Social Engineering: Tactics for Prevention

by Ryan Daley

Social engineering has had a fairly brief history; like any other IT-related field, it is constantly developing.

Attacks are made and countermeasures are put into effect, and the art evolves.  There have been many heavy hitters in the history of social engineering, and they set the foundation for this constantly growing threat/hobby.  Being successful in this field takes a very specific skill set that some people have from birth and some people take their whole life to learn.  There are a small set of common tools used by social engineers.  These tools range from a full closet to advanced exploitation software tools.  Each of your tools, qualities, and skills comes together after a long planning period to create a well thought out attack.

Introduction

Social engineering is understood as the art of manipulating people into giving you what you want.  I like to call it the happy medium between a Jedi and a textbook hacker.  The basic principles of this science can be employed in a plethora of situations, well beyond the ones most people associate with social engineering.  Certainly most, if not all, people in the IT field have heard of social engineers.  The first thing that comes to mind is probably along the lines of malicious email scams or some other sort of phishing, not the guy you met at a breakfast cafe who you spoke to about your upcoming vacation plans.

Benefits of Awareness

You've heard the popular adage "knowledge is power."  This has been the longtime hacker banner statement.  Of course, reading a brief report on social engineering won't enlighten you to every type of social engineering attack or threat.  It will, however, raise your awareness.  So, if you share this knowledge, it could potentially set off a mental alarm if you or a coworker becomes a target in the future.  Knowing how simple these attacks are to carry out, and equally how easy some of them are to squelch, can significantly improve your overall security stance.  People are often the weakest link in any network.  You can have the most expensive firewall setups, 40-character passwords enforced by group policy, and perfectly locked down wire closets.  None of those measures will stop a front desk clerk or an under-educated CEO from divulging privileged information or inserting a malicious flash drive.  Since social engineering is essentially "exploiting the human operating system," consider this information an operating system patch, not necessarily a fix.

History

Social engineering has been around essentially forever, but has since been repurposed for taking advantage of flawed security systems and weak IT infrastructures.  People use social engineering every day and do not even realize it: children crying to get what they want from their parents, students milking teachers into adding points to raise a grade, saying "I ordered another burger" to get a free one in a drive-thru, or even getting a date ("No really, I mean it - you're the only one for me").  These are all watered-down examples of tactics used by the best social engineers.  In their hands, the same tactics are simply repurposed to attain more valuable resources.  However, value is subjective in some of these cases.

Heavy Hitters

There are many major heavy hitters in the history of social engineering.  One name may stand out among the rest as the proverbial father of modern day social engineering: Kevin Mitnick.  Mitnick is credited with compromising the security of Motorola, Sun Microsystems, and Pacific Bell.  He started out as a phreaker (a hacker who attempts to gain access to phone systems and other telecommunication media), which is what brought him into the hacker world.  Most of his achievements were accomplished with large amounts of technical knowledge, and even more creativity.

Requirements

Being a social engineer is not for everyone.

There is a very specific set of character traits that makes a good social engineer, or separates the "Nigerian princes" from the Kevin Mitnicks.  Anyone can construct a misleading email that lures people to a website, or leads them into doing something similarly unwarranted.  It takes a very special type of person to be able to become the character they've created for the operation, and not only become this person, but to do it believably and effectively.  Equally so, an artisan is nothing without his tools.  To fully embrace the identity you've made for yourself, you are going to need a vast array of tools.  The ideal tool list will be different for every operation; you can only try your best to prepare.  Tools range from a full closet of clothes, RFID scanners, and lockpicks all the way to advanced software for creating malicious payloads for the target.

Character Traits

Some people just have a charm about them.

You have met someone before who you instantly feel comfortable with, who is easy to talk to, and who you trust soon after meeting.  This can be developed with practice, but it can take a lifetime to perfect, so the people who have those characteristics innately have a leg up.  Charm is very useful in building quick rapport, which leads to a faster turnover of potentially valuable information.  It is almost mandatory to be able to think on your feet.  The attack will rarely follow the script you anticipated, so you have to be able to adapt and steer back toward the goal quickly and seamlessly so as not to compromise the whole operation.

It only takes one speed bump to raise suspicion in a target.  More valuable information will often only be revealed after a connection is made with a target.  Being able to talk about things your target enjoys can also drastically speed up the trust building period, and so, being knowledgeable on a vast array of subjects is pivotal.  Through recon, you can sometimes find out what to brush up on - croquet to crochet, it could be anything - so be well prepared.

Being loquacious is also a quick way to build rapport.  This is another trait that comes naturally to some people; like anything else, it gets better with practice, but it is much easier for some than for others.  Being able to walk into an organization essentially lying about everything you are there for and maintaining a believable story takes an incredible amount of confidence.

Last but not least, you have to be bold.  The situations you are putting yourself in can be threatening and hard to handle.  Maintaining composure throughout the entire operation and not getting flustered when things get off track is paramount.  These traits can be improved; however, they are very difficult to pick up and learn from nothing.

Hardware

This section covers the physical objects that are good to always have around and that you will use most often in social engineering attacks.  Of course, there are going to be some specific things you will have to use for each attack, but these are the must-haves.

You must be able to wear "what's appropriate" for the given scenario that you are putting yourself into.  This basically means having a stacked closet.  You may need a pair of beat-up overalls and some old boots for a day of Dumpster diving.  You also may need an expensive suit for a night at a formal event.  Those are the two extremes - everything in between is also recommended.  For most operations, you'll be wearing a polo and nice pants.  Multiple color polos can be utilized for imitating other company employees, possibly the trash guy, or the IP phone guy.  Those are all very realistic options that a full closet would supplement very well.

There are many other more typical hardware items that any worthwhile social engineer will almost always have in his arsenal.

Software

First things first.

You'll need a stable, quick netbook or laptop with a healthy battery life to support the tools we will talk about.  Setting up this laptop, I suggest dual-booting some form of Windows and BackTrack.  Windows for average use so as not to seem suspicious, potentially with fake spreadsheets for "inventory" or manuals for something you may be "fixing," just to play up the guise; BackTrack for when it's time for business.  BackTrack as an operating system is essentially a Swiss Army knife.  It has so many included features that could, and will, come in handy.  It has security tools for monitoring and graphing wireless access points, cracking keys and passcodes, stress testing, and many options for sniffing.  It is hands down the preferred operating system for social engineering operations.  Finally, to top off your social engineering laptop, add TrueCrypt, whose drive encryption options will make compromise of your own local information extremely difficult, if not impossible.

For organizing and making sense of the wealth of information you receive from information gathering, you can use software like Dradis, and, for creating a payload or executing an attack, you have the Social Engineer Toolkit (SET) and Metasploit.

Planning an Attack

Now we are at the meat of the topic.

You have everything ready to formulate an attack.  This is a very slow, methodical process that can make or break your entire operation.  You often only get one chance, and this is the period of time dedicated to making the most of that chance.  These steps can vary slightly from target to target, but most of the time they are going to be the basic outline for formulating your attack.

Recon

Now, first things first, do you have your target?

Targets can be either a particular person or an entire organization.  Sometimes the organization is the end target, and specific people are intermediary targets to the overall goal.  After you have your organization, you can pick out a person.  Doing recon on a person can be significantly easier than you would think.  As mentioned before, one of the most powerful tools in recon can be Google.  You would be surprised what you can find out about someone by Googling their email address or full name in quotes.  Often blogs or forums they participate in will show up with their email as the username.  You can get a good sense of your target's interests and pastimes.  On company websites, there are often profiles of the higher-ups in the company, which will sometimes have a personal email, but more often a company one, making the previous step easier.  They also occasionally list interests, position, and location, which can also be very valuable.

Another resource is social media.

If you stumble on a personal profile, that's almost social engineering recon gold.  From a personal profile, you can find out someone's interests, who they know, where they are, when they are going on vacation, and relatives' names.  This is all at your fingertips.  Sometimes an entire attack can be done right after this step, just by guessing security questions.  Example: first pet?  A picture on their profile with them and a pet.  It may not be a first pet, but it's still worth the 30 seconds it takes to try it.  Mother's maiden name?  Parents are often linked to profiles, with their original name listed so that friends from before they got married can find them.  Where were you born?  Hometown is often an option on profiles as well.  If attempting to guess questions, there is a pretty good chance you can do it just from a personal profile.

Another option is stalking.

A pretty intuitive title, this can mean scoping out a business to see what companies they contract (which can be imitated as an attack), what security measures they use, and when employees leave and return.  If it's a person, you can find where they go to get coffee in the morning, where they eat lunch, and where they go on the weekends.  With stalking also comes eavesdropping, which is also a decent way to get baseline information.  If Dumpster diving is in mind as an attack vector, you could use this stage to take extra note of the uniforms and schedules of the trash men for later imitation.

Using the information you've gotten from stalking, you can set up a "spontaneous meeting."  If you've found out where they get drinks on the weekends, you could run into them at the bar and start a conversation.  You would be surprised at the information that gets loosened up by a few drinks.  Through this meeting, you could establish a brief relationship, get names, and trade business cards (which shouldn't say XYZ Security Penetration).  In this meeting, you can sometimes get information that the target wouldn't consider dangerous in the hands of an average Joe.  This information can range from the exact security company they contract to insider information about their business and personal schedules.  If he never goes to work on Fridays, you could later use this during an attack to create the illusion that you are close to him.  "He isn't here, is he?  I forgot it was Friday.  Mind if I drop this (malicious) flash drive with our updated statistics on it on his desk?"

Here's another easy approach through a "spontaneous" encounter.  You can oftentimes view the security questions they chose if you try to "recover" their email.  One of the questions might be "What was your first car?"  If you enter an encounter with this in mind, an exchange could go something like this: "Excuse me.  Do you know any good rental car places?"  "Someone hit my car earlier and I want to get a good deal.  They just don't make cars like they used to, eh?"  "I remember my old truck I had when I was 16.  That thing could take a beating."  Playing off the human urge to be on a similar level, the target will more often than not say "Yeah, my '72 Ford wagon could take a beating too" or something along those lines.  A brief meeting like that, coupled with a profile, leaves a very high chance of guessing security questions.  And we haven't even passed the first step.

Organization

This step mostly caters to cases with a wealth of information gleaned from recon.

The organization stage is most useful when dealing with a company as a target, to find the weakest link, or the area where you feel a social engineering attack would yield the best results.  This stage is also important when working as a penetration team with a few social engineers gathering information at once, so that each social engineer can feed off the information that was gathered without a physical meeting place.  Having a central place to store pictures, maps, and information is extremely helpful.  My personal favorite is Dradis.  This is a web application that gives you a single web-accessible location for storing pictures and information for later use.  You can use it to keep track of what is done and what needs to be done.  This software is geared more towards security audits (Dradis framework).  After all your information is organized, you are ready to start making sense of everything you have gathered and start preparing your attack.

Preparation

This is the phase where you decide what attack vector you are going to utilize and, essentially, draw up a "game plan."

The information has been analyzed and the facts are all straight.  Are you going to guess security questions?  Go Dumpster diving?  Imitate an employee?  How are you going to establish the checkmate?  After you've identified the weakest link, this is where you decide what you are going to need to create the best possible chance that your goal will be accomplished.

Pretexting is essentially the checklist of who you are, what you will need, when the best time is, and why you are there (in reference to what you would tell others).  If you are making your name John Smith, this is where you decide what this alter ego has done in his life, where he works, and where he came from.  If you use your own life as a baseline and change minor details, living as someone else becomes much simpler.  Also, using information you gathered during recon, you would make John Smith's interests mirror your target's for faster rapport.  A moment of hesitation could easily blow the whole operation, so take special precautions during this step.

Gathering the proper equipment comes next.  This could be a proper outfit to be an XYZ Wireless employee, a dirty garbage man, or even another CEO at a county mixer in an expensive suit.  It may help to make fake emblems for clothing or vehicles to add extra believability.  The more believable you are, the less chance you have of front desk Jane second-guessing your intentions.  You could also make phony business cards to lend credibility to your fictitious company and help engage the target in conversation.

Creating the payload is also done in this stage.  This can be done very simply through Metasploit.  The payload can be a malicious PDF that copies hard drive contents to the flash drive, something to spread a botnet installer across the entire infrastructure, a key logger, or the malicious email attachment.  The payload could even be getting a CEO to enter his information on a spoofed website form.  This can be extremely useful, based on the fact that most people use the same password for everything.  So their typing in their password could be golden, considering you most likely already have their email addresses.  Who isn't going to open an attachment from their own boss?

Last but not least, prepare for the worst.  This is basically creating your backup plan: where you are going to escape to if things get out of hand, and guidelines on what grounds you should abort the mission.  Tempers may flare, or suspicions may rise.  A good rule of thumb is when you feel frustration building, make a joke.  If it doesn't lighten the mood, leave.  Frustrated or perturbed people are rarely willing to help.

Execution

This is where all of your previous work comes together for your final venture to the end game.  This phase is extremely crucial and can make or break the entire mission.  Look at the execution as a walking-on-eggshells scenario.  Even the slightest mishap can raise a mental alarm in the target, drastically reducing, if not completely eliminating, your chance for success.  Needless to say, take extra caution.

Phrasing is extremely important when attempting to get someone to bend to your will.  You want to phrase your statements with confidence, hinting subconsciously that the person you are speaking to already knew they were going to do what you want.  Instead of saying "If you could... uhh let me in, I could hopefully fix your problem," you could say "When you let me in, I'll let you know what the problem is and get it solved right away."

This could be considered the power of suggestion.  You are essentially telling your target that they already know they are going to let you in, and that you are going to fix it, and fast.  This works on a subconscious level and is extremely effective.  Mastering suggestion as a tool takes practice, but once mastered it can yield endlessly useful results.  Also, in the area of phrasing, be funny, lighthearted, well spoken, and cheerful.  This is another play on humans wanting to be on the same mental level as the person they are interacting with.  If you are open, kind, and willing to speak, chances are they will be too.  That's what you want.

Taking note of a target's emotions can be of help as well.  If you can see their face becoming more upset or angry, lead them in another direction.  Read their facial expressions to see which direction to lead the conversation.  Similar to a game of "hot" or "cold," use the hints they give you to make them more interested in you.  If they have a questioning look on their face and you are speaking to someone with little to no knowledge of what you are doing, eliminate that look by giving them confidence in what you are saying.  This can be done with jargon.  It seems crazy, but saying more complicated and confusing things that the average person wouldn't know or understand can actually raise the confidence of someone who feels your ability is lacking.

Considering all of the previous steps, make your way to the office and drop off that flash drive.  Go to that bar, have a few drinks, loosen up Mr. Smith of XYZ Corp., and get the secrets flowing.

Welcome to the end game.

If you followed all of the steps correctly and accomplished all of your goals, you win.
