The typical goals of a malicious social engineer can be compared to the goals of the average person in the work force. Knowledge is power, the more you know, the easier it may be to succeed. A malicious social engineer has some of the same goals that an average person may have but, with one difference; ethics.
Ethics are the base standards of what is good and bad within a society. If the society, as a whole, feels strongly enough that the behavior is bad, laws may be formed to prevent the behavior. Ethics are what separates the money making goals of the average person from the malicious social engineer; out to make their money or their name by stealing knowledge and using it in a non-ethical way.
Dr. Max Kilger, co-author of the Honeynet Project, has identified six motivations for non-ethical computer activity. These motivators can be applied with regards to social engineering. The six motivators are: money, entertainment, ego, cause, entrance into a social group and status within that social group. Slides 80-87 in this presentation touch on this.
These motivations are similar in any society (i.e. – people want to make more money or be accepted into a social group). It is important to note that Dr. Kilger did not include some key motivations: knowledge, revenge and curiosity. Each of these motivators can be looked at as a goal of social engineering. The ultimate goal, is information; information needed to satisfy the aforementioned motivators. Listed below are social engineering attacks that highlight some of these motivators:
City of Ottawa treasurer fell victim to US$100K phishing scam
Egyptian activists targeted in phishing scams
Someone hacked printers worldwide, urging people to subscribe to PewDiePie
Phishing Continues to Get More Sophisticated
Mirai Botnet Behind Massive DDoS Attack Against Dyn DNS
Source Code For loT Mirai Botnet Released
Sacked IT guy annihilates 23 of his ex-employer’s AWS servers
Maslow’s Hierarchy of Needs
Figure 1 depicts the basic needs to survive at the bottom of the triangle. Esteem needs and self-actualization are at the top of the hierarchy. Although the original diagram has been updated; the researcher chose to include the diagram from the 1970’s since it includes the cognitive need of knowledge, a main motivator for criminal behavior.
Using this hierarchy, one can see that at the base of the pyramid is the most primal of needs; the need for food and drink. The basic life needs often cost some amount of money, which may be gained by social engineering. Each of the goals and motivators could be placed into the hierarchy of needs; some needs may hold different positions for the social engineer. Self-actualization; or ego, esteem, status and cause, can be found at the top, or close to the top of the pyramid. A key motivator often times can be the need for recognition.
Social Engineering as a Protection
On the other hand, social engineering has become essential to executing professional penetration tests. A security professional may use the very same tactics as a malicious social engineer, but with one MAJOR difference; motivation. The motivation for the professional social engineer is to help a company see the dangers that lurk in the business world and what they need to do to increase their security. Simulated attacks during a pen test are an effective way to assess vulnerabilities. It enables a company to see clearly what they are doing correctly; and where improvement is needed. Customized training and education can be implemented based on the exposed vulnerabilities. Employee education and training can make the difference between success and failure in a social engineering attack.
Some examples of professional social engineers:
The goals of a malicious social engineer can be compared to the goals of any criminal activity; knowledge, power, money, control, bragging rights, etc. Malicious social engineering with the purpose of data theft, is like any other crime, it contains motive and a goal. If computer security personnel can brainstorm the reasons a social engineer might want to enter their system, along with a list of possible goals of that engineer, then preventative measures and training can be implemented.