Last week, we had the pleasure of hosting the first ever live episode of the Hacking Humans podcast at KB4-CON in Orlando, where Kevin Mitnick and I teamed up with Dave Bittner and Joe Carrigan of the CyberWire to break down social engineering scams.
For the “catch of the day” segment, we discussed a typical phishing email in which a scammer threatens to assassinate the recipient unless they wire a sum of money to the attacker.
A scam of this kind uses fear to make people act irrationally. It's an extreme example of getting people to worry so much that they simply stop thinking: stress goes off the scale, and the target is no longer able to decide rationally.
I think it can be useful to think of social engineering in terms of John Boyd’s classic OODA loop analysis of human decision-making: observe, orient, decide, and act. As an Air Force officer, Boyd was thinking of air combat, but his theory applies to winning and losing in any context.
This is something fighter pilots are literally trained on. The bad guys are essentially trying to bypass and short-circuit the OODA loop. Instead of observe, orient, decide, and act, what they want you to do is observe and act. If you leave out the essential steps of orient and decide, you're heading for defeat.
Later in the show, my colleague Kevin Mitnick, our Chief Hacking Officer, described telephone pretexting. He pointed out that while phone companies have improved their authentication methods over the years, these attacks are still very effective.
“Organizations are commonly still pretexted as we sit here, and that is a very strong form of social engineering because we get instant compliance,” he said. “So if I can call somebody up at the company, pretend to be from IT, call somebody that I know is not technically astute, have them enter one command into their computer, and they don't understand what they're entering but they believe it's going to fix a problem - and then you get instant access. And that, in some cases, is much better for the attacker than waiting for someone to open up an email.”
John Boyd would have said that pretexting works when the victims let the attackers push them to observe and act, without orienting and deciding.
Attackers have an endless variety of social engineering attacks at their disposal. New-school security awareness training can give your employees the knowledge they need to recognize the fundamentals of these scams, no matter which form they take, and to stay inside the attackers’ OODA loop.
It was a great conference, and we hope to see our colleagues and friends again next year at KB4-CON. You can listen to all of our fun conversation with the CyberWire on this special episode of Hacking Humans: