Levers of Human Deception: The Science and Methodology Behind Social Engineering
Erich Kron, Security Awareness Advocate, KnowBe4, Inc.

Levers of Human Deception · 2/2/2019  · Our brains’ job to filter, interpret, ... • Understanding the OODA (Observe, Orient, Decide, Act) Loop • How social engineers and


Page 2

About Erich Kron
Security Awareness Advocate

• CISSP, CISSP-ISSAP, MCITP, ITIL v3, etc.
• Former Security Manager for the US Army 2nd Regional Cyber Center – Western Hemisphere
• Former Director of Member Relations and Services for (ISC)2
• A veteran of IT and Security since the mid 1990s in manufacturing, healthcare and DoD environments

Page 3

About Us

• The world’s most popular integrated Security Awareness Training and Simulated Phishing platform
• Based in Tampa Bay, Florida, founded in 2010
• CEO & employees are ex-antivirus, IT Security pros
• Former Gartner Research Analyst, Perry Carpenter is our Chief Evangelist and Strategy Officer
• 200% growth year over year
• Over 23,000 customers
• We help thousands of organizations manage the problem of social engineering

Page 4

“All warfare is based on deception.” - Sun Tzu, The Art of War

Page 5

98% of Attacks Rely on Social Engineering

Attackers go for the low-hanging fruit: humans

Page 6

Agenda

• The Perception vs. Reality dilemma
• Understanding the OODA (Observe, Orient, Decide, Act) Loop
• How social engineers and scam artists achieve their goals by subverting its different components
• How we can defend ourselves and our organizations


Page 8

Pick a card!

Page 9

Is it gone now?

Page 10

How did we identify and remove your card?

Here’s what we started with:

And here’s what we ended with:

Yeah: these are two completely different sets of cards. But, by rushing you through the process, you probably didn’t notice!

Page 11

Understanding the root of deception

Our brains’ job: to filter, interpret, and present ‘reality’


Page 13

An Interesting History: Using our brain’s strengths against us

http://ciamagic.com/


Page 15

Spies, magicians, pickpockets, con artists and cybercriminals all use the principles we are about to discuss.

Page 16

OODA: A Model for Decision Making

Page 17

What is an OODA Loop and how do I mess with it?

Observe → Orient → Decide → Act

“In order to win, we should operate at a faster tempo or rhythm than our adversaries—or, better yet, get inside [the] adversary's Observation-Orientation-Decision-Action time cycle or loop ... Such activity will make us appear ambiguous (unpredictable) thereby generate confusion and disorder among our adversaries—since our adversaries will be unable to generate mental images or pictures that agree with the menacing, as well as faster transient rhythm or patterns, they are competing against.”

-- John Boyd (creator of the OODA Loop)


Page 19

Social Engineering

Page 20

The ideal situation for a social engineer is to hijack the OODA loop by creating a knee-jerk action that effectively bypasses the first three steps (Observe, Orient, Decide) and results in the attacker’s intended Action.

Page 21

Attackers will do anything to bypass critical thinking

• Spoofs a campus-wide security alert for a community college in Florida (confidential information blocked out).
• Exploits current concerns over active shooters on education campuses.
• Crafted to generate a reflexive click.
• Directs to a credential capture site.
• Other variants seen:
  • “IT DESK: Security Alert Reported on Campus”
  • “IT DESK: Campus Emergency Scare”
  • “IT DESK: Security Concern on Campus Earlier”

Page 22

Example: Business Email Compromise (The Phish Evolved)

• a.k.a. CEO Fraud
• No payload
• Low volume email targeting high value individuals
• Personalized
• Few to no ‘traditional’ spam/phishing tells (such as poor grammar, egregious misspellings, etc.)

Page 23

Example: W2-Fraud

Page 24

The Invoice/P.O. Phish

• The most common phishing genre in the emails reported to us via the Phish Alert Button (PAB)
• This type of phish easily blends into the deluge of emails that employees in many positions deal with on a daily basis.

Page 25

The Package or Parcel Delivery Phish

• Companies and organizations in the business of delivering packages and parcels now email customers and users on a daily basis.
• Once again, the bad guys regularly seek to capitalize on and exploit this kind of business-to-business communication by crafting phishing emails that mimic those sent by recognized organizations like USPS, UPS, FedEx, and DHL.

Page 26

Example: Gift Card Scams

Source: BEC-international Slack Channel

Page 27

Example: Payroll Redirection

Source: BEC-international Slack Channel

Page 28

Example: Wire Transfer Fraud

Step 1: Starts simple
Step 2: Moves to the attack

Source: BEC-international Slack Channel

Page 29

Clickbait: It’s More Science Than You Think

• Leverages “pattern interruption” to create curiosity, often based on the "information-gap" theory
• “Such information gaps produce the feeling of deprivation labeled curiosity. The curious individual is motivated to obtain the missing information to reduce or eliminate the feeling of deprivation.” - George Loewenstein, Carnegie Mellon
• Also leverages outrage and anger, which drive us to take action


Page 32

Are You Being Manipulated? -- understand the lures --

• Greed
• Urgency
• Curiosity
• Fear
• Self Interest
• Helpfulness

Page 33

Where are you distracted?

Page 35

Arm Your Organization
Through combined security awareness and behavior training

Security awareness, coupled with frequent simulated phishing training, will help employees make smarter security decisions, every day.

Page 36

Benchmark Phish Prone Percentage by Industry
Baseline Phish Prone Percentage (B-PPP), by organization size (number of employees)

Industry                        1 – 249    250 – 999    1000+
Energy & Utilities              31.56      29.34        22.77
Financial Services              27.41      28.47        23.00
Business Services               29.80      31.01        19.40
Technology                      30.68      30.67        28.92
Manufacturing                   33.21      31.06        28.71
Government                      29.32      25.12        20.84
Healthcare & Pharmaceuticals    29.80      27.85        25.60
Insurance                       35.46      33.32        29.19
Not For Profit                  32.63      25.94        30.97
Education                       29.20      26.23        26.05
Retail & Wholesale              31.58      30.91        21.93
Other                           30.41      28.90        22.85

Average initial Baseline PPP across all industries and sizes: 27%

Average PPP by Size of Organization

Org Size     Initial PPP
1 - 249      30.1 %
250 - 999    28.5 %
1000+        25.06 %

Page 37

Results after 1 Quarter of CBT and Phishing Testing
Baseline Phish Prone Percentage (B-PPP), by organization size (number of employees)

Industry                        1 – 249    250 – 999    1000+
Energy & Utilities              12.53      13.31        13.40
Financial Services              10.01      9.09         14.53
Business Services               12.89      13.99        13.86
Technology                      14.12      16.93        19.83
Manufacturing                   13.87      14.24        9.88
Government                      13.13      12.76        7.90
Healthcare & Pharmaceuticals    16.81      11.02        15.79
Insurance                       13.39      16.49        13.23
Not For Profit                  16.01      17.28        17.07
Education                       16.95      17.16        22.56
Retail & Wholesale              13.39      10.47        10.49
Other                           14.86      16.37        19.97

Average 90 Day PPP across all industries and sizes: 13.3%

Average PPP by Size of Organization

Org Size     Initial PPP
1 - 249      13.11 %
250 - 999    13.20 %
1000+        14.10 %

Page 38

Results after 12 Months of CBT and Phishing Testing
Baseline Phish Prone Percentage (B-PPP), by organization size (number of employees)

Industry                        1 – 249    250 – 999    1000+
Energy & Utilities              2.83       1.87         5.56
Financial Services              1.54       2.22         5.81
Business Services               1.89       3.09         1.27
Technology                      2.02       2.42         2.69
Manufacturing                   2.16       3.13         2.47
Government                      1.87       1.46         1.52
Healthcare & Pharmaceuticals    2.00       1.65         2.17
Insurance                       2.23       2.68         5.26
Not For Profit                  2.47       2.24         3.01
Education                       2.80       1.91         5.31
Retail & Wholesale              2.14       1.87         2.68
Other                           1.82       3.18         4.21

Average One Year PPP across all industries and sizes: 2.17%

Average PPP by Size of Organization

Org Size     Initial PPP
1 - 249      1.94 %
250 - 999    2.21 %
1000+        3.04 %

Percentages are calculated for users who experienced a combination of CBT *and* at least 10 phishing tests.

Page 39

Build engagement and decrease behavior-related risk

Baseline Testing: We provide baseline testing to assess the Phish-prone™ percentage of your users through a free simulated phishing attack.

Train Your Users: On-demand, interactive, engaging training with common traps, live hacking demos and new scenario-based Danger Zone exercises, and educate with ongoing security hints and tips emails.

Phish Your Users: Fully automated simulated phishing attacks, hundreds of templates with unlimited usage, and community phishing templates.

See the Results: Enterprise-strength reporting, showing stats and graphs for both training and phishing, ready for management. Show the great ROI!

Page 40

Thank You!

Tel: 855-KNOWBE4 (566-9234) | www.KnowBe4.com | [email protected]