This One Time I Did Goat Yoga: How Being Vulnerable in Security isn’t Always a Bad Thing
In the security profession, it is easy to become jaded. We work to protect our clients, customers, companies, and (often) families from becoming victims of cyber criminals. Our day-to-day routine involves thinking through the holes in every scenario, and accepting the fact that holes have to still exist somewhere. As a social engineer, the holes we examine are people – how do we patch the people to protect people and still trust people ourselves? How do we balance building relationships quickly for engagements, and building real relationships in our lives?
Multiple people have asked me how they “lie” about who they are to become better social engineers. They want to completely fabricate who they are, including their backstory, their feelings, etc. to “be” a social engineer. However, it’s important to remember that our engagements are not extensive undercover engagements; the goal (whether from the white or black hat side) is to assume an identity that won’t betray your actual identity, build rapport extremely quickly, retrieve specific information or flags, and move on to the next target. How does one quickly build rapport? One leading criteria is making the target feel LOYAL to you. How does one quickly garner loyalty? According to a recent podcast guest, Dov Baron, loyalty is built deeply and quickly when you are vulnerable with a person, and when they are trusted BY you. So, in an engagement, how do we use vulnerability to gain rapport quickly while not betraying our identities?
Creating and curating personas through vulnerability
The chief rule is to never break pretext, and, along with this, you want your persona to have depth so the pretext doesn’t alert the target. You want to seem like a real person and commit to being that real person. If you are trying to get extremely sensitive information out of a target, you’re going to want to place a “bid” in the conversation to create a safe space for your target. Step 1 is to understand who you are within the confines of the pretext: choose a name that is not yours, and avoid giving your true birthday or the authentic names of the people in your life. Step 2 is to build rapport quickly. To do this, don’t be afraid to draw on your true feelings and past experiences. They are powerful and effective, and the target/recipient will feel your authenticity and vulnerability.
Here’s an example: I may call a target as Jane Stevenson in my late 30s working in HR. I have her job function, her manager, her office location, and an extension number at the ready if anyone asks. These are DIRECTLY in front of my face when I make calls, so I don’t get caught without answers that my persona should have. None of these things are likely true, but they paint my legitimate pretext. These are the false facts a good SE must have at the ready. However, if the conversation with the target goes to unexpected places, and I am looking to endear the target to myself, Jane Stevenson will draw on some of my true and personal experiences. Jane will likely have a dog, some past experience with children, and a large family and friends with ridiculous stories. Maybe Jane did goat yoga with friends once, and one of them got pooped on while stretching with a goat. If I can use very true experiences to fuel my pretexted persona’s backstory and use them to relate to my target, I can endear the target to Jane Stevenson. This gives me opportunity to take the conversation into new personal directions and disarm the target by drawing on sincere narratives and experiences that would never connect you directly back to Cat Murdock.
Vulnerability as a social engineer
Recently, I wrote a pretty great spearphish for a very challenging client. While I felt victorious, there was also some definite guilt over how I wrote this phish. Essentially, I put myself in the email, though the target would never be able to identify me. My assumed identity was seeking a job and looking to be proactive in her interview process by sending her Github repo to the head of the department ahead of her alleged interview. My persona was nice, found a means to connect personally to the target through a statement I have literally used myself to get jobs in the past and, ultimately, the target clicked because they gave this nice person the benefit of the doubt that they had an interview coming up. This could train the target not to be a trusting, curious person who would go out on a limb for someone in the interview process. However, the lesson is NOT to avoid trusting people. The key is asking and answering questions of those around you and thinking critically about scenarios.
Think critically, not cynically
It can be challenging to hear tales of how being seemingly vulnerable led to a security threat, like in the previously mentioned spearphish, and not feel like the solution is to be less trusting and more cynical. However, the lesson isn’t to be more cynical towards new, human interaction but to challenge and think through interactions to identify which may be fraudulent. How can we move forward safely without assuming that every unknown individual who contacts us is a malicious actor? First, there were standard clues in the spearphishing email, and identifying any one of them would have shown the target that the email was fraudulent. Here were the flags:
the sender domain sought to look like a Github domain, but, in reality, was sketchy and had extra punctuation,
the URL was masked and would not have taken the target to the stated website, which can be seen by hovering the mouse over the link without clicking,
the sender’s user ID did not exist on the platform they stated, which can be checked by navigating directly to the stated website and verifying the account, and
they did not already have an interview scheduled with HR.
With a more thorough, critical look, this email could have been identified as a phish. The target could have emailed, or called, the HR person referenced to check if the sender was familiar and had a scheduled interview, as stated. The target could have checked the user ID on the platform stated in the email to see if the individual was real. Performing any single one of these actions before following the link could have indicated to the target that the email was a phish.
This example presented multiple flags the target could have used to check the validity of the email. Truly, the lesson for this individual, or anyone, should not be to assume all unexpected emails are malicious. The lesson is that we must constantly be thinking critically and trying our best to identify holes in an unexpected narrative.
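The first three flags above are mechanical checks a recipient (or a mail filter) can run before clicking. As an added example that is not part of the original post, the script below takes a constructed sample message modelled on the scenario described, a job applicant sending a repository link ahead of an interview, and reports each flag it finds: a sender domain that imitates the platform but is not it, link text that shows one host while the href points to another, and a claimed user ID that cannot be confirmed on the platform. The sample addresses, domains and the `KNOWN_ACCOUNTS` set are all assumptions made for the demo; the account check takes a caller-supplied set in place of visiting the platform, and the fourth flag (no interview on HR's calendar) is a phone call, not a function.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message for the demo (not a real phish). It mirrors the
# post's scenario: an "applicant" sends a repo link ahead of an interview.
SAMPLE_EMAIL = {
    "from": "jane.applicant@git-hub.example",
    "html_body": (
        "<p>HR said my interview is Thursday, so here is my portfolio: "
        '<a href="https://files.drop-zone.test/portfolio.zip">'
        "https://github.com/jane-applicant/portfolio</a></p>"
    ),
}

# Assumption for the demo: the domain the message claims to come from.
EXPECTED_SENDER_DOMAINS = {"github.com"}

# Accounts the recipient has confirmed on the platform. In practice this comes
# from navigating to the site directly; here it is a constructed empty set.
KNOWN_ACCOUNTS = set()


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _AnchorCollector()
    parser.feed(html)
    return parser.links


def registrable_domain(host):
    """Last two labels of a host. Naive on purpose; production code should use
    a public suffix list so that names like example.co.uk are handled."""
    return ".".join(host.lower().split(".")[-2:])


def _squash(text):
    """Keep only letters and digits so 'git-hub' and 'git.hub' compare equal to 'github'."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def sender_domain_flags(from_addr, expected_domains):
    """Flag 1: the sender domain imitates an expected domain (extra punctuation,
    extra labels) without actually being it."""
    domain = from_addr.rsplit("@", 1)[-1].lower()
    if domain in expected_domains:
        return []
    for legit in expected_domains:
        brand = _squash(legit.split(".")[0])
        if brand in _squash(domain) and registrable_domain(domain) != legit:
            return [f"sender domain {domain!r} imitates {legit!r} but is not it"]
    return [f"sender domain {domain!r} is not an expected sender domain"]


def link_flags(html):
    """Flag 2: the visible link text names one site but the href goes to another
    (what hovering over the link would reveal)."""
    flags = []
    for href, text in extract_links(html):
        if not text.lower().startswith(("http://", "https://")):
            continue  # only compare when the visible text itself looks like a URL
        shown, actual = urlparse(text).hostname or "", urlparse(href).hostname or ""
        if registrable_domain(shown) != registrable_domain(actual):
            flags.append(f"link shows {shown!r} but points to {actual!r}")
    return flags


def account_flags(html, known_accounts):
    """Flag 3: the user ID named in the displayed link cannot be confirmed on the
    platform. `known_accounts` stands in for checking the site directly."""
    flags = []
    for _href, text in extract_links(html):
        if not text.lower().startswith(("http://", "https://")):
            continue
        handle = urlparse(text).path.strip("/").split("/")[0]
        if handle and handle not in known_accounts:
            flags.append(f"claimed account {handle!r} could not be verified on the platform")
    return flags


def phishing_flags(email, expected_domains=EXPECTED_SENDER_DOMAINS, known_accounts=KNOWN_ACCOUNTS):
    """Run all three mechanical checks; any single flag is reason to stop and verify."""
    return (sender_domain_flags(email["from"], expected_domains)
            + link_flags(email["html_body"])
            + account_flags(email["html_body"], known_accounts))


if __name__ == "__main__":
    for flag in phishing_flags(SAMPLE_EMAIL):
        print("FLAG:", flag)
```

Any one returned flag is enough to stop and verify by another channel, which is the point the post makes: the checks are cheap and independent, so the recipient does not need to get all of them right.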
“Vulnerability” is not a four-letter word (literally or figuratively)
Remember, rapport is one thing and deep relationships are something entirely different, but you cannot have a deep relationship without first building rapport. Your first moments of rapport are a “bid” on a new relationship. In an engagement, this first “bid” will likely never be followed up on. It is a means to set the recipient at ease and make them feel like maybe, one day, you could be friends. In a real relationship, you will start by throwing out very similar rapport building strategies though, hopefully, you are using your real name and information (PSA: still do not give friends your passwords or SSNs).
As security professionals and social engineers, it’s important we realize when and how we are using our vulnerability, and if we stay aware we can protect ourselves in the process. It’s OK to be vulnerable as long as you understand when and how you are doing it. Maintaining honesty with yourself is the first key. Here are some good questions to ask yourself when building relationships with others:
What are your goals for this engagement? For this relationship?
What are you putting out into the world? What will be known about you after a certain conversation or statement?
Where might someone use this?
What is the risk of stating this information?
Are you telling yourself the truth?
Don’t be afraid to be vulnerable to build real relationships, don’t be afraid to be vulnerable as a leader, and don’t be afraid to be vulnerable in your role as a security professional or social engineer. There is power in getting to know people authentically, there is power in knowing yourself authentically, and there is even power in getting to know targets authentically. You never know what someone, or an experience with someone, will teach you when you show them parts of your authentic self.
It’s important to ask ourselves what we are securing, and why we are securing it. From the human side, I tend to view it as trying to keep people safe from malicious actors attempting to do ill to them. We are trying to protect the vulnerable, the trusting, and the good in people’s lives. We are attempting to help them avoid financial ruin and attacks on their reputation. We are more effective at our jobs if we get to know the people we are securing, if we get to know ourselves, and if we get to build real relationships and truly impact others.
Also, remember, we are the good guys. Good guys are trustworthy. Be trustworthy. Make it ok for others to be vulnerable with you by being vulnerable yourself.
Be kind. Think Critically. Avoid being cynical.
Written By: Cat Murdock