Social Engineering Attack Framework

Attack Framework
The first step of a social engineering attack is to address the question "What does the social engineer want?". This goal is the purpose of the entire attack and should be very clear. Once the goal is identified, the target should be selected. The target can be an individual or a group of individuals.

The target may belong to an organisation that is under attack as part of the goal. For example, the goal may be to infiltrate an organisation and the target is a security guard who possesses information required to accomplish the goal. Both the organisation and the selected target are important in the information gathering phase.
Information gathering is a very important part of the social engineering attack because the probability of developing a trusting relationship with a target is increased by the quality of the information regarding the target. A target is more likely to share information with the attacker if a relationship exists between the two.

Information is gathered about the target and everything related to the attack. As depicted in Fig, the first step of gathering information is to "identify the possible sources" from which information can be obtained. The sources can be anything or anyone with access to the information required for the attack. These sources can be any publicly available sources such as company websites, social networking sites or personal blogs and forums, or private information that is not publicly available. Techniques such as dumpster diving can be used where discarded items are scanned for private information, such as an address on a bank statement. Dumpster diving is the technique of sifting through trash such as medical records or bank statements to find anything that can be useful to the dumpster diver.

After the information has been gathered, it is assessed for relevance. If the social engineer still does not have enough information, he can go back to identifying more sources and restart the information gathering process.

The "information gathering" phase is repeated until the social engineer is satisfied that sufficient information has been obtained, such that he can start his preparation for the attack.
During preparation the social engineer ensures that everything is ready before starting the actual attack. The first step of this phase is to combine all information gathered to form a bigger picture about the planned attack.

This combined view of the scenario can be used for pretexting where a scenario is devised to lure the target into a required action. An effective pretext should be believable and withstand scrutiny from the target. It often relies on the quality of the information gathered on the target's personality. An attack vector is now developed; it should contain all the elements of a social engineering attack. The attack vector is the attack plan which leads to the satisfaction of the goal. It has a goal, a target and a social engineer. In addition, the plan must identify a medium, compliance principles and techniques.
As mentioned previously, developing a good relationship with the target is an essential part of the social engineering attack. If trust cannot be established, the required information is unlikely to be elicited from the target. The first step in building a relationship with the target is the "establishment of communication" step. This step is executed by using the medium identified during the preparation phase. If a pretext has been included in the plan, it is used along with the initial communication.

The next step in developing a relationship is "rapport building". This entails the actual building of the relationship and establishment of trust using the devised plan. Various techniques can be employed to establish trust. This step is not trivial and can be time consuming. A good pretext simplifies this step. Once the social engineer has built a good relationship with the target, the relationship can be exploited to obtain the information the social engineer requires from the target.
Exploiting the relationship consists of two parts: "priming the target" and "elicitation". In the first part, the attacker uses manipulation tactics and his preparation to get the target into a desired emotional state suited to the plan, such as feeling sad or happy. For example, relating a sad story can prompt the target to remember a sad incident and subsequently to feel sad.

Once the target is in the desired emotional state, the elicitation process can start. At the conclusion of the elicitation phase the social engineer should have obtained the required information from the target. This may be a password which is needed for the eventual satisfaction of the goal of the social engineering attack. After the exploitation phase, it is important to debrief the target.
Debriefing the target involves returning the target to a desired emotional state of mind, as shown in the "maintenance" step. It is important for the target not to feel that he was under attack; if he is in a normal state of mind, he will probably not reflect too much on the activities that occurred. For example, if the target had been manipulated into a sad emotional state and the attacker then elicited a password from him, the target may feel inadequate because he has released sensitive information. This feeling of inadequacy may consequently lead to emotional states such as depression. It may even lead to suicide by the target as evidenced in an incident in 2012 involving the solicitation of private information concerning the British Royal family. During the confinement of Princess Catherine, an Australian radio talk show host socially engineered a staff member of the maternity ward where the princess was a patient, to release information regarding the Princess' condition.

The next step in the debriefing phase is "transition". This is where the social engineer either decides that the goal has been satisfied or that more information is needed, in which case the engineer returns to the information gathering phase.