Even sophisticated corporate attacks, which appear to use minimal human interaction to wreak havoc, depend on emotional manipulation to convince targets to let their guard down – and attackers in, experts shared at SC Congress Chicago.
Chris Hadnagy, an expert on social engineering, explained at the security conference on Wednesday why organizations should be aware of suspicious physical cues that help pinpoint potential attackers.
“The largest part of how we communicate is not what we say, but how we look when we say it,” Hadnagy said.
As the president and CEO of Social-Engineer, Inc. a consulting and training firm that specializes in the art and science of social engineering, Hadnagy co-presented the closing keynote, called “Hacking the Human.”
Paul Kelly, who serves as the director for law enforcement, military and national security workshops within North America for the Paul Ekman Group, also led the talk. Dr. Paul Ekman, who founded the company, is a psychologist renowned for his research in facial “micro-expressions."
The duo explained how non-verbal communication – such as body language, gestures, and facial expressions – can be analyzed to identify a seemingly harmless guest who walks into the workplace carrying an infected USB or other motives that are a threat to company data or operations, for instance.
The experts shared that professionals should look for changes in individuals' body language, like them moving from an at ease posture to one where they unintentionally display discomfort (like crossing their arms). Also employees should learn to spot when someone's facial expressions aren't in line with what they've verbally communicated, the two said.
Going a step further, Kelly, who also served as a special agent in the U.S. Secret Service for more than twenty years, explained that when verbal and nonverbal communication are contradictory it's dangerous to jump to the conclusion that someone is lying.
Distinguishing odd or suspicious behavior is just one step, which should be followed by asking “why.”
“Do not make a rush to judgment,” Kelly advised attendees. “Do not make a decision unless you have all the input,” he continued, later adding that “misattribution of emotion is a real vulnerability in judgment.”
In order to mitigate socially engineered attacks, Hadnagy suggested that companies implement security awareness training and actionable policies at work, meaning enforcing rules that employees can realistically follow. Hadnagy also said that management should carry out regular tests that mimic real-life attack scenarios and response plans.[An earlier version of this story incorrectly stated Paul Kelly's title and the name of Hadnagy's company. The business is called Social-Engineer, Inc., not Social-Engineering.]