Social engineers come in many different flavours, from the disgruntled ex-employee who wants to disrupt his former employers activities, to the criminal who is looking for financial gain, to the activist who has an axe to grind with an organization, the type of attacker and their motivation for hitting a target varies widely. However, there is an aspect of social engineering activity which is common throughout all the different types, and it is in this that lies a real challenge for security professionals.
When Mallory said that he wanted to climb Everest “because it was there.” he summed it up well because the payload is for many Social Engineers, not really the point.
It is often the challenge itself that is of interest, the elegant dance of deception, the puzzle that needs cracking which makes the job so alluring, so difficult to resist and so addictive. Add to this the elements of financial gain, righteous indignation or delicious revenge and you have a potent cocktail that is difficult to resist. This element of the work is present in most cons and in most conmen, and defending against this level of temptation is a difficult job indeed.
In order to defend against social engineers organisations must be careful not to oversimplify. Whilst the most effective cons are often the simplest in execution, the planning, preparation and research behind them are complex and well thought out. You cant make yourself of less interest to a social engineer if you are an enticing target, but to avoid becoming another scalp on the belt you do need to make things difficult for them. So what does difficult look like?
Whilst social engineers are patient and cunning they are often fairly lazy too, we are interested in the easy way in, the quickest and most simple cons. We are not up for confrontations, explanations or discussion in any kind of depth. We don’t need to focus on these things for most targets because in all honesty most people are very easy to fool. So you must make your people difficult to fool, inquisitive, curious, nosey as hell. You have to forget rank and level and educate all of your staff in the same way, make sure you don’t forget someone, make sure you don’t underestimate someone because it is in that weakness that the citadel shall fall.
So, way back in the day, before I knew that what I did, what I always had done, and what I always will do, had a name, I had different reasons for wanting to get into 3 different places. There were 3 trophies I was after, in terms of breaching those targets, and I had different reasons for wanting each of them.
There was a zoo near where I lived, which was vile and cruel and has long since been closed down for these reasons, but I was interested in wandering around a zoo late at night. What would it feel like? How easy would it be to get in? Could we find our way into the restricted access areas and take a really close look at the animals? Maybe we would find something that would help shut them down and set the animals free? That type of thing. In my defence I was just a kid.
Second place was this huge office building which teamed with hundreds of suited staff all of whom looked to my young eyes thoroughly miserable and always in a massive hurry. Still at school I just wanted to have a gander at what they did, make a mental note to avoid this type of corporate prison in the future. I wanted to peep into their desks and fridges, to nosey around their meeting rooms and printers and just work out how the hell an organization could make so many people so unhappy but still compel them to stay.
Thirdly, there was a hotel, a really lovely very large hotel that had at one time been the epicenter of Liverpool’s showbiz culture back in the days of the Beatles et al. It had a faded glory now and a vile reputation and was known for its mean spiritedness to its customers and its stranglehold on its staff. I wanted to look inside and see whether I could feel the history of the place. I wanted to breathe in the atmosphere and get up to the supposedly haunted and entirely closed off 8th floor I wanted to see what I could see and there was no way they would let me do so legitimately.
3 different targets. 3 different breaches.
When Mallory spoke about climbing Everest “because its there.” he eloquently put his narly old climbers finger on one of the biggest challenges in security, that of protecting against a born social engineer who does it for the sheer joy of the challenge.
Kevin Mitnick was one of these, somebody who engineered his way around telephone exchanges and associated organisations just to prove it can be done. Its also how I came to the “job” without even knowing it had a title or that you could taking classes in it I was once and always will be a hacker of sorts.
For some people this form of hacking is a mindset, its in the DNA and is therefore very difficult to prevent or guard against because the payoff is not necessarily the point. Rather the joy is in the climb, the more difficult the mountain the more tempting it is to climb it, the more “secure” the facility the more satisfying the breach.
Some social engineers are a bit like Mallory, in as much as sometimes the thrill is in cracking the puzzle, rather than the payload. The problem security professionals have is that if your site is of interest, then it is of interest and its not as if you can make yourself less interesting to all the Social Engineering Mallorys out there…
So I am imagining a head of security, a CISO who is set as the guardian of the business and of all of its data, pitted against somebody who is thrilled by the challenge and up for a fight.
When Mallory was asked why he wanted to climb Everest he replied with the immortal words “Because it’s there…” and for me this sums up two things.
Firstly, it explains one of the challenges security professionals face from Social Engineers, and secondly it shows the difference between someone who has chosen to pursue Social Engineering as a career, and someone who is, as they say, a natural.
Social Engineers chose their targets for a number of reasons, at least one of which is the challenge of the attack. Sometimes, the payload is not really the point but rather the satisfaction of breaching a target, of cracking a code, of unraveling the puzzle is at least part of the motivation.
For security professionals guarding against this element of an attack is extremely difficult. If you are of interest to a big game hunter then how do you prevent being another scalp on their belt, another trophy in the display case? If you are of interest, then you are of interest and that hunter isn’t happy until they have bagged their prey.
The real problem is that most security professionals think like security professionals rather than the people who are stalking them. Remember, that social engineering attacks generally do not focus on the obvious ways in, and social engineers would rather not interact, confront or defend themselves unless absolutely necessary, the less face to face contact the better as a rule.
It was a very long time before I realized that what I did had a label and was known as “Social Engineering” and I’m not a big fan of the term btw, but I had more or less always been a social engineer.
From a misspent youth on the streets of Liverpool through to interest in urban exploration (URBEX) I had made it my business to get into places – because they were there. I wanted to look around offices at night and see what people were working on, to stroll down dark empty corridors and hack into vending machines, to wander around long forgotten building and to peer into the communal fridges and lockers of “locked” and forbidden places, I wanted to open doors simply because “they were locked,” and to prove that nothing and no one is ever really and permanently locked.
I never liked a locked door or a locked mind. Locks are lies, they give the illusion of safety and the appearance of security and I never liked them and I never believed in them. Locks, I always felt, mocked me.
The first lock I remember challenging me was on the front entrance of a zoo near to where I grew up. The zoo itself has long been shut down as being a horrible animal prison where no one in their right mind would go for enjoyment. The type of place where animal welfare doesn’t occur to the people involved, let alone take any sort of priority, a disgrace, an abomination, I was itching to break in.
We had scoped the place plenty, got under the outer fence dozens of times as we didn’t have the entry fee and wouldn’t have given money to such a place anyway, but we were bored and we were interested in what it would be like to wander around a zoo, at night. Maybe we could let some of the inhabitants go, cause a bit of bother, help them out?
We never actually stole anything, ironically, I only ever became a thief when I turned legit and it was the client that asked me to steal information or whatever I could to show it could be stolen. No, it wasn’t for gain that we did it, we did it simply to show that it could be done. We did it for the thrill of doing it. We did it for the adrenalin, and the challenge, and the satisfaction and that is dangerous. There is a contagion in that, an addictive quality that you cant easily destroy or overcome. It’s a particular personality that is attracted to this type of work and those who do not have that personality will struggle to stop those that do.
The challenge for security professionals is to think like the opposition, I really believe that it takes a thief to catch a thief. It’s a mindset, it’s a personality trait and it’s in the blood. How can you hope to catch someone with a wall when they can fly?
Recently, I spoke at a conference in a huge very corporate, very expensive building in an extremely expensive and security aware part of London. On the surface their security was both visible and good. They had cameras, card access points, escorted guests, secure waiting area, guest books, manned entrances, etc etc.
I had casually noted how I would breach the building as we approached it and I knew what I would try to get in both with no time to spare and if I had time to spin a longer con. I’m never going to breach that building, I do this out of habit, for fun, because its there.
The problem is that a real social engineer, by which I mean someone for whom SE is in the blood cant help but think about SE. Its not a just a career or a profession, its not an interest or a hobby, its not something that we necessarily study or learn, although it can be all of these things as well. For a natural Social Engineer, getting past, through or over all of your security is just a part of who they are, and that is what makes them so dangerous.
So I can say, I know how Mallory felt when he looked at Everest.
I first wrote this article for The Analogies Project as per this link