Many of today's threat variants in the Cyber Threat Landscape are born from some of the oldest ones. In other words, the Cyberattacker does not want to start from nothing; instead, they would much rather “build a better mousetrap”, as we are seeing today.
A notable example of this is what is known as Social Engineering. It can be technically defined as follows:
“Social engineering is the term used for a broad range of malicious activities accomplished through human interactions. It uses psychological manipulation to trick users into making mistakes or giving away sensitive information.”
(SOURCE: https://www.imperva.com/learn/application-security/social-engineering-attack/)
So, as you can see, Social Engineering is nothing new; it even predates the Roman Empire. Because of that, anybody with a cunning mind who is willing to play on the emotions of human beings can quite easily launch this kind of attack.
When one thinks about Social Engineering, engaging a victim through direct physical contact is usually what comes to mind. But given the recent advancements in Generative AI, launching this kind of threat vector has become easier and stealthier, and it does not even require the Cyberattacker to have any prior knowledge about their victim.
Another notable example of this would be Cyberbullying. In this instance, the Cyberattacker can literally be thousands of miles away from their victim and still build a strong virtual relationship with them. Then, once the victim is at their most vulnerable, the Cyberattacker strikes.
Social Engineering also does not have to impact a victim directly. Rather, it can be used to gather more detailed intelligence about a victim, or about an even larger target.
I came across an article earlier today that describes how Generative AI can be used for this very purpose. Here are some examples of it:
1) Being able to attend a social gathering: Generative AI was used for the following:
- How to crash the event.
- How to collect visual intelligence about the security guards.
- The kinds of conversations to have while socializing with the other guests in order to extract intel.
2) What to wear: Generative AI was also used by the Cyberattacker to target a certain business by asking for the kinds of clothing that its employees typically wear. With this, the Cyberattacker would be able to walk in without being noticed.
3) Faked documents: Most of us have heard about how a Cyberattacker can easily replicate driver’s licenses and even credit cards. This can be taken to the extreme, where Generative AI is used to create a fake employee ID badge that convinces the security guard to let them past the main point of entry.
4) Finding assets: Just as you can get detailed views of houses and buildings on Google, the same can be said of Generative AI, except that it can go one layer deeper. For instance, if the Cyberattacker asks it where all the physical access security points are (such as CCTVs, turnstiles, etc.), it will give that as well. This would then allow them to covertly penetrate the business after work hours.
5) Creating maps: Most of us have used physical maps before, but guess what? Generative AI can also be used by the Cyberattacker to create a detailed map of a targeted building or office space, providing them with the following information:
- Entry ways into the building
- The parking garages
- The freight elevators
- Where both the digital and physical assets are located
My Thoughts on This:
It all sounds scary, right? Well, you had better believe that it is. The above examples all relate to how the Cyberattacker can find vulnerabilities that do not exist in the digital realm. Rather, they are all physically based, and the security policies of many organizations focus primarily on digital assets.
But guess what: the physical assets are just as prone to a security breach, or even more so.
What is the best way to mitigate this risk? Conduct a Penetration Test focused solely on the physical aspects of your business. For example, this can cover the main points of security, and even the lengths that security guards should go to when trying to confirm the identity of an individual who is trying to gain entry.
This is known more technically as “Red Teaming”, and while these kinds of tests may not be the cheapest, at the end of the day you will know just how Social Engineering attacks, especially those powered by Generative AI, can be successfully launched against your business. If you engage in this kind of exercise, you will be completely startled by just how weak your lines of defense are. But this will give you the ammunition to beef them up and to mitigate the risk of a Cyberattacker physically walking into your business and striking up conversations with your employees.
The bottom line: it is not just your digital assets that are vulnerable; the physical ones are too!!!