After a long day, you ask your child or significant other how their day was. Very likely, they will respond with a vague “good.” In another instance, you ask your boss when you’ll be getting promoted, yet he/she dismisses your question. Or you’re a social engineer and need to extract vital information for an in-person adversary simulation. In all the above scenarios, elicitation can play a key role in obtaining information.
Elicitation is not new. Since the beginning of time, people have been using this method to obtain information. For example, concerned parents and nosy neighbors use elicitation. Imposters also use elicitation when attempting to gain access you your personal information. As you can see, elicitation is a two-sided coin; on one hand we can use it to our advantage. On the other hand, we can be targeted by malicious attackers with the same techniques. What are some useful elicitation techniques? And what can we do if we feel we are targets of malicious elicitation?
What is Elicitation?
What is elicitation? FBI.Gov describes elicitation as “a technique used to collect information that is not readily available and do so without raising suspicion.” In other words, elicitation is a discrete way to obtain information. It is a conversation with intent. During successful elicitation, the person we’re seeking to obtain information from (or our target) should provide this information casually and willingly. A simple example of elicitation would be planning a surprise party and needing to find out details such as the person’s schedule, wish list, list of friends and favorite foods, without raising suspicion. To obtain this information without raising any flags, it’s important to think of how to start the conversation. What specific items of information need to be obtained? How would you go about obtaining the information in a casual way to not raise any questions? The following are some steps for successful elicitation.
Set Your Goal
Set your goal before the conversation takes place. Be specific and write down the items of information you’re seeking to gain from the conversation, as well as the overall goal. It is helpful to start the conversation with something not related to your objective. Start by selecting a topic that interests your target. Next, create a pretext or story that makes sense. And then think about how you will ask the questions, will they be direct or indirect?
In the Advanced Practical Social Engineering Class (APSE), a student was asked to go out and collect personal information from different strangers such as family information, full name, date of birth, and where they lived. On one occasion, the student went to a hardware store and approached a man to ask for advice on which drill to get her husband for their anniversary. In this instance, the student asked the questions indirectly, as part of a casual conversation. On the second occasion, the student’s pretext involved posing as a hotel clerk doing a survey. In this case, the questions were asked directly. Both instances were successful because the goals were preset and the pretext made sense to the targets.
Observation and Research
We don’t always know who our target will be, as in the case of a social engineering engagement. Therefore, observing how staff operate and doing research in advance will be necessary to find the best way to start the conversation. Doing research also helps to know which information the target considers sensitive. Keeping this in mind will help us to be tactful as we are trying to elicit information. A brief observation of our targets can help us determine certain aspects of their personality or mood. Are they outgoing or reserved? Are they rushing or do they seem relaxed? Once we have determined this, we can adapt our pace and tone of voice, as well body language, to make our target feel at ease as we start the conversation.
Open the Door
Usually, if someone opens the door for you, you feel obliged to open the next door for them. This “quid pro quo” or “this for that” principle can be a very effective elicitation technique. This involves giving information about yourself, business, etc., in hopes that the person will reciprocate. For example, “Our company’s security guards are not very effective, they usually sleep at night. Are yours any better?” By sharing information and showing a certain level of vulnerability, you seem less of a threat to the target. This also helps them feel more comfortable sharing similar information with you.
Active Listening
Active listening involves more than just hearing a person speak. Instead of listening with the intent to reply, listen with the intent to understand. If you’re thinking about what you’ll say next, you may miss important details of the conversation. When you’re actively listening, show that you’re trying to understand by asking questions and/or repeating some of the target’s statement. For example, if the target says they’ve working over 50 hours a week on a project, you could say “Wow, you’re working over 50 hours a week!” Validating a person’s feelings will make them feel that they can confide in you and will motivate them to share more information. While you’re listening actively, you can classify the information to see how you can use it.
Plan an Exit
If you don’t plan your exit, you may be in an awkward situation when you don’t know when the conversation should end. This may lead you to have to give additional explanations, which may cause your target to start thinking critically and question your conversation. The target should never feel “hacked” in any way. The conversation should end as casually as it was started, and the target should walk away without having “second thoughts” about the conversation.
Protect Yourself from Malicious Elicitation
We have considered how to use some elicitation techniques. What if we feel we are being targeted? Giving and obtaining information is part of life, but it is important to identify which information we feel is private and off-limits (whether personal or business). If we feel we are targets of elicitation with a malicious intent, or we’re simply not comfortable sharing certain information, we can deflect the conversation by doing the following:
- Ignoring any question or statement you think is improper and changing the topic;
- Deflecting a question with one of your own;
- Responding with “Why do you ask?”
- Giving a nondescript answer;
- Stating that you do not know;
- Stating that you would have to clear such discussions with your supervisor;
- Referring then to a business website; or
- Stating that you cannot discuss the matter.
If you feel you are the target of malicious elicitation at work, it is important to report it to your security department at once. If you want to protect your company from malicious attacks, find out about the services we offer by visiting our website https://www.social-engineer.com/services/.
Sources
https://www.fbi.gov/file-repository/elicitation-brochure.pdf/view
https://www.social-engineer.org/framework/influencing-others/pretexting/
https://www.social-engineer.com/apse-a-practical-course-in-a-virtual-world/
https://www.social-engineer.org/social-engineering/active-listening-the-secret-to-any-successful-negotiation/
https://www.social-engineer.com/services/
https://humanbehaviorcon.com/training/#saturday
https://humanbehaviorcon.com/
Image
https://ideas.ted.com/4-tips-for-talking-to-people-you-disagree-with/