Social engineering as a field is largely dependent on understanding, predicting, and influencing human behavior. Influence and persuasion tactics are a fascinating topic of conversation within many circles of social engineers, but they barely scratch the surface when it comes to truly understanding humans and what drives their behavior.
This talk aims to dive deeper into human behavior within the context of social engineering and security by leveraging interdisciplinary knowledge. We will look into the field of psychology, to help us better understand our universal hard-wiring, and into human intelligence (HUMINT) techniques. This includes how cognition and perception work, and how biopsychology and situational factors influence decision-making. This is the psychological layer that involves our basic hard-wiring and applies universally to all people.
But we will also discuss our individual behavioral wiring: aspects such as personality, self-identity and past experiences that make each of us unique. These are the aspects that help in assessing specific targets. Security professionals working with high-value targets will find this section particularly useful, as they will learn to read their targets in a more tailored way, find potentially exploitable weaknesses, and communicate with them more effectively. Examples will be provided.
This talk aims to open new horizons by introducing social engineers to topics in behavioral science that will help them better serve the people they are ultimately trying to protect.
Activity 2-unit 2-update 2024. English translation
Layer8 Con - Beyond Influence Techniques: Broadening your Social Engineering Skillset Through Psychology
1. Christina Lekati
Social Engineering Security
Trainer & Consultant
Cyber Risk GmbH
Beyond Influence Techniques:
Broadening your Social Engineering
Skillset Through Psychology
2. About Me
Christina Lekati
• Psychologist & Social Engineer
• Trainer & Consultant for Cyber Risk GmbH on the Human Element of Security
• Social Engineering & Security Awareness Trainings to All Levels of Employees / Security Teams
• Corporate & High-Value Target Vulnerability Assessments
• Board Member of the OSINT Curious project
3. Who This Talk Is For
• Social engineers in an offensive security capability
• Cybersecurity professionals working with the human factor
• …Anyone who wants to better understand themselves and others
Christina Lekati | Cyber Risk GmbH
4. Social Engineering & Human Behavior
3 important pillars of human behavior in social engineering: understanding, predicting, influencing
5. Social Psychology – Influence Techniques
Dr. R. B. Cialdini's 6 Influence Principles:
Reciprocation
Consistency
Social Proof
Liking
Authority
Scarcity
Influence principles rely on fundamental psychological principles that dictate strong behavioral tendencies, or "fixed action-patterns".
6. Social Engineering Attacks Have Evolved
"Hit-and-run" attacks vs more elaborate campaigns:
• Longer reconnaissance
• Tailored/ personalized approach
• More elaborate mind-games
• Deep-fakes
• Ongoing, state-sponsored social engineering campaigns
7. Understanding People
"Universal" Elements:
• Basic Needs
• Survival Instincts
• Social Dynamics
• Laws of Trust
• Perception
• Cognitive Processes
• Biopsychology
Individual Elements:
• Past Experiences
• Individual Needs
• Individual Weaknesses
• Individual Goals/ Desires
• Personality
• Self Identity
• Beliefs
8. Let's Start From The Basis of Human Nature: Our Hard-Wiring
"Universal" SE attacks build on the universal elements:
• Basic Needs
• Survival Instincts
• Social Dynamics
• Laws of Trust
• Perception
• Cognitive Processes
• Biopsychology
9. Universal Hard-Wiring
4 domains that study our basic human make-up, the way we are built to operate and interact with others:
Social Psychology: The scientific study of how people think, feel, and behave in a social context.
Perception: The way sensory information is organized, interpreted, and consciously experienced.
Cognition: How people think. All forms of knowing and awareness, such as complex perception processes, conceiving, remembering, reasoning, judging, imagining, and problem solving.
Biopsychology: The scientific study of the biology of behavior.
10. Social Engineering Attacks: What Do They Count On
1. A good cover (pretext)
2. Influencing the target's decision-making
BUT a target's decision-making depends on their perception of the situation and their cognitive abilities.
12. Perception
Perception refers to all the information we collect through our senses and the way we interpret it.
We do not process all sensory information.
The brain spends energy (cognitive power) mostly on what it prioritizes or considers important.
13. Perception
It is an ironic mental function: it exists to keep us safe, yet it works on appearances.
Perception enables us to scan and evaluate our environments and the circumstances we encounter. It lets us know if there is a threat, or if we are safe. It is a quick, complex process that does not require much energy or analytical capability.
It is a highly automated process that relies on appearances and snap judgments.
14. Perception
A social engineer who wants to approach a target will either:
• appear inconspicuous,
• look like they belong, or
• make themselves attractive to the target.
15. Perception – Forming Impressions
• Who is more successful?
• Who is more reliable?
• Whose opinion can you trust?
HALO EFFECT: a cognitive bias that causes our impression of someone in one domain to influence our impression of them in other domains.
18. Perception Manipulation
How is "Mia Ash" perceived?
Well-crafted social engineering personas are able to bypass the brain's cognitive filters and not raise suspicion.
19. Perception - Trust
We assign trustworthiness to people who:
• Look happy & relaxed in an encounter
• Have a calm, steady voice
• Appear to be like us (tribal effect)
OR
• Show the expected behavior under the specific circumstances
20. Perception & The Situation
Your brain spends energy, aka cognitive power, when analyzing a situation.
Each of us has a preset notion of the "behavioral scripts" people are meant to play within specific environments/ situations.
If you follow them, you slide by the perceptual filters.
If you draw attention but still follow the appropriate behavioral script, you may still not raise suspicion.
– It is important to be aware of the social settings and local scripts of behavior!
Examples: tailgating, impersonating
21. Perception in Phishing Scams
• The scammers used an email address that looked like it belonged to Corcoran's assistant but was misspelled by one letter.
• The email contained a fake invoice from a legitimate German company, for $388,700.11 for real estate renovations, which didn't raise any alarms because Corcoran invests in real estate.
• Thinking nothing was suspicious, the bookkeeper wired the money to the account listed in the email.
Source: https://www.forbes.com/sites/rachelsandler/2020/02/27/shark-tank-host-barbara-corcoran-loses-380000-in-email-scam
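The one-letter lookalike address in the Corcoran case is the kind of thing a mail pipeline can catch mechanically, even when the person reading the message does not. The following is an added example, not from the talk: a small Python check that compares an inbound sender against a list of trusted contacts using edit distance and flags domains (or, for shared webmail domains, full addresses) that are within a couple of edits of a known contact. The trusted list, the `webmail.example` shared domain and the sample messages are constructed for illustration.

```python
"""Lookalike-sender check for the 'misspelled by one letter' phishing pattern.

Added example, not from the talk.  All addresses below are constructed.
"""
from typing import Iterable, List, Optional, Tuple


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute), two-row dynamic programming."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def normalize(address: str) -> str:
    """Case-fold and strip a display name such as 'Name <addr>'."""
    addr = address.strip()
    if "<" in addr and addr.endswith(">"):
        addr = addr[addr.rindex("<") + 1:-1]
    return addr.lower()


def lookalike_of(sender: str, trusted: Iterable[str], max_edits: int = 2,
                 shared_domains: Iterable[str] = ()) -> Optional[str]:
    """Return the trusted address that `sender` imitates, or None.

    Rules, in order:
      * exact (case-insensitive) match              -> known contact, None
      * same domain as a trusted contact            -> colleague, None,
        unless the domain is in shared_domains (e.g. a webmail provider),
        where only a full address within max_edits is flagged
      * domain within max_edits of a trusted domain -> typosquat, flagged
    """
    s_full = normalize(sender)
    s_domain = s_full.rpartition("@")[2]
    trusted_full = [normalize(t) for t in trusted]
    shared = {d.lower() for d in shared_domains}
    if s_full in trusted_full:
        return None
    for t_full in trusted_full:
        t_domain = t_full.rpartition("@")[2]
        if s_domain == t_domain:
            if t_domain in shared and levenshtein(s_full, t_full) <= max_edits:
                return t_full
            continue
        if levenshtein(s_domain, t_domain) <= max_edits:
            return t_full
    return None


def triage(messages: Iterable[Tuple[str, str]], trusted: Iterable[str],
           **kw) -> List[Tuple[str, str, str]]:
    """Return (sender, subject, imitated_contact) for every suspicious message."""
    trusted = list(trusted)
    hits = []
    for sender, subject in messages:
        imitated = lookalike_of(sender, trusted, **kw)
        if imitated:
            hits.append((sender, subject, imitated))
    return hits


# Constructed data: a bookkeeper's trusted contacts and a morning's inbox.
TRUSTED = ["assistant@exampleoffice.com", "finance@exampleoffice.com",
           "bob.smith@webmail.example"]
SAMPLE_MESSAGES = [
    ("assistant@exampleoffice.com", "Invoice approved"),
    ("Assistant <assistant@exampleofice.com>", "URGENT: renovation invoice, wire today"),
    ("newhire@exampleoffice.com", "Lunch?"),
    ("bob.smith1@webmail.example", "Quick favour"),
    ("vendor@totally-unrelated.example", "Newsletter"),
]

if __name__ == "__main__":
    for sender, subject, imitated in triage(SAMPLE_MESSAGES, TRUSTED,
                                            shared_domains={"webmail.example"}):
        print(f"FLAG {sender!r} ({subject}) looks like {imitated}")
```

Running the file flags the dropped-"f" domain and the `bob.smith1` webmail address, and lets the genuine assistant, the new colleague and the unrelated vendor through. `max_edits=1` catches only the single-letter case; 2 also catches rn/m style substitutions but raises false positives on short domains, so in practice pair it with an allow-list. The same-domain rule assumes the organization controls its own domain; for webmail providers pass the domain in `shared_domains` so that only the exact address is trusted. This check is a complement to, not a substitute for, SPF/DKIM/DMARC: a lookalike domain the attacker registers themselves authenticates perfectly, which is exactly the case edit distance targets.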
22. Other Practical Applications
Everything is subject to snap judgments:
• On-site attack simulations
• Sock puppets conducting online monitoring
• (Virtual) HUMINT operations
• Phishing attack simulations
24. From Perception to Cognition
What affects whether you will move from perception to analytical thinking? Priorities and attention.
25. Priorities
We pay more attention to what we prioritize. Other information may fade into the background.
26. Attention
Attentional processes are the brain's way of shining a light on what is relevant to the person and filtering out the rest.
Attention limitations or failures occur when:
- having to process too much information
- multi-tasking
Exception! Some individuals are trained to an exceptional level of situational awareness. Their trained covert attention lets them receive and process a much broader spectrum of information.
27. Cognitive Analysis
Cognition: How people think. All forms of knowing and awareness, such as complex perception processes, conceiving, remembering, reasoning, judging, imagining, and problem solving.
Information / sensations → thinking (shaped by experience, knowledge, emotions) → outcomes
28. Cognitive Filtering
A social engineering engagement becomes more complicated when the target engages in cognitive processes, i.e. if they:
• Pause and think before they speak
• Ask questions
• Do not grant your requests
29. Cognitive Filtering
Internal questions asked during a first encounter:
• "Who is this person?"
• "What do they want?"
• "Are they a threat?"
• "How long will this take?"
• "What's in it for me?"
Source: C. Hadnagy, Social Engineering: The Science of Human Hacking (2018)
30. Cognitive Filtering
Communication capabilities have the power to influence cognitive processes.
• Have a good pretext
• Anticipate the target’s internal questions and address them in your communication
• Use emotional and situational factors to your advantage
32. Hacking The Cognitive Filters: Biopsychology
Biopsychology: The scientific study of the biology of behavior
Primarily based on hormones and chemicals created through:
• Emotions
• Stress
• Lack of sleep/ fatigue
33. Emotions
"I couldn't think straight"
• They trigger different priorities and introduce new motivations.
• Emotions will make someone want to approach a person/situation and engage with them, or the opposite.
• Positive emotions like liking & rapport can give people "rose-colored glasses". Associated chemicals: dopamine, serotonin, oxytocin (highly rewarding & addictive)
• Negative emotions like fear and tension trigger automatic avoidance responses. Hormones: cortisol, adrenaline
34. Stress
Stress hormones (cortisol, adrenaline) make the body believe and act as if there is an emergency. The brain gets occupied with that emergency. Mind and body get in tune to deal with the stressor.
Priorities shift – attention shifts to dealing with the stressor – cognitive processes underperform.
35. Situational Factors
Situational variables can make quite a bit of difference in the outcome of a behavior.
After everything you have learned, imagine...
• Introducing a stressor or diversion before/ during an encounter (e.g. a baby crying in the background)
• Selecting the right timing (e.g. Fridays, the busiest time of the year, etc.)
• Introducing emotional variables
36. The Good News: Neuroplasticity
All the above can be utilized in an offensive and defensive capacity.
Our brains ARE capable of creating new behavioral pathways that can become automatic.
Red flags act like cognitive triggers when employees have been trained well.
37. Defense
• Minimize employee decision-making where possible
• Good quality training that actively engages employees. Training that is personal, intrigues and
interests them
• Reinforce a “security mindset” within your organization – utilize group influence tactics
• Run exercises / attack simulations to reinforce good practices, learning & memory
38. What About Targeted, Tailored Attacks?
Individual Elements:
• Past Experiences
• Individual Needs
• Individual Weaknesses
• Individual Goals/ Desires
• Personality
• Self Identity
• Beliefs
40. Universal Needs
Maslow's Hierarchy of Needs (used to entice):
PHYSIOLOGICAL NEEDS: water, food, air, warmth, sleep, shelter
SAFETY NEEDS: security of physical self, family, health, finances, property
BELONGING / LOVE: social circle, friends, family, intimacy
ESTEEM: self-esteem, respect & appreciation from others, confidence, importance
SELF-ACTUALIZATION: goal achievement, self discovery, realization of one's full potential
41. Universal Motivating Factors
• Satisfy an (unmet) need
• Utilize the tribal instinct
• "Serve" their personal interests
• Make them feel good about themselves
42. Targeted Social Engineering Attacks
Targeted campaigns start from a basis of what is known about human hard-wiring.
They develop based on the target’s:
• Self interests, goals, desires
• Unmet needs & weaknesses
• Addictions
• Personality traits
• Strong beliefs
• Self-identity
43. Long-Term Social Engineering Attacks
Long-term attacks are not based on short-lived influence tactics. They are based on personal relationships.
As they progress, more information about the individual becomes known and additional bonding tactics are used.
Social engineers working in defensive security will need to learn to read their targets in a more specialized way, find potentially exploitable vulnerabilities, and help their clients become aware of those and protect themselves (and their organizations).
44. Defense
• Clear, non-negotiable boundaries
• A healthy dose of suspicion
• Threat awareness & self-awareness
• Target vulnerability assessments
We can still guard the gates. It is very difficult for an impersonator to be perfect at all levels and
not raise red flags. They too make mistakes and have to battle with their human limits.
45. Contact Details:
“Knowledge is a weapon.
I intend to be formidably armed.”
- Terry Goodkind
Christina Lekati
@ChristinaLekati
Christina Lekati
Social Engineering Security
Trainer & Consultant
Cyber Risk GmbH