Social Engineering Attack Detection Model

Abstract

Information security is a fast-growing discipline, and relies on continued improvement of security measures to protect sensitive information. Human operators are one of the weakest links in the security chain as they are highly susceptible to manipulation. A social engineering attack targets this weakness by using various manipulation techniques to elicit individuals to perform sensitive requests. Social engineering is deeply entrenched in the fields of both computer science and social psychology. Knowledge is required in both these disciplines to perform social engineering based research.

The field of social engineering is still lacking with regards to standardised definitions, ethical concerns, attack frameworks, examples of attacks and detection models. The main focus of this thesis is the proposal of a social engineering attack detection model, however, this thesis also addresses gaps within the field with regards to standardised definitions, ethical concerns, attack frameworks and examples of attacks.

The first step of this journey was to review the existing definitions within the field of social engineering. After the review, this thesis proposed standardised definitions for social engineer, social engineering, social engineered and social engineering attack. It was also established that social engineering can only be performed over bidirectional, unidirectional and indirect communication.

This thesis also identifies a number of concerns regarding social engineering in public communication, penetration testing and social engineering research. It also discusses the identified concerns with regard to three different normative ethics approaches (virtue ethics, utilitarianism and deontology) and provides their corresponding ethical perspectives.

Furthermore, this thesis proposes a social engineering attack framework based on Kevin Mitnick's social engineering attack cycle. The attack framework addresses shortcomings of Mitnick's social engineering attack cycle and focuses on every step of the social engineering attack from determining the goal of an attack up to the successful conclusion of the attack.

The social engineering attack framework is then utilised to derive detailed social engineering attack examples from real-world social engineering attacks within literature. Mapping several similar real-world examples to the social engineering attack framework allows one to establish a detailed flow of the attack whilst abstracting subjects and objects. This mapping is then utilised to propose the generalised social engineering attack examples that are representative of real-world examples, whilst still being general enough to encompass several different real-world examples.

After all of the gaps within the field of social engineering were addressed, attention is shifted back towards the main focus of this thesis which is the social engineering attack detection model. There were three iterations of the social engineering attack detection model proposed throughout this thesis, with each iteration improving upon the limitations on the one prior. The first iteration of the social engineering attack detection model was designed with a call centre environment in mind and is only able to cater for social engineering attacks that use bidirectional communication. The second iteration of the social engineering attack detection model addresses this problem by extending the model to cater for social engineering attacks that use either bidirectional communication, unidirectional communication or indirect communication. The third iteration focuses on the proposal of the underlying finite state machine of the social engineering attack detection model. The third iteration of the social engineering attack detection model provides a more abstract and extensible model that highlights the inter-connections between task categories associated with different scenarios. Furthermore, the third iteration is intended to help facilitate the incorporation of organisation specific extensions by grouping similar activities into distinct categories, subdivided into one or more states. In addition, it facilitates additional analysis on state transitions that are difficult to extract from the second iteration.

Ultimately, this thesis proposes a refined social engineering attack detection model that can be utilised by industry to either implement into their environment or to be used as a social engineering awareness training tool. The social engineering attack detection model is also developed to be extensible so that other researchers can expand upon the proposed model. Lastly, the social engineering attack detection model can also be used as a comparative measure for future social engineering attack detection models.