Social Engineering in an Age of Artificial Intelligence

Jul 27, 2018 11:09:47 AM | By Scott Wightman

As advanced technologies like artificial intelligence and machine learning become more mainstream, it is inevitable that security software will start leveraging these technologies to better learn and adapt to counteract the efforts of those that spread malware. 

This is likely in my view to force them into using some of the more “soft skills” approaches to try and get around the technology. This is commonly called social engineering and has been around in one form or another for as long as mankind has been civilised. One of the most famous acts of social engineering was so effective it is remembered to this day and even has a whole class of malware named after it – Odysseus’ Trojan Horse. Confidence tricksters and con men still use these kinds of techniques to fool people into trusting them with their money today.

 

Some common social approaches that are likely to be used to try and sidestep advanced technology defences are:

 

1. Impersonation

  • It is well known within security circles that there are few effective defenses against an attacker that has physical access to servers or network equipment.
  • This may well lead to people attempting to impersonate authorised IT service staff to gain access. This kind of attack is perhaps more likely in a more remote branch site where staff may be less aware and vigilant.
  • The attacker is bound to behave confidently and sound like they are supposed to be there.
How to mitigate the risk: Staff training is key to make sure they verify the identity of anyone wanting to access IT equipment.

people-305836_1280-040785-edited-285829-edited

2. Support Phone Calls

  • We have all experienced the fake “Microsoft Support” calls that come out of the blue telling us there is something wrong with our PC and we need to let them help us out.
  • This is a surprisingly effective social engineering attack on the unwary and has been used in one form or another for many years. I expect there will be a noticeable rise in this kind of approach in the coming years.
How to mitigate the risk: Staff training is key here to make sure they do not give out any sensitive information to callers that may be leveraged in an attack or allow callers to access their computer without verifying who they are.

StockSnap_IK7HVCGP2Z-286035-edited-253995-edited

3. Tailgating

  • Similar to the first point when getting physical access is the goal, tailgating refers to a method of gaining access to restricted areas by quickly following someone who does have access through a controlled door.
  • These people may be strangers with a gift for talking to people and putting them at ease, appearing to be just another employee, or may even be an actual employee who is up to no good.

How to mitigate the risk: Awareness and a protocol for access. 

cars-congestion-street-7674-222149-edited

4. Quid Pro Quo

  • Another method that we may well see a lot of more is efforts to entice employees on the inside of a company into doing something for the attacker by making them some kind of offer in return.
  • This is most likely to be effective against disgruntled employees but anyone could be fooled into thinking this is some kind of free gift and not realise what they are really doing for the attacker.

How to mitigate the risk: Again, as always it is training and awareness that will be the best defense.

adult-birthday-birthday-gift-360624-530480-edited

If you haven't already analysed the strategies you have for dealing with these kinds of threats, now is a good time to do that. If you have any questions or want to share a recent experience, feel free to get in touch with me.  

 

man-in-the-middle-attacks

Previous Post Next Post
Scott Wightman

ABOUT THE AUTHOR

Scott Wightman

Scott has been involved in computers for most of his life. Originally aiming to be a programmer, he has worked in various IT-related jobs and has been self-employed part time for many years. He’s enjoys learning, as shown by the fact that he not only graduated top of his class at the Computer Power Institute with an A average but, since then, has become experienced in a huge range of computing systems and technologies, software applications and telecommunications. Scott enjoys many hobbies, including martial arts, music and restoring/playing old arcade video games. Scott has been with Designertech since April 2010.

Have a question?

Let's talk