Is SE Science?

How is this science? There have been many recent publications on kinesics (the study of body and facial expressions) like Paul Ekman’s books on micro-facial expressions and What Every Body Is Saying: An Ex-FBI Agent’s Guide to Speed-Reading People by Marvin Karlins and Joe Navarro. These, combined with books on subjects like Emotional Intelligence: Why It Can Matter More Than IQ by Daniel Goleman, Blink: The Power of Thinking Without Thinking by Malcolm Gladwell, Thinking Fast and Slow by Kahneman, or any of the books by Dan Ariely that talk about how intuition is based on insights the person may not be consciously aware of, start to develop a body of knowledge that can be applied as a science rather than an art. These studies are developing the baseline to take this discipline from an art to a science.

This leads to the question: can SE be taught, or is it a natural ability? There is some debate on whether SE skills can be taught, but this is basically the same debate that exists for leadership, salesmanship, or any other ability. Though the arguments are often very passionate, most will agree in the end that some people have natural tendencies that make them great when they study and train in the discipline they want to master whereas others can go through the same process and only become average. So whereas some individuals will naturally become very proficient at technical hacking they may struggle to use SE techniques like the “cold call” but everyone can learn the basics and find where their talents lay. Many of the tactics, techniques, and procedures (TTPs) we will discuss are a blend of technical and SE attacks.

SE TTPs

A typical SE exploit depends on the target. There are two general scenarios: general access attacks and specific targeted access attacks. To set the stage, let’s use the basic metaphor of stealing a car, keeping in mind that most metaphors when applied to cyberspace are dangerous as they don’t reflect the complexity of the environment. In a general access attack, we could be looking for any car to steal. This could be relatively easy to accomplish. We could sit outside a convenience store waiting for someone to leave his/her car running and then jump in and drive away (remember to check for a baby seat) or we could use a gun and carjack someone at a light; we could go old school and learn to hotwire a car or any number of other techniques. Stealing a specific car—the mayor’s car, for example—would be a different story. In the first scenario we didn’t need to do any reconnaissance; now we need to put a lot of effort into recon. We have to learn what the mayor drives and figure out the best attack. We would need to understand which attack has the least chance of getting caught, as the mayor controls the police force. Depending on our motivations we may want the theft to go unnoticed for a period of time, or we may want it to be dramatic so it gets on the evening news. The same rules are true with cyber attacks but as there is an element of personal interaction in SE it is even more relevant to understand the target.

Types of SE Approaches

Once the attacker has gathered the background information necessary to understand some options to approach the target they must decide how aggressive they want to be. From least to most aggressive the approaches are: observation, conversation, interview, interrogation, and torture. They can start by digital or physical observation. Next comes a conversation (electronic, telephonic, or in person). This is often the phase where the attacker will determine who they want to recruit or attack. Typically this is known as elicitation which is generally the extraction of information through what seems to be a casual conversation. To phrase this another way it is “where the con is based on the social engineer’s” ability to spin a lie. This ability comes from pretexting which is developing a scenario where the SE gains the trust of the person who owns or has access to the information in order to get them to break their policies or violate common sense and give the information to the attacker. One method that is used in every type of attack but is especially useful here is mirroring. For example by adopting the target’s speech mannerism (or email style) it will be much easier to get them to engage in a conversation.

The next technique is to conduct an interview or outright interrogation. Both of these require the victim to submit to the attacker’s authority. This can be done by posing as a customer who needs the information to make a decision, pretending to be someone from the government who has the right to the information, or through intimidation. These attacks can be done cold or after a relationship has been developed. The attacker can perform them in person using props like badges or over the phone/email using spoofing to make it appear like the contact is from a legitimate source. An example would be to call someone as the Tech Department or Help Desk and tell them they have to reset their account because of a mistake made during a recent update. Most people want to be helpful and automatically trust their computer. That desire to help or trust in their system is the key to compromising them. Both of these techniques are not by their nature antagonistic. Often the most effective techniques are based on establishing common bonds. All of these techniques require building a relationship based on trust. Finally, after interrogation comes torture, but that is beyond SE practices. Figure 8.1 shows the flow of these Techniques.

Types of SE Methodologies

Some typical methodologies for general collection are divided into physical and electronic. Physical techniques include things like: dumpster diving (digging through target’s trash), shoulder surfing (looking at a target’s screen or keyboard while she/he works), observation (tracking a target’s activities—think stakeout), spy gear (like directional microphones/hidden cameras), and impersonation (posing as utility worker). Electronic techniques include: open web search (using all the features of a search engine—i.e., Google will just search blogs), Pay for Service sites like Intelius or U.S. Search, Credit Information Requests, social networking site searches, and professional networking site searches and geolocation sites (e.g., Google Street View).

Though this information is generally openly available the social engineer may need some tools to make the research more effective. These include web sites and tools like:

Additional tactics include:

This is just a quick list of some of the different types of tools that can be employed as part of SE.

One recent event that has captured the media’s attention was the SE Capture the Flag (CTF) event at the 2012 DEFCON 20 called “The Battle of the Sexes.” There has always been a network-based CTF event but in 2010 DEFCON started SE CTF. The latest competition is an evolution to compare results based on gender (women captured more flags). There have also been competitions for youth to train the next generation. Here is an excerpt from the report on the event:

Contestants were assigned a target company, with each having two weeks to use passive information gathering techniques to build a profile. No direct contact between the contestant and the target was allowed during this time. The information was compiled into a dossier that was turned in and graded as part of the contestant’s score. During DefCon, contestants were then allowed 25 min to call their target and collect as many flags as possible, which made up the remainder of their score. Flags were picked to be non-sensitive information, and each was assigned a point value based on the degree of difficulty in obtaining the information associated with the flag. A few examples of the 25 flags are: In House IT Support, New Hire Process, Anti-Virus Used, Is there a Cafeteria, Wireless On-Site, Badges for Bldg Access and What OS Used.

Complex searches lead the contestants to gather quite a few PDFs or web pages that answered each of their inquires in full detail. One interesting surprise was the use of Google Street View as an information gathering tool. A primary factor in the success or failure of the contestant was the planning of the overall attack. The most interesting aspect of this has to do with how quickly and easily information could be obtained from all companies in a relatively short period of time, even with the caller under pressure. Final results were 15 companies called and 14 of them had flags captured [4].

Army Doctrine

We will discuss how the army deals with interrogation as they are the ones who are on the ground dealing with these issues. The basic techniques we will cover are from “FM 2–22.3 HUMAN INTELLIGENCE COLLECTOR OPERATIONS” September 2006 [5].

Goal: collector’s objective during this phase is to establish a relationship with the source that results in the source providing accurate and reliable information in response to the HUMINT collector’s questions.

Key principles: From a psychological standpoint, the HUMINT collector must be cognizant of the following behaviors:

These principles are used to develop an approach, build rapport, and establish a relationship in which the HUMINT collector presents a realistic persona designed to evoke cooperation from the source. In the military things are usually done in accordance with established procedures and if it is a mission (like an interrogation) should have a documented plan. This is not to say soldiers are not flexible and resist innovation but rather to say they want to increase the chances of mission accomplishment and have found these lead to greater success. The HUMINT collector must ensure their body language and personal representation match their approach.

Some standard operating approach techniques are: direct, incentive, emotional (Love/Hate/Fear/Pride/Futility/Anger), “we know all” or “file/dossier,” rapid-fire (don’t let them talk), Mutt and Jeff or good cop/bad cop, and false flag (misrepresentation of oneself). See Figure 8.2 for how these relate to each other. The direct approach is simple and straightforward. It is simply telling the person what they want and using interview/interrogation skills to convince them to cooperate and share the information. This technique is useful in a conventional war but not very useful in counterinsurgencies or for SE. Statistics from interrogation operations in World War II show that the direct approach was effective 90% of the time. In Vietnam and in Operations URGENT FURY (Grenada, 1983), JUST CAUSE (Panama, 1989), and DESERT STORM (Kuwait and Iraq, 1991), the direct approach was 95% effective. The effectiveness of the direct approach in Operations ENDURING FREEDOM (Afghanistan, 2001-2002) and IRAQI FREEDOM (Iraq, 2003) is still being studied; however, unofficial studies indicate that in these operations, the direct approach has been dramatically less successful [5]. The military is still analyzing the reasons but one common assumption is that the motivations of religious fanaticism are harder to compromise than traditional nationalism. There are some general types of direct questions that are useful: Initial (get the discussion going), Topical (focused on establishing how much they will communicate and what their level of knowledge is), Follow-up (making sure we have gained all the primary and peripheral information), Nonpertinent (establishing rapport and keeping discussion going), Repeat (seeing if they are consistent), Control (establish baseline), Prepared (for areas interviewer is unfamiliar with or highly technical topics). One of the key questions here is the control or baseline question. It establishes how someone behaves when they are telling the truth. Much like a polygraph test that starts with baseline questions like name and address then gradually that builds to questions related to guilty actions to compare stress reactions against, a social engineer must understand how the target behaves when not under stress.

The indirect approach, or using elicitation, can often be useful as we combine information gathering from normal conversations with targets of interest without them knowing they are being interrogated. Elicitation is a sophisticated technique used when conventional collection techniques cannot be used effectively. Of all the collection methods, this one is the least obvious. However, it is important to note that elicitation is a planned, systematic process that requires careful preparation [5]. This is where the more the interviewer knows about the target the better, so they can have a natural flowing conversation. For example, they may start by sharing information they have so the target assumes they know all about it and will openly discuss the details.

Next comes incentive. This is basically offering the target something they want or need. The first thing that comes to mind is bribing them, but it can be as simple as an email offering to increase their speed or access to the Internet. This approach can be very effective when tied to the right emotions. The emotional approach is where the target’s emotions are brought into the interaction to get them to take an action that they would not normally do. A recent example of this is what is known as scareware. A good example is when a pop-up box announces there is a problem on the user’s system that can be fixed by installing a free update. In reality this scareware update is a Trojan horse whose only function is to compromise the user’s system. This approach is based on Fear, other emotions that can be used are: Love (in its many forms), Hate or Anger (us against them), Pride (in themselves or their organization), and Futility (there is no other option). Picking the right emotion is easier in person because we can read the body language or on the phone where we can judge the tone of voice and modify the approach based on the situation. The goal of this method is to manipulate the target’s emotions so they override their natural cognitive reactions.

Other well-known techniques are: “we know all” or “file/dossier”; this is where the interrogator comes in and lays a folder labeled “witness statements” or a DVD labeled “surveillance footage” on the desk. This fake evidence contains no actual information but allows the interrogator to start by saying something like, “we have the evidence we need but want to get your side of the story before we submit our final report.” For a social engineer/interrogator the presentation of material that supports the belief that the interrogator knows the basics but just needs the target to provide the details. If target is still not talking freely it may be time to try the rapid-fire method where the interrogator keeps interrupting the target so they get frustrated and jump in with key facts so we will listen. The rapid-fire method is also used when the target is going to tell a lie that the interrogator doesn’t want them to say like “I have never been to that site” because once they tell a lie they are committed to it. To get to the truth we first must make the target to admit they lied.

The last two methods we will discuss are Mutt and Jeff, or good cop/bad cop, and false flag. We have all seen the aggressive and compassionate interview team in movies. The target will identify with the compassionate person and tell their story so the good cop will shield them from the aggressive cop. This method can also be modified so a really abusive interrogator is followed by one who apologizes for the unprofessional behavior of their colleague. Typically the good cop would help the target rationalize their actions so they can talk openly. One way this method can be used by social engineers is on social networking sites; we could present a Fakebook (fake FaceBook) personality created for the attack as a cyber bully and a second as someone defending the target.

Finally using the false flag, for the military this might be having a new interrogator come in and pretend to be from a friendly country or a nongovernment origination like the Red Cross. This is very useful as it is simply misrepresentation and is a bedrock of SE.

We can see that most of the techniques used by the military are directly applicable to the civilian sector and can be applied to both physical and cyber environments. The most important aspects the military brings are proven TTPs and careful mission preparation and planning. These when applied to SE will give the attacker a strong capability to be successful on their mission.

• CI: Information gathered and activities conducted to protect against espionage, other intelligence activities, sabotage, or assassinations conducted by or on behalf of foreign governments or elements thereof, foreign organizations, or foreign persons, or international terrorist activities [6].

• Cyber CI: Measures to identify, penetrate, or neutralize foreign operations that use cyber means as the primary tradecraft methodology, as well as foreign intelligence service collection efforts that use traditional methods to gauge cyber capabilities and intentions [6].

• Counterespionage: That aspect of CI designed to detect, destroy, neutralize, exploit, or prevent espionage activities through identification, penetration, manipulation, deception, and repression of individuals, groups, or organizations conducting or suspected of conducting espionage activities [6].

• Counterterrorism: Actions taken directly against terrorist networks and indirectly to influence and render global and regional environments inhospitable to terrorist networks [6].

• Force Protection: Preventive measures taken to mitigate hostile actions against Department of Defense personnel (to include family members), resources, facilities, and critical information. Force protection does not include actions to defeat the enemy or protect against accidents, weather, or disease [6].

• OPSEC: A process of identifying critical information and subsequently analyzing friendly actions attendant to military operations and other activities to: (a) identify those actions that can be observed by adversary intelligence systems; (b) determine indicators that adversary intelligence systems might obtain that could be interpreted or pieced together to derive critical information in time to be useful to adversaries; and (c) select and execute measures that eliminate or reduce to an acceptable level the vulnerabilities of friendly actions to adversary exploitation [6].

How the Army Does CI

Army regulation (AR 381-12 Threat Awareness and Reporting Program 4 October 2010 (for the old soldiers this was called Subversion and Espionage Directed against the U.S. Army or SAEDA)) establishes the training requirements and reporting procedures. It also lays out indicators or suspicious activities, such as foreign influence or connections, disregard for security practices, unusual work behavior, financial matters, foreign travel, undue interest, soliciting others, and extremist activity. This is basically a process that encourages every member of the staff to become a security officer and help police both themselves and their coworkers. The program is built around two key principles: situational awareness and behavior monitoring, both for themselves and their coworkers. If done well, it will counter the whole spectrum of crime, internal threats (disgruntled or unstable workers), external threats (foreign operatives and terrorist), and today’s social engineers. If done poorly, it allows incidents like the recent unauthorized release of a large number of classified documents relating to the U.S. war in Iraq to WikiLeaks to occur.

An Air Force Approach

The Air Force Public Affairs Agency has published a “Social Media Guide.” Top 16 tips include items like: differentiate between opinion and official information and no classified information [8]. This is a very good example as it does a couple of things well. First the guide is more about what we should use rather than why we should not use the many different communication applications on the web. Second it is a formal policy that includes punitive consequences for misbehavior.

An important aspect of this defensive capability is to analyze the information that is leaking and conduct the appropriate investigation to determine what actions need to be taken. Historically there are examples of traditional espionage like Aldrich Ames, Robert Hanssen, Colonel Vladimir Vetrov, a KGB defector known as the Farewell Dossier, Gregg Bergersen, and the 11 Russian spies recently deported from the United States, but these operations are time consuming, expensive, and risky where we can get much of the same material through cyber spying. The risk of getting caught is lower, the time to gain access is faster, and the cost is cheaper. We have talked extensively about computer network exploitation; when we combine that with SE we have a paradigm shift in spying capabilities. This requires us to look at the techniques that got these traditional spies caught, including careful analysis, auditing financial records, tips from co-workers, offensive operations to gain access to enemy files to see who they had turned into spies, and encouraging defectors to switch sides.

For the sake of brevity, we’re not going to delve into the processes of the Navy and Marine Corps, although they’re both quite capable in their own right at these processes and procedures.