
Be a Better Social Engineer and Security Manager

By Katherine Teitler

Something to talk about

Twenty minutes before the talk was scheduled to begin, attendees anxiously queued up outside the center ballroom to hear Chris Hadnagy present Mindreading for Fun and Profit Using DISC. Hadnagy, a renowned social engineer and DerbyCon staple, promised to share with the audience “how to use a quick and easy profiling tool to make targets feel as if you can read their minds.”

Once attendees were packed in like sardines, Hadnagy explained the principles of influence: how security practitioners can use different types of communication and body language to affect interactions with others. Whether during a social engineering exercise or a pen test, exerting influence matters; understanding just how far another person will bend is key to finding the vulnerabilities in an organization. People are often the gateway to information, and building rapport with individuals, said Hadnagy, helps testers find the weaknesses and get what they want out of the intended target.

Indeed, malicious adversaries are using these tactics too.

Simply observing a person in his or her environment provides many clues to preferred communication style. “If you learn how people like to be communicated with,” said Hadnagy, and you know your own style, “you can adjust and build amazing rapport,” which makes it more likely to get what you want or need.

People are talkin’, talkin’ ‘bout people

If this sounds nefarious or devious, sure, it can be. A big takeaway from the session, though, especially given some of the other talks presented during the nearly week-long conference in Louisville, KY, was that thoughtful communication can help security practitioners achieve better collaboration and therefore improved security processes and practices throughout the organization. It's not only about tricking targets into giving up the goods (although identifying vulnerabilities is an important part of what security teams do); security has a long history of acting like, and being perceived as, the adversary within its own organization. Security is always saying "no." Security is always slowing operations down. Security makes peremptory decisions and then insists that anything less will lead to compromise. Security constantly complains about how we do things. Does this sound like how your organization views you? Hopefully not, but there's probably at least a modicum of truth in those statements.

Communication is hard under the best of circumstances, and security teams could benefit from a more supportive and productive environment. Communication profiling can help build necessary rapport with those outside of the security team.

I hear them whisper

Hadnagy shared a little background on William Marston, the creator of the DISC model of communication and one of the inventors of the earliest lie detector tests. Marston's work on human emotions and communication styles is still influential today, and it goes something like this:

[DISC quadrant diagram. Source: https://www.discprofile.com/what-is-disc/overview/]

Hadnagy explained that the quadrants represent four general communication styles exhibited by most people. Of course, people are complex and may not fit squarely (or pie-shapedly) into a single category, but generally speaking, each person manifests one primary, preferred method of communication. The four DISC categories are:

Dominant: people who are driven, direct, decisive, strong-willed, confident, like things fast-paced.

Influence: people who are charming, trusting, social, optimistic, collaborative, persuasive, upbeat.

Steadiness: people who are deliberate, calm, stable, more passive, patient, predictable, reliable.

Conscientiousness: people who are analytical, reserved, cautious, private, systematic.

Adding a layer to the four styles, Hadnagy explained that the Marston model further divides people along two axes: those who are direct (the styles at the top of the circle) versus those who are indirect (at the bottom), and task-oriented individuals (the left-hand side) versus people-oriented individuals, the people pleasers (the right-hand side).

You won’t believe it

Hadnagy walked the room through a few exercises, having DerbyCon attendees shout out observations about pictures projected on the presentation screen. What did everyone see? How did it translate to communication style? Simply observing how a person looked (his facial expression, her stance, how she kept and organized her desk, whether he was looking straight into the camera, and so on) provided a lot of cues about communication style. An understanding of communication style can, if one is willing, help shape discussions and alleviate unintended friction. What better way to work with someone than to make him or her feel happy, relaxed, and like part of the team? Getting someone "on your wavelength" isn't just a hippie saying; using communication profiling can help bridge the distance between personalities and point team members and coworkers in the same direction.

Importantly, though, warned Hadnagy, DISC shouldn't be used to measure intelligence, versatility, skills, or values. Those are inferences the model does not support, and one can quickly fall down the rabbit hole making assumptions, assumptions which may inadvertently or subconsciously influence your own style and quickly take the conversation in a negative direction. Instead, focus strictly on style and use DISC to communicate in a way that resonates with the listener, facilitating the conversation, allowing you to get more of what you need, and leaving the other person at ease and willing to help.

To illustrate, "dominants" prefer direct, confident communication. When speaking with someone whose communication style fits this category, it's advisable to be direct as well, but not to match the intensity of the other communicator. Tensions can flare if two people are jockeying for the highest position. Act as an authority figure, but not an overly authoritative or domineering one.

With those in the "influence" category, bubbly, friendly communication works well, but again, Hadnagy advised letting the other person take a slight lead while you communicate in a positive manner. People in this category may want to really talk through a situation and want their opinions accepted.

With people who are “steady,” take a calm, measured approach and avoid conflict. This person will react negatively if he or she feels like you are overstepping bounds, so displaying support will go a long way.

Someone “conscientious” values time and precision and will appreciate being approached with details without extraneous information. This person might need time to process what is being communicated, so don’t push for a decision right then, right there.

Maybe they’re seeing something we don’t

A fifty-minute conference talk can't, of course, do justice to the topic or impart all of the experience and skill Hadnagy has gained over the years. However, if your goal is a successful penetration or social engineering test, using just this little bit of wisdom could yield some interesting information. For managers who want to become leaders, get the best out of people, and generally improve relationships, a good first step is to determine your own communication style. Next, learn the communication styles of those around you, then put on your best social engineer or "nice guy" hat and put what you've learned into practice. No one will become the perfect communicator all the time, but observing and adjusting will take you one step closer every time you try it.
