Institute for Human & Machine Cognition, Pensacola, FL
Over the summer, I worked under the supervision of lead associate researcher Larry Bunch on a big research project with multiple groups—SUNY Albany, UNCC, and IHMC. The project, titled “Crafting ‘counter attack’ strategies for social engineering defense,” is the end point of the research that the different groups are working on. The other groups are working on building a Natural Language Processing (NLP) model to decipher the content of an online interaction between two people. This is then used to distinguish whether an interaction is safe for both parties involved or whether one party is using social engineering techniques to exploit the other party. The former is usually a victim in this sort of interaction, while the latter is an attacker who for the most part disguises their identity.
Once an interaction is flagged as an exploitative attempt to steal sensitive user information, the NLP model, using artificial intelligence techniques, will deduce what an attacker is specifically asking for, which for the most part comes down to monetary gain or sensitive information that they are not authorized to have. My project involved building pieces of software that would look like and serve what an attacker is asking for, but at the same time probe into the attacker’s system to get as much information as possible on the identity of the attacker. The end goal of the research is to have the NLP model work in disguise and interact with an attacker as though it is the victim. In this manner, a potential victim would be removed from the otherwise unsafe interaction with an attacker, and we at the same time would get to know the identity of the attacker. The data gathered on attackers would then be used to improve cyber security measures aimed at preventing social engineering attacks.
With the increased prevalence of social engineering attacks, cyber security experts always try to come up with ways to counter such activities. There are various ways of counteracting exploitative interaction on the internet. One such way is blocking attackers on a network. Our group, however, decided to counteract social engineering attacks by engaging attackers in long, multi-phased interactions. As such, we are walking a fine line between what is ethical and unethical. In the most basic sense, we write software that does not modify the computer state of an attacker. The whole point is to go unnoticed. However, getting to know an attacker usually involves unauthorized execution of scripts on a host machine. And as such, we are able to access private information that we should not be accessing, an ethical tradeoff that we think is worth it in the end.
Besides learning about the fine line between ethical and unethical hacking, I learned a lot of skills in the field of cybersecurity. The first lesson emphasizes the fact that humans are the weakest link in cybersecurity. Computer security experts have universally accepted the fact that vulnerabilities will always be present in computer systems, and as such skilled individuals will always find ways to find such loopholes. However, through defense by attacking, as organizations hire white hat hackers to penetrate their systems, critical vulnerabilities are usually discovered and patched quickly. So, the bad guys are rarely in the lead for discovering vulnerabilities in systems. This is where social engineering comes into play; it is quite easy to use deception on humans, and this proves to be much more effective than merely studying a system to find vulnerabilities. Therefore, it becomes the responsibility of cybersecurity experts to make sure that the general public is aware of how they may easily be compromised.
There are various case studies of social engineering that I had to consider in my project. A very good example is spear-phishing. In this case, an attacker will pose as a known, trusted individual and ask for sensitive information from an individual working at an organization. That sensitive information may simply be login information for one of the computers at the organization. Simple login information for one computer in a system grants attackers hefty unauthorized access. I made programs that deliver alternative (sometimes useless) login information to such attackers; when executed, they display the login information but also run a background process to retrieve information on the identity of the attacker.
Although there’s not a lot we can learn about the personal lives of phishers and online scammers, we can at least learn about their online presence and systems. This is the basis for construing an attacker’s identity. The embedded programs we wrote give us a quite accurate picture of a machine’s online activity. We get the basic information of location, IP address, and sometimes names of attackers. In addition to that, we get all the registered user accounts, installed programs, browser history, and IP addresses of all connected machines. In the future, this information will be fed to a program to screen out attackers from scamming and phishing people online.
I appreciated the challenge I was given this summer to write for different platforms and learn the ins and outs of cybersecurity. It was an opportunity to develop something that will have a significant contribution to better internet interactions. I hope in the near future I will be doing something related to this internship experience. Thank you.