Communication Models
In Communication models there is always a sender and a receiver (or intended receiver). Everyone has different personal realities formed by past experiences, perceptions and ideas. Everyone perceives, experiences, and interprets things differently based on these personal realities. Indeed, people will perceive events differently because of this fact.
What is Communication
Communication is where we bring someone else into our space or bubble and share that personal reality. All participants must have some concept of each other’s mental location. They also will have a possible channel of communication existing between them. They must agree sufficiently on these so that communication is taking place. This happens with all interactions, but as it is so common we do it without thinking about it. Communication take smany forms. But in all communication something is transmitted across a distance in the shared space. We can regard it as an object, a particle, or as a wave, or flow. It might be sound vibrations, rays of light, words, pieces of paper, cannon balls, body language, telepathy, or whatever.
Interpersonal Communication
In interpersonal communications there are several layers of sending messages. There is a verbal portion, using language, spoken or written. And there is also a non-verbal portion, covering everything else, most notably body language. A person’s reality filters these messages, both verbal and non-verbal. And they will form a concept in their reality on what the message is. Based on what the receiver perceives, their interpretation of the verbal and non-verbal input, they will form a concept in their reality of the meaning of the message. It may mean something to them, but it may or may not be what the sender intended.
In successful communication the perceived message will approximate the intended message to the sender’s satisfaction. However, the sender will only know that if, the message received back is congruent with what they had in mind.
Never take for granted that the receiver has the same reality as the sender. Or, that the receiver will interpret the message the same way as the sender intended it. Communication is not an absolute finite thing. Particularly, communication with language is always vague and misleading to some extent. To have effective communication one needs to take all the following factors into consideration.
- The different realities, the space the communication takes place in
- Verbal as well as non-verbal messages
- The intended meaning versus the perceived meaning.
History of Modeling
This brings us to forming communication models to use to break down vulnerabilities in people of the companies we are targeting. Vulnerabilities in humans are sneaky. They are hidden process of communication as well as all types of conversation. There are queues and messages in everything we do and how we do them. The messages come from many areas like sight, sound, touch, smell, and words. The target processess messages and then paints an overall picture of “What’s going on”. This method of assessment is called the Communication Process. This process was originally outlined by Claude Shannon and Warren Weaver in 1947.
They developed what was called “The Mother of All Models”.
These models were further advanced by Adler, Laswell, Schram, Berlo and many others. The advancements created other facets to play into the communication path and further increase the level in which one could infer the origin of response and feedback.
As time went on, more and more people came with theories on how communication works. This was last explored in fractal models by Rucker and Wheatley stating that “Communication is a fractal in Hilbert space.”
We can say that the basics of the communication process consist of three distinct phases.
Three Phases of Communication
Perception
In common language, Perception is the combination of our senses and the feedback we get from them being sent to our brain so that we can experience something. Oxford defines perception as: “the ability to see, hear, or become aware of something through the senses.”
Evaluation
Evaluation is the ability to take feedback from your senses and experiences and create an assessment of the situation or context. Oxford defines evaluation as: “form an idea of the amount or value of; assess”
Transmission
Transmission is not just the thing that changes the engines power into turning wheels, but it is the ability to send our thoughts, perception and evaluation of a particular context to another human. Merriam-Webster’s defines transmission as something that is transmitted: message.
With these basic phases we can breakdown most communication. This process is cyclical and will work internally and externally between you and your target.
It’s pretty obvious that the communication process depends on the ability to transmit the message. The words used in communication are much like packets in a network. These ”packets” carry information from person. Just like packets and their responses, we can tell a huge amount about the target by the “signature” of their response. We have to be able to form the words and have enough “wind” (respiratory capacity) to speak, to communicate verbally. We also have to do it in a way that actually communicates what we mean or the other in the conversation will get the wrong perception. This leads us to the Structure of communication.
The Structure of Communication
We can also break down communication into three components.
Self
Within the interaction the self is what is going on for you, your perceptions, and your feelings with relation to the interaction, i.e., your psychosomatic state.
Other
The other human you are interacting with and their psychosomatic state.
Context
The current situation you and the other are in, e.g., Fighting over a bill, arguing a topic, giving someone information about you and your company.
Gaining this understanding will give Social Engineers the ability to quickly deconstruct reactions and better move through the course of the conversation with the target user. The understanding of the communication model and the components of communication will give the engineer an ability to read the situation clearly and create emotions and reactions within the target.
The following is an explanation of the types of reactions using this model, known as Communication Stances, or Survival Stances. People use these stances to defend themselves in situations where they are outmatched in some way. You can use the stances below as an active guide to resolve a situation or to reverse engineer and create attacks.
Each stance is created by the individuals within the interaction having an understanding of only portions of the Self-Other-Context components and reacting to the lack of congruence in understanding.
Communication or Survival Stances
BLAMING: Target is aware of Self and Context
Definition
When a person copes by Blaming, they seek people or things to hold responsible for any problem. They do this not to learn from mistakes, or to prevent them in the future. But rather, to preserve their own view infallibility, and the fallibility of others.
Example
Often times you will want to take your target out of their comfort zone. This feeling of discomfort can cause the target to attempt to return to their comfort zone as quickly as possible, including engaging in actions that they otherwise would not as they are unsure how to behave in this new, unfamiliar, situation. This includes giving up sensitive information. In other situations, you may create a situation where blame rests on someone else’s shoulders but you are just the messenger.
Take the HVAC type attack. Here you can dress up in a Thrift store bought polo/work shirt and start to fake the appropriate credentials (badge, clipboard, work order, etc..). Your interactions with the target (if you get any resistance at all) will be much safer if you can blame your presence there on the home office, scheduled maintenance or some other external driving force.
This will give you leverage to say things like “ Maam, I am so sorry! They do this to me all the time. They make me barge into the store after telling me that you all know I am coming. Then I show up and all heck breaks loose”! This establishes you both as victims of a third party, and you are now playing the blame game with your target and may even score a friend out of the deal.
PLACATING: Target is aware of Other and Context
Definition
A person in this situation shows undue concern for possible negative consequences. They may want to avoid discomfort at any cost. Even being willing to exchange it for greater discomfort as long as it’s in the future. When the person placates, they collectively avoid confronting issues or people, preferring instead to take full responsibility for any disappointing outcomes. This sort of behavior is often seen by those that engage in passive aggressive actions.
Example
In this action, your target will connected to your needs and have no connection to them self. This is the perfect situation. If someone is on their knees begging for your forgiveness, it is a great time to ask for their credentials or something better. The perfect example of this is the classic attack from a supposed authoritative figure. When a SE poses as a figure of authority, the SE will use the common verification methods (spoofed caller ID, intel on access, org chart, and other vectors) to assume a plausible Executive Identity. Once assumed, the SE will force a user into a Placating stance through the use of various manipulating techniques. One idea is to create a sense of urgency around false pretense.
-
- “I am giving a presentation at XYZ partner (found during intel gathering) and I just got locked out of my BLEEPING VPN again. Why do you guys *target* keep locking me out? I am sick of this being a problem! I need this fixed RIGHT NOW!
By creating urgency, a sense of assumed authority and rank; you have hopefully forced the target into “I’ll do anything for you” mode.
SUPER REASONABLE: Target is aware only the Context
Definition
The “Super-reasonable” individual tries to cope while emphasizing context, usually through devotion to “objectivity or The Facts” and at the expense of human considerations or considerations of a relationship. Super-reasonable coping can lead an individual to adopt self-destructive strategies because they make sense for the “bottom line,” or because they emphasize some specific organizational priorities, even if they’re self-destructive.
Example
Context takes a bit more work in SE, though it will come up almost always. This is especially true for highly technical individuals. For this exercise, we will need to have done our homework. The idea of this stance is to force the target into a corner where they will rely on “the facts” or “the stats” to get them out of the discomfort. Here are two ideas on how to use this technique.
- Winning the context: In this method the SE will create a subject or select a topic that they are statistically correct. A quick and basic example could be that you ask a user for information about the organization and they respond with “It’s against our corporate policy to give you this information.” At that point you lead them to corporate documentation that proves to them that the claim is not true. This works really well if you can create the fake corporate site ahead of time and inject your *fact* into the policy you are referencing.
- Losing the context: In this method the SE will create a situation where the target must educate them. In this event, it is good to pick a losing stance in the argument (preferably around their infrastructure). With the intelligence gathered, the SE can argue that certain things are not technically functional or not feasible at all. This will give the target an opportunity to boast about how you are wrong and how “their” environment IS set up that way. This will insert you into a specific conversation to ask more pointed questions around the topic of “how did you get X to work, or How do you have this set up? Because when I did it … it failed!”
IRRELEVANT: Target is not aware of any of the aspects
Definition
Irrelevant coping in an individual is coping by flight. In the face of adversity, the individual copes by avoiding not only the adversity, but also any recognition of it.
Example
For the Irrelevant target there are many possibilities. Think of this target as a blank slate. This is a good stance to force a “tough target” into. If you are having trouble transitioning a target out of one of the above stances, this is a “plan b”. Targets who are confused or not tuned in to what’s going on will not notice the risk or indicate your actions as malicious.
An example of this stance in social engineering can be developed through the exploitation of those that are in a hurry. The typical executive will be regularly running from office to office and meeting to meeting. After profiling the executive, plan a meeting point to intersect the executive on a day their calendar is moderately busy (PS, If you didn’t know, most of their calendars are online or readily available from their admins.) Add a little fun into the mix by spoofing a caller id of another executive and calling the targets cell before intercept. Upon intercept, make sure the exec is on hold. It’s amazing how much information you’ll learn just because someone is acting irrelevant.
Developing a clear model ahead of time will take research, planning and practice. When perfected it can make the difference in success or failure of any SE attack.