Security efforts in both public and private organizations focus on protecting their infrastructure from internal and external adversaries. These organizations spend billions each year on technology defenses. This approach was considered sufficient before the global social media explosion.
- 4.62 billion people globally use social media.
- In 2021 alone, nearly half a billion users worldwide joined social media.
Social media became the primary form of communication and information sharing in the modern world. This is also a vast field of activity for hackers, generating $3 billion in annual revenue for criminal actors.
The digital world continues to be an insider risk blind spot. Bad actors are keenly aware of this and capitalize on it. Today’s bad actors are looking for the path of least resistance to executing an attack, and social media has cleared the path.
The World Wide Web: A Digital Playground
To understand a little more about the weaponization of the digital realm it’s helpful to return to the basics, breaking down the World Wide Web (WWW). The digital playground falls into the Surface Web, Deep Web, and Dark Web — which threat actors are operating.
The Surface Web comprises 4% of the internet and is what most of us are accessing on a day-to-day basis. The data housed here are indexed by search engines and easily accessible unlike in the other layers of the web. This is where Google is housed. There are also news outlets, blogs, and social media on the Surface Web. The Deep Web forms 95% of the internet and involves data that is not indexed by search engines. This content cannot be indexed because they cannot access it without logins, or the content is stored behind firewalls.
Some examples of this can include cloud services, online banking, paid subscription-based online media sites, educational websites, Government websites, medical records, and video-on-demand services (i.e., Netflix, Amazon Prime, HBO Max).
The Dark Web comprises sites hidden from general view that need to be accessed via TOR (The Onion Router). TOR websites have unique, encrypted URLs and afford users anonymity. This area of the web is the nerve cell of the illegal marketplace. It is where you find things like PII, illegal drugs and unregistered weapons for sale, human trafficking, organ harvesting, etc.
The waters between the Deep and Dark Web are often muddied, and the terms are often used incorrectly in place of the other. The basic difference between the two is that the Deep Web can be accessed through credentials and authorization, while the Dark Web needs a special browser and software. Furthermore, data within the Deep Web is not hidden whereas data within the Dark Web is encrypted as its sole purpose is anonymity.
Social Media: A New Attack Vector
The intention behind social media platforms, as they were created, was to share information, foster connection, and creativity amongst users, and allow for the creation and promotion of user-generated content (UGC). Many assume these platforms are safe spaces to communicate and share information.
For a portion of users across social platforms, this is true. Unfortunately, bad actors of varying sophistication continue to weaponized social media, bringing grave harm to not only individuals and organizations but also critical infrastructure.
Perhaps the most notable example of the digital world being weaponized involves the social media war Russia launched against the United States. This multifaceted digital assault on the United States involved everything from targeted misinformation and disinformation campaigns aimed at influencing the 2016 U.S. Presidential Election, to executing a malware attack on 10k+ Twitter users within the U.S. Department of Defense, and a Russian Intelligence official infiltrating a social media group under the guise of a 42-year-old American housewife.
How to hack a human
Before the birth of social media, adversaries meticulously gathered human intelligence (HUMINT) on through travel, articles, public events, and old-fashioned, boots-on-the-ground surveillance. In the digital age, social media has become the primary HUMINT reconnaissance tool.
Individuals take to social media to share details of their personal and professional lives, educational background, political views, location, interests, etc. According to TESSIAN’s How to hack a human study:
- 59% of people post photos/names of children
- 38% of people post about birthday celebration
- 30% of people post names/photos of pets
- 27% of people post names/photos of partner
- 93% of people post employment updates
- 36% of people post information about their company, job, colleagues, boss, etc.
- 32% of people post updates and photos during business trips
- 26% of people post information about clients
This information is often not restricted by privacy settings and is available for public consumption. In fact, around 55% of people do not have any privacy settings activated at all, the study found.
The FBI continues to issue warnings to those who hold (or have held) security clearances about Foreign Intelligence Services targeting the U.S. and its interests via social media reconnaissance efforts that ultimately inform social engineering attacks.
This plays out in practice on multiple occasions. A notable example involves ex-U.S. Army Pilot, and now Ex-Defense Contractor, SHAPOUR MOINIAN plead guilty to selling secrets to China surrounding the United States proprietary aviation technology. MOINIAN was initially contacted by a woman who claimed to work for a technical recruiting company, offering him an opportunity to consult for the aviation industry in China.
The FBI highlights this case as being illustrative of China’s extensive use of social media as a reconnaissance tool to identify those with access to classified information, and ultimately launch a social engineering attack.
Social engineering provides a pathway to gaining insider access into an organization’s network and data. 74% of organizations were targeted with social media-based social engineering attacks in 2021.
In a social engineering attack, bad actors gather breadcrumbs and weaponize them, manipulating someone into sharing sensitive information to gain access to secure networks, physical spaces, etc. They establish fake personas that appeal to their targets, befriend them, and begin to establish trust with the goal of the target divulging confidential information and delivering malware or sophisticated phishing attacks.
The human element of social engineering makes it one of the top forms of insider risk. Organizations can have the most sophisticated technology defenses in place, and at the end of the day, it does not matter. At its core, insider risk is a human behavior problem — a people problem — not a technology problem.
Bottomline, people are oversharers. In broadcasting personal information, and sharing personally identifiable details about others, on social media individuals are effectively creating virtual dossiers on themselves, teeing themselves up to be exploited.
No one is above falling victim to a social engineering attack. A notable example of a social media-based social engineering attack involves U.S. Navy Admiral James Stavridis — NATO’s Supreme Allied Commander — who unwittingly fell victim to a social engineering impersonation attack orchestrated by China. Military Leaders, as well as Intelligence and Government officials throughout the world, received “friend” requests from Stavridis on Facebook and accepted, believing it was Stavridis who was known to use social media both personally and professionally.
In accepting this “friend” request these Global Leaders provided China with access to a myriad of both personal information (i.e., phone numbers, email addresses, photos, names of family and friends, etc.). The U.S. Intelligence Community and NATO assert that China was able to initiate their reconnaissance operation into Stavridis’ life, and subsequent social engineering impersonation attack through information gleaned on social media from Stavridis, his colleagues, his friends, and family. NATO has yet to confirm or deny the successful leak of U.S. or global military intelligence resulting from this attack.
What happens to all those digital breadcrumbs we leave behind? Well, it becomes part of the world of Open-Source Intelligence (OSINT). OSINT is used to gather publicly available information from the Web.
There is immense value in utilizing OSINT, and its younger sibling Social Media Intelligence (SOCMINT), in insider risk identification and prevention.
Ethical and legal considerations surrounding bias, privacy rights, and violations of civil liberties are leading concerns around social media exploitation (SOMEX), sparking controversy in both the public and private sectors. Employers, in principle, are not prohibited from analyzing publicly available, open-source information in support of proactive threat mitigation efforts, as well as predicated investigations.
In fact, it’s already standard practice for Intelligence Analysts and Investigators to gather OSINT from publicly available sources to produce actionable intelligence. Incorporating an analysis and exploitation of overt and publicly available UGC across social media platforms serves as a forced multiplier in identifying those who may be sharing information/content, or forming connections with individuals that put themselves and/or their workplace in a compromising position, opening the door for exploitation by adversaries.
The global social media explosion, and subsequent use of social media as an attack vector, furthers the argument that organizations can no longer avoid SOCMINT analysis as part of their proactive risk mitigation efforts.