Guest Contributor: Chiheb Chebbi
Abstract
Days ago, I bought some used books; by the way, it was a great deal indeed. While I was arranging them on the shelf I saw a book called “In-Depth Security: Proceedings of the DeepSec Conferences, Volume 2.” At that moment I remembered two important things. First, I forgot to send my paper to DeepSec to be added to the Volume 3 edition. Second, I remembered that I read an amazing article called “Social Engineering – The Most Underestimated APT: Hacking the Human Operating System” by Dominique C. Brack and I wanted to share it someday as an article. So I am taking this opportunity to share with you some useful pieces of knowledge from that amazing research.
In this article we will discover:
- Social Engineering
- Social Engineering Engagement Framework (SEEF)
- Attack vector Development (AVD)
- Cialdini’s 6 Principles of Influence
- Neuro-Linguistic Programming (NLP)
- Maslow’s hierarchy of needs (Maslow)
- Social and emotional relationship (SER) maps
- Interpersonal Distance – The concept of Space
- Target Selection
The article includes a useful Excel sheet to help you identify and manage the different intensity levels of the Social Engineering Engagement Framework.
You can download it from here: Social engineering Engagement Framework Intensity Levels
Social Engineering
By definition: “Social engineering, in the context of information security, refers to psychological manipulation of people into performing actions or divulging confidential information. A type of confidence trick for the purpose of information gathering, fraud, or system access, it differs from a traditional “con” in that it is often one of many steps in a more complex fraud scheme.
The term “social engineering” as an act of psychological manipulation of a human, is also associated with the social sciences, but its usage has caught-on among computer and information security professionals.” [Source: Wikipedia]
Social Engineering Engagement Framework (SEEF)
The Social Engineering Engagement Framework (SEEF) was developed by Dominique C. Brack and Alexander Bahram. It summarizes years of working experience in information security, especially in social engineering. The two experts collected best practices based on real-world cases to help improve social engineering as a discipline. They define social engineering as “The elicitation of information from systems, networks or human beings through methods and tools”. The Social Engineering Engagement Framework focuses on the human side.
The SEEF addresses three types of stakeholders:
- Professionals (Ps): such as chief information security officers, risk managers, freelancers, consultants
- Organizations (Os): such as information security organizations, consulting firms
- Governments (Gs): such as intelligence organizations, the military
Engagement management
Social engineering engagement management comprises three core process groups:
- Pre-engagement Process Group: contains all the requirements that must be met before performing the engagement.
- During-engagement Process Group: covers the execution of the engagement itself.
- Post-engagement Process Group (PosE phase): delivers the results of the engagement.
If you want to adopt the SEEF engagement management process, you need to include at least the following steps:
- Client Selection and acquisition
- Client and job risk assessment (scope, method, approach)
- Scoping and approach selection (method, tools and skills)
- Deliverables and approach monitoring
Governance
Social engineering has some specific requirements in terms of risk management and execution. The SEEF engagement management offers a detailed view of those processes. For some projects, you can fold the SEEF engagement management processes into your existing risk/project management framework. SEEF exists not only to protect the individual who is working on a social engineering engagement but also to protect the company that is engaging in such activities, because an SE engagement carries a great deal of risk and uncertainty. The purpose of GRC in an SE engagement is to answer questions such as: Have I applied the right tools and methods? Have I managed risk appropriately? Am I in compliance with laws and regulations? The SEEF experts propose an enhanced version of GRC called GRC++.
By definition:
“Governance, Risk and Compliance, or GRC for short, refers to a company’s coordinated strategy for managing the broad issues of corporate governance, enterprise risk management (ERM) and corporate compliance with regard to regulatory requirements.
Specifically, the three pillars of GRC are:
- Governance – The effective, ethical management of a company by its executives and managerial levels.
- Risk – The ability to effectively and cost-efficiently mitigate risks that can hinder an organization’s operations or ability to remain competitive in its market.
- Compliance – A company’s conformance with regulatory requirements for business operations, data retention and other business practices” [Source : webopedia ]
That is why they felt the need to come up with the GRC++ standard. The added “++” refers to adding what they call “intensity levels (1 to 12)” to create a risk-based view shared between the engagement parties. They also added risk gates to monitor the risk at every change, plus two further aspects: culture and ethics.
Approach selection method (ASM)
The approach selection method (ASM) consists of selecting the most suitable method to achieve your goal in an efficient and economical way, based on many metrics (time, money, skill levels, intensity level and many other parameters). For example, if you want to distribute a malicious memory stick you can place it in the employee parking lot, or drop it in the cafeteria. As you noticed, the goal is the same but the vectors are different, so you need to make sure that you are selecting the method that suits you, based on the metrics discussed before.
Attack vector Development (AVD)
By definition: “An attack vector is a path or means by which a hacker (or cracker) can gain access to a computer or network server in order to deliver a payload or malicious outcome. Attack vectors enable hackers to exploit system vulnerabilities, including the human element.” [Source: WhatIs.com]
Selecting the most efficient attack vector is a key factor in the success of a social engineering engagement. In most cases, the attack vector is developed specifically for the target, so you need to customize it. Attack vector development depends on intelligence and pre-collected data to make the attack as likely to succeed as possible. You can use a lot of information gathering techniques; for more information, take a look at my articles:
Article 1: Intelligence Gathering Methodologies: https://www.peerlyst.com/posts/how-to-perform-open-source-intelligence-osint-collection-and-analysis-part1-chiheb-chebbi
Article 2: How to perform Open-Source Intelligence (OSINT): https://www.peerlyst.com/posts/how-to-perform-open-source-intelligence-osint-chiheb-chebbi?trk=user_notification
There are a lot of social engineering attacks. Generally, they can be divided into two major categories:
- Person-based social engineering attacks
- Computer-based social engineering attacks
The following are some of the most commonly used social engineering attacks:
- Baiting: in many ways similar to phishing attacks. However, what distinguishes baiting from other types of social engineering is the promise of an item or good that attackers use to entice victims.
- Impersonation: the act of pretending to be another person for the purpose of entertainment or fraud.
- Tailgating: in a common type of tailgating attack, a person impersonates a delivery driver and waits outside a building. When an employee gains security’s approval and opens the door,
- Dumpster diving: searching through the trash for obvious treasures such as access codes or passwords written down on sticky notes.
- Phishing: phishing scams are probably the most common type of social engineering attack used today.
- Shoulder surfing: the practice of spying on the user of a cash-dispensing machine or other electronic device in order to obtain their personal identification number, password, etc.
Cialdini’s 6 Principles of Influence:
Cialdini’s 6 principles of influence were developed by Dr. Robert Cialdini. These principles can be exploited while performing the engagement. The principles are:
- Reciprocity: we pay back what we received from others.
- Commitment & Consistency: We tend to stick with whatever we’ve already chosen.
- Social Proof : We tend to have more trust in things that are popular or endorsed by people that we trust.
- Liking: We are more likely to comply with requests made by people we like.
- Authority: We follow people who look like they know what they’re doing.
- Scarcity: We are always drawn to things that are exclusive and hard to come by.
For more information, I recommend reading “Influence: The Psychology of Persuasion” by Robert Cialdini.
Neuro-Linguistic Programming (NLP)
Neuro-linguistic programming (NLP) is an approach to communication, personal development, and psychotherapy created by Richard Bandler and John Grinder in California, United States, in the 1970s. NLP can be used while performing the social engineering engagement, especially during the attack vector selection phase. It can be used to observe and mirror the target along three major aspects:
- Posture
- Physiology
- Speech pattern
Maslow’s hierarchy of needs (Maslow)
Everyone knows Maslow’s hierarchy of needs. It is heavily used in the framework, since attack vectors can be based on it. With a fair understanding of a target’s needs, attackers can exploit them to perform social engineering attacks.
Social and emotional relationship (SER) maps
Social and emotional relationship mapping is a great way to highlight a target’s (a person’s or an organization’s) social and emotional relationships. The highlighting can be done with a graphical representation. Once you have the required information, you can use it to determine many attributes such as emotionally loaded areas, strongly developed areas, weak or underdeveloped areas, and so on. All of this information can be useful in attack vector development. The following graph illustrates an example of a social and emotional relationship map:
Interpersonal Distance – The concept of Space
The concept of distance plays a huge role in a social engineering engagement. Space and distance are core components of every social engineering attack, and attack vector development depends heavily on the concept of space and mapping. According to the research, people react to other people or to their surroundings depending on the distance between them. In other words, trust, for example, depends on the distance between two people: if you want someone to trust you, don’t get too close to them. Space can be presented as the following zones:
- Intimate space
- Personal space
- Reaction zone
- Social zone
- Public space
In order for your social engineering to succeed, you need to follow these guidelines based on the zones of approach:
When you interact with a target try to use the Observe, Mirror, Adopt Model (OMA model).
Target Selection
Selecting the target is a crucial process. Target selection can be done by collecting information, using communication skills, from a wide variety of sources such as transport, coffee shops, public places, conferences, public offices and so on. During target selection, you will try to find out your target’s movements and activities, or its preferred airline if the target is an organization.
Recommended readings:
To learn more about social engineering, I highly recommend the following books and resources:
- The Art of Deception by Kevin Mitnick and William L. Simon
- The Art of Intrusion by Kevin Mitnick
- Social Engineering: The Art of Human Hacking by Christopher Hadnagy
Summary
In this article, we learned the fundamentals of social engineering from a new perspective; I tried to give a new insight that avoids the casual social engineering tutorials and articles, based on the DeepSec 2017 paper of Dominique C. Brack. The article was a walk-through intended to take the reader through a learning experience in which they discover the steps required to perform efficient social engineering attacks, based on research, long years of experience and observation, and daily defence against social engineering attacks.
References
[1] SEEF definition of social engineering: “The elicitation of information from systems, networks or human beings through methods and tools”: https://seef.reputelligence.com/
[2] What Is Governance, Risk, and Compliance (GRC)?: https://www.webopedia.com/TERM/G/grc-governance-risk-compliance.html
[3] What is attack vector? – Definition from WhatIs.com: http://searchsecurity.techtarget.com/definition/attack-vector
[4] Dr. Robert Cialdini’s 6 Principles of Persuasion (Over 60+ Examples Inside!): https://www.referralcandy.com/blog/persuasion-marketing-examples/
[5] 5 Social Engineering Attacks to Watch Out For: https://www.tripwire.com/state-of-security/security-awareness/5-social-engineering-attacks-to-watch-out-for/
[6] Neuro-linguistic programming (NLP): https://en.wikipedia.org/wiki/Neuro-linguistic_programming
[7] SEEF Framework Intensity Levels (English)
This article was originally posted on Peerlyst.