Reviewing the definition for elicitation can give you a clear path of what your goals are. Really, though, you can boil it down to one thing. A social engineer wants the target to take an action, whether that action be as simple as answering a question or as big as allowing access to a certain restricted area.
To get the target to comply, the social engineer will ask a series of questions or hold a conversation that will motivate the target to that path.
Information is the key. The more information that you gather, the more successful the attack will be. Because elicitation is non-threatening, it is very successful. Count how many times in a week you have meaningless little conversations with someone at a store, coffee shop, or elsewhere. The whole methodology of holding conversations is steeped in elicitation, and it is used in a non-malicious way daily. That is why it is so effective.
Some experts agree that mastering the art of conversation has three main steps:
1. Be natural. Nothing can kill a conversation quicker than seeming to be uncomfortable or unnatural in the conversation. To see this for yourself, try this exercise. Have a conversation with someone about something you know a lot about. If you can record it somehow or have someone else take notice, see how you stand, your posture, and the way you assert your knowledge. All of these things will scream confidence and naturalness. Then inject yourself into a conversation you know nothing about and have the same recording or friend observing.
See how all those nonverbal aspects change for you when you try to inject an intelligent thought into a conversation you know nothing about. This exercise shows you the difference between being natural and not being natural. The person(s) you are conversing with will be able to see it easily, which will kill all chances of successful elicitation. How do you seem natural in conversations? Thus we arrive at step 2.
2. Educate yourself. You must have knowledge of what it is you will be talking to your targets about. It is imperative that you not pretend to be more than you can reasonably be believed to be. Confused?
Here’s an example to break it down. If you wanted to obtain the chemical composition for a top-secret product, your elicitation target is one of the chemists involved in making the product, and you decide to start talking chemistry, do not play yourself off as a world-class chemist (unless you are). He may throw something at you that will show you know nothing, and then your cover is blown and so is the elicitation.
A more realistic approach may be that you are a research student studying XYZ and were told he had amazing knowledge in this area. Due to his expertise, you just wanted to ask him a question on a chemical formula you are working on and why it doesn’t seem to be working out.
The point is that whatever you choose to converse about, and with whomever, do research, practice, and be prepared. Have enough knowledge to speak intelligently about a topic that will interest the target.
3. Don’t be greedy. Of course, the goal is to get information, get answers, and be given the key to the kingdom. Yet, do not let that be the focus. That you are only there for yourself will quickly become evident and the target will lose interest. Often, giving someone something will elicit the feeling of reciprocation, where he or she now feels obligated to give you something in return. Being this way in conversation is important.
Make the conversation a give and take, unless you are conversing with a person who wants to dominate the conversation. If he wants to dominate, let him. But if you get a few answers, feel the conversation out and don’t get greedy trying to go deeper and deeper, which can raise a red flag.
Sometimes the people who are labeled as the “best conversationalists” in the world are those who do more listening than talking. These three steps to successful elicitation can literally change the way you converse with people daily, and not just as a social engineer or a security auditor, but as an everyday person. I personally like to add one or two steps to the “top three.”
For example, an important aspect to elicitation is facial expressions during a conversation. Having your gaze be too intense or too relaxed can affect the way people react to your questions. If your words are calm and you have engaged the target in a conversation but your body language or facial expressions show disinterest, it can affect the mood of the person, even if she doesn’t realize it.
As a social engineer approaches a target, her “spirit” or energy will affect the person’s perception. The energy is portrayed through body language, facial expressions, dress, and grooming, and then the words spoken to back that up. Without even knowing it, people pick up on these things. Have you ever thought or heard someone say, “That guy gave me the creeps” or “She looked like such a nice person”?
How does that work? The person’s spirit or energy is relayed to your “sensors,” that data is correlated with past experiences, and then a judgment is formed. People do it instantaneously, many times without even knowing it. So your energy when you are going to elicit must match the role you are going to play. If your personality or mental makeup doesn’t enable you to easily play a manager, then don’t try. Work with what you have. Personally, I have always been a people person, and my strong suit is not topics like chemistry or advanced math. If I were in the situation mentioned earlier, I would not try to play the role of a person who knows about those things. Instead, my elicitation might be as simple as a stranger interested in starting a conversation about the weather.
Whatever methods you choose to use, you can take certain steps to have the upper edge. One of these steps is called preloading.
Preloading denotes that you can do just what it says—preload targets with information or ideas on how you want them to react to certain information.
Preloading is often used in marketing messages; for example, in the national restaurant chain ads that show beautiful people laughing and enjoying the meal that looks so beautiful and perfect. As they say “yummm!” and “ohhh!” you can almost taste the food.
Of course, as a social engineer you can’t run a commercial for your targets, so how can you use preloading?
As with much in the social engineering world, you have to start from the end results and work backward. What is your goal? You might have the standard goal of elicitation to gain information from a target on a project she is working on or dates she will be in the office or on vacation. Whatever it is, you must set the goal first. Next you decide the type of questions that you want to ask, and then decide what type of information can preload a person to want to answer those questions.
One other really simplistic example before moving on: A friend walks up and says, “I have to tell you a really funny story.” What happens to you? You might even start smiling before the story starts, and your anticipation is to hear something funny, so you look and wait for opportunities to laugh. He preloaded you and you anticipated the humor.
How do these principles work within the social engineering world?
Preloading is a skill in itself. Being able to plant ideas or thoughts in a way that is not obvious or overbearing sometimes takes more skill than the elicitation itself. Other times, depending on the goal, preloading can be quite complex.