Ethical hacking: Social engineering basics
What is social engineering?
In a nutshell, social engineering is the art of manipulation and misdirection. A social engineer’s goal is to do something that they are not authorized to do. This includes everything from stealing sensitive information to gaining access to a restricted area. Accomplishing this requires ensuring that the target, or “mark,” doesn’t notice what the social engineer is doing or, at least, doesn’t take any action to stop them.
How social engineering works
Social engineering is essentially lying and manipulation. Done properly, a social engineer can accomplish everything that traditional hacking can and often with a lot less work. When preparing for and performing a social engineering attack, there are a few useful tips and tricks.
Know your target
One of the most important parts of social engineering is knowing your target. This includes knowing as much as possible about what information or access you are trying to acquire and the person that you’re trying to acquire it from.
Distilling everything down to a single piece of information can make a social engineering engagement much simpler and more effective. If you need to ask many different questions, the more likely that the mark will become suspicious, which can bring a social engineering exercise to a sudden end.
Simplifying what you want, down to the simplest amount of information possible, can require some attack modeling. In many cases, a collection of information can be acquired from a single other piece of data. For example, access to an email account can provide a large amount of valuable data and only requires knowledge of the user’s password.
Acquiring the information in a subtle manner often requires knowing the target. There are a variety of different social engineering approaches (see Cialdini’s research for some suggestions), and knowing which one to try depends on knowledge of the person. Doing some research in advance can dramatically increase the probability of success in social engineering.
Keep it subtle
A social engineering exercise is only successful if the mark doesn’t catch on in the process. Social engineers are asking for something that they shouldn’t be allowed to have and if the mark realizes this, they can easily deny access.
In most cases, a key aspect of keeping social engineering subtle is hiding it in the conversation. While a single odd question may raise suspicions, a mark might not even notice the critical question if it’s a few minutes into a conversation and the social engineer and mark have built up some rapport.
One way to test if this level of rapport is sufficient (and if the mark is comfortable enough to answer unusual questions) is to ask something personal. Depending on if and how the target answers, the social engineer can get a feel for whether a question will be successful before asking.
Another important concept is the serial position effect, which says that someone is most likely to remember the first and last items in a list. When asking a series of questions in order to get a single answer, bury it in the middle of the list to minimize the chances of detection.
Not just talking
Social engineering is based on manipulating communication, but talking isn’t the only way that humans communicate. We communicate via body language, tone of voice and more, and for a social engineer to be successful, these have to match the message. In fact, some social engineering engagements can be performed without saying a word.
For a social engineer, a few well-chosen outfits can be an invaluable tool. A good suit, quick a steady stride and a cell phone can (literally) open doors. Some helpful employee may mistake the social engineer as someone from management in a hurry and politely hold the door. A similar effect can be accomplished with a heavy load and a mail carrier’s uniform (pick a private company, since impersonating a USPS employee is a felony) or through a variety of different ways.
During a conversation, an individual’s looks and body language needs to match the persona that they’re using as well. An executive can get away with authoritatively giving orders, but the office intern can’t. Preparing and practicing a good persona for a social engineering engagement can make everything easier and more effective.
Social engineering and ethical hacking
In some cases, social engineering is placed out of scope during an ethical hacking engagement. A lot of people dislike social engineering because it involves lying to the mark and can damage the relationship between the employees of a company and its management. This is especially true if the engagement is handled poorly and employees are left with the feeling that the company was trying to trick them into bad behavior.
However, social engineering exercises are a vital aspect of ethical hacking engagements. Over 99% of cyberattacks require human interaction because, in most cases, it’s much easier to trick a person than it is to trick a computer. An attacker attempting to steal millions of dollars from a company is unlikely to have any scruples about deceiving a few employees in the process. As a result, ethical hackers need to help customers learn to identify and respond properly to social engineering attempts.
Conclusion: Becoming an effective social engineer
Social engineering is the art of manipulation. Success at social engineering depends on understanding what makes people do things and how to incentivize someone to do something that isn’t in their best interests. People do things not in their best interests all the time, and the key is making what the social engineer wants seem enticing to the mark.
A number of different resources on social engineering exist and are definitely worth a read. However, nothing can replace practice. Communication is a two-way street, and social engineers need to think on the fly in order to ensure that the mark is hearing the message that they want to send. You can’t learn that from a book.
- The Science of Persuasion, Scientific American
- Serial Position Effect, Simply Psychology
- More than 99% of cyberattacks rely on human interaction, Help Net Security