Learn how psychologists are helping to make red teams more effective in information security. This article explores the use of social engineering and framing theory to identify and exploit vulnerabilities in the human psyche. Deepen your knowledge of manipulation and social engineering to improve your organization’s defenses against potential threats.
Disclaimer: All examples and screenshots in this article are taken from open sources of the Russian segment of the Internet. They have nothing to do with Ukrainian companies or users. We deliberately use Russian cases to demonstrate how social engineering works in an adversary situation — when specialists abuse human trust, inexperience, or fatigue.
Who would have thought that a psychologist is not always a benevolent advisor on the other side of the couch. In fact, a person with a degree in a field that combines brain and behavioral science is quite capable of creating significant difficulties for experienced IT professionals.
Imagine not the classic scenario of hacking a system, where the main role is played by code. Instead, an attack where emotions become the key to access. Here, everything is built not on scripts, but on the weak points of the human psyche. The ideal experimental training ground for such activities is work within the Red Team, which simulates the actions of an attacker in order to find weak links before real cybercriminals do.
This approach changes the idea of cybersecurity. We are not just looking for holes in the system – we are studying how to influence the behavior of employees using subtle psychological techniques. Such a “soft hack” leaves no traces in the logs, but can be a decisive factor in protecting a company from data leakage or financial losses.
Red Team is not just about technical hacking or penetration through the network perimeter. Sometimes, instead of a long and multi-level investigation of the infrastructure, it is easier to use… an invitation from the inside. And such an “invitation” can be provided by the company’s employees themselves – sincerely, willingly, without pressure. You just need to know how to make them believe that this is a normal action.
At this point, it is worth pausing a little and explaining a key concept. After all, this text is read not only by experts. So, what we are now talking about is manipulation. More precisely, not quite that. Manipulation is when one person changes the behavior of another, usually in an indirect way. And although the word is often associated with negativity, in itself it is not a synonym for evil. Rather, it is a neutral tool.
But in the context of cybersecurity, the term “social engineering” would be more accurate. It is well known in the field of information protection. This is the same psychological influence, but with two mandatory conditions:
It occurs covertly – the person does not realize that his behavior is being controlled;
The manipulator receives a measurable benefit – for example, access to data or a room.
A psychologist in the Red Team is a real trust engineer. Instead of scanning ports and vulnerabilities in the system, he “scans” behavioral patterns, mental vulnerabilities, and creates reliable legends that are embedded in the victim’s perception, activating his habitual reactions.
This is where the concept of frames – or cognitive frameworks – comes into play. What are they? In simplified terms, these are mental templates through which a person perceives information. They are like filters or scripts: having seen a certain signal, a person automatically reacts as he is used to. And if you build communication correctly, you can make him act exactly as the engineer needs.
There was a sociologist named Erving Goffman (1922-1982). Since psychology and sociology are sciences that are largely (if not entirely) descriptive, Goffman set out to record what he observed and try to explain it. He viewed frames as cognitive structures that people use to interpret social situations. These are patterns that determine:
how we understand the context (“Is this a game or reality?”);
what actions are appropriate in a particular situation (e.g., behavior at an interview vs. at a party);
what roles and rules apply (“Teacher asks questions, student answers”).
Example from context: an employee understands that a letter “from the boss” with a request to urgently send data is part of the “corporate communication” framework, which involves a response to the manager.
And here we can also mention the “framing effect” according to D. Kahneman and A. Tversky. This is when people make different decisions depending on how the same information is formulated, even if the objective facts do not change. People tend to react to information not rationally, but emotionally. For example:
A negative frame (emphasis on losses/threats) evokes fear or anxiety.
A positive frame (emphasis on benefits/safety) evokes trust and calm.
This is the basis used by social engineers (well, of course, without realizing what research work lies behind these effects!). Example:
“Your account is locked! Confirm your details now to unlock” is a negative frame. Reaction: the person is afraid of losing access and acts impulsively, without checking the authenticity of the request.
“Confirm your details for the security of your account” is a positive frame. Reaction: it is perceived as a routine procedure that reduces vigilance.
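As an added example (not from the original article), here is a small heuristic that labels a message as a negative or positive frame in the sense just described and flags it when that frame is paired with a request for credentials or details; the cue lexicons and the last sample message are constructed, while the first three samples are phrases quoted in this article.

```python
"""Heuristic frame classifier for reported phishing triage and awareness
training. It tags a message as a negative frame (threat/loss), a positive
frame (reassurance/routine) or neutral, and marks it suspicious when the
frame is paired with a request to act on data. Lexicons are constructed
for this example and are deliberately small."""
import re
from dataclasses import dataclass

# Loss / threat cues: the negative frame plays on fear of losing something.
NEGATIVE_CUES = {"locked", "blocked", "suspended", "expire", "expires", "expired",
                 "lose", "loss", "unauthorized", "violation", "penalty", "deleted"}
# Urgency cues: time pressure discourages checking the request.
URGENCY_CUES = {"now", "immediately", "urgently", "urgent", "within", "today",
                "24", "hours", "asap"}
# Reassurance cues: the positive frame makes the action look routine.
POSITIVE_CUES = {"security", "secure", "protect", "safety", "routine", "verify",
                 "keep", "safe", "improve", "update"}
# Requests a legitimate sender rarely makes in-band.
ACTION_CUES = {"confirm", "enter", "provide", "send", "details", "password",
               "credentials", "card", "pin", "login", "re-enter", "specify"}

@dataclass
class FrameVerdict:
    frame: str          # "negative", "positive" or "neutral"
    negative: int
    positive: int
    urgency: int
    action: int
    suspicious: bool    # a frame (or urgency) combined with a data request

def tokenize(text: str) -> list[str]:
    return re.findall(r"[a-z0-9-]+", text.lower())

def classify_frame(text: str) -> FrameVerdict:
    tokens = tokenize(text)
    neg = sum(t in NEGATIVE_CUES for t in tokens)
    pos = sum(t in POSITIVE_CUES for t in tokens)
    urg = sum(t in URGENCY_CUES for t in tokens)
    act = sum(t in ACTION_CUES for t in tokens)
    # Exclamation marks reinforce the emotional register of a threat.
    neg += text.count("!")
    if neg > pos:
        frame = "negative"
    elif pos > 0:
        frame = "positive"
    else:
        frame = "neutral"
    # Either frame becomes suspicious once it asks the reader to act on data.
    suspicious = act > 0 and (frame != "neutral" or urg > 0)
    return FrameVerdict(frame, neg, pos, urg, act, suspicious)

def triage(messages: list[str]) -> list[tuple[str, str]]:
    """Return (frame, message) for every message that pairs a frame with a data request."""
    return [(v.frame, m) for m in messages if (v := classify_frame(m)).suspicious]

# Constructed sample set: three lures quoted in the article plus one benign note.
SAMPLE_MESSAGES = [
    "Your account is locked! Confirm your details now to unlock",
    "Confirm your details for the security of your account",
    "Dear ${user}, update your password, for this, specify the old one",
    "The quarterly report is attached for your review",
]

if __name__ == "__main__":
    for frame, msg in triage(SAMPLE_MESSAGES):
        print(f"[{frame:8}] {msg}")
```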
The theory of frames is fundamental, and it is gradually being supplemented and specified, adapting to today’s realities (for example, frames of social networks are being studied). Of course, one can engage in description endlessly, so now, understanding the basics of cognitive vulnerabilities, let’s move on to the practical application of this knowledge in the work of the Red Team.
Classic sociotechnical testing often boils down to formality: mass mailing of emails via Gophish, identical templates, quick results. Instead of point analytics, statistics for the sake of statistics.
This software allows you to create phishing campaigns to test employee awareness. It’s simple: email — fake page — data entry — success or failure. But the method has a number of problems:
Mass does not guarantee accuracy: out of hundreds of letters, only a few are successful, and even those are often the result of chance.
Sampling without systematicity: employees with different experience and positions are included in the test, which blurs the real conclusions.
Results are not always valuable: even the logins obtained may not give access to critical systems.
The impact of spam filters: most letters do not reach, and the test is recognized as a “successful failure.”
All this turns verification into an illusion of efficiency – the reports sound great, but the real benefit remains questionable. The approach needs to be rethought: the goal should not be the number of passwords collected, but understanding how and why a person fell for the bait.
What do we see in real life? Attackers act recklessly and boldly, coming up with every conceivable and inconceivable scenario. The main motive is money, and the main victim is an ordinary person, usually unaware of the basic rules of digital hygiene and cybersecurity. Such people may be picked at random or deliberately.
An example of a randomized attack is the Gophish method described above – mass mailing to company employees or to random email addresses. It can also be mass calling of citizens with various polls, unique offers, “safe accounts” from banks, or an “extension of your phone number, since the contract is expiring”.
In a targeted attack, a stage of reconnaissance comes first: analysis of data from open sources and from the personal data leaks that have become commonplace. We all know the scenarios of such attacks: the countless “law enforcement officers”, again the “bank customer support”, and less often calls supposedly from hospitals, in which the scammers confidently name the details of relatives who have allegedly got into trouble.
Attackers come up with as many frames as they do situations. “…all the funds in our ‘safe’ account” plays on fear of the system; “Your brother is in the hospital after an accident! Urgently need money for surgery” plays on concern for a loved one.
The irony is that in sociotechnical tests, pentesters often ignore this “dark side of humanity”. Most of them are techies to the core, whose emotional intelligence… well, let’s say, is tuned to other work. The range of ideas is limited to templates like “Dear ${user}, update your password, for this, specify the old one”. Working an attack through properly also takes time. But real social engineering is an art. It requires acting skills to play the Ministry of Internal Affairs investigator who knows your passport number; the bank employee who will make you believe that a safe account is the only way to save your money; the “doctor” whose voice trembles with imaginary sympathy.
Remember Kevin Mitnick, perhaps the most famous hacker in the world? After his imprisonment, he became a consultant for the CIA. Mitnick is a textbook example of this approach. A hacker legend who turned social engineering into a performance. Each of his attacks is a performance with thoughtful roles, props and excellent improvisation. His story teaches a lesson: to protect yourself from scammers, you need to think like them. It is not enough to imitate their methods – you need to understand their motives, their strategies of persuasion, their ability to adapt to the victim.
A psychologist, of course, can serve a prison term without losing his standing only in the movies, so some assumptions have to be made. As part of the Red Team, he can take some of the load off the pentesters by taking on the in-depth study of the social side of the issue: working out multi-layered scenarios, personalizing them with the help of OSINT, and creating fake personas that are consistent with the legend and withstand close scrutiny.
We decided to apply this approach in our Red Team projects. It is obvious that not only an individual and his wallet can become a victim of attackers, but also the infrastructure of companies, up to a complete halt of their operations: abuse of privileges, use of stolen credentials or social engineering methods by fraudsters. But it is not enough to develop scenarios and try to attack.
If a classic pentest is an assault on a fortress with battering rams and catapults, then social engineering is a poisoned glass of wine offered to a guard who sincerely trusts you. And although the approaches are different, their stages are often similar. In particular, reconnaissance.
At the first stage of a sociotechnical attack, information is collected about the company’s employees. This is, in fact, classic OSINT – open source analysis. And here it all depends on the situation. We usually work flexibly, reacting to what we manage to learn in the process. There is no single scheme – each case is individual.
There are usually more than enough sources for reconnaissance. Much depends on the specifics of the company, its internal culture, and the activity of employees on the network. Technical employees often write openly about their projects, technology stack, or discuss internal processes in thematic professional communities. Leaders and managers often publish their profiles with photos, positions, and descriptions of roles in the company, which also helps to form a holistic picture.
There are also those who publicly represent the company – communications or HR specialists. They are usually willing to share corporate news, comment in the public space, and sometimes neglect the basics of cyber hygiene.
It is worth mentioning thematic chats separately, where many people directly mention their position or discuss the internal kitchen of the company. Sometimes there are even discussions directly related to infrastructure, internal services, or security policy – all this opens the door to further steps.
And there is also a “field” option – observing what is happening around the office. For example, informal conversations near the building can be no less informative than search analytics. This approach requires a certain amount of acting skills, but a skillfully conducted conversation on the street is also a source of data.
We study the resulting array of elements (oh, that is, employees): their roles, position in the company hierarchy, activity in social networks, patterns of behavior … The so-called profiling is used (the term is also controversial, but it sounds cool).
Profiling is an analysis of personal indicators to predict behavior.
Both personal and work profiles are suitable for analysis. In personal profiles, you can often find, for example, memes about work. They carry information and help to understand the employee’s attitude. The absence of memes may hint at the employee’s strictly serious attitude. Such nuances can become an entry point, but it is impossible to describe them all within the framework of this article.
For example, some HR specialists look very serious: they may manage vacancies for senior specialists. They need such an image not only to enhance the weight of the brand, but also so that the candidate understands that the interview will not only be about bargaining over salary, but also about his deep competencies. The developed legend must meet the expectations of such a hiring specialist in order to at least draw attention.
Some HR specialists may have extremely minimalist profiles. If this is consistent with the target’s other social networks, then most likely such a specialist is not very involved in the work and may be less attentive in communication, drifting along within the routine.
These extremes are just examples; in practice, things are much more complicated and confusing. Real-world scenarios for a sociotechnical attack are rarely straightforward.
Imagine that creating a story for an attack is like preparing for a blind date. There are only fragmentary data collected from open sources: someone loves cats, hates Mondays, and recently won an internal corporate award. The task is to turn these details into a convincing story that will make the person believe that they are not communicating with a stranger, but with someone “of their own.”
Here’s the thing. A social engineer needs to read the context—a specific life situation or “frame” in which the target is currently located. This could be a job opening, a forum query about a technical problem, participation in a professional conference, or even a recent comment on social media. Such a context allows you to start a dialogue not from an empty place, but as if “on topic”, reducing alertness and instilling trust.
After that, a specific tool is prepared – for example, a document with an embedded script, a form to fill out or a fake web page. It all depends on the story being built.
Within the framework of one of the projects, while collecting information, we managed to discover an interesting feature. Although the company tried to centralize the hiring process through official channels, some recruiters still actively used professional communities and personal accounts on social networks. There, they sometimes published vacancies, discussed requirements for candidates or simply left public information that opened access to simplified attack modeling. This, in fact, nullified the efforts to build a closed recruiting system.
The fact that it is still difficult to remove the human factor from the hiring process greatly simplified the task of implementation. Some experts appeared in the media, where you could also get excellent information.
Once the legend is formed, we move on to the next — the most delicate — stage: direct interaction with the object.
The goal here is to organize penetration into the company’s infrastructure with the help of the employee himself. And ideally, he should not just perform the necessary actions, but do it voluntarily, believing that this is his own decision or even a response to his need. That is, the action should look like a natural solution to a personal problem.
It all depends on the context of the legend. For example:
If you are supposedly a candidate for a vacancy, it makes sense to send a resume.
If you represent the organizers of an event, you can ask to check the conference program or agree on participation.
In one of the successfully implemented scenarios, we chose the image of a student who sincerely wants to get an internship. To be convincing, it was necessary to immerse ourselves completely in this role.
We asked ourselves: what is the behavior of a girl who has just graduated from university and is trying to find a job in a serious company for the first time? How does she communicate online, what emotions does she convey, what words does she use? What is the pace, style, even what emoticons?
The model we created looked like this:
She is friendly, a little shy, and wants to make an impression, so she carefully formulates her thoughts.
Her letters contain elements of emotion – the same “youthful” emoticons that give the text a casual feel.
She tries not to seem intrusive, emphasizes her respect, and thanks for every reply.
As a result, this behavior inspired trust. On the other hand, it did not arouse suspicion – because there were no visible signs of aggression, intrusion or deliberate pressure. It all looked like an ordinary appeal from an ordinary young person who is just starting their career.
In this way, we were able to evoke the necessary reaction and provoke a response that opened access to the internal infrastructure. And all this – without any technical influence, only with the help of properly constructed communication.
According to personal observations, an online conversation with strangers usually drifts into a slightly more informal writing style. A social engineer can sense this moment by the manner in which the interlocutor, whose trust needs to be won, writes. This technique – a standard psychological “trick” called “rapport” – denotes a certain synchronization or resonance between people.
Conventions are set aside, and the interlocutors communicate only at the level of meaning, not fixating on formalities such as spelling, as in this case. In our example, this shows up as fragmented messages and new sentences starting with a lowercase letter (or with whatever the phone/computer defaults to). A response to the emoticon is visible; here it even signals embarrassment and vulnerability. And then everything worked out. That’s all 🙂
In another successful case, our target was an experienced HR specialist who, apparently, had repeatedly communicated with candidates. At least, this is exactly the professional confidence he tried to demonstrate — it was noticeable both in the content of his profile and in the pose in the photo on social networks, and even in the style of business correspondence.
Based on this, we made an assumption that the best justification for our appeal to him was a reference to alleged mutual acquaintances. It sounds quite simple, and that is exactly the point: the simpler the start, the more options for the conversation to develop further. You can always add that this is “the person from the chat” or that “he asked not to mention himself”.
In our case, HR did not elaborate on the details, but immediately got to the point — this was fully consistent with his expected professional behavior.
You need to understand: anything can happen. Or rather, most likely, things will not go according to the script. In order to quickly respond to clarifying questions, maneuver and dodge, you need to really believe in your legend. Or have a backup option – several additional scenarios.
We have had situations when a potential ideal target suddenly turned out to be on a long vacation that did not fit into our time frame at all. There were other cases: some specialists turned out to be well-prepared to detect suspicious activity, and our account instantly ended up on the block list. It is good if they did not warn colleagues. In such situations, we had to launch a new line of interaction.
But when you still manage to quietly attract the target’s attention, the next stage comes.
Gaining a foothold in the system. At this point, the social engineer continues the confidential dialogue while the team’s technical specialists work on escalating access rights, searching for vulnerabilities in the software and performing their tasks.
The conversation with the object develops naturally. The social engineer’s task is to gain as much time as possible so that the victim and the security service do not have time to suspect anything. In such situations, emotional sensitivity is very helpful: sometimes it is enough to simply feel what behavior the interlocutor expects and adjust to it to reduce the risk of detection.
In the scenario with the inexperienced intern, which we have already mentioned, after gaining access to her work machine it was necessary to wait a little – to take a pause. At this point, the entire red team was busy with other active stages of the attack (several other seeded scenarios had worked), and there was a catastrophic lack of time for the dialogue with this victim. In addition, she herself decided to call, and we began to answer with a noticeable delay.
After the weekend, there was no point in continuing the conversation – the technical part was completed, and communication stopped. Although, ideally, the dialogue should have been brought to its logical conclusion – in order to maintain the intrigue and, perhaps, leave the door open for the future.
The final stage of the operation is a soft termination of the interaction. The social engineer breaks off contact, imitating the natural end of the conversation (figuratively speaking – ditches the laptop, changes appearance), and the technical team removes everything that may indicate interference – cleans logs, erases digital fingerprints.
As already mentioned, the exit from communication should look as calm as possible, without sudden movements and unnecessary suspicions. In real life, however, the most common scenario for the end of any online communication is simply disappearing without explanation. But in the case of a perfectly conducted operation, everything should look as if nothing special had happened. The victim should not even suspect that a compromise occurred during this, at first glance, ordinary conversation – until the SOC specialists begin to understand and arrange a debriefing.
Imagine: everything went perfectly. The victim has trusted you so much that she has sent you a private message, almost invited you for tea and cookies. You are triumphant, celebrating your success, postponing the technical formalities for the evening. You sit down to write a report – and there is no correspondence. The account also no longer exists. And it seems that everything is in vain.
Such a moment is a cold shower for any specialist: you need to prove to the client that everything really happened. But words like “honestly, it happened” will not do here.
Therefore, there is a golden rule for a social engineer: record everything. Constantly, from all stages, regularly save screenshots, record the time of actions, collect confirmations. Nowadays, correspondence does not always remain at your disposal: many platforms allow you to delete messages unilaterally, without a trace or warning.
Therefore:
Communicating via messenger? — Screenshot.
Sending a phishing email? — Screenshot.
The victim entered the password on your fake page? — SCREEN. SCREEN. AND ANOTHER SCREEN!
The best thing to do is to immediately document everything as digital evidence. Anything that is not documented is considered to have never happened.
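As an added example (not from the original article), here is a tamper-evident evidence log that applies the “record everything” rule: each item is hashed, time-stamped and chained to the previous entry, so the report can show the client what was captured, when, and that nothing was later altered or dropped. The artifact contents and timestamps are constructed.

```python
"""Chained evidence log for an engagement report. Every recorded item (a
screenshot, an e-mail export, a chat dump) gets a SHA-256 of its bytes, a
UTC timestamp and the hash of the previous entry; verify() recomputes the
chain and fails if an entry was edited, removed or reordered. Artifacts
below are constructed stand-ins for real files."""
import hashlib
import json
from datetime import datetime, timezone
from typing import Optional

GENESIS = "0" * 64  # chain anchor for the first entry

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def _entry_hash(entry: dict) -> str:
    # Hash the canonical JSON of the entry, excluding its own hash field.
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return sha256_hex(json.dumps(body, sort_keys=True).encode())

def record(log: list, stage: str, note: str, artifact: bytes,
           when: Optional[datetime] = None) -> dict:
    """Append one evidence item (e.g. a screenshot) to the chained log."""
    when = when or datetime.now(timezone.utc)
    entry = {
        "seq": len(log),
        "time_utc": when.isoformat(),
        "stage": stage,
        "note": note,
        "artifact_sha256": sha256_hex(artifact),
        "prev_hash": log[-1]["entry_hash"] if log else GENESIS,
    }
    entry["entry_hash"] = _entry_hash(entry)
    log.append(entry)
    return entry

def verify(log: list) -> bool:
    """Recompute the chain; any edited, removed or reordered entry breaks it."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["seq"] != i or entry["prev_hash"] != prev:
            return False
        if _entry_hash(entry) != entry["entry_hash"]:
            return False
        prev = entry["entry_hash"]
    return True

def build_sample_log() -> list:
    # Constructed artifacts and times standing in for real screenshot/e-mail bytes.
    log: list = []
    t0 = datetime(2024, 1, 15, 9, 30, tzinfo=timezone.utc)
    record(log, "contact", "first message to recruiter", b"PNG...screenshot-1", t0)
    record(log, "phishing", "resume sent to recruiter", b"EML...message-1", t0.replace(hour=10))
    record(log, "capture", "credentials entered on landing page", b"PNG...screenshot-2",
           t0.replace(hour=11))
    return log

if __name__ == "__main__":
    sample = build_sample_log()
    print(json.dumps(sample, indent=2))
    print("chain valid:", verify(sample))
```

Hand the client the log together with the artifacts; recomputing each artifact hash and running verify() confirms the report matches what was captured during the engagement.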
It all depends on the context. You can focus on character traits: impulsiveness, shyness, excessive trustfulness or a desire for recognition can become points of influence. At the same time, you should not underestimate the interlocutor – a sense of superiority in such matters is dangerous.
Vulnerable categories of employees:
Newbies and interns who have no experience in recognizing phishing;
HR specialists who interact with a large number of outsiders;
Exhausted employees, especially during peak load periods;
Technical specialists who, due to confidence in their knowledge, can lose vigilance.
Historical examples – Twitter, the Clinton campaign, Ubiquiti Networks – show that even the most professional teams can become victims.
Social engineering is not about the stupidity of the victims, but about using the moment: stress, habit, fatigue, the desire to help. A successful attack does not “break” a person – it is built into their routine.
Why is a psychologist an asset to the Red Team?
Able to build scenarios that really work.
Has a deeper understanding of behavioral patterns.
Able to notice details that techies ignore.
Has experience in interpersonal interaction and builds trust faster.
Mass phishing campaigns give numbers. But it is targeted attacks that are the real threat. And here a psychologist is an indispensable part of the team.