A couple of years ago at a conference in Texas I heard the phrase “in the weeds.”
It means being in the sort of situation where you get so immersed in the details, “the weeds,” that it is hard to get any kind of productive perspective, or unbiased view. The English equivalent phrase would be “can’t see the wood for the trees,” and it reminds me a lot of an old director of mine who could spot a mistake in a spreadsheet of hundreds of columns and rows almost instantly, when the poor person who had spent the last three weeks of their life perfecting the document was blind to the errors. The person, often myself, was “in the weeds,” so familiar with the numbers and the document that they became blind to the errors a fresh pair of eyes could see instantly.
So being “in the weeds” is all about the blindness of familiarity: the tendency for everyday things not to really register in our consciousness, like a “mind the gap” sign, or a pothole in the road we drive down every day. We don’t see them because we always see them. In a way, those mental “weeds” are a sedative, and we are asleep when we should be awake.
Pondering this, I heard about a presentation an internal red team had given on their in-house social engineering prevention program: the phishing attacks, the simulations, the pretexting, the massive effort spent on trying to reinforce the “human element” of their business against social engineers, and all of the security issues that arise when people are involved at any level.
The problem with using internal teams is that unless they have been specifically trained to think like social engineers then they simply can’t and don’t replicate a social engineering attack. What you have is, at best, a group of employees trying to avoid the weeds that come with their day job, and simulate an attack that would, in reality, be carried out by someone who effectively has no weeds to worry about.
A social engineer looks at a target in the same way that director looked at my spreadsheets. He could see every flaw, every mistake, because he had fresh eyes on it, was unencumbered by any consequence of things not being right, and was, at heart, calculating and merciless in his criticism. A social engineer just doesn’t see what an employee sees, ever. They only see the errors, the weaknesses, the problems to be exploited; that is the entire point. For company employees, even in a huge global firm, trying to think like an attacker doesn’t really work a lot of the time because they have insider knowledge, are wrapped up at some level with the values, beliefs and politics of the business and – to put it bluntly – are still employees.
In-house teams clearly do great work and go some way to help and educate their colleagues, but the social engineering perspective tends to be wrong, because they are part of a wider team. If you work for the man, then at some level, the man gets your loyalty, calls the shots, and can call a day of reckoning. Whereas, no genuine social engineer ever worried about which font to use in the presentation explaining their actions!
Doesn’t happen. Different mindset. To coin another phrase, “there is no ‘I’ in team” and that is exactly how most social engineers prefer to work.
No team. No rules. No trust. Good.
For internal staff, getting past the “team” mentality and the employee mindset is extremely challenging, psychologically, and is, if anything, reinforced by the language and mindset of most “tiger” or “red” teams, who work together, plan their “exploits” together and report back together.
They celebrate their successes, support each other and present their results as a team. They have each other’s back, and exhibit all the normal behaviours and psychology of a close-knit group. You couldn’t get behaviour more remote from the way most social engineers and indeed hackers work.
The truth is, many social engineers are unlikely to consider themselves “team players,” as this is simply not productive for the role. The job does not inspire or benefit from being especially trusting, and the sort of people who do it tend to prefer, or at least not mind, working alone or with just one or two others. A social engineer has to take risks, make mistakes, take wrong turnings, and in this lies the reality, and also the effectiveness, or not, of the attack. It’s a different, malicious, perspective and relies heavily on not being tethered by restrictions, a lack of loyalty and, most of all, a lack of a regular pay cheque, especially from those we would be looking to breach.
So, whilst I admire and applaud the efforts of internal teams, it is important to recognize their limitations, because it is so very hard to get into the right mindset for an attack on your employer and colleagues. The secret would lie, as always, in the right leadership and in the sort of irreverent attitude to rules and disregard for any kind of procedure, loyalty or inclusiveness that is almost impossible to find within a company…
It’s not always wise to chop down weeds, especially if you live in the pond…