Using Attack Graphs to Analyze Social Engineering Threats

Introduction

A famous hacker, Kevin Mitnick (2002), stated to BBC:

This statement made a decade ago is still valid. The Dimensional Research Study on Social Engineering (Check Point, 2011) concluded that: (i) 48% of large companies and 32% of small companies were victims of 25 or more social engineering attacks in the past two years, (ii) an average cost per incident is over $25 000 and (iii) 30% of large companies even cite a per incident cost of over $100 000. Also, a white paper of SANS institute (SANS Institute, 2003) about social engineering reports that cyber attacks cost U.S. companies $266 million every year and that 80% of all attacks are caused by authorized users that are either disgruntled employees or non-employees that have established some form of trust within a company.

There are various techniques for analysis of technical vulnerabilities in IT systems, such as attack graphs (Jha, Sheyner, & Wing, 2002; LeMay, et al., 2011; Noel & Jajodia, 2004; Sheyner, Haines, Jha, Lippmann, & Wing, 2002). These techniques use the information about existing vulnerabilities provided by different scanning tools to create an interdependent model (e.g., a graph) for a comprehensive analysis with little effort. In particular, the attack graphs model the possible hacker attacks as sequences of simple actions (exploits). After successful execution of an exploit the attacker may use acquired privileges in order to start the next step of attack. A similar approach for human-based threats does not exist and we do have serious doubts that this can be achieved in the near future. The reasons are that human behavior is more complex to test and analyze than the one of machines.

There were several attempts to classify and analyze social engineering threats in the past (Peltier, 2006; Algarni, Xu, Chan, & Tian, 2013; Dimkov, van Cleeff, Pieters, & Hartel, 2010; Laribee, Barnes, Rowe, & Martell, 2006). The studies have found, that one of the problems to deal with the social engineering threats is the isolation of social engineering and technical threats analysis (Krombholz, Hobel, Huber, & Weippl, 2013; Dimkov, van Cleeff, Pieters, & Hartel, 2010; Peltier, 2006). Therefore, in our work we focus on this problem and investigate how social engineering exploits may complement or substitute technical vulnerabilities in hacker attacks.

In this work, we provide a semi-automated pattern-based solution for identifying possible social engineering threats analyzing how social engineers can abuse legal behavior of employees. We enhanced our threat analysis methodology (Beckers, Heisel, Krautsevich, Maritnelli, & Yautsiukhin, 2014) with social engineering threat analysis incorporating social exploits into this (previously) purely technical structure. Moreover, after identification of social engineering vulnerabilities and integration them into the overall model the traditional attack graph analysis can be applied without the need for modifications. Furthermore, this approach allows a combined analysis of social engineering and technical attackers together. Such analysis helps to prevent the combined attacks, when an attacker overpasses complex technical protection with a simpler social engineering trick (e.g., stealing a password), while continues her attack from a safer distance (e.g., using remote access). We provided our initial approach in (Beckers, Krautsevich, & Yautsiukhin, 2015). In this work, we refined our approach to a general threat analysis approach for social engineering and technical attacks by providing further formal and descriptive analysis procedures that were not present in the original work. The current work presents a specification of the approach that will form the basis for our future tool supported the semi-automatic analysis framework.