It’s 10:30 in the morning and Carmen enters the bar punctually to have breakfast, as she does every day. It’s like the movie Groundhog Day: she sits down in the same place at the same time and orders the same breakfast. Marisa, a new friend, sits down next to her and they greet each other enthusiastically. They met a week ago, when Marisa asked her if she could sit next to her because a couple of men wouldn’t stop bothering her.
After that they began to get along very well and they talk non-stop for the half-hour that breakfast lasts. Carmen is the oldest person at her job and often has breakfast alone because she feels out of place with the rest of her colleagues, who could be her children or even grandchildren in some cases. However, she gets along very well with Marisa, who is very nice and is interested in anything work-related. What Carmen doesn’t know is that “Marisa” isn’t her real name, nor is she her new friend. She belongs to a Pentesting group hired by the company to audit its computer security.
Carmen was chosen as a target to obtain information through a social engineering process. Marisa is responsible for collecting any possible information on the company and on Carmen’s boss, who is the head of the Recruitment Department.
The objective is to learn the company’s jargon and as much as possible about its systems and recruitment processes, since the latter would make it possible to physically enter the company’s central offices. Events accelerate on the day in question, when Carmen tells Marisa that she has been having problems with the computer network that day.
The team seizes the opportunity to act. One hour after Carmen gets back from her break, someone with a tool box and cables arrives at the door of her office, telling her that the company’s computer network is being replaced and that he has been sent from headquarters to make some adjustments at that office. The man names the system, the programs that the company uses and even knows her boss’s nickname. Carmen is delighted to see him and tells him that she knew something was going on with the network because it had not been functioning well.
After a few minutes the system is at the mercy of the Pentesting team, because Carmen doesn’t hesitate to give him the login password, which she also has written down on a piece of paper under her keyboard because it contains some symbols that are hard to remember. Without Carmen realizing it, the technician scans her employee ID card. That afternoon the intrusion team is able to navigate at will through the company’s HR program, gathering data on employees, payroll, salaries...
A few hours later, the security personnel at the central offices receive an email from Carmen’s Department Secretary account, providing information on a person who will be arriving the next day to have an interview for the computing department. The next day, when the same technician comes to the central offices as the person who is going to have the interview, the access personnel are waiting for him and give him a visitor’s badge to go up to the fifth floor.
In the elevator, the infiltrator puts on a falsified copy of Carmen’s employee card, which immediately allows him to go anywhere without arousing suspicion and gives him unlimited access to all areas. The story is longer, but from this point forward everything goes smoothly: the team takes control of the company’s servers, revealing a huge security gap.
Human beings will always be the weakest links in the cybersecurity chain and the easiest point to crack.
The brain is hackable, and even though it is more sophisticated than any machine or technology that human beings can develop, its system is not free of security gaps through which it can be penetrated and controlled; in other words, the person can be controlled.
In the first part of this article we illustrated some tools for persuading people and obtaining information from them, which in the hacker world is traditionally known as social engineering. In this second part we are going to learn a little more about these social engineering strategies, which are based on the behavioral sciences, and how they lead someone to hand over all the information needed to attack a large financial company, as we have seen in the story above.
Our starting point is something that we already mentioned in the previous post: the human being is a social animal with a unique communication system: language. It is important to always remember this, because we are designed for relationships and to transmit information.
I mean that talking with other people, telling them about our lives, telling them what happens to us at work, what we like or offering personal information directly is something completely natural.
If there is nothing in the way, a human being is immediately pro-social and cooperative. We are where we are because of hunting in groups, dividing the work, defending each other and transmitting knowledge.
Therefore, it should not surprise us if someone gives their account number and PIN to another person who asks for it by phone, saying that he is a consultant with our bank’s online banking program. For us, information is something to be shared. This is why we like to read, listen to stories or watch television series.
It is true that there are individual differences; there are people with whom communication is like pulling teeth, and others whom we may greet in the elevator and who proceed to tell us their life story (by the way, guess which one is more useful for social engineering).
We all have our shields, barriers, defenses or red lines in our communication. There are people to whom we do not want to tell certain things, as happens in a police interrogation room. But even there, if you know how to play your “communication cards” right, you can make someone who did not want to talk end up confessing to a crime and providing all kinds of details about it.
Once you open your mouth there is a risk of putting your foot in it, whether in an interrogation room or in a social engineering process. Communication defenses can be cleared, circumvented or eliminated; this is part of what behavior analysts do.
To accomplish this, the first step is to profile the target well: to know what that person is like, how they think and how they act. If I may use a metaphor and paraphrase Sun Tzu: he who knows himself and his enemy will be victorious in a thousand battles. Getting to know someone may seem very strange or difficult to achieve, especially if I have very little time or if it is a person who does not want to collaborate.
This is true, but to simplify: you just have to know their system of punishments and reinforcements, what they like and don’t like, what will bring them closer and what makes them run in the other direction. If we know this, half of our influence work is done.
Social engineering uses strategies that are based on this concept of reinforcement or punishment. The terms may seem very physical, but they basically refer to benefits and costs or, ultimately, good things versus bad things. This, of course, is also closely related to our biology and the survival of our species. We are designed to recognize stimuli that allow us to live or those that endanger our existence.
When it comes to obtaining information from a person in a social engineering attack, the elements traditionally used include authority and fear. An email or a phone call from someone who appears to be a boss, manager or director influences us, as does an email or call that tells us they are going to block our bank account, cancel our insurance or get us fired. Obtaining a benefit or opportunity, that is, reinforcement, is also used often. So an email or a call informing us that we have won a prize or have access to an exclusive promotion arouses our curiosity.
If we play at balancing reinforcements and punishments, we can generate emotions in people and prepare them for action in one direction or another, so that they approach or move away. These emotions would be:
- Pleasure. When I anticipate a reward and I get it.
- Anxiety. When I anticipate the imminent arrival of a punishment.
- Frustration. When I anticipate getting a reward and instead get a punishment.
- Relief. When I anticipate a punishment and instead get a reward.
If we think back to the story at the beginning, there is a moment in which the events for the intrusion team are precipitated, when Carmen, the “target”, says she is having problems with her computer and shortly afterward receives the providential visit from a technician. This is an example of how social engineering manipulates these four emotions to obtain a strategic advantage that allows it to obtain information. What happens can be explained as follows:
- We start with Carmen in a state of frustration. She wants to work normally that day, but a technical problem is creating an obstacle.
- From this point on, this situation is used to initiate an operation to change her emotion to pleasure.
- A technician comes to her office, someone unknown, who might even create some anxiety in Carmen: Who is this person? What is he doing here? Why has he come? This situation must be quickly resolved by the false technician.
- He tells her that they are having problems in the network; that he is going to fix it. He names the program, he uses the company's jargon and he even mentions her boss's nickname. That is, he offers her trust and credibility, making her feel relieved.
- Carmen realizes that the technician has come to help her. She was hoping that the problem would be solved and now not only does she not have a stranger with her, she has the person who is going to save the day! How could she not feel at ease and let him operate the computer and even give him the system password?
All this can be understood even better if we understand another way our brains work: heuristics.
We tend to think that human beings are purely rational, that our evolution has led us to be logical, rational and intelligent beings. Well, what science tells us is that we are less rational than we think or than we would like to be.
Our prefrontal cortex, the part of the brain related to that rationality, is relatively young and does not yet have sufficient “system privileges” to control the rest of the brain, if you will allow me the technical simile. In other words, we function more on intuition, speculation and chance than on logic and a rational analysis of options.
When we lived in the jungle and we heard a noise next to us, we did not need a rational brain that made decisions based on probabilities to survive; we needed a brain that sensed that it could be a predator, and we ran like a bat out of hell. It is true that the noise might also have been the wind moving some branches, but stopping to rationally assess the possible causes of the noise would have led us to be a rationally extinct species.
Our brain works through mental shortcuts, and these are the main security breach that social engineering uses to hack our brain. Mental shortcuts are a way to make quick decisions, filling information gaps with invented data.
So, when a guy comes into the office in an expensive suit, looks at people with an air of superiority and speaks giving orders to others, our brain fills gaps in information that it does not have and assumes that he is a successful person, that he is possibly a company executive who is visiting there and who surely has the power to fire us if we do not give him the information he asks for.
In our initial story, upon hearing the technician speak with words that she had just given to his accomplice a few minutes earlier, Carmen concludes that he is a company employee, a computer technician and a trustworthy person to whom she can give her password with no problem.
This form of brain functioning is undoubtedly a great advantage for social engineering, since it therefore does not need to obtain or possess all the information in order to get something more. It would be as if with only half of the pieces you could assemble an entire puzzle or as if, knowing only four digits of an eight digit password, the system would interpret that we know the rest, without having to type them.
This form of brain processing is also being applied in the technological realm through predictive keyboards or algorithms that do just that: predict what we are going to buy before we do so, or show us advertising that interests us without our having to search for it.
This prediction is a time saver, as it was for our ancestor in the jungle, but it also entails dangers in the field of cybersecurity, because a guy with an expensive suit walking around the office is not always a boss; sometimes he is a hacker in disguise.