Using Attack Graphs to Analyze Social Engineering Threats

Kristian Beckers (The Ruhr Institute for Software Technology, University of Duisburg-Essen, Duisburg, Germany), Leanid Krautsevich (Instituto di Informatica e Telematica, Consiglio Nazionale delle Richerche, Pisa, Italy) and Artsiom Yautsiukhin (Instituto di Informatica e Telematica, Consiglio Nazionale delle Richerche, Pisa, Italy)
Copyright: © 2015 | Pages: 23
DOI: 10.4018/IJSSE.2015040103


The acquisition of information about computer systems by mostly non-technical means is called social engineering. Most critical systems are vulnerable to social threats, even when technical security is high. Social engineering is a technique that: (i) does not require any (advanced) technical tools, (ii) can be used by anyone, (iii) is cheap, and (iv) is almost impossible to eliminate completely. The integration of social engineering attackers with other attackers, such as software or network ones, is missing so far. Existing research focuses on classifying and analyzing social engineering attacks. The authors' contribution is to consider social engineering exploits together with technical vulnerabilities. The authors introduce a method for the integration of social engineering exploits into attack graphs and propose a simple quantitative analysis of the graphs that helps to develop a comprehensive defensive strategy.
Article Preview


A famous hacker, Kevin Mitnick (2002), stated to the BBC:

The biggest threat to the security of a company is not a computer virus, an unpatched hole in a key program or a badly installed firewall. In fact, the biggest threat could be you… What I found personally to be true was that it’s easier to manipulate people rather than technology… Most of the time organizations overlook that human element.

This statement, made a decade ago, is still valid. The Dimensional Research Study on Social Engineering (Check Point, 2011) concluded that: (i) 48% of large companies and 32% of small companies were victims of 25 or more social engineering attacks in the past two years, (ii) the average cost per incident is over $25 000, and (iii) 30% of large companies even cite a per-incident cost of over $100 000. Also, a white paper of the SANS Institute (SANS Institute, 2003) about social engineering reports that cyber attacks cost U.S. companies $266 million every year and that 80% of all attacks are caused by authorized users that are either disgruntled employees or non-employees that have established some form of trust within a company.

There are various techniques for the analysis of technical vulnerabilities in IT systems, such as attack graphs (Jha, Sheyner, & Wing, 2002; LeMay, et al., 2011; Noel & Jajodia, 2004; Sheyner, Haines, Jha, Lippmann, & Wing, 2002). These techniques use the information about existing vulnerabilities provided by different scanning tools to create an interdependent model (e.g., a graph) for a comprehensive analysis with little effort. In particular, attack graphs model the possible hacker attacks as sequences of simple actions (exploits). After the successful execution of an exploit, the attacker may use the acquired privileges in order to start the next step of the attack. A similar approach for human-based threats does not exist, and we have serious doubts that this can be achieved in the near future. The reason is that human behavior is more complex to test and analyze than that of machines.

There were several attempts to classify and analyze social engineering threats in the past (Peltier, 2006; Algarni, Xu, Chan, & Tian, 2013; Dimkov, van Cleeff, Pieters, & Hartel, 2010; Laribee, Barnes, Rowe, & Martell, 2006). These studies have found that one of the problems in dealing with social engineering threats is the isolation of social engineering threat analysis from technical threat analysis (Krombholz, Hobel, Huber, & Weippl, 2013; Dimkov, van Cleeff, Pieters, & Hartel, 2010; Peltier, 2006). Therefore, in our work we focus on this problem and investigate how social engineering exploits may complement or substitute technical vulnerabilities in hacker attacks.

In this work, we provide a semi-automated pattern-based solution for identifying possible social engineering threats by analyzing how social engineers can abuse the legitimate behavior of employees. We enhanced our threat analysis methodology (Beckers, Heisel, Krautsevich, Martinelli, & Yautsiukhin, 2014) with social engineering threat analysis, incorporating social exploits into this (previously) purely technical structure. Moreover, after social engineering vulnerabilities have been identified and integrated into the overall model, the traditional attack graph analysis can be applied without the need for modifications. Furthermore, this approach allows a combined analysis of social engineering and technical attackers together. Such an analysis helps to prevent combined attacks, in which an attacker bypasses complex technical protection with a simpler social engineering trick (e.g., stealing a password) and then continues her attack from a safer distance (e.g., using remote access). We provided our initial approach in (Beckers, Krautsevich, & Yautsiukhin, 2015). In this work, we refined our approach into a general threat analysis approach for social engineering and technical attacks by providing further formal and descriptive analysis procedures that were not present in the original work. The current work presents a specification of the approach that will form the basis for our future tool-supported semi-automatic analysis framework.
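The two ideas above, an attack graph as a sequence of exploits that each grant a privilege, and social exploits sitting in the same graph as technical ones so that a standard quantitative analysis (here: cheapest attack path) covers both, can be illustrated with a small constructed model. This is added example code, not the authors' method or tool; the exploit catalogue, privilege names and effort costs are invented for illustration, and the search is an ordinary Dijkstra over monotonic privilege sets.

```python
import heapq
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple

# Constructed exploit catalogue (illustrative, not from the paper).
# Each entry: name, kind, preconditions (privileges the attacker must already
# hold), postcondition (privilege gained) and an assumed effort cost.
Exploit = Tuple[str, str, FrozenSet[str], str, int]
EXPLOITS: List[Exploit] = [
    ("phish_vpn_password", "social", frozenset({"internet"}), "vpn_creds", 2),
    ("vpn_login", "technical", frozenset({"vpn_creds"}), "internal_net", 1),
    ("exploit_vpn_gateway", "technical", frozenset({"internet"}), "internal_net", 9),
    ("exploit_db_server", "technical", frozenset({"internal_net"}), "db_admin", 4),
]


def cheapest_attack(start: Iterable[str], goal: str,
                    exploits: List[Exploit]) -> Optional[Tuple[int, List[str]]]:
    """Dijkstra over privilege sets: a node is the set of privileges held,
    an edge is an exploit whose preconditions are satisfied. Privileges are
    monotonic (never lost), so the state space is finite and acyclic."""
    init = frozenset(start)
    frontier: List[Tuple[int, int, FrozenSet[str], List[str]]] = [(0, 0, init, [])]
    best: Dict[FrozenSet[str], float] = {init: 0}
    tie = 1  # unique counter so heap never compares frozensets/lists
    while frontier:
        cost, _, state, path = heapq.heappop(frontier)
        if goal in state:
            return cost, path
        if cost > best.get(state, cost):
            continue  # stale heap entry
        for name, _kind, pre, post, effort in exploits:
            if pre <= state and post not in state:
                nxt, ncost = state | {post}, cost + effort
                if ncost < best.get(nxt, float("inf")):
                    best[nxt] = ncost
                    heapq.heappush(frontier, (ncost, tie, nxt, path + [name]))
                    tie += 1
    return None  # goal unreachable with the given exploits


def only_kinds(exploits: List[Exploit], kinds: Iterable[str]) -> List[Exploit]:
    """Restrict the catalogue, e.g. to see what a purely technical analysis misses."""
    allowed = set(kinds)
    return [e for e in exploits if e[1] in allowed]


if __name__ == "__main__":
    print("all exploits:     ", cheapest_attack({"internet"}, "db_admin", EXPLOITS))
    print("technical only:   ", cheapest_attack({"internet"}, "db_admin",
                                                only_kinds(EXPLOITS, {"technical"})))
```

Running it shows the combined attack the text describes (steal a password socially, then continue remotely) costing 7 against 13 for the purely technical route; dropping the gateway exploit from the catalogue, as patching would, leaves the social route untouched, which is exactly what an isolated technical analysis would miss.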
