There is a predictable four-step sequence to social engineering attacks typically referred to as an attack cycle: information gathering, establishing relationship and rapport, exploitation, and execution.
However, a number of factors can cause the cycle to repeat several or all of the stages for any given target. Depending on the nature of the attack and the target, the cycle can repeat several steps or even through every step multiple times until the attacker is caught, gives up, or is satisfied with the results. For example, an attacker may use a series of attacks to work their way to the target to achieve their goals because going straight to the intended recipient would likely fail. This is also known as a privilege escalation attack, making use of previously gained familiarity/referral from within the target company or exploiting information gained from previous interactions.
1. Information Gathering
The likelihood of success for most attacks depends on this phase so it is only natural to invest the majority of time and attention here. Information gathering techniques are elaborated in the Framework . Some of the information gathered is used to determine the attack vector, possible passwords, identify likely responses from various individuals, refine goals, become familiar and comfortable with the target, and formulate strong pretext(s).
2. Establish Relationship and Rapport
This phase establishes a working relationship with the target. This is a critical point as the quality of the relationship built by the attacker determines the level of cooperation and extent to which the target will go to help the attacker accomplish the goal. It can be as brief as hurrying towards the door with a big smile and eye contact so the target holds the door open for the attacker to walk through. It could be connecting on a personal level over the phone or as personal as showing family pictures and sharing stories with the receptionist in the lobby. It can also be as extensive as building an online relationship with the target through a fake profile on a dating or social networking site. Creating rapport is covered more in depth in the Framework.
This is when the attacker uses both information and relationships to actively infiltrate the target. In this phase, the attacker is focused on maintaining the momentum of compliance that was built in phase 2 without raising suspicion. Exploitation can take place through the divulging of seemingly unimportant information or access granted/transferred to the attacker. Examples of successful exploitation include:
- The act of holding the door open or otherwise allowing the attacker inside the facilities
- Disclosing password and username over the phone
- Offering social proof by introducing the SE to other company personnel
- Inserting a USB flash drive with a malicious payload to a company computer
- Opening an infected email attachment
- Exposing trade secrets in a discussion with a supposed “peer”
This phase is when the ultimate goal of the attack is accomplished, or for various reasons, the attack is ended in such a way as to not raise suspicion regarding what has occurred. Generally, it is not good practice to end an attack with the target questioning what just happened. Instead, it is better to leave the target feeling as if they did something good for someone else that allows possible future interactions to continue. This is also where any loose ends are addressed such as erasing digital footprints and ensuring no items or information are left behind for the target to either determine that an attack has taken place or the identity of the attacker. A well planned and smooth exit strategy is the attacker’s goal and final act in the attack.
(Contributor: Amade Nyirak)