Book review: Social Engineer - The art of human hacking by Chris Hadnagy


I wanted to post a personal review on a current social engineering reference book. Christopher Hadnagy's book, "the art of human hacking" deserves the label of reference book in the social engineering field.

I enjoyed reading the book. Those who listen to the social engineering podcast, in which the author takes part, will find in the book most of the topics dealt in the first 20 something podcast episodes. This book is the written witness of the spirit present in the social-engineer podcast.

SE book highlights
In this post, I fly over, following a very personal route, the main ideas that the 9 chapters of this book contain. The book is easy to read. Every chapter conveys some summary points plus a brief summary at the end. This facilitates the identification of the learning points.

The lessons learnt are applicable in almost every aspect of our lives. By no means this summary aims to replace the reading of the book. On the contrary, this is a book I recommend to read, not only to information security professionals, but also to anyone interested in knowing how human beings tick. This book is a valuable tool when modelling human behaviour. Actually, if there is intelligent life in outer space and they need to liaise with humans, this is one of the books that they need to read so that they can understand humans.

chapter 1 - introduction to social engineering
This first chapter describes the different types of social engineers. Interesting point: governments are also social engineering actors.

chapter 2 - information gathering
Chapter 2 mentions information gathering tools like BasKet and Dradis. There are also two telling examples, the USB example mixed with an encounter in a cafe and the stamp collector story. Some points that I highlight are the following:
  • Interesting their message that every one can have and have different personal realities (page 44).
  • Most of the time people want to help (page 52).

chapter 3 - elicitation
Elicitation is non-threatening and it is very successful (page 58). It is eye-opening to know that a simple light conversation is all it takes to get some of the best information out of many people (page 58).This chapter mentions the intricacies of elicitation, such as how preloading the target with info or ideas on how we wanted them to react to certain info is a good start (page 62). They mention an example related to "how to convince your partner to go for dinner to a steak house" (page 62) - it is worth-reading it - would that really work?

A basic way of elicitation is to start a conversation with "I would like to tell you a really funny story" (page 63). 

The author also mentions the concept of preloading. From an social engineering (SE) viewpoint, "preloading involves knowing your goals before you start". Expressing a mutual interest is more powerful than appealing to someone's ego: another important learning point (page 67). More information on elicitation can be found in the social-engineer.org site.

Some of the elicitation techniques that the book mentions are:
  • Appealing to one's ego.
  • Expression of mutual interest.
  • Deliberate false statements.
  • Volunteering information.
  • Assumed knowledge.
  • The effects of alcohol (not a different technique but equally effective).
  • Open ended questions, what do you think of the weather today?

Let's define some concepts that the book presents:
  • Elicitation is the process of extracting information from something or someone. Read the definition on the social-engineer.org site.
  • Pretexting is the act of creating an invented scenario to persuade a targeted victim to release information or perform some action.
  • Preloading is influencing subjects before the event. Think about a movie's pre-release trailers. They use desired outcome words such as “The best film you have ever seen!” This technique works great when introducing anything. Preloading is a component of a social engineer attack.

Some of the techniques the author mentions are:
  • Use open-ended questions to obtain detailed information (page 70).
  • Closed-ended questions are appropriate to lead the target to a goal (page 72).
  • Asking people a leading question in order to manipulate their memory (page 73).
  • Assumptive questions - you need knowledge before hand so they need to be used with care (page 73).

chapter 4 - pretexting 
The ideas mentioned around pretexting i.e. creating the background story that makes up the character you will be for the social engineering audit, rotate on these points:
  • On the Internet you can be anyone you want to be. 
  • Create a scenario where people are comfortable with providing information they would normally not provide. 
  • Practice makes a good pretext.
  • Self-confidence is always related to a situation.
  • Cognitive disonance: People have the tendency to seek consistency among beliefs, opinions and cognitions.
  • Dialect - you need to master the right pretexting dialect - at least spend some time listening to people in public talking to each other.
  • Play it back later (from the recorder) this is recommendable
  • Use an outline script.
  • Use sounds from e.g. thrivingoffice.com
  • Do not try to make the pretext elaborate
  • Keep yourself within the legal arena
chapter 5 - mind tricks
According to this chapter, we need to identify the target dominant's way of thinking. The author refers to Dr. Paul Ekman. He showed that emotions are universal across cultures and biological backgrounds. He worked with  basic emotions through the microexpressions that show those emotions. However, these skilled people could show those microexpressions in a different time.

This chapter mentions a possible way to overcome the client's reluctance to communicate: We need to identify whether they are a fan of sight, hearing or feeling (the site www.examiner.com is mentioned as a source of info).

We also need to try to identify deception by identifying contradiction, hesitation and changes in behaviour and hand gestures. Some of the NLP language patterns to influence change on interlocutors have to do with the voice tone (site mentioned: planetnlp.com).

There is also a general recommendation to watch for a group of signs and not only one sign to determine the baseline of our interlocutor. A set of leads on which we have to focus are microexpressions, body language cues, changes in verb tense and person use. An example of anchoring is linking a statement of a like kind with a certain gesture.

An valuable fact: People retain less than 50% of what they hear. As smart interlocutors, we need to react to the message, not to the person. For example, a way to state something could be "it sounds to me like you are" rather that using "you are" alone.

While practicing all these techniques, we need to develop a genuine interest and let the other person talk about herself until she gets bored of it. Let's remember that people's fundamental needs are:
  • Love/connecting
  • Power/significance
  • Freedom/responsibility
  • Fun/learning
  • The effect of young star photos
  • Breathe at the same pace as your target
  • People like people who are like themselves
  • Human buffer overflow = law of expectation + mental padding + embedded roles 
chapter 6 - influence: The power of perceptionThis chapter mentions concepts such as "kill them (verbally) with kindness", scarcity and concessions and again that 
simply asking the target a question can lead to amazing results. We can manipulate attention through the use of scarcity. Let's remember that people are driven to desire that which is hard to obtain.

Chapter 6 lists these types of authority:
  • Legal authority.
  • Organisational authority.
  • Social authority (in western countries, clothing, cars and titles).
The author also describes the value of commitment and consistency with actions (e.g. people are more prone to help you when you leave a bag unattended if you previously ask someone to look after it) and some additional ideas such as:
  • Liking (people like people who like them).
  • People need to be liked, they change their behaviour to be liked by others.
  • Good-looking people succeed more than not good-looking people.
  • Humans attribute more good traits and skills to good-looking people.
chapter 7 - the tools of the social engineer 
We can read about lock picking, intelligence gathering using public sources, tools like Maltego, SET and password profilers.

chapter 8 - case studies: Dissecting the social engineer 
This chapter provides a valuable set of examples coming from the author and from Mr Mitnick himself.


chapter 9 - prevention and mitigation 
The bottomline: Prevention and mitigation creating a personal security awareness culture and the importance of developing scripts and being aware of the criticality of the information you are dealing with.

Happy social engineering!
Congratulations Mr Hadnagy!



0 comments: