While much of the focus of penetration testing is often centered on the tools of cyber-attacks, there is an important role for social engineering within a physical reconnaissance of a business when attempting to hack them. This includes trying to gain access to offices to gather intelligence for a plausible guise for a subsequent cyber-attack, obtain credentials, or gain access to the IT infrastructure from within the building.
SureCloud consultant Sarka Pekarova shared her expertise at BSides Manchester on Thursday 16thAugust 2018, one of the UK’s leading hacker and cybersecurity conferences, speaking about the role of psychology in social engineering exercises.
This aspect of penetration testing is all about manipulation and deception rather than trying to outsmart a machine and is just as crucial in improving an organizations security posture as probing networks for vulnerabilities. But what does this look like in practice? Here are some of Sarka’s key considerations when launching social engineering penetration testing.
Creating a persona
One of the most critical considerations of any social engineering attack is creating a persona that you know inside and out. Clearly you wouldn’t want to give away your own identity or intentions but equally, you need to be able to appear genuine, respond promptly and not give away any signs that you may not be who you say you are. Establishing a manipulative, nefarious persona and becoming that person is the crucial first step in getting targets to believe in you and behave as you want them to.
Reading pacifying behavior
Confrontation is commonplace in a social engineering penetration test– people challenge who you are, why you’re there and what your intentions are. From the perspective of the attacker, it is crucial that this is successfully navigated, requiring them to read the body language of the person confronting them.
For those that are challenging me, it is usually a stressful experience, it’s not something they feel comfortable doing, and under stress, they will start to exhibit pacifying behaviors that inform how I should approach them. A common misconception is that it is the face that gives away the most in these situations, however, the face is the easiest part of the body for people to control. It is actually people’s extremities – i.e. hands, feet, arms, and legs – that give away the most.
For instance, a person speaking to me with one leg pointing away forming an L shape signals that they want the encounter to be as brief as possible. This tells me that if I speak in vague terms they are unlikely to challenge me further, or that if I quickly flash fake credentials they are likely to accept this without digging deeper.
Equally, if a target begins stroking or rubbing their neck with a hand this signifies that they are calming themselves to deal with the situation in a considered way to ensure they are acting appropriately. In this instance I might try to fluster them, by talking quickly, for example, to hurry them into a mistake before they can fully gather their thoughts. However, if a target folds their arms it means their guard is up and I have to be more considered and offer more detailed responses that make my presence seem more credible.
Reading facial expressions
While the face is easier to control this does not prevent it from giving away small tells about the target’s emotion and how they are thinking. Facial tells can loosely be split into six categories: fear, content, surprise, happiness, anger, and disgust. As targets can manipulate their faces they often give away quick glimpses of how they are feeling before they establish control. For instance, a split second lip raise is a sign that somebody is happy or content with how you are interacting with them.
By looking at for these minor tells it becomes possible to tailor my with them to achieve my goal, manipulating their emotion in the process to allow me to proceed.
When it comes to social engineering I will often look to exploit the stereotyped behaviors of the different genders. For instance, when trying to gain entry to an office if I can see that the gatekeeper is female I will pretend to be on a phone call to a boyfriend who is upsetting me as this will often generate a sympathetic response that enables me to gain access. Equally, if the gatekeeper is male I will again pretend to be on the phone to a boyfriend but act angry, ranting into my mobile as men tend to want to steer clear of this behavior and will give me access just to avoid confrontation with me.
Manipulating the situation
A final tactic in a social engineering exercise is to create or manipulate a situation that guarantees you will get what you want. For instance, in an open plan office, you might be able to establish who the manager is. You can then approach them, announcing very loudly that you are from head office and you need their laptop as it has been flagged that as a result of viewing porn it has malware running on it.
Out of embarrassment and a desperation to clear their name, they will very quickly hand over the laptop – which will usually have all credentials and elevated access rights on it – that can then be taken away and used to gain access to the infrastructure in a cyber-attack or in this case, a penetration test.
With so much focus on the technical tools required to compromise a network, it is often overlooked that networks and devices are manned by people. As such when evaluating vulnerabilities it is critical that social engineering is an integral part of the penetration testing.
For more details about our social engineering services click here.
Watch Sarka’s Presentation here.