Cyber adversaries have increasingly leveraged social engineering attacks to
breach large organizations and threaten the well-being of today's online users.
One clever technique, the "watering hole" attack, compromises a legitimate
website to execute drive-by download attacks by redirecting users to another
malicious domain. We introduce a game-theoretic model that captures the salient
aspects for an organization protecting itself from a watering hole attack by
altering the environment information in web traffic so as to deceive the
attackers. Our main contributions are (1) a novel Social Engineering Deception
(SED) game model that features a continuous action set for the attacker, (2) an
in-depth analysis of the SED model to identify computationally feasible
real-world cases, and (3) the CyberTWEAK algorithm which solves for the optimal
protection policy. To illustrate the potential use of our framework, we built a
browser extension based on our algorithms which is now publicly available
online. The CyberTWEAK extension will be vital to the continued development and
deployment of countermeasures for social engineering.

Comment: IAAI-20, AICS-2020 Worksho