Human Nature
We are funny creatures, we humans. We have put men on the moon and nearly wiped out polio on the face of the earth, but when faced with the elevator not coming as fast as we like, we press the button over and over thinking it might speed things up a bit. If I am waiting at the elevator with you, I have already made several assumptions about you and your need to get where you're going as quickly as possible. First impressions are very important in social engineering. You have approximately 8 seconds before people will have a solid impression of who you are, and it is difficult to overcome a first impression.
Social engineering is practiced every day by everyone in every walk of life. If you have ever had a job interview, you attempted to social engineer the interviewer into giving you the job. If you have ever had a first date, you were attempting to make someone like you enough to go on a second one. Social engineering is when person A attempts to manipulate person B into doing what person A wants person B to do. It doesn't have to be malicious or evil. It could simply be a marketing company trying to sell you a car you don't really need. It could be a political candidate campaigning for your vote or a magazine telling you what you should wear. Social engineering is using influence by whatever means necessary to get what you want. It could be a vote, a sale, a vacation, or your administrative credentials.
In cybersecurity, this is done through any type of social interaction, whether in person, over the phone, or over the Internet. The absolute best defense is training and education. If you can recognize that someone is attempting to influence you, you become hyperaware of the attempt. If you look at the results of the DEFCON Social Engineering Capture the Flag (CTF), it is obvious that the winners employ the “6 Principles of Persuasion” laid out by Professor Robert Cialdini. His research into what he believes to be the science behind getting people to say “yes” identifies six fundamentals that guide human behavior:
- Reciprocity
- Scarcity
- Authority
- Consistency
- Liking
- Consensus
Reciprocity is an exchange for mutual benefit. You scratch my back, and I will scratch yours. You may have heard this in Latin as quid pro quo. In IT social engineering, I have seen this as a simple, “Please click this link and fill out this survey for a $5 gift card.” As a pen testing campaign against an organization, it works extremely well unless your end users are aware of attacks like these. If you are the one creating the attack, be the first to make an offer and make sure it is meaningful.
A used car lot is the epitome of social engineering. “Someone was here an hour ago, and they really want this car.” Scarcity creates a sense of urgency. People want more of the things they cannot have. With any type of social engineering, the timing is key, but especially with scarcity. I have seen this used in password reset emails. What do people stand to lose if they do not do as you ask? They lose access to their files, they can't do their job; now they can't pay the rent, and they're homeless. A little extreme, but it does create a sense of urgency.
A few years ago, I was an adjunct instructor teaching a computer class for a nursing school. The chancellor had asked all the professors to wear a white doctor's coat, even if we were not teaching medical classes. At the time, I thought it was a little odd until I went to pick up a prescription for my daughter. Even the pharmacist assumed I was in a position of authority and had me come to the head of the line. Then it clicked. The students had been conditioned to recognize the doctor's coat to be the authority figure. If someone wears a uniform, people will naturally follow the lead of that person. It is important to signal to others what makes you a credible, knowledgeable authority before you try to influence them.
Greg Foss, senior researcher at Carbon Black, told me of a time that he was conducting a penetration test and consistency was the theme of his experiment. He had created a Google phone number, created a voicemail mailbox message, and called his target at a time when he knew the target was not going to be around. He left a message to have that person call him back because he needed to help the individual with a problem that person was having. They played telephone tag a few times, which built a foundation of trust and consistency with the target.
There are three major components to the principle of liking. We like people who are like us; we naturally gravitate to them. We like people who pay us compliments, and we like people who have the same goals as we do. We like them even more if they are willing to help us get to our goal. One of the fun things to try to do with social engineering is to have someone form a goal of his or her own volition that we have actually orchestrated. The very first thing you should do in a job interview is find some commonality with the interviewer, and in your mindset, the interviewer is a friend, not an adversary. Now the goal for that person is to woo you to the organization, and you are now interviewing that person.
One of the best tools we have in social engineering is to smile. Smiling has been shown to be a psychological signal of altruism. Altruism is the concept that you want to help others because of a concern for their happiness, not your own. Smiling even makes you look younger, giving you a mini facelift because it lifts your cheeks, jowls, and neck. Every time you smile, dopamine, endorphins, and serotonin throw a little party in your brain. For most people, smiles are contagious, so they respond to a smile with a smile of their own, having their own little brain party, making you seem likable and competent. Try it. The next time you have to deal with a difficult person, make eye contact and smile.
As for consensus, marketers and politicians do this all the time. Ninety percent of dentists recommend this toothpaste. If you're a good and intelligent person like us, you will vote this way. When individuals don't have a strong opinion, they can be easily swayed and follow others. In cybersecurity, it can be dangerous for people to trust but not verify.
“Trust, but verify” is an old Russian proverb. The phrase became popular during the late 1980s when U.S. President Ronald Reagan was negotiating nuclear disarmament with the Soviet Union's General Secretary Mikhail Gorbachev. I believe it fits the mindset of a cybersecurity professional. When an outcome matters more than a relationship, you have to trust, but verify. In IT, safety and security are of utmost importance with outcome-critical parameters. If a relationship matters more than an outcome, then this philosophy doesn't fit as well.
To add to Professor Cialdini's six principles of persuasion, when you are crafting a social engineering campaign, there are six human truths I have learned over the past 20 years. These have helped me social engineer both professionally and personally.
- Most people want to be helpful.
- Humans want instant gratification.
- Never use the words “obviously” and “but.”
- The brain wants ease and order and dislikes change.
- Most people, including my students, have a limited attention span.
- Humans respond to beauty and emotion.
Men have dominated my cybersecurity classes over the past 20 years. I have not kept up with the numbers, but in my personal experience, I'm lucky to have one female in up to 20 men in a technical class. Men dominate the ranks of developers, administrators, researchers, and hackers. Chris Hadnagy of Social-Engineer.org, one of my favorite authors, says, “Unfortunately, there is a chauvinist consensus that females don't get security. The truth is, as social engineers, women do better. We've seen hacktivists like Anonymous and LulzSec use females as part of their attacks.”
David Kennedy, founder of TrustedSec and DerbyCon, says because of this attitude in our culture, women aren't thought to be technical or disingenuous. He also says it is helpful to have a Southern accent. A Southern accent is synonymous with warmth and hospitality, whereas a New York accent can be fast and harsh. It is my goal one day to participate in the Social Engineering CTF in Vegas. As a technically adequate female who was born and raised in Louisiana, I feel that I have a bit of an advantage, especially if I ask for help. I have had the doors held for me in a secure location because I had my arms full of books, ignoring the RFID badge reader and the mantrap.
Humans want instant gratification. We are hardwired to want what we want without any delay or denial. It's evolutionary. Humans survive when they take the smaller reward but skip the bigger yet delayed reward. If you have children, experiment with them. They can have this one marshmallow now, but if they can wait 5 minutes, they can have two. Mine never wait for two.
I met Deidre Diamond about a year ago when she gave the keynote at EC-Council's Hacker Halted conference in Atlanta. In her keynote, she said we have to choose our words with care. There was a list of several words you ought not to use, but the two that burned into my brain are “obviously” and “but.” Try using “obviously” in a sentence without sounding condescending. If you are attempting a role that is arrogant or patronizing, by all means it might work for you. She also suggested using “and” instead of “but.” No one hears anything past “but.” “I love this idea, but can we do this instead?” That sentence sounds a lot different from “I love this idea, and what do you think about this instead?” “But” will start an argument or stop the conversation. “And” will engage.
The brain wants ease and order and dislikes change. I think this becomes even more pronounced the older we get. If you are attempting a social engineering campaign, you have to build it around something that is believable and not out of the ordinary.
Most people, including my students, have a limited attention span. When I was studying for my CompTIA Certified Technical Trainer certification, my instructor told the class that we had 20 minutes to engage students with a lecture before they started thinking about what was for dinner or what movie they were going to this weekend. If you need someone's attention for more than 20 minutes, you will have to change the delivery. In training, we can show a video or give a hands-on exercise. In penetration testing, you don't normally want a long personal engagement. You want to get in, do what you need to do, and get out.
Humans respond to beauty and emotion. I believe this is self-explanatory. People are attracted to what they find beautiful or what makes them feel great emotion. The movie Ocean's 8 made me chuckle when Rihanna social-engineered the video security engineer with a compromised site about the Wheaten breed of dogs. I'm not sure I could drop a Meterpreter shell as fast as she did in the movie and turn on his webcam, but yes, that's exactly how it's done. Appeal to your targets' interests, what they feel is beautiful, and you have a great start to a campaign.