One question I get asked often is, “Chris, isn’t it legit to use fear as part of my social engineering pretext in a social engineering exercise? I mean, after all, the bad guys are doing it. Wouldn’t it be realistic?”
Well, I can’t argue with you that the bad guys are using FUD (Fear, Uncertainty and Doubt) to attack us. Especially with COVID-19 (Novel Coronavirus), we are seeing a massive influx of phishing emails, vishing calls, SMS attacks, and even impersonation attacks surrounding the fear of this virus. And I am sad to say, I have even seen some fellow SEs report they will try and use this while breaking into some buildings, going as far as donning gas masks and claiming they are cleaning for COVID-19.
Would these types of pretexts work? I’d have to say, probably yes. If I saw someone in a gas mask with intense cleaning solutions, I would avoid them at all costs. If they would work, then why not use them, right?
Enter the Motto
It is a legitimate question, “If it works, isn’t that what I get paid for? Aren’t I supposed to test every potential threat a company has, then tell them where they’re weak?”
Yes and no.
And, this is where our motto comes in, “Leave them feeling better for having met you” (https://www.social-engineer.org/framework/general-discussion/code-of-ethics/). I wanted to think of a good illustration for this, and here is what I came up with at 1am… so bear with me: Gordon Ramsay.
As a used-to-be chef, I would probably be willing to remove a small piece of my finger to be trained by Gordon Ramsay. Then, I go to my favorite streaming channel and turn on Hell’s Kitchen. I see the way he treats those poor souls. He demands the highest quality from them and gets it by yelling, berating, and cursing at them. I reflect on the utter stress, and I rethink my life choices.
But then, I can flip a few channels over and see Gordon Ramsay on MasterChef Junior, where young kids come to compete under his tutelage. There is no screaming, no cursing, no berating… BUT, there is still the stress, there is still the demand for the highest quality.
What is the lesson? It is the same Master Chef, the same world-leading expert, Gordon Ramsay, but in one case he is pushing his vocal cords to their limits and in the other he is not – he realizes what is needed in those situations.
So, let’s apply this to you, my dear fellow human hackers. You have a job here. Yes, it is to test everything, but it is also to really help your people learn. Think about and answer the following questions:
- How long have you been phishing/vishing/SE’ing this population?
- How have they performed during this testing?
- At what level of difficulty have you been testing them?
- Do they view you as their partner in protection, or the evil overlord of the dark underworld of cyber? (go drink now)
- Have they proven they are able to “catch” the type of ball you are throwing in previous tests?
- Would this test help them see the danger or alienate them?
Okay, now put down your pens or pencils. For the last few questions, do your answers begin with, “I think they can….” or “They better be able to…”? If you honestly answer all these questions, then it should be clear if you are really helping people to learn.
Once, I was tasked with phishing an organization with over 200,000 folks. So back then, how did I do when answering those same questions above?
- They were relatively new, under 6 months old
- They were doing poorly in testing
- Their previous tests were on the easy side
- They didn’t know me too well, and therefore I was NOT a partner yet
- They had not proven the ability to “catch what I was throwing”
So yes, hindsight is 20/20. But not thinking about these questions back then, guess what I did?
I saw in the news there was this new phish going around, the attacker sends an email from a popular online department store. It looks like a receipt for a purchase that is billed to the person’s credit card, complete with a “thank you for your order” message.
So, I proudly clicked send on 200,000+ emails and waited for my glory to pour in. But, there was no parade, there were no fireworks, there was no banquet in my honor. Instead, there were burning stakes and pitchfork-wielding locals in my front yard (well, figuratively)!
What happened? The organization’s IR department was overwhelmed with responses. There were also some people who were so afraid, they called the department store or their credit card company to report fraud. Multiple, very high-level investigations were instigated, and well… let me just tell you, it was a mess.
But Didn’t They Learn?
Well, no, because fear shuts down rational and critical thought by hijacking the amygdala. The residual, after finding out it was a test, was shame, guilt and anger – which are not the emotions that help one want to learn. The lesson was lost, and I was left with a giant mess to clean up and a lot of apologies.
We work with that client still today, and they are amazing. There was a lesson I learned there. If I had answered those questions above, I would have seen that I could lessen the intensity of the message and get the same feeling across. I can test without having to be the Gordon in Hell’s Kitchen. I can be the Gordon in MasterChef Junior and still get a high-quality product at the end. That is the lesson I believe is beneficial for many in this industry now and for those entering this industry.
If your goal is to show how awesome you are, how leet you are, how amazing your skills are – then yes, focus on the hardest, baddest, meanest pretexts around. But, if you want to have long-term, quality relationships with your clients, helping them become truly secure, then plan how you get them there.
Is There Ever a Time?
So, is there ever a time that you should use heavy pretexts that border on the “not leaving you feeling better for having met me” motto, or even stepping over it?
This same client, after working with them for 5 years straight, was trained, trained, and trained! One of their departments was a security machine, stopping us at every vector and pretext we threw at them. They were a prize fighter, a master chef, and they wanted and were ready for Hell’s Kitchen.
We unleashed a pretext on them so hardcore, I never speak about it in public… Well, unless you are in an APSE class (yes, I know, a shameless plug). Then, sometimes, I tell this story. But it worked, we got them again. They went back, trained that department, and became an impenetrable wall again… Until we came up with a new pretext. And so, this cat and mouse game continues, with us trying new things and them getting better at stopping us. They continue to build on what they learned to be more secure.
But, that took years to get there.
So, does fear have its place? Yes, it does. Does FUD have its place? Not in my book. Remember, we are paid to think like the bad guys, but it is essential to remember we are not. We are the good guys, and what separates us, well, what SHOULD separate us, is the ability to have empathy for our targets. Understand the emotions they will go through and realize our end goal, or mission. It is not only to train, educate, and empower our clients or staff to be protected from these attacks, but to leave them feeling better for having done so.
Stay safe. Stay positive. And, go SE someone.