Abstract
Cyber attacks are often initiated with a social engineering attack that is used to penetrate a network; we call such attacks Cyber Social Engineering (CSE) attacks. Despite many studies, our understanding of CSE attacks is inadequate for explaining why these attacks remain prevalent and why humans are still the weakest link in cybersecurity. This paper aims to deepen our understanding of CSE attacks and to help design effective defenses against them. Specifically, we propose a framework, dubbed the CSE Kill Chain, for systematically modeling and characterizing CSE attacks. To demonstrate the usefulness of the framework, we perform a case study in which we apply it to analyze a real-world CSE attack.
© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Montañez Rodriguez, R., Xu, S. (2022). Cyber Social Engineering Kill Chain. In: Su, C., Sakurai, K., Liu, F. (eds) Science of Cyber Security. SciSec 2022. Lecture Notes in Computer Science, vol 13580. Springer, Cham. https://doi.org/10.1007/978-3-031-17551-0_32
DOI: https://doi.org/10.1007/978-3-031-17551-0_32
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-17550-3
Online ISBN: 978-3-031-17551-0
eBook Packages: Computer Science (R0)