Tuesday, April 19, 2016

Pretexting

It turns out that pretexting may be an overloaded token, a word that has more than one meaning. That is usually not a problem; we can usually tell which meaning the sender has in mind from the context.

I saw a jaguar leaving the parking garage.
I saw a jaguar pounce on a young wild boar.

However, when the meaning is similar, it becomes more of a problem. I was reviewing a presentation slide deck from one of the STI grad students and noticed the word "pretexting" was used in a different fashion than I am used to seeing. The presentation used the term for the social engineering concept of planting an idea in the target's mind in order to cause an action later.

= = = I wrote the student = = =

Phillip,

The one remaining concern with this presentation I have is the use of the word pretexting. I am pretty sure that this: http://www.social-engineer.org/framework/influencing-others/pretexting/ is a more accurate definition. I understand the idea of sow early, water often, just think you might be using the wrong term. Even if you were correct, the use of pretexting in the HP scandal was so widely reported the term will always refer to pretending to be someone you are not:


Stephen
= = = Phillip Replies = = =
Stephen,

Thank you for your feedback.

Is there another term that you recommend? I brought this issue back to my team, and everyone asked about it shouted out "Pretexting!". I presented it without telling them the term that I was looking for and just spoke to it as a matter of calling ahead to build trust on an SE engagement.  Therefore, I am not necessarily defending my position, but just do not know what else this process would be called on a social engineering engagement. This technique of calling ahead is referenced in "Social Engineering: The Art of Human Hacking" and is under the pretexting category.

What would you recommend in this case? 

= = = 
Phillip,

I need to do my homework and check a few authoritative sources.

During a pretexting attack the attacker creates an invented scenario, assuming an identity or role to persuade a targeted victim to release information or perform some action. It is more than just creating a lie, in some cases it can be creating a whole new identity and then using that identity to manipulate the receipt of information. 

Pretexting is defined as the practice of presenting oneself as someone else in order to obtain private information. It is more than just creating a lie, in some cases it can be creating a whole new identity and then using that identity to manipulate the receipt of information. 

As I mentioned earlier, after the very famous HP incident, pretexting will always have this as the primary meaning. So what is a good term for the concept of planting an idea in someone in order to cause an action later?

Lifehacker ranks highly on Google for "Plant an idea" and the terms they use are inception and reverse psychology. Their work has apparently strongly influenced other authors whose pages also rank high on Google for "Plant an idea", almost to the point of plagiarism. Communication Studies does not use the word inception, but has the same techniques outlined by Lifehacker. Riskology has its own unique methods and terms and refers to this social engineering tactic as inception.

I think I would vote for the term inception. This use of the term would be different enough from the movie and the creation or beginning of something that context will allow someone to understand what is being communicated.

I will write this up and ask the GIAC Advisory Board and my LinkedIn network to weigh in.


Pretexting/Social Engineering is an example of threat hunting. Rob Lee will be giving a talk on Threat Hunting August 2 at SANS Boston. Stephen Northcutt is an advisor for the SANS Technology Institute, a cyber-security graduate school and chair of the upcoming SANS Boston 2016, August 1 - 6 where he will be teaching MGT 512, Security Leadership Essentials.


Purpose of Email Correspondence with Stephen

We each spend so much time reading and writing email. I am hoping to create a sort of FAQ.