Tuesday, May 6, 2014

What Is Elicitation?

Elicitation is a powerful technique used by spies, con men, and social engineers, as well as by doctors, therapists, and law enforcement. If you want to be protected from it, or to be a great social engineering auditor, you need to master this skill. Used effectively, elicitation can produce astounding results.

Elicitation means to bring or draw out, or to arrive at a conclusion (truth, for instance) by logic. Alternatively, it is defined as a stimulation that calls up (or draws forth) a particular class of behaviors, as in “the elicitation of his testimony was not easy.”

Being able to use elicitation effectively means you can fashion questions that draw people out and steer them toward the behavior you want. What does this mean for a social engineer? It means shaping your words and your questions so that the target volunteers what you need without ever feeling interrogated. In terms of information gathering, expert elicitation can translate into your target wanting to answer your every request.

I want to take this discussion one step further, because many governments educate and warn their employees about elicitation precisely because it is used by spies all over the world.

In training materials, the National Security Agency of the United States government defines elicitation as “the subtle extraction of information during an apparently normal and innocent conversation.”

These conversations can occur anywhere the target is: a restaurant, the gym, a daycare, anywhere. Elicitation works well because it is low risk and often very hard to detect. Most of the time, the targets never know where the information leak came from. Even if the target suspects some wrong intent, the elicitor can easily deflect it by playing the innocent stranger, offended at being accused of wrongdoing for merely asking a question.

Elicitation works so well for several reasons:

  • Most people have the desire to be polite, especially to strangers.
  • Professionals want to appear well informed and intelligent.
  • If you are praised, you will often talk more and divulge more.
  • Most people would not lie for the sake of lying.
  • Most people respond kindly to people who appear concerned about them.

These key factors about most humans are why elicitation works so well. They are also why awareness training focuses on the same reflexes: noticing when a stranger's flattery, apparent concern, or casual question is pulling you toward disclosure is the first line of defense.

Getting people to talk about their accomplishments is too easy.

In one scenario in which I was tasked to gather intel on a company, I met my target at a local chamber of commerce function. Because it was a mixer, I hung back until I saw the target approaching the bar. We got there at the same time, and because the purpose of these functions is to meet and greet people and exchange business cards, my first move wasn’t extreme.

I said, “Escaping from the vultures?”

He replied with a chuckle, “Yeah, this is what makes these things worth the time—open bar.”

I listened to him order, and I ordered a similar drink. I leaned over with my hand out and said,

“Paul Williams.”

“Larry Smith.”

I pulled out a business card I had ordered online. “I work with a little import company as the head of purchasing.”

He said as he handed me his card, “I am the CFO for XYZ.”

With a chuckle I responded, “You’re the guy with the bucks—that’s why everyone is after you out there. What exactly do you guys do?” He began to relate a few details of his company’s products, and when he listed one that is well known, I said, “Oh right, you guys make that widget; I love that thing. I read in XYZ Magazine it hit a new sales record for you guys.” From my previous information gathering I knew he had a personal interest in that device, so my praise was well received.

He began to puff his chest out a bit. “Did you know that device sold more in the first month than our previous and next five products combined?” “Yikes, well I can see why, because I bought five myself.” I chuckled through the mild praise.

After another drink and some more time, I was able to discover that they had recently purchased accounting software, the name of the CSO (and the fact that he was on vacation for a few days), and that my new friend was also going on vacation soon to the Bahamas with his wife.

This seemingly useless info is not useless at all. I have a list of details about software, people, and vacations that can help me plan an attack. But I didn’t want to stop there; I went in for the kill with a question like this:

“I know this is a weird question, but we are a small company and my boss told me I am to research and buy a security system for the doors. We just use keys now, but he was thinking RFID or something like that. Do you know what you guys use?”

I thought this question would send up red flares and smoke signals.

Instead, he said, “I have no clue; I just signed the checks for it. What I do know is I have this fancy little card…” as he pulled out his wallet to show me his card. “I think it is RFID, but all I know is that I wave my wallet in front of the little box and the door opens.”

We exchanged laughs and I walked away with knowledge that led to some very successful attack vectors. As you may have noticed, elicitation is similar to and linked to information gathering. This particular information gathering session was made so much easier by a solid pretext as well as good elicitation skills. Elicitation skills are what made the questions flow smoothly and what made the target feel comfortable answering my questions.

Knowing that he was on vacation, what kind of accounting software they used, and what their door-locking security was, I was able to plan an onsite visit to repair a “faulty” RFID box and time clock. Simply by telling the front desk receptionist, “Larry called me before he left for the Bahamas and said there was a time clock by the manufacturing department that is not registering properly. It will take me a few minutes to test and analyze it,” I was given access in a matter of seconds without ever being questioned.


Elicitation led to that success because, with the knowledge I had gathered, the receptionist had no reason to doubt my pretext. Simple, light, airy conversation is all it takes to get some of the best information out of many people. As discussed so far, clearly defining your goals is vital to achieving maximum results. Elicitation is not used merely for information gathering; it can also be used to solidify your pretext and gain access to information. All of this depends on a clearly defined and well thought-out elicitation model.
