Tuesday, October 18, 2011

A study in social engineering

I've been reading a series of blogs recently from a website dedicated to "hacking the human."  I firmly believe that we must understand offensive tactics in order to mount an effective defense, whether in sporting events or in cyber intelligence.  These blogs are written by Robin Dreeke, a former US Marine Corps Officer and expert on behavioral analysis.  In them, he walks through a rather lengthy scenario setting up a social engineering attack against a sales rep for a well-known defense contractor, on his way to make a pitch. 

The most eye-opening thing is, at the end of the exercise, the attacker has gained every bit of information he set out to obtain, and the salesman is completely unaware that he has divulged sensitive information.


Among the tactics described are:

  • Giving gifts - not major gifts, but little things, such as hand sanitizer, a compliment, gum.  Human nature is to want to repay a kindness; the social engineer creates a desire in the mark to reciprocate.
     
  • Non-threatening behavior - the social engineer goes out of his way to appear non-threatening, in attire, in personality, and in facial expressions.  He guides conversation to stay mostly on benign topics, so as to not arouse suspicion.  After gleaning a piece of information, he quickly steers conversation back to an unrelated topic.
     
  • Creating connections - real or manufactured.  The attacker may learn about the mark's background (or more likely, has done some homework in advance), and then claim to have a similar background.  He may "discover" that he is staying at the same hotel or attending the same conference.  He searches for common ground on which to build an apparent connection between himself and the victim.
     
  • Intentional misstatements - the attacker may make intentionally wrong guesses about the victim's job, salary, to whom he is making a presentation, or which software his company uses.  For many people, the natural inclination is to correct such a statement, thereby revealing sensitive information.  The attacker may say "I heard you are bringing such and such to market next month" to which the reflexive reply might be "no, actually we are doing this."

    I personally experienced this at a recent conference.  A sales leader started talking about a conference call she had had with a manager from my company, on a topic I was familiar with, but could not recall the person's name.  I had to catch myself before instinctively naming off a few possible names and divulging key decision-makers.
     
  • Stacking - using multiple tactics to piece together information.  In the blog example, the attacker talkes with the victim about his family, birthday gift ideas, how long he had been married, etc., and is able to piece together very  specific personally identifying information such as birthdate and wedding date -- items that could potentially be used in identity theft.

I write this because, to many of us, social engineering is an abstract thing.  We read about SE being used to spread malware (poisoning search results for major events, impersonating a friend to defraud us), but we forget that the first goal of a social engineer is to get our guard down.  They will stay as far away from their actual objective as possible, and instead build an apparent relationship upon which to elicit information.  And when they are done, we may not realize how much we have divulged.


Take a look at these blogs to follow the scenario through three episodes - you may have your eyes opened.


October 2014 update:

When I originally wrote this, Social-Engineer was the only major blog dedicated to the topic. Since then, a second informative blog has come onto the scene, run by security training and certification organization SANS. Both of the below are excellent resources for learning the tactics scammers like to use, and the steps we can take to defend ourselves. Securing the Human tends to be a bit more through the lens of businesses, while Social-Engineer tends to focus a bit more on techniques, but both are excellent sources.


One final remark: social engineering, like every other aspect of security, is not in and of itself evil. These two blogs do an excellent job of teaching tactics, and noting how they can be used in a positive sense. In many cases, the positive application is showing businesses and individuals how they may unknowingly be at risk. Social-Engineer.org's October 2014 newsletter discusses how one could pursue gainful (and legal) employment as a social engineer, contracting with organizations to test their security practices and recommend improvements.