Introduction - Unmasking the Social Engineer: The Human Element of Security (2014)

Introduction

I have taught myself to notice what I see.

—Sherlock Holmes

When I decided to write another book, I needed to spend some time thinking about the topic I wanted to cover. My Social Engineering: The Art of Human Hacking (Wiley, 2011) was one of the first books to walk the reader through all the skills that comprise an expert social engineer. These skills are flat, though, because you practice them and master them—there are no advanced topics.

Social Engineering is a simple and basic book that outlines what social engineering is and what I feel it takes to develop and use social engineering skills in your daily life. In addition, as many of my readers have noticed, I had to adjust my understanding, thinking, and training to come more in line with proven scientific facts.

As I thought about what excited me about social engineering and what skills I found helped me the most, I started to reflect on the journey I had taken over the last few years.

I've always found the psychology and physiology of human interaction fascinating. Although I do not have a degree in either field, I believe understanding these aspects of communication can enhance your ability to understand, interpret, and utilize skills related to these aspects in everyday communications.

As I began my research, I headed to a bookstore and bought books on particular topics that piqued my interest. This is when I first saw the books Emotions Revealed and Unmasking the Face by Dr. Paul Ekman. I bought them and couldn't put them down. This was before Dr. Ekman had a website with interactive training courses. I was determined to locate and speak with him.

As I began to read Emotions Revealed I began to understand things that I had been subconsciously registering for years—things like when facial expressions didn't match verbal content and expressions for emotions that were trying to be hidden. The topic fascinated me, so I started to read all I could on body language and facial expressions. After reading these books and practicing as much as I could with their photographs, I found a website selling Dr. Ekman's Facial Action Coding System (FACS) course. The FACS course picks apart every muscle in the face and describes how it is triggered, what it controls, and what it looks like when used. I quickly bought that course and found out it was a treasure trove of information, but not for the faint of heart.

At this time, I was working on developing a course that would help security professionals learn the arts and sciences involved in social engineering. The course became a five-day foundational training program that would help teach enough of the skills to give the students a head start. At this point in my life, I decided to do something that would change my life forever.

I decided that it was time. I couldn't contain myself any longer; I had to speak to Dr. Ekman. It took me a while to find Dr. Ekman's email address and phone number, but eventually he and I talked on the phone.

To this day I cannot tell you why he spent so much time answering my questions and telling me about his research. I do know the time he gave me had a massive impact on my life, because Dr. Ekman and I developed a friendship. Over two years later I found myself sitting in his home, talking about the future of social engineering research involving the use of nonverbal communication.

After I launched my course, Dr. Ekman reviewed my materials and helped me perfect how I taught the section on nonverbal communication. He also helped me see how important this topic is when reading and dealing with other people. Not just the face, but also the whole body offers important cues for understanding what someone is truly saying during communication.

I'm telling you this story because it's what led me to write this book. My friendship with, and respect for, Dr. Ekman, my study of nonverbal communication, and my using those skills in my social engineering practice over the last few years helped me decide to call this book Unmasking the Social Engineer.

Each part of your body tells a story about your emotions. Each piece, when combined with the others, can help you understand what someone is feeling and saying when he or she communicates with you or is trying to hide from you.

Why should you care about this topic? Suppose that, while communicating with your spouse, kids, boss, coworkers, and others, you could decipher signs of discomfort. Suppose you could tell whether they were feeling happiness, sadness, anger, fear, or other emotions they didn't want you to see. Suppose that, when asking for a raise, you could see that your boss has some doubts. How would any of this affect your ability to adapt, adjust, and enhance your communication style? Now consider a social engineering engagement. When you are speaking to your target, what would it do for you to see that he is feeling anger, sadness, fear, or happiness? If you could look across the room at two people talking and see that one is feeling uncomfortable, could this fact assist you in your approach?

Being able not only to see but to decipher these signs will enhance your communication skills, and that is the primary reason to read this book. Secondarily, this book will enhance the skills of any social engineering professional to get the most out of their engagements with others.

We have all listened to a “gut feeling” when dealing with others. Sometimes you instantly like or dislike a person, for example. Sometimes gut feelings arise without any or very little actual communication. Have you ever wondered why this is the case?

A lot of what you base your gut feelings on involves how someone communicates nonverbally. Your brain picks up on these cues and then triggers an emotional response that creates a certain depth of feeling toward that person. Learning how to turn on this talent and use it to your benefit will give you power during any communication that you will quickly grow to enjoy.

From writing my first book, I learned that I can't please everyone. You might disagree with certain points in this book. That is fine and I encourage and look forward to open communication about these topics from you, the reader.

Feel free to reach out to me about these things. I am always open to constructive criticism. My website is www.social-engineer.com. There you will find ways to communicate with me.

Also, I do not claim that this book is based on new research that has never been released. As a matter of fact, this book is largely based on the research and work of some of the greatest minds of our time. The reason this book is different is because, until now, no book has compiled all this research for social engineers. No book has shown you how to use these skills as a social engineer. No book has been written by a social engineer and edited, proofed, and checked for scientific accuracy by two of the greatest men in this field—Dr. Paul Ekman and Paul Kelly.

One of the questions I get asked so often is how I developed my relationship with Dr. Ekman. Let me take a few moments to answer this question in this introduction.

The Scholar and the Student

One of my fears in initially trying to reach out to Dr. Ekman was that he was a world-renowned scientist and researcher, known for pioneering a whole area of study and research. Me…well, I am just a guy who really knows how to talk to people and enjoys “hacking things.” I began to ask why he would want to spend his valuable time with me.

I first reached out to Dr. Ekman through his assistant and his website to invite him on my monthly Social-Engineer podcast. Truly surprised, Dr. Ekman asked to spend some time with me on the phone. We spent two hours talking that first day about my practice, what I did for work, and how it applied to his field.

Dr. Ekman may have been up in years, but he got the concepts of social engineering right away and saw applications for them. At that time he accepted my invitation to come on the podcast. We had one of our most downloaded podcasts ever with Dr. Ekman.

After that he reviewed the chapter of my five-day course related to nonverbals, helped me perfect my teaching method, and allowed me to use his Micro Expression Training Tool (METT) software in the course to help hone the students' skills during the day.

A few months later I found myself sitting on the balcony of Dr. Ekman's apartment talking about social engineering and microexpressions. It was then that I told him I wanted to write a book that took his decades of research and applied it to a field in which it had never been applied before.

But I told him I would only do it with his blessing and support. I would not take on this task without his help, training, editing, and correction. I am serious about making sure what is said in this book is backed by science, accuracy, and years of proof. About a year later, Dr. Ekman agreed to work with me and suggested that his longtime associate, Paul Kelly (or PK) would be a part of this process.

PK and I developed a friendship through this process that helped me to learn from one of Dr. Ekman's senior instructors. Dr. Ekman and PK spent a considerable amount of time with me to ensure that I understood the concepts and to help me make sure this book was scientifically accurate. Some of this collaboration is illustrated in Figures I-1 through I-4.

Figure I-1: Dr. Ekman and me reviewing some of the pictures for the book

Figure I-2: Dr. Ekman giving me some advice for proper facial expression usage for the book

Figure I-3: Dr. Ekman allowing me to explain my concept for using certain pictures

Figure I-4: Dr. Ekman helping me understand the deeper dimensions of some expressions

Figure I-5: Dr. Ekman working with Amaya to perfect her expressions

Despite all of this, one of the things that moved me even more is the time that Dr. Ekman gave my daughter, Amaya. My daughter took an interest in Dr. Ekman's work and took his online facial expression reading course, scoring an 89 percent. When she heard I was going to meet him in NYC, she begged me to let her come.

During that session, Amaya showed Dr. Ekman some of her work that was inspired by his daughter, Eve. She had made a collage of facial expressions imitating Eve from Emotions Revealed. Dr. Ekman took one look and said, “If you don't use this young lady in your book you are doing a disservice.”

In the spirit of Eve Ekman from so many years ago, my daughter, Amaya, makes her debut in Chapter 5 of this book showing us her skill in mimicking facial expressions.

In the end, what I can say is that I am proud to have Paul Ekman and Paul Kelly supporting me in this book, as I know what I am writing is accurate and proven. Even more so, they have become my mentors and friends.

Let's quickly review the topics covered in this book.

Chapter 1 takes an in-depth look at nonverbal communication and how it works from a scientific point of view.

Chapter 2 describes what social engineering is and how it is used. This chapter discusses how several recent real-life attacks used social engineering and what you can learn from these incidents.

Chapter 3 considers the science of the hands, a subset of body language, describing how you can decipher emotions displayed through the use of the hands.

Chapter 4 analyzes the emotions revealed by other key aspects of body language—the torso, legs, and feet. What does it mean when someone points his or her feet toward the door? Are signs of comfort or discomfort hidden in how someone stands or leans? Being able to pick up on these cues will enhance your ability to read anyone fast.

Chapter 5 is chock-full of research, data, and facts about the human face. The science of the face is vital. The face is key to your emotions and is one of your biggest communication tools. Learning to understand, decipher, and use the face can make you seem like a mind reader.

Many people think that the science behind microexpressions (very brief, involuntary, and cross-cultural/universal facial expressions) is invalid and that no one can be taught to read facial expressions quickly. Chapter 5 is proof of the advancements in this science, led by Dr. Ekman, and how it is scientific fact. The vast majority of students improve this skill after as few as two hours of training, some significantly.

One of the greatest myths is that you can tell if someone is lying within seconds. That is untrue, but you can tell if someone is comfortable. Displaying signs of discomfort can reveal much about the person's state of mind and how it can be influenced. Chapter 6 focuses on how to look for and understand signs of discomfort.

Chapter 7 takes a small step away from the outside of the body and focuses on the brain, specifically the amygdala. This little portion of the brain that controls the nonverbal responses to emotional triggers will be discussed here. Also, this chapter answers the question of whether you can have your amygdala hijacked, and if so, how and to what effect.

Next we need to start applying this knowledge to the social engineering field, specifically elicitation, the heart of social engineering. Chapter 8 discusses how nonverbal communication affects the elicitation process.

Chapter 9 concludes the book with practical application as a security professional and answers the question, “How can this information be used to audit, educate, enhance, test, and protect yourself, your family, and your company?”

In this book, I convey what I know and how I have used this knowledge in my life as a social engineer. I have studied, researched, and talked with the world's experts about these topics. I have worked with them and gleaned knowledge from them to perfect my craft. Many people who have devoted their lives to understanding one or a few aspects of human communication have contributed to this book in some way.

My work with Robin Dreeke, Director of the FBI's Behavioral Analysis Unit and an expert on behavioral communication, has taught me a lot. I have learned how to read people's communication styles fast, how to build rapport with anyone quickly, and how to adjust my own style to be more appealing to others. He has truly changed my life.

On my Social-Engineer podcast, I interviewed great minds such as Dr. Ellen Langer, a Harvard psychologist who wrote a book on her theory of mindlessness, in which people go through their daily routines without thinking. Understanding this research affects how we look for and read signs of comfort or discomfort in those we are communicating with.

Paul Kelly has been an invaluable resource. His years with the US Secret Service as well as working with Dr. Ekman as a “natural” in reading microexpressions lend themselves to this book in helping to ensure that all I said was accurate. In addition, his friendship, support, and encouragement have been nothing but inspiring over these many months.

One of the most amazing conversations I ever had was with behavioral economist Dan Ariely. His work and research on predictable irrationality have enhanced how we understand framing others and ourselves for complete change.

Kevin Hogan, a renowned expert on the psychology of persuasion, spent some time with me explaining how persuasion works and how his research can help us understand the power of making people do what you want.

I can't complete this Introduction without again mentioning Dr. Paul Ekman. Not only has he become a friend and mentor, but his books, training materials, and scientific research have changed how we understand communication. Dr. Ekman has taken a leap of faith in me and trusted me to take the “torch” of his life's work into a field that desperately needs it.

Using This Book as a Social Engineer

Voltaire is credited as being the first to say, “With great power comes great responsibility.”

When I give my five-day training courses, I have been told that learning about social engineering is like being able to read minds. I don't teach people how to read minds. But you can learn how to communicate the way your target wants to be communicated with, read his or her subtle nonverbal cues, and display reinforcing nonverbals on your side. Doing so gives the person you are dealing with the feeling that communicating with you is in his or her best interest.

I hope you are reading this book with the intent of learning how to be a better communicator. Some studies like to attach numbers to how much of what we say is nonverbal. Dr. Ekman has taught me that we can't really put a true number next to it because so much depends on what type of communication it is. In one setting it may be 55 percent, and in another it may be 80 percent. One thing we do know is, a large portion of what we “say” is through nonverbal communication.

If you are a security professional in charge of protecting your company, educating your staff, or battling the cyber war, this book can help you. You can learn how to read and use this very important aspect of communication to enhance your message, understand what people are truly saying, and even enhance your ability to test your company's defenses.

I hope you enjoy this book and that you will feel free to reach out to me and discuss these topics. Now let's move on to Chapter 1 and discuss nonverbal communication.