Social Engineering the people you love

BSides Albuquerque, 28:55, 23 views, published 2024-08

Okay, up next we have Micah Turner. Micah is a cyber security professional based in Reno, Nevada. He served for 5 years in US Army psychological operations, with four short combat tours in Afghanistan and Iraq. Now he's going to come and tell you how to message family.


Good morning. Influence is power, and like all power it does not care about the intentions of those who wield it. It's because of that fact that it can be used for incredible good or incomprehensible evil. When I think about the greatest influencers in history, I'm reminded of how Gandhi defeated the most powerful military might of his time without expending a single bullet, but I'm also reminded of how Hitler led his people to the worst genocide in history. Influence is power, and if you can learn how to harness it you can have a profound impact on the hearts and minds of the people in your life. I want to spend a moment focused on how important that is in a time when it feels like we are so divided that our hearts are cast in stone. You have the power to influence the hearts and minds of the people in your life, but that leads us to the big question: how can we influence the behavior of people? That one question has been thought of by the greatest thinkers and organizations throughout history.

But before I get into all that, I want you to know a little bit about me and why that question is important to me, who I am as a person. Because growing up I always felt like an outsider, like someone, everyone, had some knowledge that was uncommon, that they knew something that I didn't know, and I later came to think of that knowledge as the social contract, this semi-unspoken protocol for how to communicate effectively with others. That started to change for me when, after high school, I joined a wildland firefighter organization. On that squad I had a US Army infantry veteran named Duer. See, I'm 6'5" and I thought I was pretty strong at the time, but Duer was 6'8" and easily three times stronger than me. But to me that was not the most impressive thing about him; it was how easygoing he was with people, how generally likable he was, and how people seemed to gravitate towards him. I wanted to be more like him, and in some ways I saw him as an older brother. He mentored me during that first fire season, and though I didn't realize it at the time, it was like an introduction to soft skills, like a one-on-one course. He taught me how to better relate with people. At the end of that fire season he asked me what I wanted to do with my life, and at 19 years old I honestly had no idea. He suggested that I join the Army so I could have a more structured life and learn from leaders that have a broader experience than those I would be exposed to if I stayed in my hometown. We went down to the recruiter's office the next day.

My mother did not react well to that news. Her father served in World War II and his ship was sunk; well, he was in the Navy. And she was raised in Vietnam. I know that she was terrified by the idea that I would not come home from that experience. She cried for me, but in my heart and in my mind I was dedicated to the idea that I would serve my country.

Win the mind, win the day. That was the motto of the battalion I served with in the US Army Special Operations group called psychological operations. I won't be sharing any PSYOP secrets with you today, but let's see what Wikipedia has to say about them: PSYOPs are operations to convey selected information and indicators to audiences to influence their emotions, motives, objective reasoning, and ultimately behavior of governments, organizations, groups, and individuals. I served four combat tours with psychological operations in Iraq and Afghanistan, and what I learned in that time helped formalize my understanding of what it means to try to communicate with people in a way that can guide them towards a goal or a way of thinking. They helped me put myself in the mindset of the target audience, to consider their circumstances, identity, ideology, propensities, then use that context to create messaging that would be more likely to convince them to act in a way that aligned with our objectives.

During my last deployment the United States military finally succeeded in their objective to eliminate Osama Bin Laden, and I thought the war was over. The war was not over, and shortly before returning home from that last deployment a helicopter, call sign Extortion 17, was shot down by RPG fire, killing 38 people and one military working dog. I stood on the tarmac at Bagram Airfield for 4 hours while their bodies were loaded into the airplanes to ship back to their families and friends. During that 4-hour period I became furious with the military. In my mind, in my heart, I believed that they shouldn't have died, because the war had already been won and they should be at home celebrating that victory with us. Within the next year I had joined a group called Veterans For Peace, and for the first time I was called to speak about my experience in front of an audience using my own words. I talked about the injustice of the ongoing occupation in Afghanistan and called for peace. Ultimately my message was not received by many people, and without the resources of the military behind me I did not know how to spread that message further. This time in my life I was aimless and I didn't know what to do. My life had been defined by the Army for six years, but my life moves on, and I eventually needed to figure out how I would contribute to the world in my own way.

That's when I discovered cyber security and social engineering, and in many ways cyber was the nexus of everything that I had learned throughout my life. Putting myself in the mindset of the audience made me great at red and blue team exercises. My soft skills allowed me to communicate technical concepts for non-technical audiences and represent the value of cyber to executives. Also, jumping out of airplanes gave me the confidence to believe that I could succeed; there really is nothing like falling from a very high distance that makes you feel invincible after you land. It wasn't long before I was called to speak again on my experience, this time in the context of cyber security, and it led me back to that big question: how can you influence people to change their behavior?

In cyber security we tend to think of social engineering as a one-on-one engagement where a malicious actor is trying to exploit a victim, but that's not the entire picture. My experience in PSYOPs taught me that those same tactics can be applied to a much larger audience, and at scale it has a very different way of influencing people. We need to broaden our horizons when we think about social engineering, because at different levels of scope we see dramatic increases in impact. When applied effectively, social engineering can manipulate the outcomes of elections, laws, and even wars. We think of the atomic bomb as the most dangerous weapon on Earth, but it is politicians who launch them, and that makes social engineering the most dangerous technology on the planet. We need to think proactively about how this technology works and how we can defend our people from it. This is what social engineering the people you love looks like, because we need to be advocating for security awareness not just at the office but also at home, at the dinner table, with those people in our lives that might not understand that they are the target of these attacks, that even though they might feel insignificant, they matter to the people that are trying to influence them. It's our job as cyber security professionals to communicate the importance of the issue and equip decision makers with the information needed to defend against these attacks.

So we see an effort to address disinformation and misinformation, and that has a lot of value, but I think there's a more succinct methodology towards trying to educate people in this way, and it is really more about training people to recognize manipulative psychology. If we could do that, this information wouldn't be as effective; people could recognize the mechanisms in play and use common sense strategies to vet this information before spreading it. So let's talk about it, let's get verbose, let's expand on what manipulative psychology looks like and some best practices in identifying it.

Manipulators can use a wide variety of techniques, tools, and procedures, or TTPs, to get what they need from their targets. No matter the TTP, the vector will always center around a strong emotional response. That is the silver bullet detection for what to look for. The bottom line is, if someone is trying to make you feel something strongly, it's time to examine the potential motivations for the person in that relationship. If a random Internet troll makes you feel angry or scared, it's time to evaluate what they want. They are the attacker, they are attacking you, they are the enemy, and you should not value or internalize their messaging. The sad truth of the world is that most communications are designed to trigger an emotional response, and that makes it extraordinarily difficult to tell the difference between artificial emotional stimulation and potentially malicious emotional manipulation.

Most malicious actors and marketers rely on some common TTPs. Common examples are:

Immediacy. Do it now, buy now. People market this way; they say just do it, just buy the product, and don't worry about checking with your IT team, I need this right now. Marketers use it, social engineers use it, everyone in between is using immediacy to try and short-circuit your brain to get you to do something without thinking about it.

Charity. If you know Rachel Tobac, you know that she likes to lean on sympathy, that she will use a crying baby to elicit a response that makes you want to help someone, because helping people feels good.

Authority and pretexting. Some people will pretend to be the president, the CEO, your own mother, anything that can get you to believe that they have your best interest in mind. Why would they need your password? There's no legitimate reason.

Undue assistance. This comes in a similar vein, right: someone is offering to take a virus off of your computer. You might want to verify that there's actually a virus first.

Scarcity. This idea that there's value in something just because it's rare. I think we've all felt that at some point, fear of missing out on a limited opportunity.

Social proof. Everybody's doing it. This is another function of pretexting, similar to authority, that says all these people are on board, shouldn't you be on board as well?

Reciprocity. People feel obligated to return favors, and this can be leveraged with small gifts, like when you do sales, right. You might think that somebody's trying to give you something for free, but nothing is ever really for free.

Right, so this is what we normally see in short-term attacks like phishing, but there is also a much more long-term kind of engagement, where people will try to engage with you over multiple periods of time. And before moving on to what that looks like, I would just like to say that any one of those methods should be considered suspicious, but especially a combination of those methods should be considered extremely un. Long-term manipulation, also called grooming, is when someone tries to use the foundational elements of relationship building to endear themselves to you. So this can look like liking, eliciting empathy, humor, mutual respect, active listening, right. But that's really the crux of why this is called social engineering the people you love, because this is human nature. Those foundational principles of influence and manipulation are founded in reality; they're built on a strong evolutionary context that has people think about how they can exist in a community, and for that you have to trust at some level. These tenets are not just used in manipulation; they're used in building any relationship. So if attackers can use these principles to exploit a target, shouldn't we be able to use them to develop relationships, knowing that it's an effective means of building trust? Isn't that the point of a long-term relationship, being with someone you can trust? It's only the abuse of that trust that causes harm. Grooming is malicious because it has a pre-established intent to do harm. If your intention is benign, or at least transparent, you have an ethical ground for building a relationship. It's these factors that make long-term social engineering hard to identify and talk about.

An example: you may have a relative that has a strong political opinion that you don't agree with, and it ends in a difference between your core values. It's easy to think of those we disagree with as being misinformed or even brainwashed, but it can be extremely difficult to navigate the them-versus-us mentality to reach common ground. The only sure way to influence the hearts and minds of people in the long term is to show them empathy and compassion. Using these tools and techniques ethically can help us build strong relationships and increase the impact of our messaging. Take advantage of this knowledge and use it to advance the security agenda, not just at the budgeting meeting but also at the dinner table and with your family. Influence is power, and if that power is used ethically it can be used to enhance your interpersonal relationships and, at scale, everyone. You have the power to influence the hearts and minds of the people in your life. Please do so responsibly. Thank you. [Applause]

Any questions from the audience?

Excellent talk there, thank you. When I first saw your talk at DEF CON a few years ago I asked you something similar, so I'll ask: when it comes to the amount or the volume of social engineering, or advertisements, or sales, things like that, that are coming our way, do you think our sense of intuition, or that instinct, is lessening or is it growing, and how much can we trust that instinct?

You're asking about how well you can trust your intuition? Yeah. So I think Mr Burkins makes a very valid point about the volume of information that we're receiving that is trying to manipulate us. It's constant; in other words, you are always at the mercy of someone or something trying to elicit an emotional response, and because these things are based in human nature and our very evolution, they're intended to circumvent your intuition. So I would not rely purely on intuition to try and understand the legitimacy of something. Just because a lot of people believe in it, the social proof, does not mean that it's real, does not mean that it's valid. There can be 8 billion flat earthers on this planet and I will still not be convinced that that's the truth just because it's what they believe. So unfortunately trusting intuition alone is notable.

I just have a reaction, and I guess I would like to know what your opinion is of it. I was along with you all along until like the very end, and it sort of feels icky when you still develop a power over another person, because it seems like there could be a great temptation to abuse it eventually. So what's your opinion about that, versus maybe building an equality with other people instead of trying to... it feels like people are not on equal footing there. Does that make sense?

Yeah, that equal footing has to come with awareness, right. So I totally agree with you: when you, or like me, right, have a deeper understanding of a social dynamic before you engage with someone, it's your responsibility to act ethically within that framework, and until you have the ability to give them awareness into that same level playing field, you have to be extra cautious. When I engage with people my major intention is to listen to them first, right, because I understand that I have a better understanding of what it means to influence and manipulate people, and also it just is a better benefit to me. So the same social practices that go into building good relationships are something that should be at the forefront of your engagement with people, rather than secondary to your objective. If you go to people and you intend to have them conform to your objective, then it is very easy to fall into this unequal power paradigm, but if you're willing to start on the basis of active listening, mutual respect, sympathy, and empathy, I think you have a good foundation for starting the relationship.

Good morning. Good morning. When it comes to manipulation and influence there's always a fine line, so for me it's pretty difficult to really identify when it's manipulation and when it's influence. For example, the elections are going on; there's a lot of stuff that people can perceive as being manipulated, but at the same time there's the fine line that it could just be influence. So what's your definition for influence compared to manipulation?

That is an excellent question, and it is a fine line and balance, but I know that I touched on this a little bit: a strong emotional response. So when I say strong emotional response, I want you to think: this emotional response is so strong, it is overwhelming my capacity for logical reasoning, that I am not able to observe the facts because I am so emotionally engaged in the argument that's being presented to me. When things are not relying on that... like, the election is one of these examples, right, and it's full of emotional rhetoric, but you have to try to think about distancing yourself from the argumentation, because if a policy maker is running on their platform it should be on the policies that they're trying to implement, not on the shortcomings of their opponent or on the personal failings of the people that support that opponent. And so it's a hard question to answer, because it is very much a spectrum of truth that we are engaged with, because there is no such thing as objective truth. We can try to understand objective truths through science and logic and observation, but our reality is just too messy for that to be completely black and white; there will always be a spectrum of gray. So my first piece of advice is to take a breath, right, to try to calm the emotional response so that you can sit in the position of reasoning, and understand that almost anyone presenting logic to you is doing so from a place of attentive influence and regulation.

Thank you so much. This is definitely a fruitful discussion, and you will be around to have more discussions. Thank you. Thank you.