What is social engineering in the context of security?
Alethe Denis, Senior Consultant at Critical Insight, was awarded a Black Badge at DEF CON 27, the world’s largest hacking conference. She dives into how psychology, trust and human biases impact security, and explains why she thinks women generally make better social engineers.
What is the actual concept of social engineering?
At the core of social engineering is a person’s ability to influence another person – to take an action or to have a behaviour as a result of their manipulation or encouragement. That act of manipulating an individual into taking action is social engineering.
It relies on a social engineer’s ability to use human psychology and behaviour against their target. The Six Principles of Persuasion is a really great place to start if you want to learn more about the psychology of influence. These behaviours are used by salespeople and others whose job it is to market and advertise to you, whether they want you to click on a link in a marketing email or purchase the used car they want to get rid of that week. They use things like scarcity, consistency and understanding your interests, likes and dislikes so that they can pose as someone who is similar to you and gain your confidence.
They also use factors like their appearance and the way they behave to emulate your behaviour and your culture and the way that you engage and speak with people, because they want to seem more like you. People are more likely to trust someone who they think is like them, and who they find physically attractive.
So essentially, for a social engineer in the context of cybersecurity, that person is going to leverage those influences to try and be more like the person they are interacting with. If it’s a physical engagement where they’re actually on-site in a building, talking to someone and trying to get into a data centre or a secured area, then they will try to show there is a trust that has already been built with them through using another individual or organisation. So they’ll pose as a known vendor to the company, pretending to be someone they trust from a trusted organisation.
You’re the reigning DEF CON Black Badge holder – for those unfamiliar, what does that mean?
DEF CON is the world’s largest hacking conference. It is specifically for hackers and not really geared towards information security professionals, so it’s for the attackers (or the red team), as opposed to the defenders (or the blue team). But there are lots of blue-team folks who do attend the conference to learn about new hacking techniques and to stay up to date on the latest things they will have to defend against. It’s a really good mix of the security and hacking communities.
There’s a competition within the social engineering village at the conference called the Social Engineering Capture the Flag. It’s essentially a combination of research and intelligence gathering called OSINT, or open-source intelligence gathering, coupled with another phase of the competition. Here, they actually put you in a soundproof booth and have you call the individuals who you found to be employees of your target company, and you have to elicit specific pieces of information from those individuals for points. The person who gets the most points in their 20 minutes allotted time is then the winner.
I had a few weeks to do reconnaissance and collect information on a target Fortune 500 company, and then I placed three calls in the span of 20 minutes to three different employees of that company. I was able to elicit the most points using the flags that I gained from those people, everything from who their janitorial services are, what operating system they use on their computer, the mail client or software they use to read their email. All of those things are worth a different amount of points.
In doing so, I managed to win the competition, so DEF CON honoured me with a Black Badge, which is essentially ultimate bragging rights. It’s a complete and total honour to receive a Black Badge. Not only is it recognition for winning the competition, but you also receive lifetime access to the conference as part of your Black Badge Hall of Fame win. You get to come every year for free.
Why do you say that women make better social engineers than men?
This really lights some people up – the idea that women are better social engineers than men. I know that a lot of the most famous social engineers, like the main character in Catch Me If You Can – he was obviously a man. And there are some magnificent con-artists who are men.
I think most people perceive that because women are more approachable or aesthetically pleasing to look at, that it’s easy for us to get out of things like parking tickets or speeding fines. But what I focus on with regards to women being better social engineers is the idea that, generally speaking, women are more empathetic to others. We are better at putting our own egos aside and holding our judgement of others. We tend to open up and make friends with people on a very emotional and genuinely authentic level.
When women have conversations, we are focused more on creating genuine relationships, whereas – and again, I put the disclaimer that this is all very generally speaking – most men look at those conversations from the perspective of asserting either their authority or expertise and coming to a conclusion that either benefits them or achieves the goal of the conversation, rather than building rapport with the other person.
I’m not saying it’s bad and I’m not saying it’s the wrong way to go about things. We are just different in the way we approach relationships and communication with other humans. Through that, women are typically better as far as being aware of social cues so that we can navigate the conversation in real-time and adjust our strategy for trying to reach a goal – for example, gaining access to a building.
With women, we’re more keenly aware of the environmental factors and influences that could be changing a person’s perception of us, as well as the environment that we’re in. That allows us to pivot better in the moment. We can also default to that empathetic pretext and ask for help in a way that most people will be responsive to.
What does the future hold in terms of social engineering attacks, and how can organisations protect themselves?
This is a problem that isn’t going away. There are technical controls we can use to defend against social engineering attacks reaching our human staff – things like email filtering and multi-factor authentication. Those things are all great technical controls that can help prevent social engineering.
But it really comes down to expanding the awareness of our teams and demonstrating to our staff how this can impact them – not just in the workplace, but in their own personal lives. People need to understand how social engineering can impact their lives in a negative way, whether they get scammed or phished or tricked into applying for a job that doesn’t exist. Staff must understand how this impacts them at a personal level, and how to defend against the actual psychology that’s being used to manipulate them, rather than just learning 10 or 15 different popular attacks and how to spot them. Understanding that psychology and recognising that if they feel emotionally triggered then they should ask for further validation – that training is essential.
How you measure the success of your training is by having regular phishing attacks and testing your people. To put it bluntly, some of us, myself included, only seem to learn the hard way. You can put all of your staff through hours of on-site or computer-based training and still not achieve the result you want without the testing.
I’m not encouraging companies to test their staff with scary pretext or using things I would deem pretty unethical, like promising bonuses or using something that’s important in the news as a trigger to get them to click a link. You really want to look at this from the perspective of education, of supporting and empowering your employees to have everything they need to defend against the phishing email rather than how you can trick them.
Do the security awareness training. Have all the technical controls you can afford to within your budget. Then test that training as part of a total security program. And do it regularly over time, whether it’s monthly or quarterly or annually. Measuring the metrics over time is by far the most important element.
Want more insight into the world of cybersecurity, digital identity, biometrics and more? Get your fix with the IDentity Today podcast, hosted by Daltrey CEO Blair Crawford. Listen via Apple Podcasts, Spotify or your favourite podcast app.