SE: Methods of penetration, neurology.

Teacher

Shalom! Today's post is a bit of a strain for [intellectually] young minds. We will talk about neurology, methods of penetrating a company, intelligence, and social engineering (where would we be without it).
  • Neurology
  • Real Social Engineers
  • Differences in the capabilities of criminals and social engineers
  • Entering an object
  • How do I protect my company?

Neurology

The essence of a social engineering attack is to suppress a person's analytical capabilities and affect the emotional and reflex areas of the brain. The fact is that the human brain operates in different modes, generating pulses with different frequencies.

Thus, to control the actions of the victim, it is necessary to knock his brain out of "gamma" mode into "alpha" mode, and preferably into "theta" (although alpha mode is enough for social engineering; theta is more often used in religious sects). To that end, the victim is often given some frightening information about his personal life or official activities.

The following methods are used for this:
  • Smishing (SMS phishing). Mobile devices are used here. The victim receives a message allegedly from the bank's number.
    It usually contains some scary information and then suggests a solution to the problem. A classic example: the victim's personal account has supposedly been improperly debited, so the client is asked to click on a link to the bank's website (fake, of course) or to call the specified phone number (which also belongs to the fraudsters).
  • "Whaling" phishing (Whale Phishing). This is a phishing attack aimed at a top manager of a large company, since the victim is highly valued, and the information obtained will be more valuable than what ordinary employees of companies can give.
    And since high-ranking people are chosen as victims, fraudsters act accordingly: for example, they send letters of a legal nature or offer to discuss serious financial issues.
  • Clone Phishing. Fraudsters copy the form of a corporate email, creating an almost identical sample, but such an email is sent not from a real address, but from a fake one. The email itself looks like the ones that the user has already received from this organization, but the links in the email are replaced with malicious ones. In fact, such emails have a single purpose: "social hackers" try to force an employee to disclose personal or financial information by clicking on a link in the email, after which the user is redirected to a seemingly similar fake site designed to steal personal information.
  • Scareware ("scarecrow"). This method consists in scaring the victim into thinking that their computer is infected with malware or has accidentally downloaded illegal content. Once the fraudster sees that the victim is ready, they offer a solution to this fictitious problem: an antivirus program. In fact, this program is itself malware that aims to steal the user's personal information. The goal of scareware developers is to create fear in the user and push them to install fake antivirus software.
  • "Service for service" (from Lat. quid pro quo). If the fraudulent group does not have a qualified hacker, it can take a different route. First, the criminals conduct a preliminary study of the targets, then the attacker pretends to provide the victim with an important service. For example, a fraudster finds an employee with high network access privileges and calls them on the phone, posing as an employee of the company's technical support service. If the conversation goes well, the victim agrees to help solve the allegedly identified problems; the cybercriminal then begins to control the victim, blackmailing them into performing the actions the social engineer needs. This eventually leads to malware being launched in the system or data being stolen.
  • Honey Trap. This method has been used for many years. It is somewhat similar to the work of a marriage fraudster, only the goal is different. Where the marriage fraudster is after the victim's material assets, this fraudster is after information.
    To do this, a charming criminal meets a woman who occupies the desired position in the attacked company. Gradually, a relationship develops between them, and using the partner's trust, the fraudster gets all the information he needs. The genders of the fraudster and the victim may be reversed.

Real Social Engineers

However, scammers can't be called social engineers. They use ready-made templates that already contain questions and possible answers. Their actions are aimed at specific reactions of people under a certain impact.

A real social engineer is a person who can get into an object, get the necessary information there, and leave the object with the loot, and no one will be able to remember that he was there. Such a specialist can be seen in the movie "Catch Me If You Can". The prototype of the film's hero was a real criminal, who for a long time was the FBI's number one enemy. In our history there was Wolf Messing. He made a bet with Stalin that he would get into the Kremlin without a pass. And at the appointed hour, he entered the chief's office without being noticed by the guards.

There may have been more. But they don't advertise themselves. Social engineers don't use ready-made templates; they develop action scenarios on the go. They use reverse social engineering in their work. Its essence is to create a situation where the victim turns to them for help of their own accord, after which complete control over the person can be achieved.

Differences in the capabilities of criminals and social engineers

If consciousness by its very nature can block attempts to influence it, then the subconscious mind does not resist them, and this already determines the limits of the possibilities of ordinary methods of influence, operating mainly at the level of consciousness. The most advanced social engineering technique is based on this principle — a system of activations that lead the victim's subconscious mind to the necessary solution for the attacker.

To activate actions in the human psyche, there are psychological triggers. They are individual. Everyone has their own "triggers" hidden in the subconscious, triggers that have emerged due to individual characteristics, lifestyle and upbringing in certain conditions and traditions. That's why people react completely differently to the same external signals:
  • Emotions. With the help of emotion, the trigger is integrated into the scheme of human behavior. The combination of "reaction + external stimulus", supported by a strong emotion, is fixed very quickly and almost forever. It takes a lot of effort to change behavior imposed in this way. Emotions such as extreme fright can literally paralyze a person, preventing them from acting.
  • Responses. The reaction to a trigger is often spontaneous. Responses are very difficult to control, and sometimes the individual doesn't understand what's going on. In very severe cases, when the trigger was previously connected with a strong negative experience, a person can act in a distorted state of consciousness, with absolutely no control over themselves or their actions.
  • Time factor. Because a person's mind can only be controlled by direct action on the object, which is impossible, the victim must be forced to make a decision very quickly, before the brain returns to "gamma" mode again.

Entering an object

Social engineering methods used to infiltrate an object can be as follows:
  1. Throwing flash drives with harmful software in the office, cold calls.
  2. Phishing emails to employees.
  3. Personal contact with the employee (this can also be done remotely).
  4. Work at the site on the open day.
  5. Work at the site on a normal business day (several contacts with employees).
  6. Free access to the site (multiple contacts).
All levels provide for probable access to the protected information and its possible removal or modification (distortion, substitution), but with each level the volume of this information grows and its degree of importance (confidentiality) rises.

Reverse social engineering uses the usual patterns of a person's behavior and actions in certain situations. To get results, it is enough for a social engineer to provoke the right situation and develop it in the right way. Here, for example, are the shortcomings in the organization of object security and access control that a social engineer can use to enter a closed enterprise:
  • Excessive complexity and lack of organization. We wanted to do the best, but it turned out as always.
  • Insufficiently clear performance of duties by security personnel.
  • Improper training of security personnel, which allows an attacker to use their curiosity and excessive sociability.
  • Time intervals of the working day. It is known that before lunch and later in the evening, the vigilance of security personnel decreases.
Of course, with the development of ACS (access control systems), the complexity of penetration has increased. And the security guard may be instructed not to communicate with visitors. But even in this case, it remains possible to influence the decision-maker, for example, the head of security.

How do I protect my company?

The harm that a social engineer can cause touches almost all aspects of the company's activities. The following help protect against it:
  • Instruction on SE methods and ways to counter them. But this is not enough. There are always 10% of employees who will do the wrong thing in critical situations. To address this, there is SE resistance testing, where the company's management itself launches a training SE attack to check the readiness of personnel, the reaction of employees to the impact, and their integrity and honesty.
  • Development of new algorithms for responding to the impact of social engineers.
  • Use of technical protection tools (filters for incoming emails, antivirus programs, spam blockers, etc.).
In conclusion, by understanding how social engineering works, we can expand our understanding of deception and learn to recognize complex strategies and vulnerabilities that may not be visible to others.
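
The clone phishing described above (a near-identical copy of an earlier corporate email with the sender address and links swapped) is one thing an incoming-mail filter can check for. A sketch of that check, added here as an example and not part of the original post; the two messages and the `bank.example` / `bank-example.test` domains are constructed, and the 0.9 similarity threshold is an assumption:

```python
import difflib
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample messages (not real mail): an earlier legitimate notice
# and a clone with the sender domain and link host swapped.
LEGIT = """From: Example Bank <notices@bank.example>
Subject: Your monthly statement
Content-Type: text/html

<p>Dear customer, your statement is ready.</p>
<a href="https://online.bank.example/statements">View statement</a>
"""
CLONE = LEGIT.replace("bank.example", "bank-example.test")

class _Links(HTMLParser):
    """Collects the visible text and the host of every <a href>."""
    def __init__(self):
        super().__init__()
        self.hosts, self.text = set(), []

    def handle_starttag(self, tag, attrs):
        host = urlsplit(dict(attrs).get("href") or "").hostname if tag == "a" else None
        if host:
            self.hosts.add(host)

    def handle_data(self, data):
        self.text.append(data.strip())

def _profile(raw):
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    parser = _Links()
    parser.feed(msg.get_payload())
    return sender, parser.hosts, " ".join(t for t in parser.text if t)

def clone_phishing_signals(known_good, candidate, threshold=0.9):
    """Compare a new message with an earlier legitimate one from the same organisation."""
    good_sender, good_hosts, good_text = _profile(known_good)
    sender, hosts, text = _profile(candidate)
    same_look = difflib.SequenceMatcher(None, good_text, text).ratio() >= threshold
    new_hosts = sorted(hosts - good_hosts)  # link hosts never seen in the real mail
    changed = sender != good_sender
    return {"looks_like_known_mail": same_look, "sender_domain_changed": changed,
            "new_link_hosts": new_hosts,
            "suspected_clone": same_look and (changed or bool(new_hosts))}
```

A message is flagged only when it reads like known mail and its sender domain or link hosts differ, so an unrelated newsletter from a new sender does not trip the check.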
 