The 5 Steps to Successful Elicitation

Without a doubt there are many skills to becoming a successful social engineer.  It also seems that each skill is as important as the next.  This month I wanted to focus on one that can truly enhance your everyday communications as well as your ability to be a very successful social engineer.

Elicitation can be defined as the process of extracting information from someone, most commonly through conversation or questions.  This is more than just asking, “Cold out today huh?”  Sure, the response is “information,” but it is not really elicitation.  Instead, along the same lines, what about simply changing that question to, “What do you think of today’s weather?”

That simple change can help you to find out a lot more of what that person thinks and feels.  That information alone can help you when developing a profile on the target and developing your next line of questions.

That is why I thought it would be smart to outline the 5 steps you must have in order to become a successful elicitator.

Step One:  Know How to Communicate

This one sounds really complex, but it is essential.  We all have ways that we like to be communicated with, but our style of communication may not be for everyone we meet.  What can we do?

Learn how to communicate with people of all sorts.  Learn how to speak softer or louder, faster or slower, less or more.  Some people enjoy being close enough to touch and others have a wide personal space.  Learning to read these different styles can make a huge difference in the type of questions you will ask.

In everyday life, learning how to communicate with all types of people is very important.  As an example, the other day I was running really late, but I had to run to the bank.  I had a goal in mind, to make this deposit.  But I had forgotten my bank book at home and couldn’t go through the drive through.  I decided to go and try to just make it as quickly as possible.  As I walked in the bank I noticed that the woman behind the counter looked very angry.  She was rushing around and I heard her speak rudely to the guy in front of me in line.

First, noticing her very rushed appearance allowed me to determine I could not just walk up and tell her I forgot my bank book; her already irritated demeanor would have been made worse.  Noticing that she was a little rude to the previous patron would normally put me off, but I had to put that aside and ask, “Is there a way I can make HER day better…”  These simple thoughts helped me to see that she needed some validation and someone who wasn’t going to put any pressure on her to hurry more.

I decided that, although my goals were important to me, I would not achieve them without her help, and getting her help would require more than just asking.  When it was my turn in line I approached her, quickly reading her business card, and said to her, “Barbara, you look as busy as I feel today….”  With a slight pause allowing her to laugh and feel validated, I was then able to make my request.

Step Two:  Be Adaptive

All the paths of the first step lead to this.  Noticing the person’s communication style doesn’t really amount to much if you do not adapt.  Being able to adapt to the target’s communication style will mean changing the type of questions.  Adapting in the style of communication, both verbal and non-verbal, can make the target feel at ease, open up and be more willing to give the information you are requesting.

I have a friend who hates being touched at all.  He has a very serious phobia when it comes to anyone touching him. If you want to properly communicate with him you need to avoid getting close to him at all.  You can’t touch him, even prolonged handshakes make him uncomfortable.  To make him feel at ease it would be important to notice his body language and then adapt so as not to turn him off.

Being adaptive is probably one of the most important aspects of the five steps to elicitation.

While in the bank I am usually all business.  I am there for one purpose and I don’t really fancy hanging out in the bank.  Usually I am in and out and it is over.  Today, with the change in this woman’s attitude, I had to adapt my normal style of plainly telling her my problem and expecting her to fix it, so as not to irritate her more.  I could not expect her to adapt, but instead it was me who had to adapt to her to create the environment I wanted.

Step Three:  Building Rapport is Essential

Really the first two steps are completed to accomplish one goal: to build rapport.  We open up and we talk to our friends.  We buy, we give advice, we take hints, all from people we deem as our friends.  If we can keep our targets at ease, and then even take that a step further and make them our friend, they will tell us everything we ask.

Building rapport is no easy topic; there are literally volumes of books written on it.  There is no quick way to sum it all up perfectly, but I can tell you this:  If you come in acting like you have rapport and you believe it, your body language, non-verbals and voice will reflect that and send the signals confirming it.

Being confident, maintaining normal eye contact and adapting to their communication style can help put the target at ease and feeling very friendly.  Once the person feels rapport they will even forgive certain “mistakes” that you may make.  Rapport can help you feel at ease too and make communication very natural.

With Barbara the bank lady there were a few key pointers that made this work.  First, I used her name in a very calm and confident way.  I didn’t demand or demean, instead I validated her feelings of being busy.  With a quick joke and a smile after using her name I was able to build a very strong bond within only a few seconds.

Step Four:  The Cover Must Match the Book

What do I mean by that?  Well it is important that whatever pretext you are using matches the type of questions you will be asking or the conversation you will be having.  If your pretext is a lost tourist asking for directions and you start asking overly personal questions, it might cause a disconnect with the target.

Imagine a scenario where elicitation might be used to gather intel.  You approach your target as a potential vendor looking for internal contact information and some information about their present vendors.  All of this is information you may use as an attack vector later on, but if you approach the target and your questions are too personal or show you have too much internal knowledge, you can cause the target to feel uneasy, break rapport and end your chances of success.

As you develop your pretext, outline:
•    What type of questions would this kind of person ask of my target?
•    How would they ask for this information?
•    Would they have any need for personal information?
•    At what point do you know that your pretext would make the target uncomfortable?

Having all this clearly defined and even written out will help you succeed in being an amazing elicitator.

Of course, I wasn’t really planning on a pretext when I visited the bank.  I merely had a goal in mind, but in a way it is like a pretext.  Let’s word it this way… My “pretext” had to change from a busy guy who just wanted to get in and out, to a very understanding, equally busy man.  If my non-verbals screamed “I AM IRRITATED” (anger on the face and breaking eye contact) the messages would not have matched and my potential success could have been affected.

Step Five:  Ask the right questions

Up till now we haven’t mentioned one aspect that actually involves asking questions.  All of the four previous steps revolve around setting up the perfect environment to make the target feel comfortable and at ease so your elicitation goes smoother.

The final step is to learn to ask questions that force a response.  What do I mean by that?  Let’s refer back to the introduction where I spoke about asking about the weather.  Simply asking, “Pretty warm out today?” will elicit a very limited choice of answers – “Yup”, “Nah”, “hrmph” or the like.

By changing the question just a little we can “force” a much deeper response from the person, “What do you think of this weather?”  Now the person has to dig deep and tell us their feelings.  This will reveal a lot about that person and their likes and dislikes.

Now most of the time our goals are more than a weather report, but think about how you can word the questions and/or interactions for the maximum effect.  Think about the bank scenario I spoke about before.  My first step after noticing her irritation was to validate her being very busy.  That validation is a vital step as it makes the person’s feelings and actions justified.  This can bring the target a lot of comfort.  Next, after I noticed her body language change, not so rigid but more relaxed, I was able to then make my request.  Now I know that this bank hates when the patrons forget their bank books and have to make deposits the “manual” way, so I worded it like this:

“Barbara, maybe you can help me out?  I was running around like a frantic chicken this AM and realized I forgot my bank book.  I really need to make this deposit, but what do you think is the best way to do this quick so I can get out of your hair?”

This allowed her to be the “savior” of this poor forgetful sap and in addition, I validated her hectic schedule by telling her I wanted to get out of her hair.  She smiled at me and said,

“No problems, it will only take a second.”  Not only did she do the deposit, but she completely filled out the slip with all my information and details.  Mission accomplished.

What Can You Do?

Being a great elicitator is definitely a skill that all social engineers will want.  On the flip side though, elicitation is a very potent tool in the wrong hands.  The NSA’s website had information about this danger that we archived on the SE Framework.

I am not one to promote that we need to walk around double guessing everyone’s motives, but in reality we have to be more cautious with information leakage.  I have seen and heard people give out credit card numbers over their cell phones in public, access bank account details on public hotel lobby computers and not think twice about overly information-packed badges being worn with pride.  These “little” things can lead to a breach when mixed with elicitation.

Staying aware of your surroundings, thinking about the information being requested and not releasing too many details – even to the most friendly of folks – can go a long way in keeping you secure.

As a social engineer though, this skill is one that is easy to practice without having to step into the dark side.  Once you do this you will be amazed at how much information you can glean from people – simply by asking for it.

Till next month.

Written by Christopher Hadnagy