Social engineering attack framework

Mouton, Francois; Malan, Mercia M.; Leenen, Louise; Venter, Hein S.

doi:10.1109/issa.2014.6950510

Cited by 61 publications

(47 citation statements)

References 3 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…There are many models and taxonomies for social engineering attacks [1,13,16,17,18,19,20]. The most commonly known model is Kevin Mitnick's social engineering attack cycle as described in his book, The art of deception: controlling the human element of security [8].…”

Section: Defining Social Engineering Attacksmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

“…Due to this shortcoming, the authors developed a social engineering attack framework that expands on Kevin Mitnick's social engineering attack cycle [8,13]. The social engineering attack framework depicts the logical flow of a social engineering attack [13]. This framework refers to the components in the ontological model but focuses on the process flow -starting at the point at which an attacker initially thinks about gaining sensitive information from some target, up to the point of succeeding in the goal of gaining this information [13].…”

Section: Introductionmentioning

confidence: 99%

“…Each step within the social engineering attack framework has been verified using reallife social engineering examples [13]. The researchers found that there are limited practical examples of social engineering in literature.…”

Section: Introductionmentioning

confidence: 99%

“…The researchers found that there are limited practical examples of social engineering in literature. Current literature on social engineering attacks does not depict the full process flow of a social engineering attack and when researchers use these examples, several steps and phases of the attack have to be inferred [13,14,15].…”

Section: Introductionmentioning

confidence: 99%

See 4 more Smart Citations

Social engineering attack examples, templates and scenarios

Mouton

Leenen

Venter

2016

Computers & Security

Self Cite

117

View full text Add to dashboard Cite

The field of information security is a fast-growing discipline. Even though the effectiveness of security measures to protect sensitive information is increasing, people remain susceptible to manipulation and thus the human element remains a weak link. A social engineering attack targets this weakness by using various manipulation techniques to elicit sensitive information. The field of social engineering is still in its early stages with regard to formal definitions, attack frameworks and templates of attacks. This paper proposes detailed social engineering attack templates that are derived from real-world social engineering examples. Current documented examples of social engineering attacks do not include all the attack steps and phases. The proposed social engineering attack templates attempt to alleviate the problem of limited documented literature on social engineering attacks by mapping the real-world examples to the social engineering attack framework. Mapping several similar real-world examples to the social engineering attack framework allows one to establish a detailed flow of the attack whilst abstracting subjects and objects. This mapping is then utilised to propose the generalised social engineering attack templates that are representative of real-world examples, whilst still being general enough to encompass several different real-world examples. The proposed social engineering attack templates cover all three types of communication, namely bidirectional communication, unidirectional communication and indirect communication. In order to perform comparative studies of different social engineering models, processes and frameworks, it is necessary to have a formalised set of social engineering attack scenarios that are fully detailed in every phase and step of the process. The social engineering attack templates are converted to social engineering attack scenarios by populating the template with both subjects and objects from real-world examples whilst still maintaining the detailed flow of the attack as provided in the template. Furthermore, this paper illustrates how the social engineering attack scenarios are applied to verify a social engineering attack detection model. These templates and scenarios can be used by other researchers to either expand on, use for comparative measures, create additional examples or evaluate models for completeness. Additionally, the proposed social engineering attack templates can also be used to develop social engineering awareness material.

show abstract

Section: Defining Social Engineering Attacksmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%