Let’s face it. We all make mistakes. Even the most diligent, well-intentioned employee can inadvertently open the floodgates to an attack. Telecoms giant Verizon illustrated this earlier this year, when it published the 2021 edition of its Data Breach Investigations Report (DBIR).
The DBIR examined 5,258 confirmed data breaches, gathering data about the methodologies used. It found that 35 percent of attacks incorporated a social element. Of these, the vast majority (85%) used phishing tactics.
In short: you can deploy all the technological measures you want, but unless you address the human element, an attacker can defeat your defenses with a simple phone call or email.
Social engineering has always intrigued me. There’s something weirdly compelling about someone circumventing the defenses of a company with nothing but a winning smile and a confident tone, and industry raconteurs like Jenny “The People Hacker” Radcliffe and Kevin Mitnick have some incredible stories to share.
But there’s something else. Many of the tactics successfully employed by social engineers can be found throughout history, used in the fields of warfare, espionage, and criminality. Shadowy state actors targeting government departments can be found using the same playbook as Classical-era Greek military tacticians.
There’s a reason for this. Humans are social animals. We have certain inherent traits. We’re often willing to trust strangers, and we help those we don’t necessarily know. We live by a set of rules, both written and unwritten. These attributes allowed us to develop societies, permanent settlements, and eventually nation states. But they can also be exploited by malicious actors seeking to further a particular goal.
Technologies and tactics change. Human nature is a constant.
This article will explore some of these historical parallels. We’ll take a journey through time that starts in the Roman city of Brundisium, circa 19 BCE, with detours through the swinging sixties, the latter years of the Vietnam War, and the early days of the Internet. We’ll put the tactics used by social engineers into context, and show why they’re so effective. And finally, we’ll learn how to defend against them.
Before we start our trip, it’s probably a good idea to talk about the human qualities commonly targeted by social engineers.
While researching this post, I sought out as many tales of real-world social engineering as I could find. I thumbed through books by Chris Hadnagy and Kevin Mitnick. I listened to conference talks from the likes of Paul Wilson and Jenny Radcliffe. I devoured entire episodes of The Darknet Diaries.
As I went through, I noted most attacks focused on certain human attributes. These included:
- **Curiosity.** Every great scientific and technological leap started with the words: “What if?” But you don’t need to be Einstein to have curiosity. We use trial-and-error and experimentation to make sense of our environment. Social engineers frequently exploit this when harvesting credentials or deploying malware.
- **Trust.** Life’s easier (and nicer) when you assume everyone acts in good faith. And so, we take people at their word. If an unfamiliar voice calls and claims to be from your bank or phone company, you might instinctively believe them. Social engineers can, and often do, exploit this.
- **The desire to help.** Since we’re social animals, collaboration is inevitable. If we see someone in need of assistance, chances are we’ll offer it. When exploiting this, a social engineer might pretend to be a low-ranking employee in need of credentials, access, or documents. They’ll count on the target feeling pity for them.
- **Fear.** The “fear factor” features in many social engineering attacks. You’re probably familiar with phishing emails claiming your bank account has been hacked, or that your social media profile will be deleted unless you click a link. This tactic pressures the target into making hasty decisions and dropping their skepticism.
- **The desire to comply.** Almost all organizations, in both the public and private sector, are hierarchical. There’s a pecking order, with some people at the top and others at the bottom. We tend to listen to (and obey) those higher up. Attackers exploit this by masquerading as senior staff and issuing edicts to junior employees.
Each of the historical examples listed in this article uses these innate attributes, often to devastating effect.
The year is 2008. A threat actor, most likely working for a foreign state, had broken into the heart of the United States defense establishment. Showing remarkable skill, the attacker had successfully deployed a data-siphoning worm onto a Central Command (CENTCOM) computer. From there, it proliferated like a fungus, spreading undetected into other computers.
William J. Lynn III, an Obama-era Deputy Secretary of Defense, later described it as "the most significant breach of U.S. military computers ever." He wasn’t wrong. The worm took almost 14 months to eradicate, and it infected both classified and unclassified machines. It’s hard to quantify the damage it inflicted on the Department of Defense.
Adding insult to injury, the damage was arguably self-inflicted. The worm, later dubbed Agent.btz, was reportedly distributed on USB sticks dropped in the parking lot of an unnamed Middle East military base. A CENTCOM employee picked one up and plugged it into their laptop.
The Department of Defense never identified the employee responsible for the first infection. We’ll never know their motivations. Were they curious about the drive’s contents? Did they want to reunite the drive with its owner? Or did they just want to save the $20 on a new memory stick? It’s not clear.
In the end, it doesn’t matter. The damage was done. The Department of Defense was forced to spend critical resources identifying and wiping infected machines, as they eliminated the worm one computer at a time. And it forced the military to radically change their approach to computer security, ultimately leading to the creation of the United States Cyber Command.
Still, I can’t help but wonder what the ancient Roman poet Virgil would think of this tale. Two millennia earlier, in 19 BCE, Virgil died in the city of Brundisium (now Brindisi), leaving behind his unfinished opus, the epic poem the Aeneid.
Book II of the Aeneid recounts the fall of Troy. This is perhaps the most famous battle that never actually took place, or at least not in the way depicted. Pretty much everything below is apocryphal. Still, it’s a great story, so indulge me.
Here’s the TL;DR: Greece was at war with Troy, and it wasn’t going well. The two sides were locked in a stalemate: Troy had retreated behind the walls of its capital city, where it could hold out indefinitely. After an exhausting ten-year siege, the Greeks were eager to end the campaign. And so, the Greek commander Odysseus conjured a devious ruse.
Greece would pretend to give up. Their forces would withdraw. As a parting offering, they left a large wooden horse outside the city gates, which the Trojans interpreted as a tribute to their greatness.
We all know what happened next. The Trojans hauled the horse into the city, unaware of the shock force of Greek warriors hidden inside it. As night fell, the warriors crept out and unlocked the city gates. The rest of the Greek army surged forward, flooding in and bringing the war to its conclusion in a matter of hours.
Technologically, USB drives and wooden horses couldn’t be more different. But in both of the examples cited, they were used to inflict devastating losses on the target. More importantly, they were only effective because the victim implicitly trusted that they wouldn’t be used to cause harm. Trust can be a dangerous thing.
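The article does not describe how the USB stick actually launched its payload, and the example below is not code from the article or from any analysis of Agent.btz. It is an added triage script that assumes the classic removable-media mechanism: a Windows host honouring AutoRun reads the `[autorun]` section of an `autorun.inf` file on the volume, executes the `open` or `shellexecute` command, and offers any `shell\<verb>\command` entries in the drive's context menu. The `action=` text shown to the user is attacker-controlled bait, which is how a found drive can display "Open folder to view files" while running a loader. The `autorun.inf` content, file names and DLL export name in the sample are constructed for illustration.

```python
"""Triage an autorun.inf recovered from removable media (added example).

Assumes the Windows AutoRun behaviour described in the lead-in: keys in the
[autorun] section name commands that a host honouring AutoRun executes or
offers to execute. All sample data below is constructed, not real malware.
"""
import re

# Keys whose values are executed automatically when AutoRun is honoured.
EXEC_KEYS = ("open", "shellexecute")
# Context-menu entries: shell\<verb>\command=<program>
SHELL_COMMAND_RE = re.compile(r"^shell\\([^\\]+)\\command$", re.IGNORECASE)
# Living-off-the-land loaders commonly used to run a payload that is not an .exe.
SUSPICIOUS_LOADERS = ("rundll32", "regsvr32", "cmd", "powershell",
                      "wscript", "cscript", "mshta")

# Constructed sample: a bait label plus three executable triggers.
SAMPLE_AUTORUN = r"""
[autorun]
; constructed example, not a real malware file
open=rundll32.exe .\x\payload.dll,InstallM
shellexecute=.\setup.exe
shell\explore\command=cmd.exe /c start .\loader.exe
action=Open folder to view files
icon=%SystemRoot%\system32\shell32.dll,4
label=USB_DRIVE
"""


def parse_autorun(text: str) -> dict:
    """Parse INI-style autorun.inf text into {section: {key: value}}.

    Section and key names are lower-cased; ';' comment lines are skipped.
    Keys may contain backslashes (shell\verb\command), so split on the first '='.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current][key.strip().lower()] = value.strip()
    return sections


def executable_actions(text: str) -> list:
    """Return (trigger, command) pairs that AutoRun would run or offer to run."""
    autorun = parse_autorun(text).get("autorun", {})
    actions = []
    for key, value in autorun.items():
        if key in EXEC_KEYS:
            actions.append((key, value))
            continue
        m = SHELL_COMMAND_RE.match(key)
        if m:
            actions.append(("shell\\%s\\command" % m.group(1), value))
    return actions


def _program_name(command: str) -> str:
    """Base name of the first token of a command, without path or extension."""
    tokens = command.split()
    if not tokens:
        return ""
    first = re.split(r"[\\/]", tokens[0].strip('"'))[-1]
    return first.lower().rsplit(".", 1)[0]


def triage(text: str) -> dict:
    """Summarise what inserting this volume would do on an AutoRun-honouring host."""
    actions = executable_actions(text)
    suspicious = [trigger for trigger, cmd in actions
                  if _program_name(cmd) in SUSPICIOUS_LOADERS]
    bait = parse_autorun(text).get("autorun", {}).get("action", "")
    return {
        "actions": actions,
        "suspicious_loaders": suspicious,
        "bait": bait,
        # Any executable trigger is reason enough not to mount the drive on a host.
        "verdict": "block" if actions else "clean",
    }


if __name__ == "__main__":
    result = triage(SAMPLE_AUTORUN)
    print("verdict:", result["verdict"])
    print("displayed to user:", result["bait"] or "(nothing)")
    for trigger, cmd in result["actions"]:
        print("  %-24s -> %s" % (trigger, cmd))
```

The verdict is deliberately coarse: a drive of unknown origin with any executable trigger should be examined on an isolated analysis host, never by plugging it into a workstation to "see what is on it", which is exactly the curiosity the parking-lot drop relies on.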