Introduction
In this article we’re going to define elicitation, walk the reader through some examples of it, and explain why it works. Then we’ll review how we use elicitation to better our communication and even how we can protect ourselves from attacks performed by malicious actors.
Elicitation, What is it?
Elicitation can be defined as the strategic use of statements and open-ended questions to extract information from a target individual or Person of Interest (PoI) without giving the feeling that they are being questioned or interrogated. The aim of using elicitation is to give the feel of a normal conversation, preventing the concern or reluctance we feel when we are questioned.
The use of these strategies and tactics can range from simple and obvious to more precise, well-planned, and well-thought-out conversations. The simpler and more obvious the elicitation technique is, the easier it will be to spot and defend against or deflect. The more complicated or imaginative the elicitation technique, the harder it may be to identify and thus defend against.
Why elicitation works
Imagine you’re sitting in a bar, and you knock your drink over. To reduce the embarrassment you feel for being so clumsy, you make a joke. “Party foul,” you say, just loud enough for the bartender to hear you. He chuckles a little, and tosses over a towel. You quickly clean up the mess and go on about your way. The person next to you, now mildly amused, sparks a conversation. You two talk for a few moments and he mentions something about being an aeronautical engineer. Inquisitive, you might respond with, “Aeronautics?” Your conversational counterpart, realizing that you are now interested, begins explaining what it is that he does.
Pause and think about this. What just happened? Whether you know it or not, you just elicited information. This inquisitive nature of speaking demonstrated your interest. The gentleman you were speaking with, in the desire to appear well-informed, especially in his area of “expertise”, began to open up and give you information. As the conversation continued and you began to validate this individual for his knowledge, he would have most likely felt inclined to give more information. Why? Because of the desire we as humans have to be wanted, needed, knowledgeable, and helpful.
Due to any and all of these desires, you got information that gave you insight into the individual’s line of work, and maybe even some information that was confidential to his company.
Here’s another example:
Picture yourself at a social gathering. You know only the person that invited you and, at this point, the bartender. You notice someone standing alone, rolling their glass in their hand just like you were a few moments ago, and decide to make conversation. You don’t know how to begin, so you introduce yourself and put your hand out for a handshake. The individual complies, and you hit it off.
Your conversation is moving along just fine; you and your new associate are really getting to know each other. At this point you know their name, they know yours, and you both know what brought you to the gathering, and who. Then, the conversation takes a turn, and the individual (let’s call him John) begins digging for information about your current occupation, sounding something like this:
- Looking bewildered at his phone, John says: “Ugh, I hate it when my boss doesn’t get that I’m off the clock after 6.”
- You: “Isn’t it the worst? I feel like I can never catch a break.”
- John: “I’ve been in accounting for 7 years and this is the first company to ever treat me like I only existed for their company!”
- You: “It’s not much better in IT. Development is a brutal world between rolling updates, hot fixes, midnight releases or change orders! I can’t believe some of the hours I put in. They really get you when they say ‘Salary’. I bet my hourly rate is pitiful.”
- John: “I.T.? Man, I wish I knew more about that stuff. I feel like it’s the wave of the future. I sure missed that ship.”
- You: “It is for sure, and at XYZ Corp, we’re focusing on AI and Data Analytics for Social Media!”
- John: “AI and data analytics for social media? That sounds wildly complex and really cool! You really get this stuff don’t you!”
- You: “Complex!? You have no idea! I’ve been in this field for a long time, this project right now is practically my life for the last 10 years! I’m one of the best at my company!”
It’s at this point that you would start telling John about your job, how you do it, the cool things in tech that you are involved in. Perhaps, because John is in “accounting”, you may even reveal some proprietary knowledge, because you developed it and know its intricacies. Like he said: he knows nothing of IT, so what is he going to do with the information?
John just elicited information from you and this works for the same reasons mentioned above. You’re in conversation, the oxytocin and dopamine are flowing, you’re being validated, and because of that, you talk. This doesn’t happen because we’re broken or stupid, it happens because we are human. Relationships are important to us, and when oxytocin and dopamine are in the mix, knowingly or unknowingly, we are bonding and want to continue building that bond.
Other reasons elicitation works can be:
- We tend to want to expand on a topic when we are praised for our knowledge (We secretly like to show off, some of us not so secretly)
- We often underestimate the value of what we are giving away (In this case, John was an accountant, what could he do with the info?)
- We love to gossip or discuss our own misery in life (John sucked you right in by complaining about his boss.)
- The “good person” rule: most of us don’t just lie, and in the cases that we do, it is most likely a social courtesy (“I’m doing great how about you!”, “Of course you’re a great person, she just doesn’t know what she’s missing!”)
These human tendencies make us all vulnerable, including expert social engineers and malicious actors. None of us are immune, which is why it’s important to learn these skills and how to spot them, defend against them, and deflect them.
How do we benefit from elicitation?
That being said, it’s really not all doom and gloom. Elicitation isn’t just for the bad guys. We all use elicitation often, for many different reasons, from identifying what our children are dealing with at school, to planning that surprise party for your friends without letting them in on the secret. Elicitation techniques, like most Social Engineering techniques and tactics, can be used to become a better, more artful communicator.
“Communication — the human connection — is the key to personal and career success.” ~ Paul J. Meyer
Elicitation techniques can be used to increase your conversational skill and get the information that you are really after, or even the information that your conversational counterpart doesn’t know how to give. While elicitation isn’t built for all conversations, it is a creative way to design your discussions.
How do we protect ourselves?
Defending ourselves against elicitation, unfortunately, takes about as much effort and practice as learning how to use this powerful conversational technique. Why? Because, as stated previously, it often plays on unconscious human needs and desires, such as wanting to feel interesting, valued, intelligent, and so on.
So… how do we protect ourselves?
First, you need to recognize what data you have at your disposal and the value that data holds. Once you understand that, you can then assess how exposing that information could damage or jeopardize yourself, your family, and/or your organization.
Here are some methods for deflection of elicitation:
- Redirect the conversation: steer it away from sensitive data and toward less important topics.
- If you feel the urge to give out information about your company, refer the individual to publicly available information. (CAUTION: Be careful here. Being helpful in this way could give you a little bit of the rush from the chemical soup discussed earlier and lead you to expose more information later. Sometimes the best approach really is redirection.)
- Give non-descript answers, or answer with a question of your own. (John appeared interested in your skills in IT. Replying with a non-descript answer and question of your own may have looked like this: “Yeah, computer programming, what about you? What kind of accounting do you do?” And you’re off to safer waters.)
- If you feel like you’re someone’s target, or that you are at risk of giving away information, step away from the conversation. That, or you could inform the individual that you cannot discuss the matter being questioned.
As a best practice, assume that if you don’t know the person, they don’t need to know internal information on your family, friends, loved ones, occupation, group affiliation, etc. This is sometimes difficult to do, but may be the best approach to protecting you from relinquishing information that might damage you or those around you. We can be polite and still decline to discuss private matters and information.
Conclusion
Like all learned skills, these techniques only work if you apply them. Simply learning to spot elicitation takes practice. The art of communication is a difficult beast to conquer, and you may find that the road can be just as rocky as it is enjoyable. It goes without saying though that, as you hone these skills, the rewards earned are worth gold. Keep at it!
“Communication is a skill that you can learn. It’s like riding a bicycle or typing. If you’re willing to work at it, you can rapidly improve the quality of every part of your life.” ~ Brian Tracy
Stay tuned for part two — Elicitation: Tactics, Techniques, and Planning Conversations
Special Thanks to @bfuzzy1 (twitter.com/bfuzzy1) and Jonathan Younie (twitter.com/infoseccanuck) for the proofing and assisted editing of this article.