Social Graph: The Holy Grail of Actionable Intelligence

Google and Facebook aren’t the only entities looking to better understand and take advantage of people’s social graphs. Computer attackers are also in pursuit of this holy grail of actionable intelligence.

Starting a Targeted Attack

Recently-announced data breaches act as a reminder that attackers increasingly use focused, nimble tactics for achieving their goals. Targeted attacks often begin with a client-side exploit through the victim’s browser. The next step involves internal reconnaissance to understand how the attacker can expand his scope of influence. A powerful way of accomplishing this is to harvest the data in the victim’s email inbox and archives.

Deriving the Social Graph

The goal of email harvesting to not only locate sensitive information, such as passwords, which may be present in the messages, but also to construct the organization’s social graph. Headers and contents of email messages offer a powerful way of identifying employees’ roles and relationships.

Another way to construct the social graph is to explore victims’ social networking accounts on sites such as LinkedIn and Facebook. Malware such as Koobface relies on such websites for propagation. Malicious software could similarly be used to capture the social graph and report it to the attacker for data mining and follow-up.

Why Attackers Care About the Social Graph

Determining the social graph of the compromised organization helps the attacker to:

  • Identify people who are connectors: These individuals have ties with numerous people in the organization. Their accounts could be used as a source of social engineering messages.
  • Enumerate “clueless” employees: Individuals who are new to the organization, or those who ask a lot of questions might be good subjects for social engineering attacks.
  • Spot the true influencers, regardless of their official titles: Compromising these individuals’ accounts and data might provide the attacker with valuable information even before it spreads within the organization.
  • Determine how content spreads within the organization: Understanding the data flow can help the attacker in determining how to inject false data or where to capture valuable information.
  • Map external dependencies of the victim’s business: For instance, understanding the organization’s supply chain could help the attacker identify additional targets outside of the compromised enterprise.

The battle for understanding the organization’s social graph is heating up. Sadly, attackers may be in a better position to understand the relationships between people within the enterprise than some of the legitimate companies.

Lenny Zeltser


About the Author

I transform ideas into successful outcomes, building on my 25 years of experience in cybersecurity. As the CISO at Axonius, I lead the security program to earn customers' trust. I'm also a Faculty Fellow at SANS Institute, where I author and deliver training for incident responders. The diversity of cybersecurity roles I've held over the years and the accumulated expertise, allow me to create practical solutions that drive business growth.

Learn more