Social Engineering and Data Breaches | Devastating Duo #2021
The Social Engineering and Data Breaches combination is made up mostly of Phishing and Pretexting actions. We normally see far more basic phishing than attackers going to the trouble of inventing a tailored, believable scenario. Criminals tend to be efficient rather than thorough: if a generic lure already succeeds, why put in more work than necessary?
Threat Actors of Social Engineering and Data Breaches
- SMB breaches, threat actors: External (57%), Internal (44%), Multiple (1%)
- Enterprise breaches, threat actors: External (64%), Internal (36%), Partner (1%), Multiple (1%)
- EMEA breaches, threat actors: External (83%), Internal (18%)
Regions of Social Engineering and Data Breaches
- EMEA (Europe, Middle East and Africa): North Africa (2), Europe + Northern Asia (150), Western Asia (145).
- NA: Northern America (21), which consists primarily of breaches from the U.S. and Canada.
- APAC (Asia and the Pacific): Southern Asia (34), South-eastern Asia (143), Central Asia (143), Eastern Asia (30), Oceania (9).
One possible answer is that the end objective of the pretexter differs from that of the basic phisher. Pretext attacks are usually an attempt at a direct route to the money: the most common goal is to persuade the target to send funds (under false pretences, obviously). The invented scenarios vary somewhat, but typical examples include a request to change banking details or to pay a fictitious invoice. A phisher, on the other hand, may be after data rather than money, and the aim is ultimately either to monetise the data taken in the phish (Credentials) or to gain a foothold in the organisation.
The System Intrusion pattern (also newly introduced) usually tells the story of a Hacking action paired with a Malware action. We normally see stolen credentials used to gain access, followed by the attacker dropping malware to further their objectives inside the business. In North America this most often means the deployment of ransomware. As noted in last year's report, ransomware groups began pivoting to taking a copy of the data, to use as leverage against their victims, before triggering the encryption.
This started with the Maze group, and as they enjoyed success, other groups jumped on the bandwagon. It is now commonplace, with many ransomware groups having built infrastructure specifically to host these data dumps.
All of these Social and Malware actions share one particular characteristic: each of them shows up as a violation of the Integrity attribute. For the Social attacks, the Alter behavior attribute captures the change in the behaviour of the victim affected by the Social action. For the Pretexting attacks that succeeded, you also see the Fraudulent transaction attribute when the criminal managed to get someone to send cash or wire money.
Malware, naturally, results in Software installation as the Integrity violation, and Misrepresentation is another side effect of both "the Phisherman" and "the Pretexter", who pretend to be someone they are not (like almost everyone else on this planet) in order to reel in more victims inside the organisation (more followers or believers, if you will).
Given the prevalence of Phishing, this is where Credentials come into play as the compromised data type. Personal data is also a prime target, since it includes elements such as Social Security or insurance numbers which, paired with other small pieces of information, allow criminals to commit further financial fraud.
Looking at the timeline, a considerable portion of these breaches are discovered in Days or less. However, over half of those cases were discovered because the threat actor disclosed the breach, which is how ransomware usually announces itself: the ransom note appears on screen soon after the encryption is triggered. We would rather see internal audits responsible for finding most breaches, but at least when the ransom note appears, organisations can start to contain the breach and evict the actors from their network.