Social Engineering (SE) is a term now in vogue used to describe an important foundation of modern Corporate Espionage/Hacking/Data Acquisition. As a career CIA HUMINT (Human Intelligence) Operations Officer, I extensively employed the techniques that are a feature of Social Engineering – except I targeted Iranian missile scientists, Russian Intel officers, and Chinese diplomats for the US Government. However, SE knows no restrictions and could be utilized against your company and your personnel.
Defined broadly, Social Engineering takes the ways Humans are wired to make decisions and exploits the vulnerabilities in those decision-making processes. An alternate definition is “any act that influences a person to take an action that may or may not be in his best interests.” Getting an individual to “spy” against a company (or government) can be exceptionally difficult – but can also yield outsize rewards.
Why is Social Engineering important to a Business Owner? Everyone is concerned about Information Security – and SE poses a direct threat to a Company’s Information Security. All firms (and persons) have information they wish to safeguard. This includes not only standard sensitive company personnel/client data but critically – Proprietary Processes or Technology. Intellectual Property Theft, for example, has skyrocketed in the last 20 years.
In the world we now live in, a company can not only be targeted by a corporate competitor but also by Nation States, which then pass the stolen information/data to their own National Industries in order to increase that country’s market share worldwide. Corporate Espionage can thus be a cornerstone of a nation’s Economic Policy.
This sort of active espionage is particularly favored by the People’s Republic of China. Although other nations, such as Russia, Iran, Turkey, and even France, have robust corporate espionage programs, the espionage programs of the People’s Republic of China dwarf rival national programs, not only in budget but in scope.
US officials believe China has been stealing between $200 and $600 billion of US trade secrets every year since the early 2000s!
Beijing openly pursues policies to challenge US global technology leadership and seeks to dominate the “Fourth Industrial Revolution.” This includes Artificial Intelligence, Big Data, Quantum Information, Robotics, and Biotechnology. This National Initiative translates into espionage against companies as varied as General Electric and Monsanto.
For background, US efforts concerning technology/data acquisition are primarily defensive, i.e., as the world’s Tech Leader, the US is the most common target, and thus US efforts are focused on Counterintelligence (CI) – the identification and neutralization of foreign threats against US Corporations.
The sad fact, however, is that the US Intelligence Community’s (USIC) CI efforts have generally been ineffective – and this is only speaking of USIC’s efforts to protect Government secrets! As far as corporate, proprietary secrets go, the USIC simply does not have the ability to truly support US companies in protecting their information/data/technology – especially those not involved in direct military contracting. In other words, US companies are “On Their Own.”
What does all this mean? Firstly, the reader’s view of Hacking/Cybersecurity/corporate espionage needs to be broadened.
When the average person thinks of Data Hacking and Cybersecurity, they tend to think of Computer vs. Computer, “black hat” hackers vs. “white hats,” Firewalls, and the company’s IT department. These indeed are KEY features of the Modern Threat – and addressing these vulnerabilities is a part of a company’s Mitigation and Prevention Strategy (MAPP). Corporate personnel dwell more on the technical aspects of Information Security – the software, hardware, and tools to prevent data theft. What is often overlooked, however, is the “Human Element” – which is the basis of Social Engineering. What is seen more often nowadays are “combo” attacks: hacking combined with exploiting a targeted individual.
First Example: instead of the “Bad Guys” Head-to-Head hacking into a Corporate Data System and thus worrying about the attack being traced back or a possible (but unlikely) FBI investigation, it might be better to target and cultivate a company employee to selectively place a thumb drive on a target server. Such a tech theft might prove much harder to counter or detect – particularly if the employee has provided intel on corporate hacking countermeasures. I have performed such operations myself.
Second Example: In 2021, 83% of organizations experienced a successful email-based phishing attack in which a user was tricked into risky activities, such as clicking a bad link, downloading malware, providing credentials, or even executing a wire transfer. That number is a startling 46% INCREASE over 2020! Incredibly, vast sums have been spent training people for 20 years in cybersecurity. Yet, this most obvious tool is still being successfully used against companies.
But how “crude” are these modern phishing scams? Phishing, like all forms of Cyberwarfare/Hacking, has also increased in sophistication – instead of flooding corporate email accounts with dozens/hundreds of emails, some Social Engineers are spending time Targeting key personnel, using the wealth of information available on individuals online. From this Targeting Profile, a very attractive Phishing scam can be individually crafted – resulting in a greater download rate – and thus an effective compromise of corporate security.
Social Engineering is employed because it WORKS. The cost to set up an SE attack is Low; the Risk is even lower – and the Potential Payout is HUGE.
IBM’s 2017 “Cost of Data Breach Study” determined the average cost of a data breach is $3.62 million. Importantly, 80% of all breaches have an SE Element – So the world of corporate espionage is not just Computer vs. Computer. As a CIA Officer, I point out that the study includes only those Data Breaches that are DETECTED. If a detailed SE plan were followed, the company might never know how many have breached the defenses – and gone Undetected.
Let’s Examine how an Intelligence Agency’s HUMINT Operations have a lot in Common with Social Engineering Tactics.
In both the SE and Intel worlds, the HUMAN is the Target. They may not be the ultimate goal, but the Data/Proprietary tech being pursued is usually obtained THROUGH an individual, based on that person’s ACCESS.
Social Engineers and Intel Officers both spend considerable time Researching individuals and institutions as part of a Targeting Study. These can be either formal or informal – but the more time placed into such activities, the better the chance of Targeting success.
In pre-internet days, this could be VERY opaque. Targeting the head of a Terrorist Network, or even obtaining enough data to decide WHO to target, could take YEARS. (Osama Bin Laden was finally located a decade after he perpetrated 9/11.)
Third Example: some years ago, I targeted the Iranian Embassy in Dushanbe, Tajikistan. There was very little information available – no complete personnel list to speak of. The Tajik government could not be relied upon to provide Iranian passport data, etc. The operation boiled down to my identifying a non-Iranian with limited access to the Embassy. This had limited effectiveness but was better than nothing. A lot of effort for limited results. Now think about how SOCIAL MEDIA has totally changed this equation!
Not only social media but the variety of online tools available to access a Target’s finances, personal interests, political beliefs, and work record have exploded – resulting in a Social Engineer’s dream. Although some targets remain opaque, the present hazard is that there is TOO MUCH information to process – rather than a lack of it!
This simplified targeting is the reason that, until about 12 years ago, the CIA wanted its officers to avoid social media. Since that time, the march of technology has made this restriction untenable. All social media users are now aware of the benefits and pitfalls of this technology; one needs to look only as far as high school seniors scrubbing their sites as they apply to college.
Fourth Example: sometimes, the techniques of intel types and social engineers may vary. A Case Officer might access LinkedIn to determine what university someone went to or a particular interest, with an eye on a lunch date (there is no substitute for meeting someone in person as a key to recruitment). A Social Engineer might follow the same course – or instead, use LinkedIn info to craft a Phishing scam online to obtain Credit Card info from the person. Alternately, the Social Engineer could send an email with malicious software to the Target at her company based on her expressed interest in seeking other work (faking an email from CareerBuilder.com).
Remember that this is the GOAL of the SE – to get the target to take an action that is not in their best interest without thinking through the potential dangers.
After many years, Intel Services worldwide are finally waking up to the fact that Open Source Information or Intel (OSINT) can be at least as important as classified information. Social Engineers have known this all along; indeed, OSINT is the Lifeblood of a Social Engineering Engagement. Open Source Intelligence, primarily social media, will allow the social engineer to amass a detailed Targeting Study.
When the Targeting Study is completed, then Access and Suitability can be determined. Does the individual identified have access to the systems/information being sought? Can He/She, once recruited, obtain it?
Is the candidate for targeting suitable for the role envisioned? Do they have the common sense/motivation to follow instructions, engage in prudent risk-taking, etc.? The Suitability bar is lower in the corporate world than in the political/military sphere simply because the stakes are somewhat lower – in government, unsuitability can result in discovery, imprisonment – or death. The Corporate “spy” will be fired – a lower bar with fewer penalties. This means Social Engineers will more easily identify and employ a spy! This is bad news for corporate security.
The Company employee targeted by the Social Engineer must have both Access AND Suitability. If the Social Engineer has identified someone in the company who is willing and able, but lacks Access, the Operation will be unsuccessful. Ditto if the Social Engineer/Intel Officer has a person with the Access – but who will not perform the task. Much time in the Intel/SE Worlds has been wasted with Operatives trying to put that square peg in a round hole. Better to admit after a targeting study that one was mistaken and move to a more viable candidate.
MOTIVATION AND “MICE”
The suitability of a candidate can describe a wide variety of characteristics. Mostly it boils down to Personality and Motivation, particularly the latter. Is the person a risk-taker? Is she egotistical? Is he hungry for praise/positive feedback? Motivation can be summarized with the acronym “MICE.” Money, Ideology, Compromise, and Ego. Ideology is not usually a factor in corporate activities. Money and Ego are the prime motivators. Identify someone in the corporate structure who is angry at his boss, feels unappreciated, and seeks revenge – and half the work is already done!
The Techniques learned by HUMINT intelligence officers take years to hone – as they often depend on Cultural Understanding and Language Ability; most national Intel Agencies operate Overseas and are concerned with recruiting foreigners. Keep in mind that the United States is the Number ONE target for corporate espionage – language for our adversaries is not a problem. There are an estimated ONE BILLION English speakers for whom English is a Second Language – that is a sizable pool to draw from! I learned Russian and Albanian in the CIA. While the former was VERY useful in my work, there is very little call in the private sector for non-Albanians to speak Albanian!
As can be seen, both HUMINT and SE involve convincing an individual (often, but not always, over an extended time period) to do things that are not in their own best interests (stealing secrets, inserting a thumb drive, providing the boss’ notes). This “Development” or cultivation of a potential Information Source or “spy” will involve determining that person’s suitability.
Social Engineers usually work in a shorter timeframe. However, the importance of the Data and the Target’s Access may demand a slow (and thus more secure) personal approach. In general, a Slow Approach is more Secure, but keep in mind that the more Secure the Operation, the Less Efficient it is!
THE IRONY OF TECHNOLOGY
In the past, HUMINT or Social Engineering – recruiting live spies – had the disadvantage of being “slower” – identifying and developing a target often took time. The intel provided in the future might prove critical. Still, an intel officer wasn’t going to obtain as much intel from an individual as from, say, Signals Intelligence (SIGINT). SIGINT means gathering data from mobile phone calls or other signals. SIGINT always had more potential to collect a Larger VOLUME of information.
This old dynamic, however, has NOW CHANGED. As the world now relies on Data Systems, the average individual’s ACCESS to Sensitive Data has Exploded – and thus, ONE individual – recruited on an individual basis, over time – has more power to damage a Company or Government than ever before.
The Fusion of HUMINT/Hacking or SE/Hacking (a “Combo Attack”) means that in many ways, we are in a sort of “Golden Age” of HUMINT and Social Engineering because we have an unhappy convergence of circumstances:
As we grow more dependent on Tech, to say nothing of experiences like COVID, it has become more difficult for people to learn how to use Conversational Skills, let alone SEE when those skills are being used AGAINST Them!
This leads us to a situation where individuals, who have GREATER Access to data than ever before, also have a REDUCED Ability to know they are being targeted!
Some of the “common sense flags” a person would historically employ when it became obvious to that employee that they were being “worked” are no longer in the toolbox, particularly for the younger generation. One need only look as far as a “Project Veritas” video to see (mostly younger) individuals openly discussing Sensitive Data with an Operative in a way that no doubt would draw the fury of the target’s upper management.
I saw this quality when targeting Iranians abroad. They are so used to being social pariahs that, I found, simply knowing some Persian history would allow an intel officer to build rapport rapidly with an Iranian – although this would be seen as a transparent effort by ANY outside observer, the Iranians were seemingly oblivious to this tactic.
I believe we see this more widely in western society than ever before. We live in a time when Loneliness, Alienation, Stress, Work Frustration, and “being treated as a Number” have all peaked – Prime Hunting Grounds for the Social Engineer and Intel Officer.
At the beginning of my CIA training, a highly experienced officer told me that being a HUMINT officer was “Befriending the Friendless” – this remains as true today as ever. Corporate Managers must do their best to ensure their employees are not only educated as to the threat but also engaged and valued. In such a positive environment, Social Engineering will prove that much harder. Educated, content, satisfied employees have little desire to spy.
What to Do?
The Corporate Manager must understand that in today’s threat environment, the technical side of the company – the IT and Security Departments, must be properly equipped/budgeted/manned to protect corporate data, but that is only part of the picture. Every line worker must be sensitized to the threat posed by Social Engineering.
Security Awareness Training in this vein will not only include a definition of such terms as Vishing, Phishing, Ransomware, and Malware but also elements of a military-type Counterintelligence (CI) briefing. This would include such questions as:
- Has any employee met someone online or personally who had an unusual interest in an employee’s job and access?
- Have there been unidentified persons attempting access into corporate spaces?
- Has any employee displayed an unusual desire to access information that is not part of his job specification?
A personal example: I have been contacted on LinkedIn, where my status as a retired CIA Station Chief and TV Commentator is known by both Chinese and Russian intelligence. In both cases, they were fairly transparent attempts by a Chinese Research Institute and Russian State-Owned media to hire me as a consultant. Having worked against these nations throughout my career, I immediately saw these communications for what they truly were and ignored them.
Training your personnel to identify these approaches, and to know that they themselves are targets, will put your team light years ahead of the average person – and greatly enhance your firm’s security. This would include such items as helping the employee population understand the value of the information they possess – that emails can be used to breach the whole company; that phone calls are used to get passwords and other sensitive details; that if their mobile phone is breached, it can be used to attack their home and work networks; and that just because a person is smiling and friendly, one cannot ignore badge policy.
Understanding potential attacks will allow your employees to see, much as I did on LinkedIn, an attempt at illicit contact and avoid an incident before it ever begins.
The Ultimate Goal is to create a Security Awareness Culture, as exists in the CIA and the military. With proper training, reminders, and rewards, Leaders can create a culture where the employee population knows that the minor decisions they make can have long-lasting effects. By imaginatively employing Rewards, Positive Reinforcement, Training, and very importantly – Top-Down Reinforcement to create a Security Awareness Culture, Corporate Leaders can have a huge impact on protecting their company’s data and proprietary information. The future truly is in your hands!