Cyber Social Engineering Kill Chain

  • Conference paper
  • Science of Cyber Security (SciSec 2022)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 13580)

Abstract

Cyber attacks are often initiated with a social engineering attack to penetrate a network, which we call Cyber Social Engineering (CSE) attacks. Despite many studies, our understanding of CSE attacks is inadequate in explaining why these attacks are prevalent and why humans are still the weakest link in cybersecurity. This paper aims to deepen our understanding of CSE attacks and help design effective defenses against them. Specifically, we propose a framework, dubbed CSE Kill Chain, for systematically modeling and characterizing CSE attacks. To demonstrate the usefulness of the framework, we perform a case study in which we apply it to analyze a real-world CSE attack.

Author information

Corresponding author

Correspondence to Shouhuai Xu.

Copyright information

© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper

Cite this paper

Montañez Rodriguez, R., Xu, S. (2022). Cyber Social Engineering Kill Chain. In: Su, C., Sakurai, K., Liu, F. (eds) Science of Cyber Security. SciSec 2022. Lecture Notes in Computer Science, vol 13580. Springer, Cham. https://doi.org/10.1007/978-3-031-17551-0_32

  • DOI: https://doi.org/10.1007/978-3-031-17551-0_32

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-17550-3

  • Online ISBN: 978-3-031-17551-0

  • eBook Packages: Computer Science, Computer Science (R0)
