Social Graph: The Holy Grail of Actionable Intelligence

Attackers harvest email and social networking data to construct organizational social graphs, identifying connectors whose accounts could send social engineering messages, new "clueless" employees vulnerable to manipulation, true influencers regardless of title, and how content spreads internally.

Google and Facebook aren’t the only entities looking to better understand and take advantage of people’s social graphs. Computer attackers are also in pursuit of this holy grail of actionable intelligence.

Starting a Targeted Attack

Recently-announced data breaches act as a reminder that attackers increasingly use focused, nimble tactics for achieving their goals. Targeted attacks often begin with a client-side exploit through the victim’s browser. The next step involves internal reconnaissance to understand how the attacker can expand his scope of influence. A powerful way of accomplishing this is to harvest the data in the victim’s email inbox and archives.

Deriving the Social Graph

The goal of email harvesting to not only locate sensitive information, such as passwords, which may be present in the messages, but also to construct the organization’s social graph. Headers and contents of email messages offer a powerful way of identifying employees’ roles and relationships.

Another way to construct the social graph is to explore victims’ social networking accounts on sites such as LinkedIn and Facebook. Malware such as Koobface relies on such websites for propagation. Malicious software could similarly be used to capture the social graph and report it to the attacker for data mining and follow-up.

Why Attackers Care About the Social Graph

Determining the social graph of the compromised organization helps the attacker to:

Identify people who are connectors: These individuals have ties with numerous people in the organization. Their accounts could be used as a source of social engineering messages.
Enumerate “clueless” employees: Individuals who are new to the organization, or those who ask a lot of questions might be good subjects for social engineering attacks.
Spot the true influencers, regardless of their official titles: Compromising these individuals’ accounts and data might provide the attacker with valuable information even before it spreads within the organization.
Determine how content spreads within the organization: Understanding the data flow can help the attacker in determining how to inject false data or where to capture valuable information.
Map external dependencies of the victim’s business: For instance, understanding the organization’s supply chain could help the attacker identify additional targets outside of the compromised enterprise.

The battle for understanding the organization’s social graph is heating up. Sadly, attackers may be in a better position to understand the relationships between people within the enterprise than some of the legitimate companies.

About the Author

Lenny Zeltser is a cybersecurity leader with deep technical roots and product management experience. He created REMnux, an open-source malware analysis toolkit, and the reverse-engineering course at SANS Institute. As CISO at Axonius, he leads the security and IT program, focusing on trust and growth. He writes this blog to think out loud and share resources with the community.

Learn more →