One of the most important things I have tried to communicate to audiences since at least the 1990s is how prevalent a role social engineering plays in cybersecurity attacks. I have written non-stop about this since then in books and no doubt hundreds of articles. I am a broken record. You cannot meet me or attend one of my presentations or webinars without this being the defining lesson I try to teach.
Depending on whose research or report you read, social engineering is responsible for anywhere from 50% to 92% of all malicious data breaches. My own research puts the figure at 70% to 90% of all attacks, but in every case regardless of the figure, social engineering is always the number one most popular method used by hackers and malware to gain initial access to devices and networks. And it has been that way since the beginning of computers (although unpatched software played a far bigger role until the early 2000s).
Although many people today know and understand that fact, most people do not. I shock many people when I tell them that if they defeat just one thing…social engineering…then 70% to 90% of their entire cybersecurity risk will be gone. They are shocked. This is true whether I am talking to a non-IT person, an IT-security person, or a CIO or CEO. Most people know social engineering is a big problem. They might even know it is the biggest problem. But they do not know exactly how big of a problem it is.
And even if they know it is the biggest problem, almost no organization treats it like it is the biggest cybersecurity threat. Instead, the average organization spends less than 5% of their IT budget to mitigate it. It is this fundamental misalignment between how we are most attacked and how we defend ourselves that lets hackers and malware be so successful all the time. Hackers love that we get distracted and do not concentrate on the number one problem.
When I share all of this, the most common question I get is WHY? Why are IT defenders not better fighting and concentrating on mitigating social engineering if it is the long-time, number one threat we all face?
Well, I wrote about this in detail over a whole chapter in my book, A Data-Driven Computer Defense. In a nutshell, there are a lot of distractions and competition for our attention and resources. It is very easy for defenders to get lost in all the things they are told to do to stop hackers and malware, and they see all the possible cybersecurity threats as “bubbles in a glass of champagne”, more equal than they should be. Instead, all defenders should be taught that one bubble (i.e., social engineering) is far bigger than the rest, and that one or two other bubbles (i.e., unpatched software and password issues) are bigger than everything else. These three bubbles are 90% to 99% of the cause of why people are hacked. How well the defender concentrates on mitigating those threats pretty much determines their odds of success against most attacks. Do it well and your risk of a compromise falls dramatically. Do it poorly and your risk escalates accordingly.
Part of the problem is that nearly every good expert and resource is constantly telling defenders to concentrate on everything or the wrong thing. Looking at any cybersecurity recommendation guide, requirements document or security control framework will reveal hundreds of recommended security controls without a clue telling the defenders who must implement them that just a few of the controls matter more than all the others added up all together. We literally, with our best intentions, teach each other to become distracted and to concentrate on the wrong things. Again, I have written about this for years.
CISA Alert: AA22-137A: Weak Security Controls and Practices Routinely Exploited for Initial Access
I am constantly looking for new examples. Well, May 17th’s CISA Alert: AA22-137A: Weak Security Controls and Practices Routinely Exploited for Initial Access is a great example. It is a document covering attacker techniques and best mitigation recommendations, released in coordination with many other countries approving of it (e.g., Canada, New Zealand, United Kingdom, Netherlands, etc.). They, along with the U.S., make up the “Five Eyes” cybersecurity group. The U.S. and its cybersecurity allies are trying to help each other get cybersecurity defense right. So, this is a great document to showcase, applaud and pick issues with.
First, it is overall a great document and following the dozens of things it tells you to do can only make your cybersecurity better. It even mentions using phishing-resistant MFA when you can instead of just MFA. Since I write about using phishing-resistant MFA all the time, I applaud its inclusion. It is the first time I have seen a CISA or Five Eyes document recommend using phishing-resistant MFA.
I want to applaud CISA, the FBI, NSA and all the other Five Eyes agencies for this document. CISA, in particular, continues to impress me. The organization and its leadership are top notch and doing the absolute best job I have ever seen for a government agency in warning and helping us all to be better cybersecurity defenders. They simply, day after day, knock it out of the ballpark. Every government agency could look at what CISA does as a normal course of business and try to follow their example.
Early on, the document includes five major techniques that attackers use to gain initial access to victim environments:
- Exploit Public-Facing Application
- External Remote Services
- Phishing
- Trusted Relationships
- Valid Accounts
I agree that all of these are top root causes of initial exploitation, although I do not think they are in order of an attacker’s popularity and use. Still, I am delighted that phishing is included in the list of initial access techniques. Phishing and social engineering are often missing, so it is great to have them in the primary list of attacker techniques. This is good.
Now the big BUT…
I have one big bone to pick. The Alert document has a total of 2,186 words (I manually counted them all). It is 1,826 words if you leave out the closing footnotes. It covers techniques of attacks and recommended mitigations.
Is 3% Coverage Enough?
Even though social engineering is the number one technique hackers and malware use to break into environments, phishing and social engineering are not mentioned as a cause of attack again until 682 words in. It is mentioned after eight other, less popular initial access root causes. The document then spends 58 good words describing how the most common type of phishing happens (to cause compromises), and then never mentions social engineering again. So, out of over 2,000 words, only 59 in total explicitly cover phishing. Phishing is THE number one cause of successful hacker and malware exploitation, likely 50% or more of the reason behind all attacks, but it is mentioned in only 3% of the document in total.
Does devoting 3% of a document to cover what is the biggest reason for successful attacks seem like enough?
But it gets worse. After first listing phishing as a main attacker technique at the beginning of the document, and detailing an example of it slightly more later on, none of the recommended mitigations (which make up about half the document at 1,051 words) mention how to best mitigate phishing, not even to counteract their 57-word example above. It seems to be a pretty big oversight.
It could say, “Educate your employees to recognize and stop social engineering attacks,” in 10 words, but it simply is not there or anywhere in the document. It is a top cause of attacks, but nowhere in the document does it recommend how to best stop that attack.
To summarize, the number one biggest threat to most environments by a large percentage is social engineering. It is listed third out of five techniques early on, then mentioned again ninth out of 10 attack types in the document, given 58 words, and then never mentioned again, nor is any mitigation for it explained. Three percent of a document dedicated to mitigating malicious access is devoted to the biggest root-cause threat. To compare, 138 words (7% of the document) are dedicated to recommending that admins change factory-default configurations and passwords. That is a great recommendation, but it is likely not involved in 50% of attacks.
Business as Usual?
And this sort of pattern, where fighting social engineering is mentioned weakly or last and is not mentioned at all in mitigations, is pretty normal. It is in almost every cybersecurity recommendation document I have read for decades. It is so normal that it explains part of why we…and other defenders…do not better concentrate on defeating social engineering. If you read and followed any of these otherwise excellent documents, you could be forgiven for thinking that social engineering is not as big of a problem as everything recommended ahead of it, or as everything actually recommended as a mitigation (since it is skipped altogether there).
And I do not want to point fingers at anyone or even this document’s creators. It truly is a great document with this one caveat. It does better than most. I’ll give it a nine out of 10. The problem of not giving enough time to the importance of fighting social engineering is as old as computers themselves. The writers of this document do not see that they are creating an unintentional incongruity. They are writing cybersecurity defense documents as they always have, as their predecessor’s predecessor did before them, and are even improving on past documents. But they do not realize they are accidentally painting cybersecurity risks like bubbles in a glass of champagne.
What is the fix?
First, realize that no one can do 10, 20 or 200 things well all at once. The best humans and teams can only do a few things very well at once. Many studies have shown that most people only take in the first few recommendations of any list before the rest of the items start becoming harder to remember and focus on. This means we need to put the most important stuff, with the best potential to reduce the most cybersecurity risk, first, early and with redundancy. Anything else is building in defense inefficiencies.
Imagine two armies fighting and the evil army is having great success against the good army on the right flank of battle. Imagine if a bunch of responsive orders came to the good army’s commanders in the field instructing them how to win the battle and those instructions began by telling the commanders to focus on everything else, with renewed vigor, before finally telling them to focus on the right flank of battle. Imagine if the order to focus resources on the right flank of battle was the ninth out of 10 things they were told to do. It would be insane, right? Same thing with our cybersecurity defense documents. We are building in defensive inefficiencies.
All authors of cybersecurity defense documents need to step back and take a holistic look at the document they are creating. Is the document mentioning the biggest cybersecurity threats first? (Note: Even though unpatched software is the second biggest risk in most environments, patch management is mentioned last out of all recommended mitigations in the CISA alert.) So the number one threat, social engineering, is not mentioned in mitigations at all, and the number two threat, unpatched software, is mentioned last. That should be a pretty stark finding to anyone.
Is the document giving enough airtime to the biggest threats? The number of words and sentences dedicated to a particular defense will never be equitable. Not all subjects need the same number of words, and some subjects simply require more words. But take a look at the space being devoted to smaller threats and ask if enough space is being devoted to the bigger, more consequential, threats. In most documents, this is not nearly the case. We are telling our audience to focus their attention elsewhere.
Most cybersecurity defense documents are not intended to be risk-based, with the biggest risks handled first and best, but they should have some basic semblance of it, to the best of the author’s ability and recognition. It does not have to be perfect, but we have to stop and take the time to see if our battle plans are concentrating on the right things at the right time, first and best.
I have been reading a lot of cybersecurity defense documents for decades and most of them do not come close. And if that is true, and it is, we do not have to ask why defenders are not concentrating on the biggest risks first and best. We do not have to wonder why defenders are concentrating too much on the wrong things and not concentrating enough on the right things. Part of the answer is that we are literally training ourselves, and the cybersecurity defenders who follow us, to focus on the wrong bubbles.
Some of these things are not like the others. Shouldn’t we treat them as such? To be clear, I firmly believe what I’m saying is as common sense as it comes, but sometimes it’s not received as common sense until said.