The Social Engineer's Playbook


  The key to this tactic is to include details and greatly exaggerate the scenario. For example, if the objective is to learn about the number of cameras in the lobby, be sure to grossly exaggerate the number. Do not simply say that there are several cameras in the lobby. The goal is to get the target to correct you by stating the correct number. If someone is spouting off incorrect information, such as the number of cameras, when all the while we know the undeniable truth, it’s part of human nature to want to educate that person. It is that human behavioral characteristic that sits at the core of this tactic and is exactly what we want to tease out.

  It’s worth mentioning that if the false statements are too close to reality, the target may not feel obligated to correct you. Again, the key is to overstate with detail so that the target feels compelled to correct you with detail.

  Artificial Ignorance

  As described in the previous section, false and grandiose statements play on human behavior, triggering a reaction to correct incorrect statements. In much the same manner, humans have an intrinsic desire to teach and educate others. Social engineers use artificial ignorance, pretending to be inexperienced on a topic, to provoke the target into educating them. A useful statement might be, “I don’t know anything about motion detectors, but I’ll bet the cops are here often. I heard they go off all the time due to shadows from the trees.” The intrinsic desire to teach is especially notable where the “teacher” has an affinity toward the subject matter or works in the industry. Leveraging subject matter the target has an affinity toward increases the chances he or she will feel compelled to educate you.

  Blending elicitation tactics increases the opportunity for success. From my own personal experience, conjoining flattery tactics with artificial ignorance has proven to be very effective. The two accompany each other extremely well as elicitation strategies; for example, playing dumb about the function of motion cameras while responding to the target with flattering comments. Boosting egos tends to open people up to conversation much more easily. A chatty target is a good target. It also creates a likeness between the social engineer and the target. As we mentioned in an earlier chapter, likeness is a powerful tool for influencing others.

  The Sounding Board

  The sounding board takes advantage of the human tendency to brag or grumble about one’s feelings. An immediate kinship is transparently created when a person confides his or her feelings in another individual, even a perfect stranger. He or she will likely give up more information as a result. The key to successfully leveraging the sounding board tactic is to listen intently and patiently and to validate his or her feelings.

  A well-executed sounding board tactic is one of the most effective elicitation techniques. It is often difficult to get targets to speak at length. So, to keep the target talking, do not interject too often and allow for moments of silence. Silence is uncomfortable for most people, so they have a tendency to keep talking to avoid awkward silence.

  Social engineers frequently play on the instinct to brag or share exploitable information with complete strangers. A good social engineer can create a “safe” environment for the victim to brag or complain. One way to do this is by validating all of the target’s feelings, positive or negative. This creates a connection between the engineer and the victim. The social engineer depicting himself as a person the target will never meet again also creates a safe environment. It lessens the potential for negative judgment from the stranger and, in turn, increases the chances for additional disclosure by the target. In essence, it sends a signal that no negative sharing is off the table and opens up the floodgates.

  At the root of the sounding board tactic is being a good listener. This is easier said than done. First, the social engineer must make frequent eye contact, with body language that says, “I’m interested in what you’re saying.” Second, agree with the target’s thoughts and validate them by sharing some of your own similar experiences, or by fabricating them.

  Bracketing

  This technique is used by social engineers to elicit more precise information from a target. To accomplish this, a very high or very low approximation is given in an effort to entice the victim to respond with a more specific number. For example, if the goal is to learn the number of motion detectors in the lobby, the social engineer might say to the target, “I’d guess their security is pretty tight. I would assume they have fifteen motion detectors in their lobby.”

  From a personal angle, I make heavy use of bracketing tactics specifically when trying to learn about the physical security makeup of a building or room. Most security guards I’ve encountered rather enjoy opportunities to either complain or brag about the environments they protect. I will say that most of them have a tendency to have pride in the environments they protect. As a result, they like to talk about how secure they are. If the objective is to learn about the number of motion detectors from security guards, be sure to pump their egos a bit. However, intentionally lowball the number of motion detectors. This will likely trigger them to correct you with a glimmer of pride in their eye when they reveal there are actually ten motion detectors! Now that you’ve pumped up their ego, they are primed for other elicitation techniques.

  Confidential Baiting

  Confidential baiting involves the development of a conversation where the social engineer pretends to divulge confidential information to the victim. This is done in the hopes that the victim will reciprocate with sensitive information of their own.

  An example of confidential baiting might resemble a scenario where the social engineer says to the target, “You didn’t hear this from me…but Company XYZ’s security cameras don’t actually record anything.” Confiding sensitive information to another person usually triggers reciprocation. It is a sort of naturally occurring quid pro quo situation. Once again, the objective is for the target to reciprocate with sensitive information in return.

  When confidential baiting is used, it is important to bait the target with information as close as possible to the kind of information you are seeking.

  One important consideration to remember is that the nature of the sensitive information being divulged to the target must be similar to the nature of the information being sought from the victim. This offers the best chance the target will reciprocate with something about their company’s security cameras. Of course, the bait must be of some interest to the target for it to have any value. Selecting the right bait will come with a little research.

  No matter the objective, as social engineers we may use any opportunity to elicit information from victims: at conferences, on the street or over the phone. However, the key to an effective elicitation attempt involves a little bit of planning while being able to read and respond to the target skillfully.

  I’m going to pause for a moment to recommend additional reading material on the topic of elicitation. An author by the name of Frank Stopa wrote a book titled The Human Skills: Elicitation and Interviewing. The book does a great job covering elicitation strategies and I highly recommend some of the tactics described. According to the book’s introduction, the techniques have been used to extract valid admissions from hardened criminals and individuals in the business world as well.

  The author is a former intelligence officer with years of elicitation experience, domestic and abroad. I should also mention that the book seems to target the law enforcement industry. This is especially noted in the interviewing area of the book. However, many of the principles described can be applied toward the business world and social engineering.

  It’s Not All About Me: The Top Ten Techniques for Building Quick Rapport with Anyone, by Robin Dreeke

  Find Out Anything From Anyone, Anytime: Secrets of Calculated Questioning From a Veteran Interrogator, by James Pyle

  The Human Skills: Elicitation and Interviewing, by Frank Stopa

  Chapter 4: Pretexting

  Due to its creative element and limitless opportunities, pretexting is one of the most fascinating forms of social engineering. Many of the tactics and theories discussed in this book may be considered unethical in certain situations. For that reason, the tactics examined here should be used for ethical purposes only.

  In this chapter, we’ll examine several tactics used by social engineers to manipulate targets through the fabrication of invented scenarios known as pretexts. We’ll cover some of the most common pretexting tactics and learn through research and planning exercises.

  The following topics will be covered in this chapter:

  Research and planning

  Legal considerations

  Body language

  Expression

  As previously mentioned, social engineering is an exploitation of trust between the social engineer and the target. During live social engineering attacks, there usually isn’t much time to build trust. Part of the process to establish trust quickly is done by leveraging pretexting techniques.

  Pretexting involves fabricating invented scenarios and stories in order to persuade a target to divulge information or do something. It may sound like that’s what we’ve been discussing all along in this chapter. But pretexting, within the context of social engineering, goes far beyond flattery or pretending to be ignorant on a subject. Instead, it may involve elaborate planning, identity impersonation and even disguises. Generally speaking, all of this work is designed to quickly establish trust with the target in the hopes he or she will comply. A social engineering attack is doomed without a well-planned pretext that establishes trust with the target.

  Pretexting is used by different industries with different goals in mind. Skip tracers use pretexts to create fabricated scenarios in an attempt to locate the whereabouts of individuals. Law enforcement officers use pretexts during interrogations while trying to get suspects to confess or divulge certain information.

  Pretexting equipment: radio, fake badge, fake work order, work shirt, pinhole camera and IT tool bag

  Pretexts don’t have to be complex to be successful. One example might involve a social engineer purporting to be a copier repairperson who needs physical access into the mailroom. What is ultimately going to convince the target that he or she is there on official business comes down to three primary goals: acting the part, looking the part and believing they are the part. The latter goal is what requires the most practice.

  What is also important to know about pretexting is that there are no one-size-fits-all scenarios. As the saying goes, “There is more than one way to skin a cat.” Social engineers may leverage a handful of pretexts with which they are comfortable. However, it is imperative that he or she not become too comfortable with carrying out only a few pretexts. That kind of behavior stunts development and is counterproductive to successful pretexting.

  The foundation for all successful social engineering attempts is research. By research, I don’t mean just researching the target. That is of great importance, no doubt. I mean that a social engineer must continually invent new and innovative pretexts to stay ahead of the targets. Some security-savvy organizations train their users about social engineering topics frequently and consistently. Thus, it is crucial to push the envelope in terms of creativity and innovation.

  The following is a list of pretexting ideologies that you can leverage during testing. This is definitely not an exhaustive list, but it’s enough to communicate the spirit of what pretexting is about.

  Research & Planning

  Research should be the longest and most involved leg of the social engineering planning process. If it isn’t, you’re probably doing something wrong. Nowhere else is there a more direct correlation between success and the amount of research performed when preparing for a social engineering attempt. This point simply cannot be underscored enough.

  So far we’ve established that pretexting can be very powerful and a relatively quick way to obtain valuable information from a target. But before we can start off and begin researching, we must first consider the following:

  What is/are the objective(s)?

  What information am I after?

  What issues and questions am I trying to raise?

  What do I already know about my target(s)?

  What are the rules of engagement (RoE)?

  When performing a social engineering test for clients, the aforementioned points must be addressed and answered for each assessment. There could be more, but this list represents a decent foundation to expand upon.

  First and foremost, a social engineering attempt’s objective must be stated in a few clearly defined, short sentences.

  A sample objective might look like the following example:

  Objective: to assess the staff’s adherence to the visitor policy and efficacy of routine rogue device/bug sweeps.

  Once the objective has been defined and agreed upon, it’s important to briefly state the general approach by which the objective will be carried out. This could change during the course of the actual test, and social engineers must be prepared for it. However, the “plan A” methodology must be documented at a high level.

  In order to identify the approach, some basic information gathering is necessary. Information gathering itself, depending upon the objective, can amount to a fairly complex process. Consequently, information gathering will be covered in a later chapter. For the purposes of the planning phase exercise, let’s assume that preliminary work has been completed and that we have a high-level approach planned.

  A sample approach might look like the following example:

  Approach: access the executive boardroom via covert/overt means and plant both an audio listening device and a PlugBot network listening device.

  Once the objective and approach have been identified, the next step should involve identifying what kind of information is to be gathered. Using our example, the data we might want to gather would include audio captures of confidential board meetings. Another dataset we might want to capture is any network traffic acquired by the PlugBot device.

  So far we’ve identified our objective, planned an approach and identified the type of data that we’re after. High-level planning of this kind keeps the mission at hand focused and efficient from the start. Later phases of the social engineering process will benefit from this kind of work done early on. Progressing further in the planning phase, we are ready to begin the drafting process for a test plan.

  A tactical outline for accomplishing the objective is the next logical step in the planning process. Not only is the test plan a project work paper, but, more importantly, it also serves as an outline of the steps to be carried out by the social engineer(s). If conducting this assessment for a client, it is important to note that the action steps in the test plan must be commensurate with the estimated level of threat against the organization. In other words, the test plan should include the actions that an actual attacker might take in terms of complexity, cost, tools and approach.

  A sample test plan might look like the following example:

  TEST PLAN - TAP THE DATA CENTER

  Arrive at location during lunch

  Park vehicle hidden from lobby and other windows

  Enter the premises through the front lobby

  Engage the lobby receptionist, flash work order and request IT dept staffer for access to data center for maintenance issue

  Establish maintenance issue pretext with IT staffer and persuade him/her to grant access to data center

      Use pre-recorded phone call “last resort” to embellish urgency if IT staffer isn’t cooperating

  Obtain access to data center

  Visually scan the data center for the target computer and an ideal location for the Plug-Bot

  Remove electronics equipment from bag and stall for no longer than ten minutes

      If still escorted, ask escort to borrow a piece of equipment likely not located in the vicinity

  Install keylogger on target system

  Remove PlugBot from bag and install it
  Indicate the issue has been contained

  Exit

  Equipment list: driver’s license, utility uniform, utility tool bag, hardware keylogger, PlugBot, Ethernet cable, radio, phony ID badge, clipboard, phony work order and cell phone with *pre-recorded audio

  By now it should be evident what sort of questions we aim to address as a result of the test. Borrowing from the sample objective earlier in this chapter, the questions we aim to address might look like the following example:

  1) How well does staff observe their company’s visitor policy?

  2) Does staff challenge unknown/unescorted visitors?

  3) How effective is the company’s security awareness program?

  4) How easy is it to covertly infiltrate the premises?

  5) How effective is the organization’s rogue device-sweeping program?

  6) How trivial was it to capture audio from the boardroom?

  At the end of the social engineering test, these and other questions may be answered. Ultimately, they will provide the client with valuable information about the measured vulnerabilities within their organization.

  Legal Considerations

  Some areas of information security tend to fall into grey areas. For example, some technologists may argue that software bug hunting and the concept of full disclosure lie within the fringes of ethical behavior. I’ve even spoken with some application developers who consider application penetration testing to be disrespectful and unethical. Whatever your stance on the debate, when it comes to social engineering, one thing is true. Without rules of engagement and an agreed-upon approach, social engineering certainly has the potential to step on the big toe of ethical hacking, for example by pretending to be a police officer or damaging property. Therefore, it is absolutely imperative that social engineers establish boundaries with clients and stay well within the law.