Friday, November 19, 2010

Faux-Targeted Attacks and the Magic of Cold Reading

http://blog.zeltser.com/post/1609709966/faux-targeted-attacks

Mass-scale computer attacks are sometimes mistaken for campaigns that target the concerned organization, causing unnecessary stress and expenses. The reason for the confusion is similar to the reason why a fortune teller seems to know so much about the customer whom he just met for the first time.

[...]

People are more aware of targeted computer attacks now than a year ago. This is, in part, the result of the publicity associated with the term Advanced Persistent Threat (APT), which highlighted the existence and success of a particular category of targeted attacks.

Targeted computer attacks are scary. It’s very difficult to resist targeted threats. Moreover, they feel very personal: targeted attack scenarios pierce the shield of emotional detachment that security professionals develop after being exposed to numerous security incidents.

[...]

Fortune tellers practice the magic of cold reading, whereby they seem to know the person’s history, worries and weaknesses by merely looking at him. They often accomplish this by making generalized statements that are true for most people, with the expectation that the subject will find a way to make the statement apply to himself.

This approach to cold reading relies on the Forer effect, which refers to people’s tendency to accept vague “personality descriptions as uniquely applicable to themselves without realizing that the same description could be applied to just about anyone.”

[...]

Computer attackers use a similar approach when crafting social-engineering messages, making them feel personally relevant to victims. A related phenomenon is people’s tendency to see patterns where none were intended; this is called illusory pattern perception.

Taken together, these psychological factors provide an explanation for why individuals believe they might be victims of targeted attacks, even when they are actually dealing with generic mass-scale incidents.

If you believe your organization is dealing with a targeted attack, you’re right to worry. But keep in mind that some attacks that feel targeted aren’t. Consider all perspectives on the incident before making the diagnosis.
