Social Engineering: A Chain Is Only as Strong as Its Weakest Link
Humans are innately social creatures with core needs to belong, feel safe, be acknowledged, and be liked. To effect change, social engineers deploy specialist tactics to “get in” through their target’s mind.
By Lily Yuan, Featured Writer.
My favorite chemistry teacher said, “A chain is only as strong as its weakest link.” In the study of chemical bonds, the weakest bond, the one involving the most reactive elements, is the easiest to attack and transform, and breaking it can set off a chain reaction. In the corporate world, an innocent-looking spam email could be opened by the administrative assistant who unknowingly spreads malware to the entire company's network, in mere seconds.
It wasn’t until a few years down the road that I noticed the saying's application to social engineering. A movie that showcases the idea really well is Catch Me If You Can (2002), based on the real account of Frank W. Abagnale, a famous con-man and check forger who successfully passed himself off as a substitute teacher, a pilot, a doctor, and even a lawyer after passing the bar exam with only 2 weeks to study.
Social engineering is an umbrella term for the study of human psychology in the context of how it affects the security of businesses, through methods such as phishing, vishing, pretexting, quid pro quo, and more. A malicious link could potentially leak a company's entire database within milliseconds. A USB stick can deliver mass amounts of malware within minutes. A loaded question can trip up an office assistant into accidentally leaking their company’s passwords.
Each data point can be attributed to a digital node: a connection, an image, or even an audio file. Open-Source Intelligence (OSINT) is readily available and accessible through a few searches on the Internet. One colloquial term for conducting OSINT research is "scraping the web," where mass amounts of data can be obtained through a single script or command. Metadata serves as the “hidden” or “cloaked” data behind data, such as an image’s descriptive text.
DISC Communication System: How to Profile an Individual
For target profiling, the DISC communication tool serves as a general breakdown for predicting how an individual behaves and communicates when interacting with others. The communication-based system is split into four quadrants along two axes, labelled Questioning-Accepting (x-axis) and …(y-axis). The four letters stand for Dominant (D), Influencing (I), Steady (S), and Compliant (C). A general breakdown of the four letters:
Dominant (D): Straightforward, tough, goal-oriented
Influencing (I): Energetic, cheerful, people-oriented
Steady (S): Peaceful, supportive, patient
Compliant (C): Detail-oriented, logical, factual
By accurately learning someone's DISC code (some are hybrids, like “IS”), social engineers can better facilitate and frame a conversation to go the way they want, and obtain important intel. Generally, people get along well with those similar to them in terms of beliefs, attitudes, and communication styles—birds of a feather flock together.
Why do social engineers gravitate towards the DISC system, then?
Nonverbal communication is huge in social engineering practices. DISC allows for the prediction of behavior and habits according to how a person communicates. For example, if a social engineer wanted to get an HR assistant who is a clear “S” type to trust them, they’d make sure to appear stable, patient, and caring. If, instead, the social engineer used “D”-type tactics and appeared hurried and matter-of-fact, they might put the assistant off and raise suspicions.
Microexpressions
Social engineers learn to read microexpressions to better gauge how a target might truly be feeling. Microexpressions, unlike "regular" (macro-)expressions (which last 0.5 – 4 seconds), last less than half a second. They are involuntary twitches of facial muscles that cause a flash of expression, which may then be covered up by another (often more socially and situationally appropriate) emotion.
Microexpressions are universal and important when determining someone's genuine emotional state—because they are impossible to conceal or fake. For example, if a target leaks a display of contempt (an asymmetrical raise of the lips) when they congratulate one of their colleagues, the target may secretly feel superior and "look down" upon their colleague perhaps because of jealousy or a set of ulterior motives.
Principles of Social Engineering
Short-term cognition factors can be broken down into workload, stress, and vigilance. Long-term cognition factors are more abstract and include personality, expertise, individual differences, and culture. In order for a cyberattack to succeed, the social engineer must figure out the important information in the shortest time frame possible to establish trust, then devise and carry out a plan on the spot.
To establish trust, they must keep in mind the five general principles of persuasion: authority; commitment, reciprocity and consistency (CRC); distraction; liking, similarity and distraction (LSD); and social proof. Humans are innately social creatures with core needs to belong, feel safe, be acknowledged, and be liked. In order to effect change, social engineers must deploy these tactics to “get in” through their target’s head (and thought processes) with the least friction possible. Forensic psychology encompasses many of these principles as well.
The global COVID-19 pandemic has sprung forth many interesting and elaborate cases of social engineering attacks. Hackers who break the law are known as black-hat social engineers. To combat and mitigate the damage, white-hat hackers use their knowledge of human cognition and computer systems to do good for society. They secure and maintain our rather fragile digital fabric, and encourage us to be respectful, vigilant digital citizens of the World Wide Web.