Since the purpose of this post is the use of OSINT and how it supports Social Engineering engagements, it is important to first define what Social Engineering is and why there is a requirement for intelligence gathering activities in the first place.
What is Social Engineering
Simply put, for a not so simply defined process, Social Engineering is the act of using leverage and influence to persuade others to do what you would like them to do, rather it be in their best interest, your best interest, or on behalf of a third party. We use this tool every day when trying to score a free coffee, or an upgrade on your plane tickets, when you try to get your friends to go out on a Wednesday, or a promotion at work.
Malicious threat actors also use Social Engineering as a weapon to gain access to networks, playing on our need to be helpful or social and taking advantage of human fallibility. This potential to make mistakes is not because humans are broken or because of ignorance or stupidity, but more so because humans are busy and trusting.
Because security operators must provide real world training and engagements that is as indiscriminate as the attackers, we are trying to defend our friends, loved ones, and associates from; we must prepare just as thoroughly using the tools and techniques that threat actors use, and OSINT is at the top of the list.
Why perform OSINT for Social Engineering
Open-Source Intelligence (OSINT) gathering activities support most phases in Offensive Security operations and engagements including Social Engineering. OSINT is used to identify information that may assist in building a pretext. This information may be as simple as identifying company lingo, company events, services that the company may use, or vendors that may be used.
This OSINT is standard, it identifies position, time in position, managers, and other information that we may be able to use to make comments or at the least sound like we know what we are talking about when attempting to gain further information from the human elements of the company.
We use this information to support elicitation techniques such as assumptive statements or even false statements by calling out the type of computer being used or the SSID of the primary Wi-Fi network. We make these comments to have the target reply with the correct model or correct network or to confirm what it is that has been said during our pretext.
In the security industry there are already so many acronyms and the intelligence field is no different. With OSINT, HUMINT, TECHINT, SIGINT, ORBINT, etc. the list is long… really, really, long; so why add another?
PERSINT — “Open-Source Intelligence gathering to build personality-based profiles using Social Media, personal websites, and personal blogs for the purposes of developing pretexts based on the targets communication style.”
PERSINT is probably my new favorite as a Social Engineer because of its meaning. Short for Personality Based Intelligence gathering, PERSINT focuses on the likes, political affiliations, the way people talk, what they talk about, how they complement people, and how they respond to conflict. The practice also focuses on the pictures, the backgrounds of the pictures (offices, personal spaces, and the places they hang out), and the demeanor of the person in the picture.
Why would we do this? Simple, this gives us as Social Engineers the ability to create communication profiles that match that of the target. With just a small view into the world of an individual through public resources such as social media, personal websites, and blogs we can begin to understand the target, how we might approach them to start a conversation, and what we might expect if the interaction were to go sideways. James Pennebaker in his book “The Secret Life of Pronouns: What our Words Say About Us” mentions the following in regard to what we say and what it says about us.
“Who, for example, would have ever predicted that the high school student who uses too many verbs in her college admissions essay is likely to make lower grades in college? Or that the poet who overuses the word I in his poetry is at higher risk of suicide? Or that a certain world leader’s use of pronouns could reliably presage whether he’d lead his country into war? By looking more carefully at the ways people convey their thoughts in language we can begin to get a sense of their personalities, emotions, and connections with others.”
― James W. Pennebaker, The Secret Life of Pronouns: What Our Words Say About Us
In the book titled “Snoop” written by psychology professor Sam Gosling, the author notes that on the Big 5 OCEAN (Openness, Conscientiousness, Extraversion, Agreeableness, Neuroticism) personality traits model that out of the following:
- Personal Webpages
- Office Spaces
- Social Behavior
- Short Meetings
Personal websites and Facebook sites were more accurate in predicting the broad range of traits than any of the other spaces. Meaning that all 5 traits could be as accurately discerned using these tools as say, snooping an individuals bedroom or office spaces.
“…[Personal] websites are extraordinarily good places to learn about people — perhaps the best of all places. Our site snooping yielded information that was at least as accurate as what we learned from the bedrooms, offices, and music collections we studied, and accurate across a much broader array of personality variables than most other domains.”
― Sam Gosling, Ph.D., Snoop — What Your Stuff Says About You
Sam goes on to say that even when we are trying to hide ourselves within our personal sites, we still leak details that lead to our personality traits being revealed unintentionally. He rates manipulability of traits into 3 categories:
- Category 1 –(The easiest to manipulate) Deliberate signals such as badges, tattoos, images of symbolism, etc.
- Category 2 — (Unintentionally Manipulated) The modification of environments without the notion of signaling in mind
- Category 3 — (The hardest to manipulate) The inadvertent signals we send as byproducts of our behaviors.
Category 3 are the signals that Social Engineers can really dig deep into to get an understanding of how the target wants to be communicated with. Social Engineer trainer and expert Christopher Hadnagy puts it like this:
“Treat others how they want to be treated”
~ Christopher Hadnagy
This form of OSINT gives us the ability to do just that! So, the next time you have an engagement, practice this, make a determination on what you think the target wants to hear, how they want to be spoken to, what are their likes and their needs based on their Social Media posts or personal Web Site bio? We can gain insight into their mood, and even if they hate the Mondays, that unfortunate day that your engagement is set to begin on.