is implemented.
It is not always possible to verify all of the requirements, so the model has three different outcomes for this specific step. If none of the verification requirements hold, the "none" option is selected and the request is either deferred or referred. In the case where only one to two requirements hold, the path to further verify the information from a third party source is selected. Lastly, if three or more requirements hold, the receiver proceeds to the final step of the model where it is measured whether the requester has the necessary authority to request either the action or the information. The strictness of this step can also be changed depending on the environment or organisation where this model is implemented. The strictness of this step is highly dependent on the verification requirements that are utilised. Each of the verification qualities is addressed in the next subsection.
Authority is an integral part of any institution, with an almost
conditioned response from employees to adhere to an authoritative
requester's wishes and demands, combined with a fear of punishment should
the receiver appear to undermine the requester. For these reasons,
impersonating an authoritative individual is a very effective technique
used by social engineers to obtain privileged information or actions. The
institution needs to provide an environment in which the employee feels
comfortable and is indeed expected to question the authority figure's
identity before disclosing sensitive information. The employee also needs
to know --- with the help of a clear institutional policy --- on what
authorisation level a particular person of authority is rated, in regard to
what privileged information or action can be provided.
The same situation applies in our daily lives, where individuals adhere to rules and regulations put in place by an authoritative figure. Examples of such official procedures are road rules and regulations, and individuals tend to follow these rules and regulations because they create a safe environment for everyone to travel in. Theft is also frowned upon. When a storage medium is found by an individual, the individual will rather want to return this storage medium to its rightful owner, otherwise, it might be considered as stealing the device.
The same situation applies in our daily lives, where individuals adhere to rules and regulations put in place by an authoritative figure. Examples of such official procedures are road rules and regulations, and individuals tend to follow these rules and regulations because they create a safe environment for everyone to travel in. Theft is also frowned upon. When a storage medium is found by an individual, the individual will rather want to return this storage medium to its rightful owner, otherwise, it might be considered as stealing the device.
The employee needs to judge the level of credibility of the requester.
However, this is a challenging task, as establishing credibility is the
first aim that the social engineer tries to achieve, and what the attack
will be based on. If the requester knows the jargon used by a particular
institution, people easily assume that he/she is an employee at their
particular institution. The requester could, for example, be an ex-employee
who is (still) quite knowledgeable about the jargon and procedures. Such an
aggrieved ex-employee may try to seek revenge with the goal of obtaining
particular sensitive information. The credibility of the requester is
measured on the basis of how well or bad he/she responds to a predefined of
set of questions used to determine the credibility of a requester.
Similarly, for objects and items, the credibility of an item has to be measured in terms of whether it conforms to the institution's guidelines. One must examine whether it is the same brand used by the institution or whether the institution's lanyard is attached to it. These are all minor techniques that can be used to ensure that the object or item indeed belongs to or is part of the institution.
Similarly, for objects and items, the credibility of an item has to be measured in terms of whether it conforms to the institution's guidelines. One must examine whether it is the same brand used by the institution or whether the institution's lanyard is attached to it. These are all minor techniques that can be used to ensure that the object or item indeed belongs to or is part of the institution.
If the individual has had previous interaction with the requester,
especially a long-standing history of interaction, the decision whether
information can be provided will be an easier task. However, limited
interactions with the requester, especially by telephone and email alone,
should be taken into account in conjunction with other verification
techniques, to be able to make an informed and safe decision regarding the
request. This test can only be performed on individuals and not on items or
objects that have an inherent request.
This refers to the knowledge that the requester exists in the institution
or the fact that an outside collaborating partner on a project can support
the verification of the requester. However, this should also be used in
conjunction with the other verification techniques, as the requester could
be a social engineer portraying him- or herself to be some well-known
individual in order to get the receiver to perform the request. This
awareness test can only be performed on individuals and not when the
requester is an object that has an inherent request.
When the requester did not adhere to enough verification requirements and
only some of the verification requirements held, this step is reached. It
tests whether it is possible to verify the information obtained from the
requester through an external source. An example of such a case is where
the requester provides information and claims to be part of a specific
organisation, as well as to have been requested by his or her organisation
to ask the receiver to perform a request. If it is possible for the
receiver to contact another individual at this organisation to verify this
information, the "yes" option is chosen, otherwise the "no"
option is taken and the requested is either deferred or referred.
In this step, the receiver will verify all the verification requirements as
obtained from the third party source. Continuing with the previous example,
the receiver will attempt to contact the organisation and verify the
information received from the requester. If the information matches what
has been received from the requester, the "yes" option is taken,
otherwise, the request is either deferred or referred.
With the aid of the previous steps the receiver has acquired the necessary
knowledge regarding the requester's identity and authority level, together
with whether the receiver may perform the request. The receiver can now
determine whether the requester has a level of authority on the same level
or higher than the level of sensitivity of the request. If the requester
has the authorisation on the same authority level as or higher than needed
for the particular request, the request is performed. However, if the
requester does not have the necessary authorisation, the "no"
option is chosen and the request is deferred or referred.
This is the negative result state of the model. In this state the request
can either be deferred or handled at a later stage. Deferring the request
can also lead to the request never being performed and can be considered as
the request having been halted. In the case where the receiver is part of
an organisation, there is the option to refer the request to a more
authoritative person in the same organisation. This will allow someone else
who may have better judgement on whether to perform or halt the request to
actually deal with the request.