
Targeted attacks and the human vulnerability How to assess susceptibility to targeted cyber attacks exploiting human vulnerabilities


Academic year: 2020



Targeted attacks and the human vulnerability

How to assess susceptibility to targeted cyber attacks exploiting human vulnerabilities

Master Thesis –

MSc in Cyber Security

Cyber Security Academy, The Hague

Author: Derk-Jan van Mourik, student# 1728024

Supervisor: Prof dr Jan van den Berg MSc

Second reader: Renato Kuiper BSc


Abstract

Banks have been the target of cyber attackers ever since banking systems were connected to the internet. Banks have become accustomed to attacks aimed at the client side, compromising systems of banking customers, and have taken measures to mitigate those risks. However, in recent years new threats have emerged: attackers target the internal systems of the banking organizations themselves. A striking fact concerning these targeted attacks is that they rely heavily on human vulnerabilities within the targeted organization in order to be successful. Since the capacity and equipment of cyber attackers are increasing and the impact of compromised banking systems can be large, it is imperative to be able to assess this risk.

Although the focus of this research is on banks, the risk of targeted attacks and the vulnerability of human behaviour also affects other types of organizations. The aim of this research is to discuss the methods behind targeted attacks, human vulnerabilities, mitigating measures and to formulate a generic method to assess susceptibility to this risk in order to keep it within the limits of the organisation’s risk appetite.

The research intends to answer the questions: what are the methods behind targeted attacks exploiting human vulnerabilities, which measures exist to mitigate this risk, which factors contribute to susceptibility to a successful attack, and how can this risk be assessed in order to sufficiently mitigate it? To ground this research, techniques used in targeted attacks are discussed and human vulnerabilities are analysed.

It was found that:

• The human factor has been and still is an important vulnerability factor in targeted attacks.

• Security awareness training is not likely to reduce this vulnerability to zero.

• Therefore technical and administrative security measures also need to be taken into account in assessments of attacks targeting human vulnerabilities.


Acknowledgment

This thesis forms the completion of the academic executive master Cyber Security. It has been a joy to follow this very diverse and interesting programme for the last two years.

This thesis would not have been in this state without the help of some people.

I would first like to thank my thesis advisor Professor Dr Jan van den Berg MSc and the second reader Renato Kuiper BSc of the Cyber Security Academy at Leiden University. They both motivated, criticised and advised me throughout this final work. I am gratefully indebted to them for their very valuable comments on this thesis and am honoured to have worked with them.

I would also like to thank two experts, Fred Streefland MSc BBA and Michael de Rijk, who were involved in the review of this research paper.

Furthermore I thank my manager Rob Bank for facilitating me to take some days off to process the obtained feedback at the end of this project.

Last but not least I would like to thank my partner Jacob-Jan for his patience and supporting me in the process of forming this thesis.


Contents

Abstract ... II

Acknowledgment ... III

1. Introduction ... 1

1.1 Topic ... 1

1.2 Goal ... 3

1.3 Scope ... 4

1.4 Related work ... 4

1.5 Approach ... 6

1.6 Definition of terms ... 7

1.7 Structure ... 9

2. Banks in the Netherlands ... 10

2.1 Supervision ... 10

2.2 Process for executing financial transactions ... 11

2.3 Points of entry ... 14

2.4 Conclusion ... 14

3. Targeted cyber attacks ... 16

3.1 Introduction ... 16

3.2 Risk of targeted attacks ... 17

3.2.1 Chance ... 17

3.2.2 Impact ... 18

3.3 APTs: The kill chain ... 18

3.3.1 Reconnaissance ... 19

3.3.2 Weaponization ... 19

3.3.3 Delivery ... 20

3.3.4 Exploitation ... 22

3.3.5 Installation ... 23


3.3.7 Actions on Objectives ... 23

3.4 Other techniques used in targeted attacks... 24

3.4.1 Identity theft: phishing for user credentials ... 24

3.4.2 Persuasion of end user ... 25

3.4.3 Physical access ... 26

3.5 Analysis of documented cases of targeted attacks ... 26

3.5.1 Risk identification ... 27

3.5.2 Risk analysis ... 27

3.5.3 APTs using malware ... 28

3.5.4 Business Email compromise ... 33

3.5.5 Risk evaluation ... 35

3.6 Conclusion ... 36

4. Vulnerabilities of human behaviour ... 37

4.1 Relation to risk ... 37

4.2 Human-Computer Interaction ... 38

4.3 Persuasion by the attacker ... 40

4.4 Disclosing information ... 41

4.5 Conclusion ... 41

5. Mitigation approaches ... 43

5.1 Introduction ... 43

5.2 Physical mitigation techniques ... 43

5.3 Technical mitigation techniques ... 43

5.4 Administrative mitigation techniques... 46

5.5 Mitigation techniques ‘hardening the human’ ... 46

5.6 Case study: efficacy of security awareness education ... 49

5.7 Conclusion ... 50

6. Analysis ... 51


8. Reflection ... 55

9. Literature ... 59

Appendix A: Information security requirements DNB ... 64

Appendix B. Explanation of attack tree steps APT ... 67

1. Introduction

1.1 Topic

In recent decades banks have become increasingly dependent on IT systems that store their assets in the form of information, compared to traditional banking in which physical money and securities were stored in physical safes and secured buildings. Since banking systems are connected to networks with the desktops of banking employees and to the internet for serving web-based applications, banks are part of cyberspace. Protecting these banking processes, systems and their valuable data is a true challenge, due to a whole range of threats and vulnerabilities, both technical and human.

Ever since online banking has existed, criminals have targeted clients’ banking accounts by attacking the systems of those bank customers. The sheer number of customers’ computer systems constitutes a vast attack surface. Also, since these systems are not under the control of the banking organizations themselves, and security is therefore hard to enforce, they might contain vulnerabilities that attackers can exploit.

Banking Trojans, malware that hijacks the identity of bank customers to make fraudulent transactions, are of major concern to banks. However, “Banks have become more resilient against banking malware, as the police have noticed. Man-in-the-browser attacks targeted at end users no longer work as well, thanks to fraud detection by banks. Logically, cybercriminals have therefore gone looking for other work methods, tools and targets. This could explain why the use of banking Trojans continues to decrease and the use of ransomware and RATs (Remote Access Tools) continues to increase. For example, we now see attacks on banking systems themselves rather than on the account holders (NCSC 2016, 18)”.

appropriately dubbed the “Advanced Persistent Threat” (APT), represents well-resourced and trained adversaries that conduct multi-year intrusion campaigns targeting highly sensitive economic, proprietary, or national security information” (Hutchins 2011, 1). In APTs like the Swift hacks and Carbanak, spear phishing is used to intrude into the organization. In both scenarios spear phishing emails were aimed at the internal banking environment to insert malware in order to submit fraudulent payment instructions.

But targeted attacks do not only include APTs using malware. Another example of actual exploitation of human vulnerability by spear phishing is CEO fraud, in which the attacker obtains a fraudulent financial transaction simply by asking an internal employee.

At the time of writing the human behaviour of bank employees constitutes an important vulnerability factor in these cyber risks. Several forms of cyber attacks on the internal banking environment can only be successful if the vulnerability of a human actor is exploited. For instance, the three most prevalent vectors for the delivery stage in APTs are email attachments, websites and USB removable media (Hutchins 2011, 4). People within the targeted organization play a crucial role in the delivery of malware in such an attack.

In these documented cases control measures have failed. How to assess these big impact risks if the human vulnerability factor is of such importance? Which factors contribute to susceptibility to these attacks? And does security awareness training for staff have any effect on preventing these risks?

1.2 Goal

The goal of the research is to investigate which common factors determine susceptibility to risks posed by targeted social engineering attacks. Assessing susceptibility implies that the focus is on identifying and analysing vulnerabilities that might lead to such a targeted attack being successful. The research question is:

“How can susceptibility to targeted cyber attacks exploiting the human vulnerability be assessed?”

Targeted attacks are aimed at achieving a certain malicious goal. Different targeted organizations have different valuable data, or ‘crown jewels’, to protect. The end goal of the attacker can vary from stealing sensitive information to executing fraudulent payments.

The focus of this research is on targeted attacks aimed at banks to execute a fraudulent financial transaction.

In order for the main research question to be answered the following sub questions need to be answered:

• What factors contribute to risk posed by targeted cyber attacks exploiting human vulnerabilities?
  o Which points of entry can be identified that contribute to susceptibility to this risk?
  o What are targeted cyber attacks?
  o What techniques are used in targeted attacks?

• How does human vulnerability contribute to this risk?
  o Which human vulnerabilities can be identified?
  o How does Human-Computer Interaction (HCI) work?
  o How is human behaviour influenced by the attacker?

• Which mitigation techniques are available that influence susceptibility to this risk?

The deliverables of the research are:

• A risk analysis of documented cases

• An assessment of available mitigation approaches and techniques for targeted cyber attacks exploiting human vulnerabilities

1.3 Scope

The focus of the research is on assessing susceptibility to targeted social engineering attacks by analysing vulnerabilities that might lead to such an attack being successful.

The scope consists of attacks in which the actions of users (both end users and system administrators) within an organization act as a vector for the attack. It does not focus on attacks that exploit only technical vulnerabilities; although technical vulnerabilities can be indirectly caused by human behaviour (e.g. insecure configuration of computer systems by personnel), no human interaction is required in such an attack.

The research focuses on targeted cyber attacks aimed at banking employees in order to execute fraudulent financial transactions (the ‘crown jewels’ of a bank) by abusing the systems of the bank in a stealthy manner. It does not include risks that might lead to a financial transaction by extortion or blackmailing, like ransomware and DDoS.

The focus is on identifying the factors that contribute to susceptibility to this risk, i.e. it is not focused on assessing the consequences of this risk.

It includes a case study on the human vulnerability within a medium-sized bank in the Netherlands.

1.4 Related work

“Securing information assets: Understanding, measuring and protecting against social engineering attacks” by Marcus Nohlberg (Nohlberg 2008) discusses the risk of social engineering in a broader way, not focused on targeted attacks against banks. Furthermore it focuses only on susceptibility of human actors, irrespective of which technical and administrative measures are in place, which makes it less applicable to use for effective risk assessment.

“Methods and mitigations of targeted social engineering attacks” by Joseph Costa (Costa 2015) discusses how targeted attacks exploiting the human vulnerability work and can be mitigated. It also does not focus on attacks aimed at banks in order to compromise financial transactions, but describes the risk in a broader way. It does not pay attention to the balance between technical security measures and behavioural measures that is important to assess susceptibility to the risk of such attacks.

1.5 Approach

Different viewpoints are used in order to analyse which common factors determine susceptibility to risks posed by targeted social engineering attacks.

First the attacker’s end goal, the ‘crown jewels’, in this case the payment process, is described from within an organization’s context to identify points of entry. A short description is given of the target, banks in the Netherlands, identifying possible points of entry exploiting human vulnerabilities. This approach offers insight into the risk from the perspective of the targeted organization.

Then, the risk is explored from the perspective of the attacker. Desk research is performed to identify generic techniques used in different targeted attack scenarios exploiting human vulnerabilities. Documented cases of quite different types of attacks on banks are then analysed by mapping the attack steps to vulnerabilities, using attack tree modelling. By these analyses the generic factors are identified that contribute to susceptibility for a successful targeted social engineering attack. These identified factors can be used to assess susceptibility.

Thereafter, the nature of human vulnerabilities is explored in relation to targeted attacks, using theories on human-computer interaction and on persuasion, in order to gain insight into how it contributes to this risk.

Possible mitigation measures for preventing an attacker from successfully achieving his end goal are then identified. This is done based on desk research in combination with the identified success factors of attack techniques. Gaining insight into measures is important to determine vulnerabilities and net risk.

An approach to determine susceptibility to the risk is then formulated, based on the identified vulnerabilities used in these attacks in combination with measures implemented.

This research presents an analysis based on desk research. It also contains a design science topic, since it will deliver an artefact (assessment approach), and a case study on human behaviour. In the case study the efficacy of awareness education is evaluated by comparing the results of a phishing test with attendance lists of the training.

1.6 Definition of terms

Term: Explanation

4-eyes principle: Requirement that two individuals are needed to approve an action before it is executed

Administrative measures: Policies and procedures

APT: Advanced Persistent Threat

Banking Trojan: A malicious computer program designed to gain access to confidential information stored or processed through online banking systems, appearing as a legitimate piece of software

BEC: Business Email Compromise

Botnet: A number of computers that are under the control of a botnet master, although their owners are unaware of it

C2: Command & Control; a C2 server is the centralized computer that communicates with a botnet

CEO fraud: Email scam in which the attacker spoofs a CEO; a type of BEC

Crown jewels: The most precious things to protect; in this research: execution of financial transactions

Cyberspace: The environment in which communication over computer networks occurs

DDoS: Distributed Denial of Service

Drive-by download: Attack in which the attacker coerces a target user to visit a compromised website, infected with malware, to download malware directly into the system

End user: The person that uses an application

Exfiltrate: To transfer data out of a computer

HCI: Human-Computer Interaction

HSM: Hardware Security Module, a physical device that safeguards cryptographic keys and provides cryptoprocessing

HTTP: HyperText Transfer Protocol; protocol for communication between web client/browser and web server

Key logger: Keystroke logging, often referred to as keylogging or keyboard capturing, is the action of recording (logging) the keys struck on a keyboard, typically covertly, so that the person using the keyboard is unaware that their actions are being monitored

Malware: Malicious software

Man-in-the-browser attack: Interception and manipulation of data that is transmitted over a secure communication channel between a user and a web application, by using a Trojan that is embedded in the user’s browser application

Money mule: A person who transfers stolen money on behalf of others

Payload: Data that is transmitted, without headers and metadata

Pentesting: Penetration testing, the practice of trying to gain access to a computer system by looking for security weaknesses

Phishing: An e-mail fraud attempt in which the sender is spoofed

Ransomware: Malware that encrypts data on a victim’s computer and demands ransom money to decrypt it

RAR: Roshal ARchive; file format that supports data compression, error recovery and file spanning

Red teaming: The practice of viewing a problem from an adversary's perspective

Segregation: Separation of domains in order to limit the impact if a trusted element within a domain is compromised, e.g. by means of separate networks or restricted permissions

Shoulder surfing: Acquiring sensitive information by observing, e.g. by looking over someone's shoulder

SNL: SwiftNet Link

Social engineering: A hacker’s clever manipulation of the natural human tendency to trust

Spear phishing: An e-mail spoofing fraud attempt that targets a specific organization, seeking unauthorized access to confidential data

Spoofing: Falsifying an identity

STP: Straight Through Processing, automated direct processing of transactions

Strong authentication: Identity verification by at least two different types of authentication factors, i.e. not only a username and password

Swift: Society for Worldwide Interbank Financial Telecommunication

System administrator: A user that has permissions to manage and configure a computer system

Tailgating: Entering a restricted area by closely following someone who is authorized to enter

Trojan: Malware that misleads users by posing as legitimate software

Trusted system: A computer system that is authorized to execute specific commands on the target system

Trusted user: A user account that is authorized to execute specific commands on the target system

User credentials: Attestation of authority issued to an individual in order to prove his identity and authorization, such as username and password

VPN: Virtual Private Network

Water holing: Attack in which the attacker determines which websites are regularly used by a specific group of users, infects these websites with malware and lurks until the target falls prey

Worm: Malware that propagates itself

Zero-day vulnerability: A vulnerability that has not been disclosed publicly

1.7 Structure

Every chapter in this paper is introduced with a short description of its purpose and the methodology and theory used. The chapters end with a concise conclusion in relation to the research objective.

Several terms and abbreviations are used in this paper that might be considered as jargon for a layman. They are explained in paragraph 1.6.

Chapter 2 describes the targets: banks. An overview is given about information security requirements of supervisors in the Netherlands, about financial transaction systems and points of entry that an attacker might use.

To gain an understanding of the risk in scope of this research, targeted cyber attacks on banks are described in chapter 3. Scenarios of several documented cases are analysed by mapping the attack steps to vulnerabilities using attack tree modelling. The result is an overview of the factors that contribute to susceptibility for such an attack, the prerequisites for a successful attack.

Chapter 4 delineates in more detail how human behaviour acts as a vulnerability for this risk. To gain insight in this phenomenon, a description of Human-Computer Interaction (HCI) is given, including the way human thinking works. Furthermore the influence of human behaviour by the attacker is explained.

Mitigation approaches of risks posed by targeted attacks are examined in chapter 5. These include both technical, administrative and behavioural measures.

In chapter 6 the findings of the research are discussed.

The answer to the research question, including an approach to assess susceptibility by identifying vulnerability factors, is written in chapter 7.

Reflection on the research is performed and documented in chapter 8. Chapter 9 contains the bibliography of the literature used.

Appendix A contains a list of requirements by the Dutch supervisor of banks addressing human vulnerabilities.

Appendix B describes in more detail the different elements in the attack tree model analysis of APT-style attacks.

2. Banks in the Netherlands

The research domain is presented in this chapter, describing supervision and the crown jewels of banks that are at stake in targeted attacks. The information is based on desk research.

2.1 Supervision

A bank is a credit institution, i.e. an enterprise whose activities consist of receiving deposits or other repayable funds from the public and granting credits for its own account (DNB 2016).

The Netherlands Authority for the Financial Markets (AFM) is responsible for supervising the operation of the financial markets. This means that AFM supervises the conduct of the entire financial market sector: savings, investment, insurance and loans. By supervising the conduct of the financial markets, AFM aims to make a contribution to the efficient operation of these markets (AFM, about, 2016).

In the Law on financial supervision (Wet op het financieel toezicht or Wft) a large number of rules and regulations for financial markets and their supervision have been assembled (AFM, Wft, 2016).

Wft states that standards are set for banks to guarantee a good operation of payments. These standards provide at least a secure settlement of payment transactions and operating of the necessary infrastructure at these enterprises (overheid.nl 2016, article 3:17, 2a).

These norms are further specified by the Dutch supervisor of banks, De Nederlandsche Bank (DNB). The mission of DNB is to seek to safeguard financial stability and thus contribute to sustainable prosperity in the Netherlands (DNB 2016).

DNB uses an assessment framework for information security that is imposed on financial organizations in the Netherlands (DNB 2014). This framework is based on 54 control objectives of Cobit 4.1 (ISACA 2007). Banks ought to have these control objectives functioning at maturity level 3, that is: documented, formalized, structured and provable execution. Furthermore, the three control objectives for risk management ought to be functioning at maturity level 4, that is: the effectiveness of the control is periodically assessed and improved when necessary, this assessment is

The control objectives are categorized per domain: Strategy & Policies, Organization, People, Processes and Technology. The People and Processes domains contain several control objectives applicable to assessing human vulnerabilities and risk in general. These are presented in Appendix A. It is notable that the control objectives focus on vulnerabilities of two different groups of human actors: end users on the one hand and operations and technical support staff on the other.

2.2 Process for executing financial transactions

Processes for financial transactions within banks usually run on servers that cannot be accessed directly from the internet. In the past these back-end systems were only accessible via internal stand-alone terminals, but since approximately the beginning of this millennium these terminals have been replaced by workstations that also have an internet connection. Most banks use robust mainframe computers to do the processing of payments. Financial instructions can either be entered by customers via web application servers, by automated financial processing (straight through processing or STP) between trusted parties or manually by internal banking employees. The actual financial transactions are either applicable to accounts that are hosted by the bank itself or sent as an instruction to another bank if the account is hosted there. The Society for Worldwide Interbank Financial Telecommunication (SWIFT) provides a network that enables financial transactions between banks. Figure 1 shows that typically only the secure connection (VPN) is managed by Swift; the infrastructure components that host the financial processes are managed within the banking organization (customer premises). This implies that bank employees that interact with these infrastructure components might influence the output that is sent to the secure connection.

Financial transactions that are initiated by internal banking employees or internal trusted systems are the ‘crown jewels’ that attackers aim at. They can be either entered directly into a back-end payment system or SWIFT, or indirectly by sending a payment instruction (for instance by internal email) to another employee who enters it.

The process for financial instructions is illustrated in a simplified manner in figure 2 on the next page. It represents a so-called ‘clean payment’. A clean payment is a payment of cash for which there is no directly associated counter value. Clean payments are the most broadly used medium for paying a client’s account receivable or payable in a foreign currency (Financial Advisory 2011). Because there is no counter value directly associated with this type of payment, it is an attractive target for criminals. Financial instructions in which a correlation is done before the transaction is settled are much harder to forge, because it involves two parties that need to deliver associated information simultaneously. ‘Delivery versus payment’ is an example of such an instruction, which is commonly used for settlement of securities. Figure 2 is also applicable to these kinds of transactions, but there are extra applicative measures in the broader process that enforce reconciliation before a transaction is actually settled.

Note that the final financial transaction can either be credited to an internal account holder or to an account of a different bank by means of an interbank financial transaction (e.g. via Swift). Banks in the Netherlands are required to identify their account holders, thus facilitating attribution of transactions to an accountable party (AFM, Wft, 2016, Wet ter voorkoming van witwassen en financieren van terrorisme, article 5, 1c).

[Figure 2: simplified process for financial instructions (clean payment). Incoming instructions reach the internal trusted environment (workstations & servers, employees) via three channels: manual entry by the customer through the web server and web application interface; input from a trusted system through the interface for trusted external systems (automated process on server); and manual entry by a back-office employee from a workstation, following a client instruction received via a variety of media (e.g. email, fax, phone) or an instruction via an internal process (e.g. email). Each incoming instruction passes an authorisation check against the database with financial information before the balance is updated. The decision ‘Internal beneficiary?’ routes the instruction either to the internal payment system on the mainframe (execute internal financial transaction for internal account holder) or, via a back-office employee with access to the system for interbank transactions, to the application server for financial instructions to other banks (execute interbank financial transaction, e.g. via Swift).]

2.3 Points of entry

There are several points in the process that are susceptible to manipulation by means of a human actor serving as a point of entry. These are possible causes of fraudulent instructions.

Persuasion of end user: the human end users depicted in figure 2 have the ability to initiate a financial instruction. These people themselves are prone to manipulation. This can be done by pretexting, by providing a false motive, in order to persuade an end user to execute a transaction.

Identity theft of end user account: the attacker can also aim at acquiring the user credentials (username and password) of these human actors in order to get access to an internal application without them knowing.

Compromising an operating system: an attacker might also aim at obtaining access to an operating system within the internal environment, either server or workstation, as depicted in figure 2. If he can execute code on the operating system he might be able to move laterally within the internal environment. Administrative access to a computer system might be obtained by hacking an account of an administrator user or a trusted system user or by using an exploit that is executed by a trusted user. Compromising the right operating system allows him to insert a fraudulent transaction via a trusted machine.

Compromising a database server: data about financial transactions and balances are stored and retrieved in databases, as depicted in figure 2. These data can be manipulated by hacking an account of a database administrator user or a trusted system user or by using an exploit that is executed by a trusted user.

Physical access: physical access to a computer system within the trusted environment, as depicted in figure 2, can also be used to acquire user credentials or to compromise an internal computer system. Physical access may be gained by persuading a person that has legitimate access or a security guard.
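As an added illustration that is not part of the thesis, the Python model below implements the figure 2 flow with an authorisation check in front of ‘update balance’: the three incoming channels, the ‘Internal beneficiary?’ branch, and a 4-eyes rule (paragraph 1.6) for manual entries above an assumed threshold. The channel names, user and system identities, accounts, amounts and the threshold are constructed assumptions; the scenarios in demo() show which of the points of entry above the check stops by itself and which residual risk remains for a susceptibility assessment.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Channel(Enum):
    """Incoming instruction channels of figure 2 (names are assumptions)."""
    CUSTOMER_WEB = "manual entry by customer via web application"
    TRUSTED_SYSTEM = "input from trusted system (STP interface)"
    EMPLOYEE_MANUAL = "manual entry by back-office employee"


@dataclass
class Instruction:
    channel: Channel
    entered_by: str                    # credential or system identity that entered it
    debit_account: str
    beneficiary_account: str
    amount: float
    approved_by: Optional[str] = None  # second employee for 4-eyes approval


@dataclass
class Bank:
    """Constructed bank state: hosted accounts, trusted systems and back-office staff."""
    accounts: dict          # account id -> balance of internal account holders
    trusted_systems: set    # identities allowed on the trusted external interface
    back_office: set        # employees allowed to enter and approve manual instructions
    four_eyes_threshold: float = 10_000.0                  # assumed 4-eyes limit
    interbank_outbox: list = field(default_factory=list)   # sent on, e.g. via Swift
    audit_log: list = field(default_factory=list)          # for detection/review

    def authorisation_check(self, ins: Instruction) -> Optional[str]:
        """Return a rejection reason, or None if the instruction may be executed."""
        if ins.channel is Channel.TRUSTED_SYSTEM and ins.entered_by not in self.trusted_systems:
            return "unknown system on trusted interface"
        # Simplification: a customer's login identity equals its own account id.
        if ins.channel is Channel.CUSTOMER_WEB and ins.entered_by != ins.debit_account:
            return "customer may only debit own account"
        if ins.channel is Channel.EMPLOYEE_MANUAL:
            if ins.entered_by not in self.back_office:
                return "entering user lacks back-office permission"
            if ins.amount >= self.four_eyes_threshold:
                if ins.approved_by is None:
                    return "4-eyes approval required"
                if ins.approved_by not in self.back_office:
                    return "approver lacks back-office permission"
                if ins.approved_by == ins.entered_by:
                    return "entering user cannot approve own instruction"
        if ins.debit_account not in self.accounts:
            return "debit account not hosted here"
        if self.accounts[ins.debit_account] < ins.amount:
            return "insufficient balance"
        return None

    def process(self, ins: Instruction) -> str:
        """Authorisation check, then 'update balance' or the interbank branch."""
        reason = self.authorisation_check(ins)
        if reason:
            self.audit_log.append(("REJECTED", ins.channel.name, ins.entered_by, reason))
            return "rejected: " + reason
        self.accounts[ins.debit_account] -= ins.amount
        if ins.beneficiary_account in self.accounts:   # 'Internal beneficiary?' -> yes
            self.accounts[ins.beneficiary_account] += ins.amount
            outcome = "internal transaction executed"
        else:                                           # no: interbank, e.g. via Swift
            self.interbank_outbox.append((ins.beneficiary_account, ins.amount))
            outcome = "interbank transaction queued"
        self.audit_log.append(("EXECUTED", ins.channel.name, ins.entered_by,
                               ins.approved_by, outcome))
        return outcome


def demo() -> dict:
    """Run constructed scenarios for the points of entry of paragraph 2.3."""
    bank = Bank(accounts={"NL01": 50_000.0, "NL02": 0.0},
                trusted_systems={"stp-gateway"},
                back_office={"alice", "bob"})
    manual = Channel.EMPLOYEE_MANUAL
    results = {}
    # Persuasion of end user: one persuaded employee enters a large payment alone.
    results["persuaded_alone"] = bank.process(
        Instruction(manual, "alice", "NL01", "GB99", 25_000.0))
    # Identity theft of one account: the same stolen credential enters and approves.
    results["stolen_single_credential"] = bank.process(
        Instruction(manual, "alice", "NL01", "GB99", 25_000.0, approved_by="alice"))
    # Legitimate 4-eyes transfer to an internal account holder.
    results["four_eyes_internal"] = bank.process(
        Instruction(manual, "alice", "NL01", "NL02", 25_000.0, approved_by="bob"))
    # Compromised machine posing as a trusted system on the STP interface.
    results["rogue_system"] = bank.process(
        Instruction(Channel.TRUSTED_SYSTEM, "rogue-box", "NL01", "GB99", 100.0))
    # Residual risk 1: a persuaded employee stays below the 4-eyes threshold.
    results["below_threshold_alone"] = bank.process(
        Instruction(manual, "alice", "NL01", "GB99", 5_000.0))
    # Residual risk 2: two compromised credentials satisfy the 4-eyes rule.
    results["two_stolen_credentials"] = bank.process(
        Instruction(manual, "alice", "NL01", "GB99", 20_000.0, approved_by="bob"))
    results["balances"] = dict(bank.accounts)
    results["interbank_outbox"] = list(bank.interbank_outbox)
    return results
```

The two residual-risk scenarios are the ones a susceptibility assessment has to weigh: the authorisation check alone does not stop a persuaded employee below the threshold or two compromised credentials, which is where behavioural and detective measures come in.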

2.4 Conclusion

operational/technical support staff should be considered, and risk assessments should be done on a recurring basis. Different points of entry exist in the financial transaction process wherein

3. Targeted cyber attacks

In this chapter the risk of targeted attacks exploiting human vulnerabilities is explained in more detail in terms of chance and impact. Different strategies of targeted attacks are presented, and the points of entry they use. The information is based on desk research and documented cases.

3.1 Introduction

According to the Cyber Security Assessment Netherlands 2016 multiple organizations are being faced with much more targeted and advanced social-engineering attacks. Professional criminals and state actors are still the greatest threat to Dutch digital security (NCSC 2016, 25). Also, the main actors targeting private organizations for theft are professional criminals and internal actors. Manipulation of information is mostly done by professional criminals (NCSC 2016, 12).

Sood & Enbody define a targeted attack as, “a class of dedicated attacks that aim at a specific user, company, or organization to gain access to the critical data in a stealthy manner” (Sood 2014, 2).

The general risk of targeted attacks is described in terms of chance and impact in paragraph 3.2.

In order to achieve the overall goal, executing a fraudulent transaction, an attacker can use a variety of scenarios using human actors as point of entry. The techniques used, and the vulnerabilities they exploit, are described in paragraphs 3.3 and 3.4.

APTs can be considered a subset of targeted attacks (Sood 2013, 55) and are characterised by an arsenal of sophisticated methods, large capacity and persistence. APTs proceed in phases in their attempt to reach their goal. These phases are described by Lockheed Martin as "the intrusion kill chain". The intrusion kill chain consists of reconnaissance, weaponization, delivery, exploitation, installation, command and control (C2), and actions on objectives (Hutchins 2011, 4-5). Paragraph 3.3 describes APTs by explaining these steps.


3.2 Risk of targeted attacks

The specific risk of targeted attacks that this research focuses on is defined as: The undesirable event of executing a fraudulent financial transaction caused by a targeted cyber-attack aimed at banking employees by abusing the internal systems of the bank in a stealthy manner leading to financial loss.

The following subparagraphs discuss the chance and the impact of this risk.

3.2.1 Chance

Three conditions must be present in order for an attacker (also known as a threat agent) to carry out an attack against a defender's organisation. "First, the defender must have vulnerabilities or weaknesses in their system. Second, the threat agent must have sufficient resources available to exploit the defender's vulnerabilities. This is known as capability. The last condition is that the threat agent must believe they will benefit by performing the attack. The expectation of benefit drives motivation" (Ingoldsby 2013, 3).

Capability depends on the actor. Criminal organizations and state actors have sufficient resources. It is also becoming easier for malicious parties without specific knowledge and skills to carry out digital attacks, using low-threshold tools and affordable forms of cybercrime-as-a-service (NCSC 2016, 25).

Motivation is often determined by financial gain. This is why banks are an obvious target of attacks.

So with capability and motivation present, attacks on banks are likely to occur whenever vulnerabilities are present.

Reconnaissance is the first step in a targeted attack. Although information about the target might not be considered a vulnerability on its own, it is indispensable for the attacker to perform pretexting, and so it increases the chance of a successful attack.

Furthermore, the probability of a successful attack is depending upon a variety of vulnerabilities, both technical and human behavioural. APTs for instance need to exploit a sum of different


3.2.2 Impact

The business impact of a targeted attack is determined by the system authorization level of the targeted (user or computer) account and the degree of (network) segregation. For instance: if the hacked account does not have (system or network) access to the payment system the impact is less than if the hacked account does have access to such a system. However, if a less-critical system is compromised the attacker may move laterally within the network to get to his target.

Just as chance depends on vulnerabilities and the preventive measures in place, impact is determined by measures of detection and response. If a fraudulent financial transaction is detected before it is irrevocably executed, it might be stopped in time. Also, when the value of a financial transaction is limited, the impact can be kept low. Furthermore, as explained in paragraph 2.2, attribution of financial transactions to a beneficiary limits the possibility for an attacker to get away with the booty unpunished.

3.3 APTs: The kill chain

Lockheed Martin explains that "the concept of the kill chain is based on the U.S. military targeting doctrine to target and engage an adversary to create desired effects. It considers an integrated, end-to-end process described as a 'chain' because any one deficiency will interrupt the entire process" (Hutchins 2011, 4). This is a useful concept to assess susceptibility to targeted attacks because the success of such an attack depends on a combination of vulnerabilities.

The steps in APTs are explained in the following subparagraphs.


3.3.1 Reconnaissance

“Research, identification and selection of targets, often represented as crawling Internet websites such as conference proceedings and mailing lists for email addresses, social relationships, or information on specific technologies” (Hutchins 2011, 4).

"Reconnaissance can be thought of as spying on a person or group of people and it has been occurring way before computers were even invented. The adversary can go about reconnaissance in many ways, but when it comes to targeted attacks that will be using employees as the main exploit; they may choose to use certain avenues. Some information about a target can be accessed easily by use of the internet. A quick Google search of an organization could find their website, which may contain contact information for certain employees, such as name, email, department, etc. Employee email addresses can be used as the recipients for a well-crafted spear-phishing email. The attacker would use their name and department to 'personalize' the email to increase the likelihood of it being opened. An attacker may also visit social media websites such as Facebook to gather information on the specific employees. Knowledge of an employee's internet use could help an attacker figure out popular websites that the employees may visit, which is necessary to attempt a water holing attack" (Costa 2015, 16).

There are various other ways in which attackers can obtain email addresses, such as leaked account databases, links clicked in spam emails, scraping the web or buying lists of addresses (Hoffman 2014). Since the domain part of the email addresses (after the @) of internal banking employees is usually the same as the domain name of the corporate website, the attacker only needs to find the naming convention of the local part (for instance firstname.lastname) to construct valid addresses. Profiles on social media like LinkedIn provide the names and further information about a potential target. This means that the chance of occurrence of a spear phishing attack depends heavily on the attacker's goal: if an attacker wants to target a certain bank, it is relatively easy for him to find a valid email address of a victim.

Success of reconnaissance is determined by the extent to which useful information is disclosed and available to the attacker.
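As an added example (not part of the thesis), the following Python script shows how an attacker infers the address convention from a handful of addresses found during reconnaissance and then generates candidate addresses for other employees whose names were harvested from the corporate website or LinkedIn. The names, addresses and the domain example-bank.nl are constructed for this example.

```python
"""Added example, not part of the thesis: infer a corporate e-mail address
convention from a few addresses found during reconnaissance and generate
candidate addresses for other employees whose names were harvested from the
corporate website or LinkedIn.  Names, addresses and the domain are constructed."""
import re
import unicodedata

# Conventions seen in practice, written with the placeholders first, last,
# f (first initial) and l (last initial).
FORMATS = [
    "{first}.{last}", "{first}{last}", "{f}{last}", "{f}.{last}",
    "{first}_{last}", "{last}.{first}", "{last}{f}", "{first}",
]


def normalise(name):
    """Lower-case ASCII letters only: 'Müller' -> 'muller', "O'Brien" -> 'obrien'."""
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z]", "", ascii_name.lower())


def render(fmt, full_name):
    """Apply a convention to a full name; the first and last whitespace-separated
    tokens are taken as first and last name (middle names and particles are dropped)."""
    parts = full_name.split()
    first, last = normalise(parts[0]), normalise(parts[-1])
    return fmt.format(first=first, last=last, f=first[:1], l=last[:1])


def matching_formats(known):
    """known maps full name -> observed local part (the text before the @).
    Returns every convention that reproduces all observed addresses; more than
    one result means the sample is too small to decide."""
    return [fmt for fmt in FORMATS
            if all(render(fmt, name) == local for name, local in known.items())]


def generate(names, fmt, domain):
    """Candidate addresses for harvested names under the inferred convention."""
    return {name: "{}@{}".format(render(fmt, name), domain) for name in names}


if __name__ == "__main__":
    # Constructed: two addresses taken from the corporate website ...
    observed = {"Anna de Vries": "anna.vries", "Tom Jansen": "tom.jansen"}
    # ... and names of payment-department staff found on LinkedIn.
    harvested = ["Pieter Bakker", "Sofie Müller"]
    for fmt in matching_formats(observed):
        print(fmt, generate(harvested, fmt, "example-bank.nl"))
```

A defender can run the same inference over its own published addresses to see how predictable they are; the only mitigation at this step is limiting the information that is disclosed.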

3.3.2 Weaponization


The exploits are used to compromise an IT component like an operating system, database server or specific application. Since the weaponized deliverable is disguised as a client application file, it can be delivered to unsuspecting end users. Banking employees typically have such client applications at their disposal in order to perform their job tasks.

3.3.3 Delivery

“Transmission of the weapon to the targeted environment. The three most prevalent delivery vectors for weaponized payloads by APT actors, are email attachments, websites, and USB removable media” (Hutchins 2011, 4).

Delivery is the phase in which human actors function as a point of entry.

Financial transactions are always initiated by an account that is authorized to do so. This account can be either a human user (an end user within the application, or a system administrator) or a system user (for instance a trusted system that sends input). Attackers can attempt to send malware to an end user in order to intercept user credentials.

APTs like the Swift hacks aim directly at stealing the user credentials of an employee with access to the crown jewels. The Carbanak APT is also known to steal the user credentials of other users in order to gain a foothold within the internal network and move laterally towards an end target. The targets of such attacks are illustrated in figure 4.


Figure 4: Targets of an attack aimed at compromising user accounts by human vulnerabilities; indirect human targets are encircled with a dashed red line

Another means of delivery is an infected website.

"Drive-by downloads are used by the attacker to get the target to download malware from the Internet. To do this, the user is coerced to visit a compromised website," ... "that redirects the user's browser to yet another malicious domain running a browser exploit pack that exploits vulnerabilities in the user's browser or plugins to download malware directly into the system" (Sood 2013, 56). Instead of forcing a target to visit a compromised website, the attacker can also choose to use the technique of water holing. "Water holing describes a targeted attack where the attackers compromise a website that is likely to be of interest to the chosen victim. The attackers then wait at the waterhole for their victim" (Krombholz 2015, 117). An attacker can use reconnaissance techniques to extract information about a target's internet activity. If the attacker can successfully compromise a certain website, they only need to wait for the target to visit the site and unknowingly download malware to their system. An attacker may choose to compromise a website that is frequently visited by members of the targeted organization; in the case of banking employees this might be, for instance, a financial news website.


3.3.4 Exploitation

“After the weapon is delivered to victim host, exploitation triggers intruders’ code. Most often, exploitation targets an application or operating system vulnerability, but it could also more simply exploit the users themselves or leverage an operating system feature that auto-executes code” (Hutchins 2011, 4).

Known technical vulnerabilities can be exploited on systems that have not been updated with security patches.

Also zero-day vulnerabilities may be used by an attacker to exploit a system in a targeted attack. According to Bilge and Dumitras: "A zero-day attack is a cyber attack exploiting a vulnerability that has not been disclosed publicly. There is almost no defense against a zero-day attack: while the vulnerability remains unknown, the software affected cannot be patched and anti-virus products cannot detect the attack through signature-based scanning" (Bilge 2012, 833).

“This zero-day threat is dangerous for many obvious reasons. If anti-virus software cannot detect the attack, then it can go unnoticed until a patch is developed for the specific vulnerability. This is a common way that a targeted social engineering attack is physically able to infect the system. Although an end user may be responsible for opening a malicious email attachment, clicking on a malicious link or inserting an infected USB drive, the malware still needs to be able to exploit the software and zero-day vulnerabilities may prove to be the most susceptible. An attacker can find, with their technical skills, these holes in software and package it with a malicious payload to be delivered using a social engineering tactic” (Costa 2015, 19).

There is a brisk trade in zero-day exploits. Andy Greenberg writes that "a six-figure price for a single hacking technique may sound extravagant, but it's hardly unique". He assembled a rough price list for zero-day exploits, shown in the table below.

Adobe Reader                       $5,000-$30,000
Mac OS X                           $20,000-$50,000
Android                            $30,000-$60,000
Flash or Java browser plug-ins     $40,000-$100,000
Microsoft Word                     $50,000-$100,000
Windows                            $60,000-$120,000
Firefox or Safari                  $60,000-$150,000
Chrome or Internet Explorer        $80,000-$200,000
iOS                                $100,000-$250,000


"Each price assumes an exclusive sale, the most modern version of the software, and, of course, not alerting the software's vendor. Some fees might even be paid in installments, with each subsequent payment depending on the vendor not patching the security vulnerabilities used by the exploit. In some cases the techniques would need to be used in combination to be effective" (Greenberg 2012). Success of exploitation depends on the patch level of the target system and on the zero-day exploits available to the attacker.

3.3.5 Installation

“Installation of a remote access Trojan or backdoor on the victim system allows the adversary to maintain persistence inside the environment” (Hutchins 2011, 5).

Installing malware implies that vulnerabilities must exist on the network and the workstation: the possibility to download, install and execute malware (for instance unrestricted outbound downloads, local administrator rights, or the absence of application whitelisting).

3.3.6 Command and Control (C2)

“Typically, compromised hosts must beacon outbound to an Internet controller server to establish a C2 channel. APT malware especially requires manual interaction rather than conduct activity automatically. Once the C2 channel establishes, intruders have “hands on the keyboard” access inside the target environment” (Hutchins 2011, 5).

The attacker can now control a compromised host remotely and proceed to actions on his objectives.
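The outbound beaconing described in the quotation above can be recognised in proxy logs. The following Python script is an added example, not part of the thesis or of the cited work: it groups outbound requests per (source host, destination host), computes the intervals between them and flags pairs that recur at a near-constant interval. The log lines are constructed for this example.

```python
"""Added example, not part of the thesis or of Hutchins et al.: detect C2-style
beaconing in outbound proxy logs by looking for a (source, destination) pair
that is contacted at a near-constant interval.  The log lines are constructed."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log: timestamp, source IP, method, URL, status.
# 10.1.2.15 contacts cdn-update.example.net every five minutes (plus a few
# seconds of drift); 10.1.2.22 reads a news site at irregular moments.
LOG = """\
2017-03-01T09:00:00 10.1.2.15 GET http://cdn-update.example.net/ping 200
2017-03-01T09:00:07 10.1.2.15 GET http://intranet.bank.example/home 200
2017-03-01T09:05:01 10.1.2.15 GET http://cdn-update.example.net/ping 200
2017-03-01T09:09:59 10.1.2.15 GET http://cdn-update.example.net/ping 200
2017-03-01T09:12:40 10.1.2.15 GET http://news.example.org/markets 200
2017-03-01T09:15:00 10.1.2.15 GET http://cdn-update.example.net/ping 200
2017-03-01T09:20:02 10.1.2.15 GET http://cdn-update.example.net/ping 200
2017-03-01T09:01:13 10.1.2.22 GET http://news.example.org/markets 200
2017-03-01T09:03:50 10.1.2.22 GET http://news.example.org/markets 200
2017-03-01T09:31:07 10.1.2.22 GET http://news.example.org/markets 200
2017-03-01T09:33:02 10.1.2.22 GET http://news.example.org/markets 200
2017-03-01T10:10:45 10.1.2.22 GET http://news.example.org/markets 200
"""


def parse(log_text):
    """Yield (timestamp, source, destination host) for each log line."""
    for line in log_text.splitlines():
        ts, src, _method, url, _status = line.split()
        host = url.split("//", 1)[1].split("/", 1)[0]
        yield datetime.fromisoformat(ts), src, host


def find_beacons(log_text, min_hits=4, max_jitter=0.1):
    """Return {(source, destination): mean interval in seconds} for pairs seen
    at least min_hits times whose intervals vary by less than max_jitter
    (standard deviation divided by mean)."""
    hits = defaultdict(list)
    for ts, src, host in parse(log_text):
        hits[(src, host)].append(ts)
    beacons = {}
    for pair, stamps in hits.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg < max_jitter:
            beacons[pair] = round(avg, 1)
    return beacons


if __name__ == "__main__":
    for (src, host), interval in find_beacons(LOG).items():
        print("possible beacon: {} -> {} every {} s".format(src, host, interval))
```

Real C2 implants add jitter to their interval, so the threshold must be tuned and the check combined with other signals, such as a destination that is contacted by only one host in the organisation.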

3.3.7 Actions on Objectives

"Only now, after progressing through the first six phases, can intruders take actions to achieve their original objectives. Typically, this objective is data exfiltration which involves collecting, encrypting and extracting information from the victim environment; violations of data integrity or availability are potential objectives as well. Alternatively, the intruders may only desire access to the initial victim box for use as a hop point to compromise additional systems and move laterally inside the network" (Hutchins 2011, 5).


organization has tight security but according to Carr, "today's sophisticated malware takes excruciating steps to hide its communication and intentions. Encrypted commands, communications over HTTP and decentralized command and control, and exfiltration of data through covert means are the norm" (Carr 2012, 157). If an attacker has already compromised a system through a targeted attack carrying a malicious payload that exploits a zero-day vulnerability, they will want to continue the theme of stealth. With the sophistication seen today, attackers have the capability to remain undetected while they move through networks and exfiltrate the data they came for (Costa 2015, 24).

Lateral movement within the network implies that other systems are compromised via the component that was used as the point of entry. The impact of one compromised system is therefore not limited to that system alone.

By exfiltrating data the attacker acquires information about how to execute a financial transaction.

Controlling a compromised host within the internal banking environment remotely, the attacker can use the hacked user credentials of internal users to submit a fraudulent transaction.

3.4 Other techniques used in targeted attacks

Apart from typical APTs, various other techniques to exploit human vulnerabilities are available in the arsenal of the attacker. These are discussed in this paragraph.

3.4.1 Identity theft: phishing for user credentials


3.4.2 Persuasion of end user

Another type of attack, one that does not require malware, is to send an instruction directly to an end user, enticing him to initiate a financial transaction. This requires a pretext that persuades the end user to do so.

This can be done by emailing the user while posing as a legitimate requestor and convincing him to execute an action.

Figure 5 depicts how such an attack is performed. Persuasion of the human actor is described in more detail in paragraph 4.3.

Figure 5: Insertion of fraudulent instruction by persuasion of end user

Manipulation of the internal actor by other types of communication, like phone or instant messaging, is another means in the arsenal of the attacker. A combination of techniques, like phone and email, can also be used.


which the human target has influence on the internal environment for the attacker to reach his end goal.

3.4.3 Physical access

Physical access to an internal computer might compromise security by physically inserting malware (delivery), taking advantage of an unlocked computer, or shoulder surfing (which can lead directly to the attacker's actions on objectives). Flaws in physical security or social engineering techniques like tailgating can be used to gain access.

An example of malware that was in all probability delivered physically is Stuxnet. In the Stuxnet APT "over fifteen Iranian facilities were attacked and infiltrated by the Stuxnet worm. It is believed that this attack was initiated by a random worker's USB drive. One of the affected industrial facilities was the Natanz nuclear facility" (Holloway 2015).

"Rather than trying to infiltrate directly by crawling through 15 firewalls, three data diodes, and an intrusion detection system, the attackers acted indirectly by infecting soft targets with legitimate access to ground zero: contractors. However seriously these contractors took their cybersecurity, it certainly was not on par with the protections at the Natanz fuel-enrichment facility. Getting the malware on the contractors' mobile devices and USB sticks proved good enough, as sooner or later they physically carried those on-site and connected them to Natanz's most critical systems, unchallenged by any guards" (Schneier 2013).

This example shows that physical access to computer systems can also be a vector to insert malware.

3.5 Analysis of documented cases of targeted attacks

In this paragraph two types of targeted attacks aiming at executing fraudulent payments are presented and analysed, based on documented cases.


3.5.1 Risk identification

"Risk identification is the process of finding, recognizing and recording risks" (ISO 2009, 12). The risk that this research focuses on has already been identified: the undesirable event of executing a fraudulent financial transaction caused by a targeted cyber-attack aimed at banking employees by abusing the internal systems of the bank in a stealthy manner, leading to financial loss. This risk can occur due to a number of different attacks. The techniques used have been identified in paragraphs 3.3 and 3.4. Furthermore, vulnerabilities to such attacks have been identified by analysing the points of entry in the payment process in paragraph 2.3. In the following subparagraphs two different types of documented cases of such attacks are analysed.

3.5.2 Risk analysis

"Risk analysis is about developing an understanding of the risk. It provides an input to risk assessment and to decisions about whether risks need to be treated and about the most appropriate treatment strategies and methods" (ISO 2009, 13). A risk analysis of targeted attacks exploiting human vulnerabilities in order to execute a fraudulent financial transaction is presented in the following paragraphs.

Each step of an attack needs a vulnerability it can exploit. These vulnerabilities can be either technical or human behavioural. Only if all steps are taken is the attack successful, achieving the top event (execution of a fraudulent transaction). Since the top event is known and the vulnerabilities leading to it are being assessed, a model is needed that works backwards from this event to its preconditions. This is why attack tree-based risk analysis is applicable to assessing vulnerability to targeted attacks. Attack trees provide a formal, methodical way of describing the security of systems, based on varying attacks (Schneier 1999). Attack tree modelling is based on fault tree analysis. Fault tree analysis is applicable to analysing targeted attacks because (ISO 2009, 50-51):

 It is a scenario analysis type of assessment of which the outcome is known.

 It affords a disciplined approach which is highly systematic, but at the same time sufficiently flexible to allow analysis of a variety of factors, including human interactions and physical phenomena.

 The application of the "top-down" approach, implicit in the technique, focuses attention on those effects of failure which are directly related to the top event. The top event is determined: execution of a fraudulent transaction.


 The pictorial representation leads to an easy understanding of the system behaviour and the factors included.

 Logic analysis of the fault trees and the identification of cut sets is useful in identifying simple failure pathways in a very complex system where particular combinations of events which lead to the top event could be overlooked.

In order to assess the risk of targeted cyber attacks it is imperative to know which steps are performed by the attacker.

An attack tree model analysis is made for two divergent types of documented cases of targeted attacks aiming at executing a fraudulent financial transaction. Subparagraph 3.5.3 covers APT-style attacks using malware, typically requiring many different steps to reach the end goal. In subparagraph 3.5.4 an attack using solely persuasion of an end user is analysed, which requires fewer steps.

3.5.3 APTs using malware

Two examples of similar documented APTs using malware are described: Carbanak and the Swift hacks.

3.5.3.1 Carbanak

The Carbanak APT is the term used among cyber security organizations for the recent attacks on banks and financial institutions, which may have caused financial damage of up to $1 billion in two years. Kaspersky Lab mentions in their report that of the 100 banking organizations that were impacted at that moment, ".. at least half suffered (significant) financial losses" (Kaspersky 2015, 4). The term Carbanak is a combination of 'Carberp', banking malware which has been around for a few years, and 'Anunak', which is the name the attackers themselves gave the new incarnation of this malware (Bluecoat 2015).

Kaspersky Lab reports that all the cases started with spear phishing attacks utilizing exploited


After obtaining control over the compromised machine, the cybercriminals used it as an entry point; they probed the bank's intranet and infected other PCs to find out which of them could be used to access critical financial systems. Once the attackers had access to the critical systems in the victim's infrastructure they modified or installed additional software. The criminals spied on and studied the financial tools used by the banks, using key loggers and stealth screenshot capabilities. The main internal targets were the money processing services. These services were then abused by impersonating legitimate local users, allowing the attackers to perform the privileged actions of bank employees. Figure 6 visualizes the way Carbanak works.

Figure 6: How Carbanak works (Kaspersky 2015)

The hackers withdrew funds using different methods, choosing the most convenient method on a case-by-case basis: online-banking services, electronic payment systems (such as SWIFT), or cash collected from false bank accounts by 'money mules' or dispensed by an ATM on a remote command.

Both Fox-IT and Kaspersky Lab emphasize the fact that the Anunak or Carbanak developments “ .. mark a new step in cybercrime ..” (Fox-IT 2015) because of the attack methods which are similar to those used in sophisticated cyber-espionage APTs. “As such, they represent a new and disturbing trend in the cybercrime market of increasing attack sophistication” (Kaspersky 2015).


delivery/installation/execution of malware, unauthorized outgoing network traffic and remote access tool traffic. It started, however, with a human end user falling for the phishing mail.

3.5.3.2 Swift hacks

More recent targeted attacks on banks specifically aim at sending fraudulent financial transactions via Swift. "SWIFT is used by more than 11,000 banks globally to process 25 million communications daily that collectively account for billions of dollars' worth of transfers" (Bank info security 2016).

Symantec has found evidence that attacks are mounted on SWIFT users, “using malware to hide customers’ own records of SWIFT messages relating to fraudulent transactions. The tools used are designed to monitor customers’ local message logs for keywords relating to certain transactions. They will then move these logs out of customers’ local SWIFT software environment”. There is no indication that the SWIFT network was itself compromised (Symantec, Odinaff, 2016).

Table 3 shows some documented cases of this type of attack (Bloomberg 2016).

When             What                            Where
January 2015     $12 million stolen              Ecuador
December 2015    $1 million attempt, retained    Vietnam
February 2016    $81 million stolen              Bangladesh
December 2016    $4 million stolen               Turkey (Reuters 2016)

Table 3: Swift hacks

As shown in paragraph 2.2 the infrastructure that processes financial instructions in order to be sent to Swift is typically within control of the banking organization itself.


installer was downloaded from the official website, which has been targeted repeatedly in recent times to spread a number of different malware families" (Symantec, Odinaff, 2016).

As with Carbanak, malware is installed on a computer within the internal banking environment by an internal end user opening an infected file received via email or the internet. The malware provides remote access for the attacker, who monitors behaviour on the system to gather information for the attack, including the user credentials of an internal Swift user. In order to circumvent the so-called '4-eyes principle', a control that requires at least two different user accounts for a transaction to be executed, the attacker harvests the credentials of multiple Swift user accounts. The intercepted credentials are then used to send a fraudulent financial transaction to the Swift interface, through the remote access to the compromised internal system. Furthermore, the malware hides the fraudulent messages by modifying the audit trail in the database and altering the display of sent messages.

3.5.3.3 Analysis of APT-style attack

A diagram to illustrate the vulnerabilities per step in APT-attacks using malware (like Carbanak and the Swift hacks) is shown in figure 7 on the next page. The steps in blue colour are dependent on a human actor. See Appendix B for details about the steps and the identified prerequisites/


Figure 7: Attack tree Swift- type APT using malware; the blue conditions are depending on human actions; see Appendix B


According to the threat model of an APT-style attack, both technical and human behavioural vulnerabilities are needed for a targeted attack to succeed. To prevent a successful attack, measures need to be taken. Since human vulnerabilities cannot be fixed completely, technical measures must be in place as well.

Observable is the fact that prerequisite 4 (the possibility to use compromised user credentials) ultimately determines the success of an attack, independent of which path was taken. The intercepted user credentials can only be used to access the crown jewels if the password has not been changed since interception and strong authentication is not implemented. Note that strong authentication at login only closes this prerequisite if it is also enforced for the transaction itself: since the attacker has remote control over the compromised workstation (paragraph 3.3.6), he can otherwise act within a session that the legitimate user has already authenticated.

3.5.4 Business Email compromise

"Another scheme that has become more prevalent among criminals is the business email compromise (BEC) scam, whereby the financial department of a company is convinced to carry out a transaction in favour of the attacker. These BEC attacks do not involve malware and do not tamper with the online banking service, but instead rely solely on social engineering" (Symantec, Financial threats, 2016).

CEO fraud is an e-mail scam in which the attacker spoofs a message from the boss and tricks someone at the organization into wiring funds to the fraudsters (Krebs 2016). It is a type of Business Email Compromise in which the attacker needs information about the target (reconnaissance) and a pretext to convince the target. In CEO fraud an email is sent to convince staff that a senior executive urgently requires a financial transaction. The tendency to obey and time pressure are the human vulnerabilities that are exploited here.

Banks are also amongst the victims of such scams. A Belgian bank lost approximately € 70 million due to such a scam (De Standaard 2016). CEO fraud differs from the typical APT in that no malware is delivered; 'command and control' is achieved simply by asking an internal actor.


3.5.4.1 Analysis of BEC-style attack

A diagram to illustrate the vulnerabilities per step in a BEC attack, CEO fraud, is shown in figure 8. The steps in blue colour are dependent on a human actor. See Appendix C for details about the steps.

Figure 8: Attack tree CEO-fraud; the blue conditions are depending on human actions; see Appendix C for details about the steps

For the BEC attack the technical 'vulnerability' consists merely of an employee being able to receive an email. The delivery could equally have happened by a phone call or by speaking to the attacker in person. This explains why BEC attacks can be successful: they circumvent technical security measures by taking advantage of the authorisation of the employee, who is trusted within the internal


The only limitations for BEC to be successful, besides manipulating the behaviour of the human target, are the information that is available about the human target to create a pretext and the authorization level of that target.
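The delivery of a weaponized attachment (paragraph 3.3.3) and the spoofed instruction of CEO fraud both arrive as an email to an employee, so a first-line check at the mail gateway can target both. The following Python script is an added example, not part of the thesis: it flags executable or macro-enabled attachments, an executive's display name on a non-corporate address, a diverging Reply-To header, a lookalike sender domain and urgency language in the body. The executive list, the domain bank.example and both messages are constructed for this example; the similarity threshold used for lookalike domains is a crude heuristic.

```python
"""Added example, not part of the thesis: first-line triage of an inbound e-mail
for the two delivery techniques discussed, a weaponized attachment and a
CEO-fraud instruction.  Domain, executive list and both messages are constructed."""
import difflib
from email import message_from_string
from email.utils import parseaddr

CORPORATE_DOMAIN = "bank.example"
# Display names of executives and their real addresses (constructed).
EXECUTIVES = {"j. de groot": "j.degroot@bank.example"}
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".jar", ".hta", ".docm", ".xlsm"}
URGENCY_WORDS = ("urgent", "immediately", "confidential", "today", "asap")


def lookalike(domain):
    """A domain that is not ours but closely resembles it, e.g. bnak.example.
    The 0.8 similarity threshold is a crude heuristic, not a standard."""
    if domain == CORPORATE_DOMAIN:
        return False
    return difflib.SequenceMatcher(None, domain, CORPORATE_DOMAIN).ratio() > 0.8


def triage(raw_message):
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rsplit("@", 1)[-1].lower()
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    findings = []

    # CEO-fraud indicators in the headers.
    if name.lower() in EXECUTIVES and addr.lower() != EXECUTIVES[name.lower()]:
        findings.append("executive display name on non-corporate address " + addr)
    if reply_to and reply_to.rsplit("@", 1)[-1].lower() != from_domain:
        findings.append("Reply-To diverts replies to " + reply_to)
    if lookalike(from_domain):
        findings.append("lookalike sender domain " + from_domain)

    # Weaponized attachment and urgency language in the body.
    body = ""
    for part in msg.walk():
        filename = part.get_filename()
        if filename:
            ext = ("." + filename.rsplit(".", 1)[-1].lower()) if "." in filename else ""
            if ext in RISKY_EXTENSIONS:
                findings.append("attachment {} has an executable or macro-enabled extension".format(filename))
        elif part.get_content_type() == "text/plain":
            body += (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
    hits = [w for w in URGENCY_WORDS if w in body.lower()]
    if hits:
        findings.append("urgency language in body: " + ", ".join(hits))
    return findings


# Constructed CEO-fraud message with a disguised executable attached.
SAMPLE = """\
From: "J. de Groot" <j.degroot@bnak.example>
Reply-To: ceo.office@mail-drop.example.net
To: p.bakker@bank.example
Subject: Urgent payment
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Pieter, please transfer EUR 480,000 today to the account in the attachment.
Confidential, I am in a meeting and cannot be reached by phone.
--b1
Content-Type: application/octet-stream; name="instructions.pdf.exe"
Content-Disposition: attachment; filename="instructions.pdf.exe"
Content-Transfer-Encoding: base64

QUFBQQ==
--b1--
"""

# Constructed benign internal message.
BENIGN = """\
From: Tom Jansen <tom.jansen@bank.example>
To: p.bakker@bank.example
Subject: Lunch

Lunch at twelve?
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print("-", finding)
```

None of these checks stops a message sent from a genuinely compromised mailbox of the executive, which is why the organisational controls around the payment itself remain necessary.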

3.5.5 Risk evaluation

“Risk evaluation involves comparing estimated levels of risk with risk criteria defined when the context was established, in order to determine the significance of the level and type of risk” (ISO 2009, 16).

Because the focus of this research is on assessing susceptibility to successful targeted social engineering attacks, the analysis is predominantly aimed at risk identification and risk analysis. Risk evaluation is dependent on risk criteria that can vary between organizations.

However, the attack tree model analysis provides useable information for evaluating risk. Given the fact that human actors might fail, it is particularly important to understand what measures are left if they do.

According to the threat model of an APT-style attack, both technical and human behavioural vulnerabilities are needed for a targeted attack to succeed. To prevent a successful attack, measures need to be taken. Since human vulnerabilities cannot be fixed completely, technical measures must be in place as well. If these technical vulnerabilities are absent, the attack is bound to fail.

However, for the BEC attack the technical 'vulnerability' consists merely of an employee being able to receive an email. Measures on the mail channel, such as sender authentication (SPF, DKIM, DMARC) and the marking of external senders, can block or flag a message that spoofs the corporate domain, but not one sent from a lookalike domain or from a compromised mailbox. Other than that, there is no technical measure that prevents the attacker from achieving his goal once all human actors have failed, except applicative/administrative controls around the transaction itself (such as the limits and detection discussed in paragraph 3.2.2). This is important to take into account when evaluating this risk.
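The cut-set logic that paragraph 3.5.2 borrows from fault tree analysis, and the observations about the APT tree (figure 7) and the CEO-fraud tree (figure 8) above, can be made concrete. The following Python script is an added example and not part of the thesis; the two trees are constructed to follow the text of paragraphs 3.3 and 3.5.4 only loosely and are not copied from Appendix B or C. It computes the minimal cut sets of each tree, the conditions common to every cut set, and which conditions in a cut set are not human behaviour.

```python
"""Added example, not part of the thesis: attack-tree evaluation with minimal cut
sets.  The two trees are constructed to follow the text only loosely; they are
not copied from the thesis's figures 7 and 8 or its appendices."""
from itertools import product

# A node is either a leaf (a string naming a vulnerability or condition) or a
# tuple (operator, description, children) with operator "AND" or "OR".
APT_TREE = ("AND", "fraudulent transaction executed", [
    ("OR", "malware delivered and executed", [
        ("AND", "spear phishing", ["employee opens malicious attachment",
                                  "exploitable (unpatched or zero-day) client application"]),
        ("AND", "watering hole", ["employee visits compromised website",
                                  "exploitable (unpatched or zero-day) browser or plugin"]),
        ("AND", "removable media", ["employee inserts infected USB drive",
                                    "host executes code from removable media"]),
    ]),
    "workstation allows install and outbound C2 channel",
    ("OR", "credentials of Swift user captured", ["keylogger captures credentials",
                                                 "screen capture reveals credentials"]),
    "captured credentials still usable (password unchanged, no strong authentication)",
])

BEC_TREE = ("AND", "fraudulent transaction executed", [
    "attacker knows target and a credible pretext",
    "employee can receive an external email",
    "employee initiates the payment as instructed",
])

# Conditions that depend on human behaviour (the blue conditions in the thesis).
HUMAN_LEAVES = {
    "employee opens malicious attachment", "employee visits compromised website",
    "employee inserts infected USB drive", "attacker knows target and a credible pretext",
    "employee initiates the payment as instructed",
}


def minimise(sets):
    """Drop any cut set that is a superset of another, keeping the minimal ones."""
    result = []
    for s in sorted(set(sets), key=len):
        if not any(kept <= s for kept in result):
            result.append(s)
    return result


def cut_sets(node):
    """Minimal cut sets: each is a set of leaves that together reach the top event."""
    if isinstance(node, str):
        return [frozenset([node])]
    op, _desc, children = node
    child_sets = [cut_sets(child) for child in children]
    if op == "OR":
        combined = [cs for sets in child_sets for cs in sets]
    elif op == "AND":
        combined = [frozenset().union(*combo) for combo in product(*child_sets)]
    else:
        raise ValueError("unknown operator " + op)
    return minimise(combined)


def common_to_all(sets):
    """Leaves present in every cut set: removing one of them blocks every path."""
    return frozenset.intersection(*sets) if sets else frozenset()


def technical_controls_left(cut_set):
    """Conditions in a cut set that are not human behaviour: what remains to be
    controlled technically when every human actor fails."""
    return cut_set - HUMAN_LEAVES


def reachable(node, present):
    """Is the top event reachable given the set of conditions actually present?"""
    if isinstance(node, str):
        return node in present
    op, _desc, children = node
    results = [reachable(child, present) for child in children]
    return all(results) if op == "AND" else any(results)


if __name__ == "__main__":
    for name, tree in (("APT", APT_TREE), ("CEO fraud", BEC_TREE)):
        sets = cut_sets(tree)
        print(name, len(sets), "cut sets; common to all:", sorted(common_to_all(sets)))
        print("  non-human conditions in first cut set:", sorted(technical_controls_left(sets[0])))
```

For the APT tree the leaf for usable compromised credentials appears in every cut set, which is the observation made in paragraph 3.5.3.3; for the CEO-fraud tree there is a single cut set and the only non-human condition left in it is the employee being able to receive an email.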


3.6 Conclusion


4. Vulnerabilities of human behaviour

The human vulnerability factor is explained in this chapter, describing human-computer interaction and manipulation of behaviour. The information is based on theories of human thinking by Daniel Kahneman and of persuasion by Robert Cialdini.

4.1 Relation to risk

Internal actors can contribute to a successful targeted attack in different ways. They can function as an entry point in the malware delivery phase of an attack, or even execute the actions on objectives for the attacker themselves. They might also unwittingly provide the attacker with reconnaissance information.

Within organizations human users interact with computer systems that are part of the internal, trusted, network. These users have valid and authorized user accounts with access to data, in order to perform their job tasks. This legitimate access can be abused by a malicious actor, either by taking over the system remotely, by influencing/instructing the end user or by executing malware. Human actors can be used by the malicious actor as a vector for attack, a way to achieve the end goal. Employees with access to the payment system are of special concern because they provide direct access to the crown jewels if their user credentials or workstations get compromised.

Several studies have been conducted to assess the extent to which people are prone to attacks like phishing. They find that a significant percentage of people are susceptible to these attacks, thus posing a serious vulnerability.

Karakasiliotis et al. performed an assessment of user awareness in the form of email phishing attacks. The experiment “used a web-based survey, which presented a mix of 20 legitimate and illegitimate emails, and asked participants to classify them and explain the rationale for their decisions. This assessment shows that the 179 participants were 36% successful in identifying legitimate emails, versus 45% successful in illegitimate ones. Additionally, in many cases, the participants who identified illegitimate emails correctly could not provide convincing reasons for their selections.” (Karakasiliotis 2006, 1). The study shows that a significant number of people, more than half, are not able to recognize a phishing email.

The external web site, to which the link was pointing, was intentionally badly designed in the hope of raising the users' suspicions. They found that 23 percent of the recipients were fooled by the attack (Bakhshi, Papadaki and Furnell 2009).

More recently, the Verizon 2016 data breach investigations report shows that 12% of users fall for a phishing attack. Verizon investigated over eight million results of sanctioned phishing tests in 2015. 30% of phishing messages were opened by the target, and about 12% of recipients went on to click the malicious attachment or link and thus enabled the attack to succeed. That indicates a significant rise compared to the 2014 report in the number of people who opened the email (23% in the 2014 dataset) and a minimal increase in the number who clicked on the attachment (11% in the 2014 dataset) (Verizon 2016, 18).

These studies have found that human actors constitute a significant vulnerability for organizations.
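The open and click rates Verizon reports are exactly what an organization can measure for itself with a sanctioned phishing test. The following Python script is an added example, not part of this thesis or of any of the cited studies: it parses a constructed CSV export of such a test, computes open and click rates overall, per department and for users with payment-system access (the group singled out as a special concern in 4.1), and reports where the observed click rate exceeds an assumed risk appetite. The column layout, campaign and department names, results and thresholds are all assumptions made for the example.

```python
"""Compute phishing-simulation susceptibility metrics against a risk appetite.

All data below is constructed for this example; the campaign, user and
department names are placeholders, not results from any real test.
Each record: campaign,user,department,payment_access,opened,clicked
"""
from __future__ import annotations

import csv
import io
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample export of one sanctioned phishing test (hypothetical data).
SAMPLE_RESULTS = """\
campaign,user,department,payment_access,opened,clicked
Q1-invoice,alice,treasury,yes,1,1
Q1-invoice,bob,treasury,yes,1,0
Q1-invoice,carol,treasury,yes,0,0
Q1-invoice,dave,hr,no,1,1
Q1-invoice,erin,hr,no,1,0
Q1-invoice,frank,hr,no,0,0
Q1-invoice,grace,it,no,1,0
Q1-invoice,heidi,it,no,0,0
Q1-invoice,ivan,it,no,1,1
Q1-invoice,judy,it,no,0,0
"""


@dataclass
class GroupStats:
    """Open/click counters for one group of recipients."""
    recipients: int = 0
    opened: int = 0
    clicked: int = 0

    @property
    def open_rate(self) -> float:
        return self.opened / self.recipients if self.recipients else 0.0

    @property
    def click_rate(self) -> float:
        return self.clicked / self.recipients if self.recipients else 0.0


def parse_results(text: str) -> list[dict]:
    """Parse the CSV export of the simulation tool into typed records."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        records.append({
            "campaign": row["campaign"].strip(),
            "user": row["user"].strip(),
            "department": row["department"].strip(),
            "payment_access": row["payment_access"].strip().lower() == "yes",
            "opened": row["opened"].strip() == "1",
            "clicked": row["clicked"].strip() == "1",
        })
    return records


def aggregate(records, key):
    """Group records by key(record) and count recipients, opens and clicks."""
    stats = defaultdict(GroupStats)
    for rec in records:
        group = stats[key(rec)]
        group.recipients += 1
        group.opened += int(rec["opened"])
        group.clicked += int(rec["clicked"])
    return dict(stats)


def assess(text: str, click_appetite: float = 0.10,
           payment_click_appetite: float = 0.0) -> dict:
    """Return rates per scope plus (scope, click_rate, threshold) findings
    for every scope whose click rate exceeds the risk appetite.

    The thresholds are assumptions for this example: a general appetite of
    10% (in the range of the Verizon figures quoted above) and zero
    tolerance for users with payment-system access.
    """
    records = parse_results(text)
    overall = aggregate(records, lambda r: "all")["all"]
    by_department = aggregate(records, lambda r: r["department"])
    by_access = aggregate(records, lambda r: "payment" if r["payment_access"] else "other")
    payment = by_access.get("payment", GroupStats())

    findings = []
    if overall.click_rate > click_appetite:
        findings.append(("all recipients", overall.click_rate, click_appetite))
    for dept, s in sorted(by_department.items()):
        if s.click_rate > click_appetite:
            findings.append((f"department {dept}", s.click_rate, click_appetite))
    if payment.click_rate > payment_click_appetite:
        findings.append(("payment-access users", payment.click_rate, payment_click_appetite))

    return {"overall": overall, "by_department": by_department,
            "payment_access": payment, "findings": findings}


if __name__ == "__main__":
    result = assess(SAMPLE_RESULTS)
    o = result["overall"]
    print(f"opened {o.open_rate:.0%}, clicked {o.click_rate:.0%} of {o.recipients} recipients")
    for scope, rate, limit in result["findings"]:
        print(f"above appetite: {scope} clicked {rate:.0%} (limit {limit:.0%})")
```

Running the script prints the overall rates and every group above appetite. The stricter threshold for payment-access users follows from the observation in 4.1 that a single compromised workstation in that group gives direct access to the crown jewels, so even one click there warrants follow-up regardless of how the organization as a whole scored.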

4.2 Human-Computer Interaction

Human-computer interaction (HCI) can be described as an information processing loop consisting of two information processing units (the human being and the computer), in which the output of one is input for the other and vice versa (Nardi 1996, 105). This means that HCI can be influenced by addressing either the human or the computer processing unit, or both. Nardi distinguishes “‘skilled performance,’ implying a kind of mental ease and access to certain cognitive resources peculiar to experts who have become very good at something” from “‘novices,’ [who] on the other hand, consciously labor to perform actions that will later become automatic, requiring little conscious awareness. Their less able performance is attributable to their need to focus deliberate attention on task actions while at the same time working with fewer cognitive resources than they will have available later as they gain expertise and experience in their tasks” (Nardi 1996, 6).

Decision-making in human-computer interaction can be explained by studies on human thinking. Daniel Kahneman characterizes human thinking by describing two systems: the ‘Automatic System’ and the ‘Reflective System’ (Kahneman 2011). The Automatic System is "rapid and is or feels

But not all human decisions are rational. Kahneman also offers an explanation for human biases, based on the principles of anchoring, availability, substitution, loss aversion, framing and sunk cost. Some of those principles are particularly relevant when trying to understand human weaknesses in HCI.

Anchoring; the anchoring effect deals with the tendency to be influenced by numbers. If people are shown higher numbers before they are asked to guess a certain number, they will guess a higher value than if they were shown lower numbers.

Availability; the availability principle tells us that people tend to assign a higher probability to an event if they can easily think of examples. For instance, if the media exaggerate reporting about bomb attacks, people will estimate the chance of such an attack occurring as higher than if such attacks were not, or less, reported. Also, the easier it is to recall the consequences of something, the greater these consequences are perceived to be. In other words: if no information on phishing attacks that have occurred is communicated to staff, they will be less likely to consider a phishing email suspicious.

Substitution; the Automatic System is prone to substituting a difficult question with a simpler one. In the experiment known as ‘the Linda problem’ subjects were told about an imaginary Linda: young, single, outspoken and very bright, who, as a student, was deeply concerned with discrimination and social justice. They were asked whether it was more probable that Linda is a bank teller or that she is a bank teller and an active feminist. The overwhelming response was that ‘feminist bank teller’ was more likely than ‘bank teller’, violating the laws of probability (every feminist bank teller is a bank teller). The reason behind this bias is not yet completely understood. It might suggest a correlation with the availability principle: if people have more associations with a bank teller as not being particularly social, they tend to see the social, feminist side of Linda as the distinctive feature. In relation to HCI: people might be fooled by messages that contain legitimate features, compared to those that don’t. Then the Automatic System might override the Reflective System.

Loss aversion; this bias is about risk aversion when people evaluate an outcome comprising similar gains and losses, since people prefer avoiding losses to making gains. This principle might be of use for security awareness: if people realize that there are negative consequences for them, they will be less likely to visit, for instance, a suspicious website.

Framing; framing concerns the context in which choices are presented. People are more likely to
