Social Engineering - Human aspects of grey and black competitive intelligence. What is social engineering? How is it used in the context of competitive intelligence and industrial espionage? How to recognize HUMINT / social engineering attacks? Which governments are known to use it?
2. SOME KNOWN CASES
Johnson & Johnson vs. Bristol-Myers
Johnson Controls vs. Honeywell
Boeing vs. Airbus
2 Cyber Agency | www.cyberagency.com
3. SOME KNOWN CASES
It’s not just smart business!
SUBJECTS OF TODAY’S DISCUSSION…
1. Competitive Intelligence using Social Engineering
2. Competitive Intelligence Countermeasures
4. DEFINITION OF SOCIAL ENGINEERING
“Successful or unsuccessful attempts to
influence a person(s) into either revealing
information or acting in a manner that would
result in; unauthorized access, unauthorized
use, or unauthorized disclosure, to an
information system, network or data.”
(Rogers & Berti, 2001)
5. EXTENDED DEFINITION OF SOCIAL ENGINEERING
Any kind of psychological manipulation
used to obtain private or sensitive
information or to force the target to perform
some action to the target’s disadvantage.
(Ivezich, 1998)
6. DEFINITION OF COMPETITIVE INTELLIGENCE
Context for Social Engineering
“Competitive intelligence (CI) is the process of monitoring the
competitive environment. CI enables senior managers in
companies of all sizes to make informed decisions about
everything from marketing, R&D, and investing tactics to long-
term business strategies. Effective CI is a continuous process
involving the legal and ethical collection of information, analysis
that doesn't avoid unwelcome conclusions, and controlled
dissemination of actionable intelligence to decision makers.”
Source: Society of Competitive Intelligence Professionals
“Competitive intelligence is a systematic program for gathering
and analyzing information about your competitors’ activities and
general business trends to further your own company’s goal.”
Source: Larry Kahaner, “Competitive Intelligence”
7. DEFINITION OF COMPETITIVE INTELLIGENCE
Context for Social Engineering
White - company publications, public records, commercial reporting sources
Gray - Not readily available, but can be obtained without civil/criminal liability
Black - Obtained through unethical or illegal means. Can result in civil and/or criminal sanctions.
Black = Espionage
8. DEFINITION OF ESPIONAGE
Context for Social Engineering
Espionage: Information collection operations performed in unethical
and/or unlawful manner
Economic Espionage: Government intelligence operation aimed at
acquiring the economic secrets of foreign country, including information
about trade policies and the trade secrets for its companies.
Industrial Espionage: Intelligence operations conducted by one corporation
against another for the purpose of acquiring a competitive advantage in
domestic and global markets.
9. WHO’S DOING COMPETITIVE INTELLIGENCE?
90% of Fortune 500 firms
Firms with high R&D expenditures
Firms that own many patents
2-3% of German firms
U.S. & U.K. firms mostly
Motorola, Bell Atlantic, Xerox, Eastman Kodak, Skandia, Ford, SDG, Merck, Amoco, Pacific Enterprises, Sequent, American Express, Boehringer Ingelheim, Procter & Gamble, Dow Chemical, MetLife, IBM, Johnson & Johnson…
[Bar chart by industry, axis 0 to 20]
Consulting 16
Chem / Pharma 13
Communications 11
Information 7
Computers 5
Banking / Financial 5
Defense / Aerospace 4
Industrial 4
Utilities 4
Healthcare 4
10. COUNTRIES INFAMOUS FOR ECONOMIC ESPIONAGE
• Russia
• UK
• Germany
• France
• USA
• Israel
• China
• Japan
South Korea, India, Pakistan, Argentina and others…
11. WHY NOW?
• The pace of business has and will increase.
• Most businesses are now in information overload.
• Increased global competition.
• Economic competition has become war.
• Political changes ripple more quickly than in the past.
• Technology changes are more rapid.
• Availability of ex cold-war spies.
Modern Business Eras - Modern Business Drivers
• Machinery (1940s) - Mechanical Technology
• Capital / Labor (1950-60s) - Investment
• Information (1980-90s) - Computers
• Knowledge (Intelligence) (2000s) - Competitive Intelligence Systems
13. SECURITY THREATS
Adversary - Motivation
National Intelligence - Information for Political, Military, Economic Advantage
Information Warfare - Military Advantage, Chaos, Target Damage
Terrorists - Visibility, Publicity, Chaos, Political Change
Industrial Espionage - Competitive Advantage, Revenge
Organized Crime - Monetary Gain, Revenge
Insider - Revenge, Financial Gain, Institutional Change
Hacker - Thrill, Challenge, Prestige
Who thinks we are important? Or interesting?
Competitors, Suppliers, Customers, Investors, Critics, Regulators, Hackers
14. HOW IS IT DONE?
Myths
• Industrial spies are well trained James Bonds that can get anything they want
• Hackers are geniuses that can look at a computer and take it over
• It takes super advanced methods and a billion dollars in new research to figure out how to stop them
Reality
• “Spies” are putzes that do nothing brilliant
• They take advantage of what they have access to
• They abuse human nature
• They luck into it, because there are no or minimal countermeasures
15. WHY IS SE SO EFFECTIVE?
• The security field has focused primarily on technical security and protection of physical assets
• Security is only as strong as the weakest link - People are the weakest link
• Why spend time attacking the technology when a person will give you access or information?
• Extremely hard to detect, as there is no IDS for “lack of common sense” or, more appropriately, ignorance
[Diagram: Technical, Physical, People]
16. WHY IS SE SO EFFECTIVE?
Two Primary Factors: Business Environment and Human Nature
Business Environment
• Service Oriented
• Time Crunch
• Distributed
• Outsourcing
• Virtual Offices
Human Nature
• Helpful
• Trusting
• Naive
17. ANATOMY OF AN SE ATTACK
Very similar to how intelligence agencies infiltrate their targets. Usually a very
methodical, 3-phased approach:
Step 1: Intelligence gathering
• Primarily Open Source Information such as: Dumpster diving, Web pages, Ex-employees, Contractors, Vendors, Partners
Step 2: Target selection
• Looking for weaknesses in the organization’s personnel: Help desk, Tech support, Reception, Admin. support, etc.
Step 3: The attack
• Commonly known as the con
• Three broad categories of attack: Ego attacks, Sympathy attacks, Intimidation attacks.
• Other elicitation techniques …
18. COMMON SE ATTACKS
1. Ego attacks
Attacker appeals to the vanity, or ego of the victim
Usually targets someone they sense is frustrated with their
current job position
The victim wants to prove how smart or knowledgeable they
are and provides sensitive information or even access to the
systems or data
Attacker may pretend to be law enforcement, the victim feels
honored to be helping
Victim usually never realizes
19. COMMON SE ATTACKS
2. Sympathy attacks
Attacker pretends to be a fellow employee (new
hire), contractor, employee or a vendor, etc.
There is some urgency to complete some task or obtain some
information
Needs assistance or they will be in trouble or lose their job etc.
Plays on the empathy & sympathy of the victim
Attackers “shop around” until they find someone who will help
Very successful attack
20. COMMON SE ATTACKS
3. Intimidation attacks
Attacker pretends to be someone influential, authority
figure, and in some cases law enforcement
Attempts to use their authority to coerce the victim into
cooperation
If there is resistance they use intimidation, and threats
(e.g., job sanctions, criminal charges etc.)
If they pretend to be Law Enforcement they will claim the
investigation is hush hush and not to be discussed etc.
21. OTHER ELICITATION TECHNIQUES
• Elicitation
• Interview process which avoids direct
questions and employs a conversational style
to reduce concerns and suspicions…
• Collecting information without asking
questions.
22. ELICITATION - CONVERSATIONAL HOURGLASS
• People remember questions more clearly and longer
• People remember the beginning and end of a conversation
• Concentration is on the “muddle in the middle”
[Hourglass diagram: Macro topics, Micro topics, Macro topics]
What you already know
• personal/professional background
• techniques that have worked well before
• areas of expertise or knowledge
Style
• Innocuous and non-threatening
• Testing of generalizations and presumptions about human factors in elicitation
• Reading signals from source
• Pleasant and non-confrontational
Elements
• Pre-selected introductory questions about general topics
• Stacking of elicitation techniques
• Attention to details of information being provided
• Additional “cool down” questions about other general topic
23. WHY DOES IT HAPPEN?
A natural tendency
• to need recognition (as an expert)
• toward self-effacement
• to correct, advise, challenge others
• to prove others wrong
• to discuss things that are not their concern
• to gossip
• not to be able to keep secrets
• to underestimate the value of information
• toward indiscretion when not in control of one’s
emotions
• to show off (professionally)
• to complain
(Nolan, 2000)
24. TYPICAL ELICITATION TOOLS
1. Provocative statements evoking:
– quid pro quo
– naïveté
– disbelief
– criticism
2. quid pro quo
3. Simple flattery
4. Exploiting the instinct to complain
5. Word repetition vs. “emphatic loading”
6. Quotation of reported facts(?)
7. Naïveté
8. Oblique reference
9. Criticism
10. Bracketing
11. Feigned or real disbelief
12. Purposely erroneous statement
(Nolan, 2000)
26. DEFENSE FRAMEWORK
People - Effective Policies
• Enforcement of effective policies
• Staff knowledge and skill development
Process - Managed Processes
Security is not about products - it is the effective management of processes between Policy, Technology and Support Structure
Technology - Secure Systems
Technology implementation for end-to-end security
Organization - Effective support structure
(Nolan, 2000)
27. THERE ARE MANY WAYS TO “BUG” A ROOM
Find professionals!
(Nolan, 2000)
28. COUNTERINTELLIGENCE
Measures to prevent a competitor from gaining data or knowledge
that could give them competitive advantage over your company.
• What assets, resources & information should be protected?
(e.g., new technologies, new products/services)
• How can you safeguard what might be penetrated?
(Nolan, 2000)
30. PROTECTION – COST vs. BENEFITS
What is the cost vs. benefit?
Are you creating another vulnerability?
How long is the countermeasure needed?
[Chart: Cost of Security vs. Cost of Losses]
(Nolan, 2000)
31. PROTECTION – COST vs. BENEFITS
[Chart: Risk plotted against Investment and Threat Level. Labels: Acceptable Risk Region; Total Risk; Systematic Risk; Non-Systematic. Investment stages: Sound Security Policy; Implementation, Enforcement, Auditing; Mitigation for specific threats; Security Engineering and Intelligence Function. Threats: USER, HACKER, COMPETITION, FOREIGN THREATS.]
(Nolan, 2000)
32. OPERATIONS VULNERABILITIES
Procedures in Practice
• Sales & Marketing
• Public Relations
• Help Wanted Ads
• Internet Usage
• Credit Cards and other travel records
• Telephone records and conversations
• Casual conversations
• Supplier records
• Personal aggrandizement
• Taking work home
• Poor incident-reporting procedures
• Human weaknesses
(Nolan, 2000)
33. OPERATIONS COUNTERMEASURES
1. Awareness Training
2. Classifying Information
3. Security Alert System
4. Reward Programs
5. Callbacks before Disclosing Sensitive Info
– Verifying the Need for Information Access
– Verifying Identities and Purposes
6. Removing Personal Identifiers from Access Badges
7. Nondisclosure/Non-compete Agreements for employees and business partners
8. Prepublication Reviews for Employees
9. Review of Corporate Releases
10. Strict Guidelines for Marketers and Salespeople
(Nolan, 2000)
34. It takes only one… Are You The Weakest Link?
Questions? Experiences?
35. MAJOR FOREIGN AGENCIES
France: Direction Generale de la Securite Exterieure (DGSE). Service 7 seems to
have responsibility for this function.
Typical activities include: Bugging hotels, airlines, conferences,
etc; Black bag operations in French hotels to photograph and
download information from laptops; Bribes and prostitutes;
Business infiltration; Eavesdropping of telephone and electronic
communications.
The French are very open about their operations and seem to
take a great deal of national pride in this area.
Germany: Bundesnachrichtendienst (BND). Division II seems to have
prime responsibility for technical information.
Typical activities include: Telephone monitoring; Establishing
“agents of influence”; Business infiltration; Active hacking
function; Seduction, Blackmail, Bribery.
36. MAJOR FOREIGN AGENCIES
Russia: External Intelligence Service of Russia (EISAR) formerly the
First Directorate of the KGB.
Section T specifically targets foreign Technology.
Typical operations include: A well-established network of moles
and operatives; Indications are that every major US company has
at least one mole; Primary targets are approached indirectly
through suppliers, etc; Bugging, monitor truck/railroad lines; Spy
satellites, sensors on Aeroflot airplanes, etc; Joint ventures.
Israel: Scientific Affairs Liaison Bureau (LAKAM). Typical operations
include: Business Infiltration; Ethnic Targeting; Believed to have moles
in major technology industries; Bugging hotel rooms, monitor
telephone lines, etc; Extensive support for hacker activity.
Israel, man for man, is reputed to have the best intelligence
capability in the world.
37. MAJOR FOREIGN AGENCIES
China: Guojia Anquan Bu, or Ministry of State Security (MSS). Qing Bao
offices are scattered throughout China with responsibility for assuring
that economic intelligence flows to the factories.
Typical operations include: Ethnic targeting; Business fronts in
third countries to purchase sensitive business technology; Open
sources (China has the largest foreign presence in US); Import and
Export companies; University students; University graduates
become moles in high technology companies; Bait and switch,
make a scene, etc; Wiretaps, satellites, spy ships, etc.
38. WHO ARE WE?
Penetration Testing and Counter Espionage Consulting
100% focused on information protection, counter intelligence, counter espionage
No conflict of interest
Particular expertise in counter HUMINT
Provides training, consulting, mentoring, testing and regular assessments
We also cover: Penetration testing, Cyber security, Physical security, Technical security