Social Engineering – The Mental Game, Part I.

The first thing that all organizations need to understand is why social engineering works. In many cases organizations, security professionals, and people understand what the attacks are, phishing, physical impersonations, etc. But why does this work and why is it so successful when it is used?

In its simplest form, social engineering is an attack that focuses on the human element in the security context. The attacks attempt to gain access to data, systems, information, money, or a variety of other things. These can be executed by very simple questions of “Can I have X” or they can be very involved with months, if not years, of planning. The ultimate goal of a social engineering attack is to get information from someone without their knowledge of disclosure. The most successful attacks are those that make the victim not even realize anything had happened.

There are a few inherently human qualities that social engineers leverage as part of their attack.

First, is the human desire to be helpful. We as humans naturally want to help other people. Whether that is holding a door for someone with hands full of boxes or providing help when someone can’t accomplish a task. The next, is the inherent subconscious desire to trust other people. Most people will give other people some level of trust if they have no history not to trust the person.  And lastly, is the fear of being in trouble. Social engineers will project the idea that if whatever task they are requesting the victim to do, if not done, will result in them being in some form of trouble. This can be a loss of job or something even more sever.

Humans will always be the weakest link in the security model. This being said, it is also the fastest way to gain access to most environments.  With all of the millions of dollars that organizations spend on technical security, why would an attacker spend time banging their heads against this versus taking an easier and faster route of going through a less secure battlefront?

Social engineering attacks are the hardest form of attack any person or organization can protect against. This is because most people do not expect a direct attack against them every day. These attacks happen so very fast and in most cases are only caught after the victim realizes what just happened. Ensuring a victim know what to do in the event they suspect themselves of such, is imperative to the success of mitigation and protection. Documented policies and procedures will make this step of an attack easier and faster for both the organization and the victim.

Now, let’s begin by understanding how a social engineering attack is constructed.

These will focus on the psychology and mentality that a social engineer uses to create the depth of an attack and why they are so successful.

Persuasion, simply the ability to have someone do something without them realizing or objecting to the action. A social engineer will use two different types of persuasion during their attack. These are direct attacks and peripheral attacks.

Direct attacks are systematic and express logic or good ideas to the victim. These attacks focus all the effort at the victim making them believe they are doing something that they should be doing, something they are going to get a benefit from doing, and eliciting the exact information the attacker needs.

Peripheral attacks use mental sleight of hand to execute their attacks. These in many cases will utilize multiple attack vectors each playing a small piece of the whole attack. These are subconscious cues that the brain interjects a combination of emotion and intellect ultimately making the person perform whatever the task is.

Social engineers prey on the most inherent human feelings and emotions. The greatest being excitement, fear, uncertainty, and doubt. The attacker leverages these because the effect or response by the human mind is fairly static. In that, the response from fear of something is either to do or not do the action, based on the perception of the best outcome of the victim.

Perception is important, if the social engineering victim does not believe what they are being told, they will not successfully execute the attacker’s request. The human mind wants to find a connection with people, they also want to believe that people are good. This inherent trait can allow an attacker to create a subconscious connection to a victim allowing them to execute very successful long-term attack scenarios.

In general, a social engineering attack will take on two battlefields. The first is the human-to-human battle. This includes things like impersonating someone to gain access to a facility or contacting a help desk via the phone. These attacks focus on integrating body language, subconscious cues, micro facial movements, and much more to successfully execute the attack. The next is the technical or computer based attacks. These are the much more common types of attacks, phishing attacks, spam, website hijacking. These techniques integrate the perception and ideas that whatever the attack vector is, it appears to be normal to the victim.

Impersonation, this is a core idea of the social engineer. Pretending to be someone that should have access to the environment. This information can be gained from social media or the company’s website. But, the attacker will attempt to leverage their depth of knowledge about the person they are impersonating and attempt to gain information or access from the victim. How many of our help desk staff would deny a board member from resetting his password? Would a security officer stop a board member from entering the building if they did not have their badge?

Most may say maybe, but if the attacker has enough information about that person, their personal or professional life, perhaps looks similar to the person, would those people risk upsetting someone that could hold their livelihoods in their hands?

The successful social engineer will have knowledge about any third-party vendors. These assist greatly in the success of a proxy attack through connected networks or may allow an attacker to portray someone that is “supposed to be” onsite. Tech support is a great place for successful social engineering attacks. First, in most cases as techie as most support people are, they don’t expect to be the target of a social engineering attack. They are under the guise that they are too technical to fall victim and their cockiness can get the best of them.

In person attacks are both the most risky, but in most cases execute with a high level of success. An attacker that is going to execute an in person attack in many cases is very skilled, they are at a Professional level. These attackers have done their homework and know as much about the organization, the location, the people, and the environment as possible. They will know who and what they are representing and will do so nearly flawlessly.

Why? Because they only have one shot at a successful attack. If they are burned on site all of the planning, all of the expense of time and energy is lost. These are the hardest attacks to protect against in most organizations.

Dumpster diving is still a valid vector of gaining information. In most cases a business’ garbage is not like your home garbage, no dirty diapers, not a lot of food in the trash, but what they do throw away is paper. Sometimes there may be client information, other times perhaps memos, this information can give an attacker insight into the internal workings of an organization Shoulder surfing, how many people take their laptop to Starbucks or just sit outside in a public space? How many of them are aware of their surroundings?

It is fairly easy to walk past someone and watch their screen, it is simply timing that makes it successful.