Natalie Blackbourne on Social Engineering

Natalie Blackbourne is the President of Blackbourne Worldwide, a cybersecurity company that specializes in cyber threat analysis and mitigation, social engineering, and security research. She has dedicated her life to the study of deception and manipulation, and her certifications include Forensic Emotion Awareness, Evaluating Truthfulness and Credibility, Understanding Emotions, as well as a Master’s of Science in Emotions, Deception, and Credibility. Her background includes investigative interviewing and research on human interaction, and hopes to increase awareness of Social Engineering through education.

 

LIFARS: Tell us some background on you and how you got where you are today. (What was the “calling” moment?)

Blackbourne: I have dedicated most of my academic career to learning about emotions, deception, psychology, and the human mind. The complexities of thought, learning, and the ability to deceive effectively has always been a focus for me, and that is when I started learning more about Social Engineering, especially in the Information Security realm. The application of Social Engineering in Information Technology fused together my two favorite things – deception and technology. I love technology for the amazing advances and abilities that we have now compared to even a decade ago. I also enjoy being the one who can learn more about a company with my social engineering techniques instead of hacking the traditional way.

I think the moment I realized I was in the right career was when I read material for work that used to be in my “fun reading” pile, and my geek moments with people were not just random anymore – they were a blend of the things I am most passionate about along with work.

LIFARS: There is a general idea of what social engineering (a method of hacking/intrusion that is non-technical in execution, but rather rely on human interactions and trickery) is and the dangerous nature it holds, but what do you find to be misunderstood about the concept of engineering a circumstance to get the results that were projected based on human behavior?

Blackbourne: By nature, engineering is not a negative trait, and the term “Social Engineering” has gotten a bad reputation within the information technology arena. As much as I would love to demonize hackers who employ social engineering (it certainly helps with expressing the reality of being attacked), social engineering as a societal construction is actually something we use every single day. That’s right – we are all social engineers. Webster’s dictionary defines engineering as to “1. design and build (a machine or structure), or 2. skillfully or artfully arrange for (an event or situation) to occur.” Skillfully and artfully arranging specific situations is obvious in business networking, sales, and relationships. Constructing interactions that are meaningful or with the intention of gaining something is not malicious. Arguably, social engineering is essential to daily interactions for society to thrive. If no one employed techniques of influence or artfully arranged situations, we would have no authority over our children, no boundaries in our relationships, and no goals to reach within business.

            Social Engineering becomes dangerous when sensitive data is leaked, or a Social Engineer uses seemingly harmless information in a malicious manner. For example, it may not seem that important that a CTO is on a vacation in Hawaii, yet the Social Engineer can use that to their advantage in multiple ways: by knowing when to strike (when he is on vacation), how to information drop (“he’s in Hawaii this week? I thought it was next week!”), and by the CTO’s absence can plan a ruse solely around him being out of the office.

            I think the most misunderstood part of Social Engineering is how relatively easy an attack is to execute. People are extremely malleable when they are distracted – just think of the last time someone asked you a question while you were answering an email and planning out dinner for that night. By taking advantage of multi-taskers and overwhelmed brains, the Social Engineer’s hardest part is constructing a plausible ruse, identifying potential obstacles (ID cards, security clearance, biometrics), and possibly some props. In the moment it is easy to be nervous, but I teach my students to pretend they are actors on a stage. Over-thinking the part leads to the collapse of the pretext (ruse), and when you “go with the flow” your mark is more likely to trust and believe you.

LIFARS: Can you give us an example where social engineer caused the most amount of trouble? How did it happen? Why did it happen? What could have been done right to prevent it?

Blackbourne: Social Engineers can cause the most damage to a company. The most common problem, however, comes in when there are not protocols in place to protect the employees and the company. If I pretend to show up for an interview with a coffee-stained resume and ask to print off a new one with my thumb drive, there are multiple influence tactics at play. 1. I am preying on the receptionist’s desire to be helpful (most people have this), and 2. I am expressing an amount of urgency, which causes people to make snap decisions. If the protocol for foreign USBs were to hand them to IT, or to direct the unfortunate individual somewhere else to use the printer, then this problem could be avoided. However, a majority of individuals will plug in the drive without a second thought, and that can cause the collapse of an entire company.

LIFARS: How do you see penetration testing in relation to social engineering?

Blackbourne: I view penetration testing and social engineering as having a complementary relationship. Both options for finding vulnerabilities and exploiting weaknesses are valuable to a company. However, I believe they should be used in tandem instead of being seen as separate options. Too often have I seen Information Technology professionals put penetration testing and social engineering into two categories, instead of seeing them as harmonizing. My Social Engineering engagements include Vulnerability Assessments (an assessment of physical and human vulnerabilities) and Penetration Testing (a physical Social Engineering engagement)– the same terminology used to evaluate IT infrastructure. This is purposeful to show how cyber threat analysis and mitigation can work hand-in-hand with social engineering. A company can only truly be secure with both arenas covered.

LIFARS: Does SET (social engineering toolkit) create more of a problem or is it just tool?

Blackbourne: The Social Engineering Toolkit has many valuable resources for the Social Engineer. This can assist the Social Engineer in their engagements in numerous ways and shortens the amount of time they must dedicate to creating exploit-hiding web pages and emails. Most people underestimate the amount of work a Social Engineer puts in for a successful engagement, especially when it requires copious amounts of reconnaissance, construction (especially for phishing emails and counterfeit logins), and reporting. The SET is a valuable tool, however, I also take a note from the first con artists and often do some manual legwork in addition. It’s a way that I can feel that I am not missing anything important. As much as I love technology, I often am reluctant to give it full power.

LIFARS: What policies would you recommend a fortune 500 take in order to defend itself against social engineering attacks? To expand, how do individuals in a company go about countering social engineering attacks without being consistently paranoid?

Blackbourne: The best way to prevent a social engineering attack is education. Education of the employees, management, and C-level executives. By making all of the information and dangers of Social Engineering salient in the minds of employees, they are better prepared to acknowledge and prevent a social engineering attack from occurring. It would also be advantageous for the company to put protocols in place to assist and protect employees. If the protocol for foreign USBs is to send them to IT, then the employee has knowledge of what to do, and a plan of action. This prevents the USB from being plugged in randomly, without the ability to be intercepted or evaluated for malicious viruses. If the employees are properly educated on what social engineering looks like, they can better defend the company and feel confident that their employer backs them in their decisions.

I also am a big believer in having policies that are personalized to the company. Each company has different security protocols, different work cultures, and different habits. All of those need to be evaluated in creating guidelines to protect the company from being vulnerable to attacks.

 

Natalie Blackbourne summarized our Q&A with steps you can take to prevent social engineering attacks include:

  1. Awareness – this includes being perceptive and alert. By taking a moment to focus your attention on the present, you can tune into idiosyncrasies that might give a clue to it being a social engineering attack, or to double check credentials.
  2. Education – this point cannot be over emphasized or repeated. Education is crucial to understanding how a Social Engineer works and how to prevent attacks.
  3. Vigilance – all too often I see complacency become the breaking factor for security. Keeping security protocols up to date and continually reevaluated for effectiveness is necessary for the security of your company. Over communicating the devastating effects of a social engineering hack can prevent one from progressing to the point of compromise.

 

Contact Natalie Blackbourne on Blackbourne Worldwide Linkedin.