I’ve been digging through both the IBM X-Force Mid-Year 2012 Trend and Risk Report and the Verizon 2012 Data Breach Investigations Report trying to get a sense of how much they agree on attack vectors. I think it’s easy to conclude that both reports’ headline attack vectors are largely in alignment, but there were some trends around social engineering in the Verizon report that particularly caught my attention.
Social engineering attacks by the numbers
Because social engineering takes time and human interaction, it’s a tactic that’s used much more selectively. Even if your social engineering attack is a mass-distributed phishing email, someone still has to research an organization well enough to craft credible text for the email. So by their nature, these attacks can’t be used in a scattershot approach. The Verizon report draws an interesting distinction between opportunistic attacks and targeted attacks. Among smaller organizations, 79% of attacks are “opportunistic” and only 16% of attacks could be considered “targeted” attacks. On the other hand, among large organizations, only 35% of attacks are opportunistic and 50% of attacks are targeted. And the Verizon report further notes that “Finance/Insurance and the Information sectors are targets of choice more often than other industries.”
The number of social engineering attacks overall is about the same as in previous years, but according to the Verizon report they are increasing among large organizations. The Verizon report describes this trend in social engineering attacks:
“Phishing was relatively stable in the past year, edging ever so slightly up from 11% in 2010. It’s quite a bit higher, however, when examining breaches affecting larger organizations. This is fairly interesting, and in line with many recent media reports detailing the use of malware-baited phishing lures cast toward some bigger and well-known enterprises. We believe this is a strategy designed to circumvent the typically more mature security measures in place at larger organizations. Why spend time searching for a way to exploit the specific technologies and weakness of a single company when every company contains people with the same basic vulnerabilities?”
The Verizon report has some additional detail on types of social engineering attacks, but the more interesting detail is in the “attack vector.” I’d always been under the impression that most social engineering attacks occur via email. But according to the Verizon report, 46% of social engineering attacks are by phone, 37% are in-person, and only 17% are by email. Furthermore, when you look at the roles of people targeted, the vast majority of social engineering attacks are against “regular employee/end user.” That’s an ambiguous term, but the complete list of targeted roles includes executives, call center staff, finance staff, human resources staff, help desk staff, etc. All of these account for a relatively low incidence of social engineering attacks. What do they have in common? I suspect that these are roles that are already sensitized on a routine basis to the fact that they have access to sensitive data. So the social engineering attacks against “regular employees” are probably successful because these are the people who don’t see themselves as having access to sensitive data. That’s just my guess. But how else do you explain that most successful social engineering attacks are against these types of people?
To connect the dots in the Verizon report, it would appear that social engineering attacks are the result of targeted attack activity against larger organizations, typically in the financial, insurance, and information industries, usually involving phone or in-person attacks against “regular” employees who don’t usually think of themselves as having access to sensitive data.
Of course, everyone should be trained to detect potential social engineering attacks. And yes, social engineering attacks by email do exist, but they are not as common as recent high-profile news stories would lead you to think. But the data from the Verizon report suggests that the nature of successful social engineering attacks is very much different from the stereotype we have in our heads. I wish we had some more actual case studies of social engineering attacks that would give us a more accurate picture of what actually happens.