On a recent SecureWorld Sessions podcast episode, Social Engineering: Hacking Humans, host Bruce Sussman spoke with Christopher Hadnagy, an entrepreneur and author of five books about social engineering and hacking the human.
Hadnagy began his journey into cybersecurity and social engineering when he was working with a company doing penetration testing and exploit writing and training.
He admits to not being too great at his job at the time, saying he wasn't good at coding and would constantly have to look up how to code certain things. He would eventually get things to work, but not knowing exactly how it worked bothered him.
So, he started educating himself by reading books on psychology and persuasion with the intent of understanding why what he was doing was working.
Reading all of these books led him to write his own, which became the world's very first framework for social engineering, Social Engineering: The Science of Human Hacking.
Hadnagy was reluctant to write the book at first, saying he was a hacker and not an author, but after talking with peers and a publishing company, the book was written and his new career began.
Here are three important concepts he has learned about hacking humans.
#1 How do you define social engineering?
Most of us have a notion of what social engineering is, but how does Hadnagy define it based on his life's work?
"I think many times when we talk about social engineering, and people look it up online, they find definitions that it's the manipulation of a person to do something. And I don't always agree with that definition because the more I studied the psychology behind how we make decisions as people, the more I realized that there's a positive and a negative, like a yin and a yang to social engineering.
So, I actually formed my own definition, which is any act that influences a person to take an action that may or may not be in their best interest. And I do that because when we talk about the positive side, it's influence and persuasion. But when we talk about the negative side, we're talking about phishing, and vishing, and smishing, and impersonation. But if we look at a con man that steals or scams millions of dollars from groups, and we look at someone who influences like a social media influencer, it's almost the same exact skills, but the reasons are different.
The way that they get you to like them, the way they build trust and rapport, the way they use good, positive nonverbals, their method of speaking, all of that is identical. It's just one hand, I want to steal money from you. The other hand, I want to influence you, maybe to be motivated to make a change in your life. Same skills, different output. And when we start to analyze it that way, it can really help us to learn how to protect our families, ourselves, or companies from these type of attacks."
#2 What is the answer to our physical social engineering problem?
Based off some of the stories Hadnagy told in the podcast, he makes it seem pretty easy to fool people into giving up their credentials and information.
So how do we reduce the risk of being socially engineered and help protect our employees? Here is his perspective:
"I don't think the answer is making us more suspicious, or more paranoid, because we don't profit as a human race, right? I mean, think about this. How do humans build cities and villages? It's because you come together as a group in a village and you say, 'Hey, we're going to all unite, we're going to make this village and your survival is based on that, that you don't want to get ousted from the village.' So we have to trust each other. That's how we procreate. That's how we proliferate across the earth. We need that feeling, that camaraderie, that network in order to stay alive.
People inherently want to believe that everyone else is just as trustworthy and nice as I am. They don't want to believe that you're going to be a bad guy.
So here's the fix. You have to take the security risk out of the person's hands. Think about it. Imagine if there was, at that front door, there was a mantrap. And for me to get through the mantrap, the security guard literally had to interact with me. So I wasn't allowed to walk up those stairs. He stops me and he goes, 'Hey, what are you doing here?' And I say, 'Oh, I'm Paul from so and so auditors. We're finishing the PCI audit,' and he looks at his paper and he says, 'I don't see you on the list. I can't let you in, sir.'
I respond, 'I was supposed to be on the list. We're just finishing this up. Let me call my contact and find out why no one in the bank knows that I'm supposed to be here.' I get booted, I don't get allowed in.
You're not telling that security guard to be paranoid. You're not telling him to be distrusting. You're not telling him to be non-human. What you're doing is you're taking that decision out of his hands. The mantrap is there to stop me. The list is there to confirm that I belong or not. If those two things don't match, I'm not allowed in. And that handles security.
The problem is, that takes a little bit of training, time, and money. And people would rather go for the easy solution, which is that guy fails and they fire him. That's not what happened on our jobs, because we ensure that people don't get fired when we succeed.
But, you know, that's what banks are doing and what many companies will do. It's like, well, that person fit well, but guess what? The next human you put there is just as vulnerable as the human you just replaced. So if you don't want humans then get a bunch of robots, but I don't think that's a great answer either, because that's tied to computers. That's just going to make another vulnerability. So, really, get the humans there. But don't expect them to be the perfect judges that we think we are."
#3 What is a solution to virtual social engineering schemes?
"I've sent 19 million phishing emails in my career. 19 million, okay?That's how many phishing emails, and I wrote my third book on the psychology of phishing.
And I have fallen for a phish.
I'm an Amazon junkie. I mean, literally, I have to recycle the boxes daily because of how many I have. I got an email from Amazon that looked identical to an Amazon email, saying one of my orders wasn't being shipped due to a declined credit card.
And I didn't do the right thing, which is what I tell all my clients to do: open a browser, go to amazon.com, login, and check your orders.
What I did? I clicked that link, because I was under stress. I was packing my office up for a business trip, I was heading to the airport, I was running late, I clicked that link, and I went to a page that looked just like an Amazon login page.
I use a password manager. The only thing that saved me was that password manager generally has my username there, but not my password. So I put my cursor into the password box to right click and put it in there, and my username wasn't there. And I'm like, well, why isn't my username there? And that made me look up at the URL bar, and I saw something.ru and I'm like, I got hacked by the Russians!
But here's what happened. It was the right emotional trigger for me. Now, maybe you don't like Amazon. But for me, that was the right emotional trigger. At the right emotional time, when I'm under stress, and I'm running late. Those two things combined and made me fall for something that I've sent 19 million of over my career.
Getting caught like this is not about being a stupid human. It's about being human. And if the attackers find the right pretext for you, you'll fall for it. So take that out, take that out for your company, for your family.
I tell people that if you want to protect your grandma and grandpa from scams, make it so they can't give things up. Put a little network box on their home network that stops certain sites, that stops a specific country's web traffic from coming in and out. Set up code words with grandma. So if you don't say it, she doesn't give money. You know, do things like that. You can help if you take it out of the hands of the human. Don't tell grandma or your end-users to be paranoid. Don't teach grandma how to be secure, because she's not gonna remember; make it so she can't mess up her life. And now you have security."
Why does social engineering keep working?
If there is one thing that Hadnagy has emphasized, it's that social engineering tricks work. So, we asked him if he is surprised when social engineering keeps working. Here was his response:
"I'm always surprised, right? It's not because I inherently think that humans are stupid, because I don't. But I'm always surprised, because in my mind, I know it's an attack. I know it's a ruse, so I'm always waiting to get caught. And my thought is like okay, they're gonna get me, they're gonna see right through it, like this is too easily picked out. So I'm always waiting for that shoe to drop. And when it doesn't, we're going wow, I can't believe that worked."
Hadnagy discusses so much more in the podcast episode, and even tells a story about how he used social engineering to work his way past armed gunmen at a bank.
So go ahead and give it a listen. Search "SecureWorld Sessions" on your favorite podcast app, or listen here: