Attraction – Seduction and Destruction are the hallmarks of Social Engineering

No matter how much time, money, tools, and passwords you put in place to protect information, no one can avoid an accidental chat in a shop, coffee shop, aeroplane, or gym, and by that point, I can confidently assure you that all your secrets are gone.

Forever.

I never witnessed social engineering fail in my humble professional experience as a part of human intelligence operations.

Now, let us delve a little deeper and remind you of a recent social engineering performance in the heart of the United States, in which the principal player was Anna Chapman.

For those who don’t remember or don’t know: Anna Chapman, a Russian national, was part of a group of Russian sleeper agents who were operating in the United States under deep cover.

She was known for her socialite lifestyle and her use of online platforms like LinkedIn and Facebook to connect with influential individuals.

Chapman is believed to have used her charm and conversation skills to engage with high-profile individuals in various industries, including finance and politics.

By leveraging her attractive appearance, she managed to gain access to events and circles that provided her opportunities to gather information.

Her interactions were part of a broader effort to develop connections with influential people who could potentially provide her with sensitive information or facilitate her access to valuable networks.

While the full extent of her activities remains largely unknown, the case of Anna Chapman showcases how social engineering and the art of conversation can be employed by spies to establish trust, gather information, and further intelligence objectives.

Information is the Commodity
Information has value, which can be tangible or intangible. 

Whether it’s complex data sets stored in the cloud or a partially formed idea that has yet to be seen or heard by anyone else, all information can be traced to the same means of production: Humans.

All the information we take for granted exists (directly or indirectly) because of individuals, not hardware or software. 

Social Engineering, as it applies in human intelligence and cyber security, is the art of using manipulation as well as strategic deception and coercion to extract information from a target.

Corporate entities and globalised society have embraced the ‘network society’ and assume that networking is a must for success. 

However, most businesses do not have risk management processes capable of preventing social engineering attacks, which have grown in sophistication and popularity with the rise of today’s hyperconnected world.

The COVID-19 crisis has altered the structure of society to favour social engineers, who have changed tactics in response to the decline of physical meetings and centralised workforces to instead prey on far more vulnerable targets: People working from home.

Social engineering has long been an element of tradecraft across the field of human intelligence, but over the last forty years, social engineering conducted in cyberspace has become a major part of the intelligence and counterintelligence cycle.

Today, navigating social engineering is an indispensable organisational KIN (key intelligence need).

Information – The Importance and Value of Information/ Sources of Information
Information has value; it can be tangible or intangible. Information can be stored or simply be an idea, but all information has a source.

The root source of that information is typically a person, not a piece of hardware or software.

Note: Data is now the most valuable commodity in the world. 

Information, in its purest form, is raw, unrefined material, and remains so until it has been distributed orally or in writing, or stored.

Raw information will sooner or later become part of the intelligence cycle. Without information, intelligence of any kind would not exist.

Our identity and construction of self as individuals, members of communities and/or social groups is dependent on information. 

Our exposure to the information ecosystem commences the moment we open our eyes. This illustrates that information is not only about passwords and documents, but also the subjective interpretation of reality: what we perceive, and what we think about what we perceive, as individuals, 24/7.

In terms of Social Engineering, it is important to understand that identifying a Person of Interest (POI) is part of a social engineer’s research process, and is an objective based on the analysis of previously identified information and decision-making processes.

Types of Information Sources:

  • Open Sources – social media, newspapers, radio, electoral office, TV, chat, social and business networking.

    Controlling our ever-expanding digital footprints.

  • Closed Sources – all sources restricted from the public, including material categorised as classified. This material is usually stored in an (ostensibly) safe place, sometimes also guarded or protected by technical, mechanical, human or legal countermeasures in order to restrict access. Unauthorised access to this kind of information is illegal.

    This is the social engineer’s cornucopia, and it is typically this kind of information that cyber threats will seek to elicit either directly or indirectly (i.e., access credentials) from their targets.

  • Off The Record Information – This kind of information does not have a clear legal definition, and there is no such thing as “off the record”. Hence, information provided in conversation is open to interpretation, exploitation, and if necessary, can be used in a court of law as evidence. 

Anything posted online is there forever – in cyberspace, anything ‘said’ is rarely ephemeral, and this is particularly important to recall given that we now rely so heavily on CMC (computer-mediated communication) instead of face-to-face meetings.

What is Social Engineering?
“Failure to protect secrets has widespread ramifications and the perils posed must be addressed”.

Industrial espionage has been in the news again recently with various reports about Huawei’s activities. At a time when businesses are investing billions in data protection, are they overlooking some of the most basic forms of intelligence gathering devices – humans?

One way or another, people are often responsible for a loss, often inadvertently. Military intelligence has long used activities, often termed ‘social engineering’, to capture sources of information.

With the shift to the network society and our increasing dependence on networked technologies, social engineering is conducted with staggering frequency online, and is usually one of the first steps in the “cyber kill chain”.

Social engineering, in cybersecurity, refers to “tactics used to trick people into revealing sensitive information or taking unsafe actions”.

Social engineering is therefore fundamentally about coercion, deception, manipulation and decision-making.

Social engineering is designed with an outcome in mind before any activity commences, so successful social engineering requires a good story, sometimes called a ‘legend’ in human intelligence, or a ‘narrative’ in information and narrative warfare.

The story must start with “once upon a time” and then continue with unicorns and princesses. Not.

A story is required, without doubt. Stories are embedded in human society and, regardless of how short or long the story is, it must capture the interest of the other party.

That can only be achieved if the story is based on some facts (facts are determined when the Target Profile is created); only then will the deceiver be successful.

The story must, after all, elicit a ‘reader response’; once the target or POI has been drawn into the story, communication will lead into more detailed and planned conversation.

The POI can discover that the deceiver is lying; thus planning for “the story” must be immaculate and well versed, and the deceiver will be trained and accountable for results.

Understanding the enemy – Intrinsic V. Extrinsic motivations, hackers, cyber criminals (and their business models), insider threats, APTs and human error.

Understanding the problem: BYOD policies, home-work lifeworld boundary collapse, changes in behaviour (including maladaptation such as substance abuse) as a result of WFH.

Key Intelligence Needs – in social engineering, key intelligence needs represent two factors.

  1. Need to Know (more intelligence about product, country, military, police, software, etc.)
  2. How to Know (identifying the target profile, POI – person of interest)

Both requirements are part of the cycles below, which clearly identify “need” and “how” as the first step.

Target Profile
A target can be an individual, group, company or organisation, and each of those targets can be named differently for the purpose of social engineering or misleading and deceiving third parties.

Elements of the Target Profile can be adjusted as required; however, as mentioned before, for social engineering to work it is important that “the story” be filled with facts.

The limitations of cyber threat intelligence and the realities of individualisation.

Completely different factors inform the behaviour of groups than of individuals – understanding whether your adversary is a target or targets is critical.

When the Target Profile file has been created, it is important that it has the following key parts, and that the story be designed and rehearsed based on those key parts.

After all, it is critical to remember that social engineering is virtually never detected until there is reasonable doubt that counterintelligence measures are required, so think before you start chatting with someone new. 

This post was written by Mario Bekes