Let me tell you about possibly my favorite onsite social engineering team engagement I have ever done! At this job, I was with 2 colleagues. We were tasked with gaining onsite access to a facility both during the day and at night. This story will focus on how we leveraged tribe mentality, which was vital to our success. So, before we start, what exactly is tribe mentality, and why is it important to social engineering?
Tribe Mentality
Tribe mentality can be defined as the tendency of people to seek out and connect with others who share similar interests, beliefs, or habits. Picture yourself walking into your high school cafeteria. What do you see? For me, I see kids sitting in groups. These groups are all defined by something unique. For example, I see the honor students, the band kids, the “cool” kids, the not so “cool” kids, and the artsy group. Of course, we could keep going with this but what is the point? These kids all flock together because they share either interests, beliefs, or habits. That interest may be something as surface as sharing a class, or something as deep as sharing the same religion. No matter what it is, they sit together because they feel comfortable. They, in essence, have formed a “tribe.”
Why is tribe mentality important in social engineering? Well, as a professional social engineer, when we write an email, make a call, or go onsite, we want to fit into their tribe as much as possible. This may mean using a similar email signature as those being tested, using the same language, or even dressing similarly.
Now, I am going to tell you the story. See if you can pick out the points where we used tribe mentality to our advantage.
The Story
We begin the onsite engagement, like all others, with reconnaissance. This enabled us to plan our ingress and egress routes, map out the facility, and determine our path before we step onsite. Spying a fence that was open, we came back at night for some onsite recon and entered the property through it. Once we gained access, we found a lot devoid of people that contained work materials and work uniforms. Now, temporarily possessing certain items was within scope for this project, so we took one of the work uniforms. It just so happened to fit one of my colleagues perfectly! No doubt, you see where this is going…
The next night, we returned for the red team engagement. This is where we test the facility to see if we get caught trying to gain access to sensitive areas. We were able to gain access (let’s skip over the part where a vehicle drove 20 feet in front of us and employees almost spotted us…) and made it back to the previously discovered lot. There, one of my colleagues changed into the work uniform and proceeded to walk around the facility for nearly an hour. In this time, he was neither stopped nor questioned.
The next day, we wanted to see if we could test this angle even further. So, we snuck into the facility in broad daylight, let my colleague get dressed up and pretty, and scoped out the area for him. Using an earpiece, we directed him away from high traffic areas and let him walk around the site. He entered buildings, walked 10 feet in front of employees, and promptly exited the location about 30 minutes later. In all that time and sunshine, no one approached nor spoke to him!
The Lesson
This story surely proves a point, but what is that point, and what can we learn from it? Well, it’s that none of us are immune to tribe mentality. The employees at this facility simply didn’t “see” my colleague, because he didn’t stand out. So, how can we combat this mentality? It starts with real-world and consistent training. Tests and trainings need to be as close to a real-world scenario as possible so that employees can “flex their muscles” in accurate and realistic situations. Next, this training must be consistent, just like working out, to see results. Importantly, this testing/training needs to be non-punitive. Punitive actions following testing do not support a learning culture and can create potential insider threats. Instead, focus on rewarding those that perform ideally. Finally, you need to narrow in and educate on how you want your employees to handle these scenarios where social engineering is leveraged. With these four steps you will be on your way to effective training!
This facility’s test really impressed upon me how even I, a professional social engineer, may still fall victim to its techniques. This means that all of us need to stay on top of our employees’ awareness of social engineering techniques, along with implementing the proper testing and training where appropriate. Together we can continue strengthening our human firewall.
Written by:
Shelby Dacko
Human Risk Analyst at Social-Engineer, LLC