8th Layer Insights 7.6.21
Ep 4 | 7.6.21

Deceptionology 101: Introduction to the Dark Arts


Perry Carpenter: Have you ever thought, and, I mean, really thought, about deception? About how fundamental it is to the human experience? In so many ways deception is in our nature. It's just part of who we are. We start playing with the sliding scale of truth at such an early age that you can, literally, see the sly scheming going on behind the eyes of a toddler as they plot how to grab a cookie without you noticing. Or, maybe, to convince you that they brushed their teeth when they didn't. And our parents and society are complicit in our tutelage in this world of lies and half-truths and fibs serving as social lubricant, and even gigantic whoppers about fictitious bunnies that lay eggs, jolly fat men that slide down chimneys, and know whether we've been naughty or nice, and fairies that abscond with the recently detached teeth of children.

Perry Carpenter: The groups of people that raise us actually teach us to lie and actively encourage us to lie. I mean, when you think about it, how often do you really want to hear the unvarnished opinion of a kid in social situations? No, instead, we're taught to smile in these situations that we don't want to be in, and say the polite thing. And, for the love of everything that is holy, never answer the question, "Do these jeans make my butt look fat?" And then think about every great story that you love, from fairy tales where wolves hide inside of grandmothers, to movies where space rogues don the armor of their oppressors to go unnoticed as they try to accomplish their mission.

Perry Carpenter: I'd go as far as to say that, as humans, we're all master deceivers. But the problem is that we're all very, very easily deceived. And, honestly, I've been obsessed with the topic of deception for as long as I can remember. In today's episode, we'll be hearing from a number of experts who deceive for a living. In the cyber security world we call all these people social engineers. And we'll talk about what social engineers do, why their tactics work, and how we can defend ourselves. Welcome to Deceptionology 101, Introduction to the Dark Arts. Class is in session.

Rachael Tobac: A pretext is who you're pretending to be.

Chris Hadnagy: Let's just say a conman or a scammer gets you to part with your money by building trust, rapport, making you feel like they're your friend, like they want to help you.

Lisa Forte: I had a lot of experience of threat actors of all different types, targeting specific individuals, and what that looks like, and what the signs are, and how quickly you can go from being slightly suspicious of someone to completely fine with them.

George Finney: Fear runs much faster on our brains than...than other emotions, and so, you...you've got to get out ahead of that. And one of the techniques I...I talk about is the slowdown and frown technique. You...you've probably heard the...the advice that smiling for 30 seconds will trick your brain into releasing endorphins and make you happier. I think that frowning for 30 seconds also does the same thing to increase your own skepticism.

Rachael Tobac: A pretext is more than just assuming another person's identity. You're forming an entire back story. Occasionally, I'll change my voice if I have to be somebody who doesn't sound like me. I might change the way I dress, look, act, my tone, my cadence and word choice.

Lisa Forte: This is often shocking, but, often, in three or four messages, all that suspicion can be dismissed with the right words coming from that person.

George Finney: So, it...it helps you spot the red flags, but it also helps you start to question information, right? That...that doesn't sound right and, I think, again, giving yourself some time to slow down to...to process is good. That lets your neocortex kick in, but also, frowning, I...I think helps you naturally increase your own skepticism or vigilance.

Rachael Tobac: In verbal communication, when I'm phone hacking, and in in-person communication, my mannerisms change. And over email I might use more emojis, more exclamation points, or fewer, and use a completely different lexicon. It just depends who I'm pretending to be.

Perry Carpenter: I have been super excited to do this episode for quite a while, because deception is one of my favorite...oh, wait. Karl, our sound engineer, says that I'm getting a phone call. I didn't even know that this was a call-in show but, yeah, Karl, go ahead and patch that through. I guess that's...hello, Karl, you're live on air.

Morgan Freeman impersonator: Ah, yes, is this Perry Carpenter?

Perry Carpenter: Yes, this is he. Who's speaking?

Morgan Freeman impersonator: Okay, great. I'm so glad to have reached you. Perry, this is Morgan Freeman.

Perry Carpenter: Are you talking about the...the actor, Morgan Freeman?

Morgan Freeman impersonator: Yes. That Morgan Freeman.

Perry Carpenter: Wow. That's super incredible. I'm actually a big fan.

Morgan Freeman impersonator: Now, don't go all gushy on me.

Perry Carpenter: Sorry.

Morgan Freeman impersonator: Perry, I'm calling you because I've been a fan of your work for quite some time, and I think that I've got a project you would be perfect for. I'd be delighted if you were available.

Perry Carpenter: Sure. I'll check my calendar but, for you, I'm pretty sure I can make anything work. What are we talking about here? I mean, is this...did...did Netflix accept my script for Cyber Security Pancakes from Beyond the Grave?

Morgan Freeman impersonator: Oh, don't worry about the details now.

Perry Carpenter: Wait.

Morgan Freeman impersonator: We have plenty of time for me to catch you up on all of that.

Perry Carpenter: But, shouldn't I know what...

Morgan Freeman impersonator: I'm about to have to walk into a shoot and only have a few minutes to lock you in.

Perry Carpenter: But shouldn't I know what I'm signing up for? I mean, I...I trust you, but I'd like to know what I'm in for.

Morgan Freeman impersonator: What say you, Perry?

Perry Carpenter: Morgan, it...it sounds like you're trying to get me to say yes to something, and I don't even know what I'm saying yes to. Can you give me some bit of information, please?

Morgan Freeman impersonator: Oh, don't worry about the details. I mean, surely, this is a voice you can trust.

Perry Carpenter: Oh. Oh. Oh. Okay, okay, okay. I...I...trust you. Count me in.

Morgan Freeman impersonator: Okay.

Perry Carpenter: Whatever it is, count me in.

Morgan Freeman impersonator: Now, I just need a bit of information about you to pass on to my agent.

Perry Carpenter: I really hope it's that Netflix deal.

Morgan Freeman impersonator: And we'll need a small deposit of $9,500.

Perry Carpenter: Wait. $9,500? You need that from me? I'm hanging up now. This...this seems like a scam. I'm gone.

Morgan Freeman impersonator: Wait. Wait. Don't...don't hang up.

Perry Carpenter: Bye.

Morgan Freeman impersonator: This is a once...Perry? Perry?

Perry Carpenter: Karl, mute my mic.

Morgan Freeman impersonator: Perry. Are you there?

Perry Carpenter: Mute my mic.

Morgan Freeman impersonator: Are you there?

Perry Carpenter: Mute my mi--

Unknown male voice: He's gone. I don't think he bought it. Maybe we should try calling that Jack guy next?

Perry Carpenter: Well, it seems like my dreams of Netflix glory will have to wait a little bit longer, as will Cyber Security Pancakes from Beyond the Grave. Karl, please screen my calls from now on. And, yeah, go ahead and cue the intro. Thanks. Hi, there. My name is Perry Carpenter. Join me for a deep dive into what cyber security professionals refer to as the eighth layer of security: humans. This podcast is a multidisciplinary exploration into the complexities of human nature, and how those complexities impact everything, from why we think the things that we think, to why we do the things that we do, and how we can all make better decisions every day. Welcome to Eighth Layer Insights. I'm your host, Perry Carpenter. We'll be right back after this message.

Perry Carpenter: Welcome back. You know, when you think about it, social engineering has existed since the beginning. Across all people groups, our histories, our stories, our religious texts, all richly recount the use of deception as one of the fundamental traits of who we are. We use deception as a weapon, as a tactic to get ahead, to win battles, to wage wars, and, sometimes, even just to avoid the potentially awkward social situation. And, this scarlet thread of deception shines bright, even as our world becomes more technology-driven. And, here's the reality, our layers of technology-based security are pretty good at keeping bad guys out who rely primarily on technology-based attack methods and, because of that, it can often take weeks, months, or even longer, to create the perfect technology-based attack.

Perry Carpenter: But, it can take mere seconds to minutes to hack a human, and then, the whole techno-centric house of cards comes tumbling down. Game over. And that's why you'll see in report after report after report that social engineering is the opening volley in the vast majority of successful attacks resulting in data breach. Because it cuts through all of that technology or bypasses all of that technology, and targets the human.

Perry Carpenter: We'll be talking a lot about mental processes today. And so before we go too much further, let's do a couple of mental stretching exercises, just to get ourselves ready. Try this with me. Try to say the word, white, five times, as fast as you can. All right. Go now.

Perry Carpenter: Okay. Nice try, but I think you can do it faster and, maybe, even louder, wherever you are say, white, five times now. Great. Now answer this question. What do cows drink? You answered, milk, didn't you? That's okay. Most people do. But, even right now, you're realizing that was wrong, because, of course, cows don't drink milk, they produce milk. Cows drink water. And you may have even realized it as you were thinking it, or as you were saying it, simultaneously thinking, this can't be right. But you felt the mental tug in that direction, and you couldn't resist it.

Perry Carpenter: There are some very good reasons why that is so. The first reason is because I set a frame. And what framing does, is it sets context around a mental process, or a way that somebody views the world, and so, the framing here started with white. I was wanting you to...to think in the categories of white. And then, the other main thing at play here was the idea of rushing you. Rushing you into it was to engage a very fast style of thinking, where you're likely to take shortcuts. You're very unlikely to think methodically or logically about something. Now, you're in fast thinking mode and your frame is white. So your natural tendency is to go into an associative mode of thinking, where you look for an association to map to that answer. So, you're thinking of white, and you're thinking of types of drinks. And then, also, within frame, and within the association, was the idea of a cow, and milk is the common association because of the context of white and the context of cow. So all of this framing and the pressure of the speed all come together to, basically, force your mind to pick milk. Got milk?

Perry Carpenter: Before we go any further, let's go ahead and define a few terms, just so that we make sure that we're all on the same page, and, to do that, I'd like to invite one of our guests. Okay, Chris, thanks for joining us today. Go ahead and introduce yourself. Just say your name and your title and any other vital stats that you want everybody to know.

Chris Hadnagy: Oh, boy, I don't know. I'm Chris Hadnagy. I do know that part. Let's see. I'm the CEO of Social Engineer LLC, as well as Innocent Lives Foundation, but I think to refer to me, I'm Chief Human Hacker. That's...that's my title. That's what I like. [LAUGHS]

Perry Carpenter: Awesome. Thanks. So, you already mentioned the key phrase, and that is social engineering. Can you go ahead and give your definition for us?

Chris Hadnagy: Yeah. Mine is a little different than what you find on the internet. So, it's any act that influences a person to take an action that may or may not be in their best interests. I use a broad definition because, unlike what we find on the internet, I think there's a lot of positive aspects to SE.

Perry Carpenter: A quick note, if you didn't catch that. SE is a shorthand for social engineering. Let's get back to Chris.

Chris Hadnagy: Unlike what we find on the internet, I think there's a lot of positive aspects to SE. And I think when we look at how, let's just say, a conman or a scammer gets you to part with your money by building trust, rapport, making you feel like they're your friend, like they want to help you. That's the same thing we see on the positive side. The difference, for me, becomes intent. Am I trying to help you or harm you? And that intent is what makes the difference on how SE is used.

Perry Carpenter: So, Chris, pivoting off of that concept of intent, what is the relationship between influence and manipulation?

Chris Hadnagy: Probably the easy way I can define it is, if you think of the word influencer it always has a positive connotation to it. Like you say, "Oh, you're a social media influencer. That means you...you positively influence people." But, if I say, "Well, Perry, you're a manipulator," that doesn't sound too good. That sounds like you're out there just to get your own way. So, the way I think about influence versus manipulation is I define influence as getting someone to want to do what you want them to do. So, if I...if I influence you into a...into an action, then it becomes your idea, but not by force. You actually have the idea and you say, "Oh, I really want to do this", so you're not going to take an action that harms you. Whereas, if I manipulate you, you're going to take that action, but you're going to do it out of another emotion like fear or...or...or anger or sadness. And now, it doesn't matter if it's good for you or not, you're going to take it because I manipulated you to do it. So, I...I think that line really crosses on if it's good for the person or bad for the person.

Perry Carpenter: So, we have this broad category of social engineering, where the social engineer is either influencing or manipulating someone into taking an action that furthers the social engineer's goals. Now, there are a few other terms that we need to define under that. Social engineering is the category of behavior, and then, under that are the different forms that social engineering can take, and the different mental models that are exploited or utilized to get there. The forms that social engineering can take start off with things like using a pretext, which you heard described all the way back in the intro section of this podcast. Let's refresh your memory now.

Rachael Tobac: A pretext is who you're pretending to be.

Perry Carpenter: That's Rachael Tobac. Rachael is a hacker, a social engineer, and the CEO of Social Proof Security.

Rachael Tobac: A pretext is more than just assuming another person's identity. You're forming an entire back story. Occasionally, I'll change my voice if I have to be somebody who doesn't sound like me. I might change the way I dress, look, act, my tone, my cadence and word choice, both in verbal communication, when I'm phone hacking, and in in-person communication, my mannerisms change. And, over email, I might use more emojis, more exclamation points, or fewer, and use a completely different lexicon. It just depends who I'm pretending to be.

Perry Carpenter: In her definition of pretext, Rachael actually touched on another thing that we need to cover when we think about terms. And that is that we...we have this category of social engineering. We have this sub-component of pretexting, which is the back story, and then, that gets expressed in the forms that the social engineering takes and, by forms, I'm talking about other terms that you may be familiar with, one of which is phishing, so that's social engineering via email. Another is vishing, which is social engineering over the phone, using your voice. And then, there is smishing, which is social engineering via text message or SMS. And then, there is physical social engineering, and the...the common example of this that you might think about is in a spy movie. If you've ever seen somebody don the uniform of a janitor to slip in unnoticed as they try to accomplish their mission.

Perry Carpenter: All of these are expressions of social engineering and the leveraging of a pretext. And the reason that a pretext is so important, is because it sets that psychological frame. And, what a frame does, is it creates context and it allows that faster system of thinking, so that the shortcuts are happening over and over and over again, and the mind is in its comfort zone. It's not moving into that area of needing to do extremely logical, methodical processing. And, speaking of the mind and processing, let's talk about the psychological tricks that social engineers use to accomplish their missions.

Lisa Forte: I think, certainly from the information extraction perspective, I think people love to tell their story. And if you meet someone who shows an interest in you and wants to hear more about what you do and how you do it and gets your advice on things, people just want to tell that story.

Perry Carpenter: That was Lisa Forte.

Lisa Forte: And, what tends to happen, I think, is that, very often, what they don't realize is, because they're enjoying the interaction so much, because you're talking about yourself, and human beings, every single human being, loves to talk about themselves. It's just part of our makeup. And what they don't realize is, they're doing all the talking. Which means that the other person is doing all the information gathering.

Perry Carpenter: I was super excited to interview Lisa because she has one of the most interesting back stories I have ever heard. Let me have her give you some of that now.

Lisa Forte: Hello. I'm Lisa Forte. I'm a partner at Red Goat Cyber Security, and I'm an expert in social engineering and insider threat, as well as helping organizations rehearse for a cyber attack.

Perry Carpenter: Lisa, I understand you've had an interesting route into the field of cyber security and social engineering. Can you tell us a little bit about that?

Lisa Forte: Much to my parents' dismay, after I'd finished law school and was a young, enthusiastic lawyer here in the UK, I decided actually to abandon my career in law. And I took a job advising on international security, from a legal perspective, for a company that put armed guards on board ships to protect them from pirates.

Lisa Forte: My role very, very quickly went from, advising from a legal perspective on what you can and cannot do in international waters, to actually running security teams, designing how we're going to protect the ship, fortifying the ship, and then gathering intelligence on how pirates were operating in that area, how they were targeting ships. What was very interesting at the time, was that we discovered that the pirates seemed to know, with alarming precision, which ships had armed guards on and which didn't. And they would let ships pass them by that had armed personnel on board, and then would target the ones that did not. Which led us to believe that they must be getting intelligence on what and who are operating on those vessels.

Lisa Forte: So, we, sort of, launched a really big campaign on...on how they were doing it. And a lot of it was coming down to social engineering, mainly at ports, where they would have people speak to the...the mariners on board, and ask what cargo they were carrying, have they got much security, where is the security coming from, what's it like working with those security guards.

Perry Carpenter: What Lisa's talking about here is a very specific technique within social engineering called elicitation. And elicitation is the skill or the psychological ploys that are used to extract information from your target, all to further the social engineer's goals, so this information can be used to gain more credibility later. Let's say, you learn the name of a supervisor as you're doing this. Well, now you can name drop to gain credibility. Maybe you learn a specific operating system or an application that's used, and you can turn that into part of your attack methodology, and so on. So, elicitation is an extremely valuable tool in the social engineer's toolbox.

Lisa Forte: And, a lot of that intelligence got passed back down the chain to the pirates. That, and, obviously, there was a very, very clear link between London insurance houses and a lot of the intelligence on the ships as well. So, it became a very murky business, but it taught me a lot about security and a lot about threat actors. From there, I moved into counter terrorism intelligence in the UK, looking at how ISIS were recruiting young individuals to come out to Syria from Europe, from the UK especially, which they did online and they did, unfortunately, with an awful lot of success. They got a lot of young people to pack their bags, get a flight to Turkey, cross the border from Turkey into Syria, and join ISIS. So that, again, was social engineering, but by a different level of threat actors.

Lisa Forte: And then, I worked for one of the UK police cyber crime units, which was a great experience, focusing more on, obviously, the cyber crime and the organized crime groups that operated in Europe and around the world, and then, I left to join the private sector.

Perry Carpenter: One of the things that you'll realize the more that you look at social engineering, is that virtually everything comes down to establishing that frame or context. And you do that so that you can exert influence or create a situation that you can manipulate. And that could be influencing by providing information, just making something very easy to do, tricking somebody, telling a lie, something like that. Or it could just be injecting the right information at the right time to get the right result, because you understand your target. Now, that also means that social engineers don't have a corner on this market. This is an understood field of psychology, and a lot of that comes down to the science of persuasion. And the master of that is a guy by the name of Robert Cialdini, who, literally, wrote the book on the topic.

Perry Carpenter: Cialdini's book, Influence: The Psychology of Persuasion, was originally released in 1984, and has become the bible of sales professionals, marketing professionals, and social engineers alike. In his work, Cialdini offers seven principles of persuasion. That was recently updated from six, so the 2021 version of this book adds a seventh principle that was originally introduced in his book, Pre-Suasion, but those seven principles are, number one, reciprocity, two, commitment and consistency, three, social proof, four, authority, five, liking, and six, scarcity. And then, the seventh, the new one, is unity. Now, we'll talk about these in just a bit, but there is one of these that you may recognize: number three, social proof, is the name of Rachael Tobac's company, and so, I wanted to ask her a question about that.

Perry Carpenter: So, Rachael, I've been wondering this ever since I've seen the name of your company. Is the name Social Proof a reference to the Robert Cialdini principle of persuasion, or is it to indicate that your company and your consulting is to help people be more resistant to social engineering? Or is it both?

Rachael Tobac: I love that question, Perry. You know, no one's actually ever asked me that, that I can remember, so I appreciate you digging in there. There's a couple of different reasons why I call my company Social Proof Security. The first is social proof, from Robert Cialdini's book, Influence, like you mentioned. That's one of my favorite principles of persuasion to leverage. Highly recommend reading Robert Cialdini's books if you want to learn more, if you're listening to this and you haven't heard about his principles of persuasion. Social proof comes from his principles of persuasion. It's also, kind of, a play on words, in that I'm trying to proof people's social experience, so it's keeping you safer in your social interactions, because I'm social engineering, so social engineering, and proofing against that, and it also has social in it, and I help people keep themselves safe with their social media and the way that they portray themselves online.

Rachael Tobac: So, there's a lot of different play on words there, and I really appreciate you bringing that up, because I...I really don't think anyone's ever asked me that before.

Perry Carpenter: Okay. So, I was really glad to be able to get that answer, and then, also to hear Rachael's response to the question in general. But, let me talk about the principles of persuasion for just a minute. We don't have time to go into each one of them in detail, but you'll start to see them in practice as they come out in some of the stories that our guests are going to tell. So, number one, is reciprocity. This is the idea that people, when you give them something, are going to feel obliged to return the favor. And it can even be a small favor like, when a waiter or a waitress brings you a mint on your tray at the same time that they bring you your bill, it's been shown that, when this happens, you actually tip more than you would if they didn't. You feel that indebtedness, and so you respond even if the rest of your meal wasn't as good as it could have been.

Perry Carpenter: Number two is commitment and consistency. And this is the idea that, when we say that we are going to do something, we feel that obligation. We feel the...the obligation to be consistent with the things that we've said that we'll do, or the things that we've said and done before. Three is social proof, and that's the idea that we are influenced by what we see other people doing. So, if other people are flocking to and talking about this great book or TV show or...or celebrity, you will be more open to experiencing that thing, whatever it is. We are influenced by those around us and what they already like and what their opinions are.

Perry Carpenter: Four is authority. We see this a lot in social engineering. Somebody pretending to be a figure of authority, like a...a CEO or chief financial officer, or a law enforcement official, or anybody that has that air of more importance or more social standing than you or I typically have.

Perry Carpenter: Five is liking, and that's pretty easy. The more we like someone, the more we're likely to be persuaded by that person. So, even in sales, you hear this. People like to buy from people that they already like. And people will naturally trust people more if they like them. Six is scarcity. This is fear of missing out at its most primal level. If I just say, "There's only one left. You need to act now", there's a scarcity of resource, there's a scarcity of time that creates an urgency within our minds, and we feel like we will miss something if we don't act now. This is that phishing email that lands in somebody's inbox and says, "Your account will be suspended within the next 30 minutes if you don't click this link."

Perry Carpenter: And then, the unity principle, number seven, is the principle that was most recently added to Cialdini's work. And what the unity principle is, it's this basic tribal identity. The fact that we...we resonate with those people around us and we...we absorb their opinions and views, and we want to be liked by them. This is all about shared identity. It is being part of the group, part of the tribe. As humans, we want to be part of something bigger than we are. We want something to belong to. We'll be right back after the break.

Perry Carpenter: Okay. We'll see many of the principles that we already talked about play out in the stories that our social engineers are going to tell. But let's talk just for a second, about some of the emotional levers that social engineers may pull to accomplish their goals. There are various psychological levers that a social engineer will pull. They might pull the lever of human interest, where they're acting like somebody that needs help. And so, we naturally, as humans, want to help the other person. They may pull the lever of greed or self-interest, where that person feels like they're going to get something. They're going to have a financial reward or, maybe, get a free pizza, or a Starbucks gift card. They might pull the lever of anger, and send an email that elicits that angry, emotional response. Or they're very likely to pull the lever of fear.

Perry Carpenter: But, in all of this, we have to realize that we are being manipulated. Remember, heightened emotion is a social engineer's best friend, because it moves the victim. It moves the target into that fast thinking mode, where they're likely to take mental shortcuts and, when our mind is taking shortcuts, critical judgment goes out the window. So now, let's turn to our guest to hear how this plays out in real life settings.

Chris Hadnagy: I, oftentimes, talk about how our amygdala gets hijacked. If you're...if you're deathly afraid of snakes, and you're walking through your yard and, out of the corner of your eye, you see something long and black, you're going to reel back in fear. Your eyes are going to open wide, adrenalin is going to start pumping, your muscles are going to tighten, because your brain, your hippocampus, says, "Hey, you're afraid of snakes. I know that." And it's going to trigger the amygdala to have the fear response. Now, a couple of seconds later, you look down and you see it's the garden hose. And you go, "Oh, okay, I don't need to be afraid." But your brain took all of those actions and made physiological responses way before your...your brain thought about it, because of safety. If it was a snake, and you're deathly afraid, and it's poisonous, you should fight or flight. So it...it does these things to...to protect us.

Rachael Tobac: So, the US Air Force actually released a blog post about work that I did with them, so I'm allowed to speak to it. Obviously, not in a lot of detail but [LAUGHS], I can speak to it at a high level. They hired me to hack their systems from a social engineering perspective, and talked all about their investment in social engineering prevention for a lot of their human based systems. And I would say that's probably the highest stakes attack that I've ever done.

Rachael Tobac: Takes place over a couple of week long period and hacking over the phone, hacking over email, message, social media, all that stuff. It's a lot of fun. Very frightening to hack into a military system. As a hacker you think...you see the little window that comes up, this is a US Military [LAUGHS] system. Do not bypass this. Do not try and gain unauthorized access. And I'm thinking to myself, all right, Rachael. The US Air Force asked you to bypass this page, and the cognitive dissonance of seeing that red alert, do not cross, FBI warning, and me actually having to do it. That's...that's a hurdle to get over. But, a lot of fun.

Lisa Forte: When someone builds rapport with us and they mirror a lot of our interests, and they show an interest in us, it very much is an enjoyable experience, something that we want to continue, something that gives us feelings of pleasure. And so that tends to lower our...our guard, I suppose, and we end up thinking that this person is a friend and, because they're similar to us, we can trust them, because people like us are trustworthy.

Chris Hadnagy: So, there's something in psychology called truth bias, and it's where we...we want to believe that everybody is as honest and nice as us.

Lisa Forte: Someone who's so interested in our holiday, and is smiling, and really similar, can't possibly be a threat. And all of our, perhaps, trained or...or paranoia level barriers that we would normally have start to...start to be decreased.

Chris Hadnagy: So, imagine if we were different. Imagine if every person walked around and thought, when I saw you, I just thought you were here to...to ruin my life. You were here to get something from me. You were going to abuse me. You weren't going to be good. You're a bad person. How would we ever proliferate, as a human race, if we first distrusted everybody we met? So the way we're built is by having this truth bias, which is where we want to believe that everyone is being honest, truthful and nice. And we believe that so much that we'll even make excuses for things that should be red flags.

Lisa Forte: That's often how intelligence officers operate as well. They're not going to walk up to someone and say, "Oh, hi. I work for MI6. Can you just pass me all the information on your nuclear power plant?" Probably, the answer is going to be, "No." But, over time, befriending that person, building rapport with them, making them feel comfortable, eventually that information will flow.

Chris Hadnagy: We'll make excuses for when we see someone doing something or saying something. We're, like, "That doesn't sound right. But, you know what? They're just having a bad day." And we'll do that, as...as humans commonly, and that causes a...a vulnerability for us. And I don't want to say it's a weakness, because there's a strength in the way we are as...as a species, but it also is where our vulnerabilities are. Our strength is our weakness.

Lisa Forte: Often, I think, they didn't even realize that they'd given over any information. One of the things we noticed quite early on when I was working in the piracy industry, was that they had this technique which I always thought was really fascinating. And it was, basically, a technique where they gave the impression that they knew the information already. So, if you told me a piece of completely new information that was really juicy, exactly what I wanted to hear, they wouldn't react at all, and they'd almost dismiss it as, "Okay, well, I knew that. That's...that's nothing new." And what that meant, was that the person who handed over the information didn't think, "Ooh, maybe I shouldn't have said that. Why did they react like that? They were so shocked at this piece of information, maybe...maybe, I've given away something." So it was quite a clever way of pretending that the information meant nothing, and so, you could just keep giving them that sort of information.

Rachael Tobac: It's a lot about building rapport and making them feel safe and okay. I think, a lot of times, when people think about criminals hacking, they imagine it's some sort of, we've stolen your account, click here within 24 hours, like, really scary pretext, right? And, that creates a lot of stress on the victim which, actually sometimes, might affect the victim in such a way that makes them pump the brakes and say, "What the heck is going on here?" But, when I'm attacking, I don't harm people. I don't make them feel frightened. When I am done hacking a person, generally, they thank me. They say, "Thank you so much for your help today", or, "I'm so glad I was able to give you what you needed. Thanks so much for calling." At the end of each interaction that I have with somebody, I try and end it in such a way that they would thank me, and in a genuine way too. So, it's building that rapport, making people feel comfortable and safe, and like a friend. And if you can do that safely then, by the end of the conversation, they're not panicking, they're thanking.

Perry Carpenter: Rachael makes a really good point about psychological comfort here. Remember, a good social engineer is always trying to play towards the mind's natural reaction. And leaving somebody in a comfortable state is great, because that person feels like nothing different from the ordinary has happened. So their mind naturally filters all of that out and they just continue through their day. There's one technique that I talk about quite a bit, which is called feeding somebody a truth sandwich. So, if...if you're trying to slip some false information to somebody to get them to act in a certain way, well, then, one of the ways that you can still leave them comfortable is to start off with a true statement, and then slowly add the poison. So, you start off with a true statement that they already know, and that they'll have natural mental agreement with. There...there will be no push back. And that leaves them comfortable. You're still in rapport building mode, and so, they are comfortable with that, and they engage more.

Perry Carpenter: And then, after that, you start adding some of the poison in. You start slipping in some of the false information, and then, ultimately, you...you bring them to the point where you've given them enough truth and enough comfort, and you've moved them into the place where now you can inject the poison pill. And so, now the social engineer adds the poison pill. They...they slip them the information, the false statement, the direction that they need that person to take, in order to accomplish the social engineer's goal. And then, on the other side of that lie, you start to add more true statements, and more things that you know that you'll get natural mental agreement with. So, the idea of the truth sandwich is that you have these two bookends that are very true that get natural mental agreement, and then, in the middle of that, is the false thing, the thing that the social engineer needs the person to believe, or needs the person to do, but it is completely framed and surrounded by psychological comfort.

Perry Carpenter: Okay. Before we move on to talking about defenses, I want to give you one more model to think about, and this is called the OODA loop. That's O-O-D-A or Oscar, Oscar, Delta, Alpha. And the OODA loop is an acronym that represents the cycle of thinking that happens within our minds constantly. And that is, observe, which is to take in all of the sensory information around us, the things that we're seeing, the things that we're hearing, the things that we're smelling, the things that we're touching. It is telemetry data.

Perry Carpenter: And so our mind takes that in and then shuffles it into the second O, which is the, orient. That is contextualizing the information, and interpreting that telemetry data based on everything that we know and everything that we understand around the world, all of our biases, all of the pre-existing facts or false statements that we've been fed, and so on. Even the mood that we're in filters into the way that we orient around information, and so, you can see the power of having complete information in good context versus incomplete information in bad context.

Perry Carpenter: And then, based on the way that our mind orients around and contextualizes that information, then we decide on it, that's the D, and then, finally, we act on it. And these first two elements, these first two Os, the observe and the orient piece, are really important for a social engineer to understand, because a social engineer may be able to control that original telemetry, the things that their target is seeing or hearing. They may be able to control some of the contextualization, that orientation, based on information that they feed that person beforehand, or things that they know about the person, or know about the situation. And the social engineer is hoping for a specific action, a specific outcome. So they're hoping that somebody's mind, based on what they're observing, the way that they orient and contextualize around that information, will lead their mind to a specific decision, and then, ultimately, the action that the social engineer is hoping for. And that's just a really short description of the OODA loop.

Perry Carpenter: So now, let's get out our books for defense against the dark arts.

Rachael Tobac: If people can spot what it's like when someone's trying to appeal to their emotion and to their principles of persuasion from Robert Cialdini's book, Influence, then they're able to notice when somebody is saying something like this to them. Take a step back, and be politely paranoid.

Lisa Forte: People are lonely, which is also dangerous from a social engineering perspective. People are also incredibly uncertain. And one thing that uncertainty does, unfortunately, is it sort of weakens the human hardware, I think, and leaves us much more vulnerable to attack when we feel uncertain as to any sort of aspect of our lives.

Chris Hadnagy: So, once you're self aware, now you have a choice. I can control that. I'm not going to be able to control it from happening, but I can control my response to it after it happens by saying, "That's not reality. I don't...I don't...I don't actually have a reason for that feeling."

Perry Carpenter: For this section on building our defenses, I want to introduce you to one more guest.

George Finney: Howdy, folks. I'm George Finney. I'm the CISO for SMU in Dallas, Texas.

Perry Carpenter: George wrote a great book called Well Aware, Master the Nine Cyber Security Habits to Protect Your Future. And a number of those touch on things that would help us be more resistant to social engineering. And the thing that I always want to call forward, with respect to social engineering, is that we don't fall for social engineering attacks because we're stupid. We fall for social engineering because we're human, and social engineers are taking advantage of the natural tendencies associated with being human. They're taking advantage of human nature. And so, the only way to build resistance to that, is to learn how to change habits and patterns, and that's a great segue into George's book. Because George identified nine habits that we should adopt and cultivate to reduce human risk in our organizations and our lives. Let me go ahead and read those nine out for you right now, and then, we'll have George comment on them.

Perry Carpenter: So, number one is literacy. Two is skepticism. Three is vigilance. Four is secrecy. Five is culture. Six is diligence. Seven is community. Eight is mirroring. And, nine is deception. So, I know you're really interested to hear George's thoughts on each of these, so let's go back to the interview. George, can you give us some context about the habits and a quick description of each one?

George Finney: So, literacy, I think, is the foundation. That's where we...we all start, and...and that's, I think, where a lot of security awareness focus is on, is...is developing your understanding. But, I think, the habit of literacy really, for me, you can describe it as lifelong work. You have...and...and in...in the book I...I come up with this technique called tactical literacy where you have to have a strategy for learning what it is that you need to know, when you need to know it, and, with cyber, everything is always changing, right? The...the point isn't to make people cyber security experts. It's to...to prepare them to face the challenges, whatever their roles in...in...in life are going to be, and we ought to be flexible with our training to...to help people grow into better accountants or sales people, or whatever their roles are.

Perry Carpenter: If I remember correctly, number two was skepticism. Where does that fit in?

George Finney: If literacy is learning to read, skepticism is not believing everything you read. Again, I...I think that's a habit that you can cultivate, but you have to be able to...to tell the fake news from the real news. You have to have trusted sources. I'm part Irish, so you have to be able to spot the blarney, if you will. And then, going into vigilance, I...I think of vigilance as a directed skepticism. So, there are bad things that happen out there, and maybe you've heard about that from friends, and you're on the lookout for those specific things. But, I...I think vigilance, we...we have this idea that we're always vigilant, 100 percent all the time, and that's not the case. So, really, it's...it's about being able to...to spot that red flag in the moment, and having that...that focus.

Perry Carpenter: Yeah, and I think that's a really key thing there because, one of your other points, is going to talk about knowing the red flag, and then, being able to slow down so that you can properly evaluate it. But, let's keep moving.

George Finney: And then, you get to secrecy, and you have to know what it is that you're protecting. And...and you don't, necessarily, protect all things equally. With secrecy, you have to make it personal. That's, I think, what resonates with people. It...it's easy for me or you to protect our deepest, darkest, most embarrassing things that have happened to us. We just do that naturally, and, if we can translate that to...to what we're protecting, in terms of our clients, our data, our corporate trade secret, the...the recipe for...for Coca Cola, I think that translates really well. So, I'll pause here and just say the first four habits are things that you can do internally. So, those...those things naturally come inside of you. The final five habits are things that...that you need other people to...to do.

Perry Carpenter: Okay. So, literacy, skepticism, vigilance and secrecy, are all things that are within our personal control and how we manage our personal data and our personal environments and our personal mindsets. Once we get to these next five, we need external support or, for those in charge of security awareness programs, or security programs, we need to find ways to put in supports.

George Finney: So, the...the fifth habit is culture, and I think that's one of the...the most important things when it comes to collectively protecting our secrets. It is that we've got a...a culture that...that values that, and, in the book, I talk about how companies with a bad culture are...are, probably, three times more likely to have been the victim of a data breach, and that's irrespective of technology. That's irrespective of industry or geography, or whatever. So, culture is...is huge and it almost doesn't matter what...what plans or procedures or processes we put in place, if we're not getting culture. If you're seeing bad behaviors and you know that you can't make a difference if people won't listen, then there's no incentive for you to...to do good. So, from there, you go onto diligence which, again, arises out of culture, but we always need to be improving. Cyber security is always a...a cycle, and you need to learn from your mistakes. You need to grow. You need to have plans and processes.

George Finney: Tabletop exercises. Or, real breaches, you learn from those. You adapt your processes. You adapt your procedures and you continue to...to...to grow and improve. But, once...once you have that diligence, those plans in place, you realize you need to start being a part of a larger community, and that's, the seventh habit is community. And I...I think community takes into account that we can't be secure alone. It doesn't matter how...how good I am as an individual. I need help if I'm going to grow a business, if I'm going to be a part of a community, no matter what that is. That's really why we came together as a social animal. That's why we...we form groups, it's for mutual protection, and the more that we can do to participate in that, the better we all are, right? The bad guys, we know, are sharing intel, they're sharing information. Alone we're vulnerable. But, together, even if it's the financial services ISAC, right? That industry is collectively working together to protect all of those, even though, ostensibly, they're...they're competitors.

Perry Carpenter: I think that community piece is hugely important, because with community comes social pressures and social norms, and all the things that create and demonstrate the patterns that show, this is how you behave or these are the things that we should collectively think and value.

George Finney: Mirroring, the eighth habit, and once you start sharing information in a community, you need to know what information you're sharing, and we do that naturally, as human beings. We have this innate inborn empathy for one another, and...and we learn from one another's mistakes just from watching each other. And so, mirroring is...is really that habit of really internalizing those external lessons and...and...and making a difference.

Perry Carpenter: And, the ninth habit is one that's actually really interesting, because it sounds like something that the bad guys would be doing. But the ninth habit is deception.

George Finney: Which I love just because I'm teaching my daughter to play pranks and we...we just had April Fool's Day. It's fun and we want it to be seen as a positive thing, not necessarily as something that is trickery or lying. And...and that's...that's a fine line to walk, but I...I...I think deception is...is the one way. I'm...I'm not going to throw a bunch of Sun Tzu quotes at you, but that's how we understand what our adversaries are...are doing. That's how we see what their MO is, and that's how again, feeding back into the literacy habit, that's how we get better, is understanding what it is that they're doing, and what it is that they're after, and helping, again, educate. But, not just ourselves, but...but the entire community.

Perry Carpenter: A great example of a way to use deception in your personal life to increase your security is just not to answer your challenge questions or password resets with the real answers to those questions. So, you can go ahead and pick your mother's maiden name, but put Sasquatch, or something like that in it, or your favorite movie. Choose something completely different than that, or, even better, put in a completely different phrase that doesn't relate to the question. Now, the key is, that you have to be able to remember all of that. But, that is a great way to use deception. Don't answer those challenge questions honestly. Instead, embrace your evil side. Be deceptive and lie your little heart out.

George Finney: When I go to...to...to get takeout food, my...my daughter insists that we give them a fake name to pick up the food. And it can't be the same fake name every time. I've got to prep and come up with a new fake name. And, again, she's super young, she's in elementary. But, it...it...it's that habit of, hey, they don't really need to know my real name when they announce it to the whole room, or whatever. But, again, just simple things that...that I think can make a big difference.

Perry Carpenter: Well, I'm looking at the clock, and it is time to end this episode. So, I'm going to give Lisa the last word, and then, I'll be back to summarize with a few closing thoughts.

Lisa Forte: There's a move in psychology that says to get people to change their behavior you need two things. You need fear, because you need to have a driver. One, why should I start locking my front door? What's driving me to do that? It has to be fear of something bad happening. But then you also need an ability for that person to...to take matters into their own hands, that self efficacy of...of managing the threat. And if you have those two things, where someone feels able to manage the threat, and they fear the threat itself, you'll get behavior change. And at the moment I think we...we do fear really well. We...we push the fear line brilliantly, but we don't give the public those tools to be able to manage their own security.

Perry Carpenter: In the end it all comes back to human nature. Social engineers exploit human nature, they exploit our emotions and our patterns of thoughts to achieve their goals, and the way that we combat those techniques has to take human nature into account. If we ignore human nature we leave our people and ourselves vulnerable. And, at the end of the day, really, the entire reason that we work to secure technology is because that technology exists to serve human purposes. And when the technology behind our civilization, our infrastructure, and our communication fails because of security issues, people pay the price, not other pieces of technology. So, it's time to equip people with the habits and the mental defenses they need to manage social engineering. Oh, and you'll notice that I named this episode Deceptionology 101, and that's because we only had time to scratch the surface in this episode.

Perry Carpenter: There's so much more that we can cover and, in the future, I'll be dedicating entire episodes to attacker mindsets and to how we perceive risk and why we're so bad at it. So, stay tuned. Thanks so much for listening, and thank you to our guests, Chris Hadnagy, George Finney, Lisa Forte, and Rachael Tobac. If you're interested in this topic and you want to learn more, I'll have links to the authors, their books, their training materials, and a whole host of other related content in the show notes. And if you liked this episode, I would really appreciate it if you'd help me out by creating a bit of social proof. Please take just a couple of seconds to go to Apple podcasts and rate, and consider leaving a review. That does so much to help. And you can also help out by posting about it on social media and recommending it within your network, and, heck, maybe even your friends and family. And if you haven't yet, go ahead and subscribe and follow wherever you like to get your podcast fix.

Perry Carpenter: Lastly, if you want to connect with me, feel free to reach out on LinkedIn or Twitter. In addition, I also participate in a group on Clubhouse, and we meet once a week on Friday. It's called The Human Layer Club. Just search for it in Clubhouse, and you'll find it, no problem. So, until next time, thank you so much. I'm Perry Carpenter, signing off.