When you think about people that you trust, ask yourself why you trust them, but more important to this post, how did you start to trust them?
Maybe it was a mutual friend who introduced you, or maybe it was someone you met at work, but there was a process that had to occur where you went from strangers to friends. Before you read any further, I encourage you to think about how that process went for you.
Developing friendship, or in our case trust, is very important when developing a new asset or attempting to social engineer someone. It is incredibly difficult to get useful information from someone, or get them to do you a favor they know they shouldn’t, if you just met, but it gets infinitely easier the longer you know one another and build up rapport.
Jack Schafer, a former FBI behavioral analyst, came up with something he called The Friendship Formula, which says that friendship is a sum of:
Proximity - Are you physically close to someone
Intensity - Are your conversations deep or trivial
Frequency - How often do you see the other person
Duration - When you see them, how long is it for
I am going to substitute trust for friendship in this blog for two reasons:
As a math guy, it bothers me to have a variable (F) on either side of an equation that you are attempting to solve
We are more interested in trust, not real friendship and I want to make that distinction
Basically, all this says is that as any of the variables on the right increases or decreases, the level of trust you have with someone follows.
If you had a best friend in high school only for that friendship to wane after one of you moved away, you can use the equation to say it was because you lost proximity and frequency.
Now, that’s a lot to say about a math equation, so how do we use it for physical pentesting?
New Faces
Think about any location that you frequent, or have frequented in the past, and the people that you regularly see at those places but never actually talk to. Suppose, for example, that you regularly go to a cafe for a coffee and to read but never really interact with any of the other regular customers.
Despite the lack of interaction, you likely trust those people far more than someone you just bumped into on the street for the first time … Why?
Well, going back to the formula, you have increased Proximity, Frequency and Duration. Sure, you never actually spoke to them, so Intensity is at zero, but all the other variables are pretty high.
Thought about from another perspective, the person you see often who never harms or threatens you seems more trustworthy than someone you haven’t gotten a chance to assess yet. The more times you see their calm and normal behavior, the more you accept them as a nonviolent and normal person.
In the workplace, if you were to see the same face over and over again, even without conversing, that person becomes a normal and safe sight: someone you have come to accept in that location and position, and are more likely to trust than a stranger.
This concept is how we can use the Friendship Formula (or in this blog Trust Formula) for physical pentesting.
Developing An Asset
Assets in our case are anyone who has either useful information we want, access to a place we want to be in or can otherwise assist us in our goals of breaching the facility.
If you approach a total stranger and ask them something very personal like
“What is your address and when will you not be home?”
You will very likely be met with strong resentment and concern. But there are many people in your life who you wouldn’t hesitate to tell this information to, because you have higher levels of trust with them. While it is not impossible to get this type of information out of strangers, it is much easier if they already trust you.
In order for this formula to work, you will need to have a method of persistence in or around your target (the new asset). There are lots of ways to create persistence that I have previously written about, so I won’t go into them here, but things like embedded recon are amazing for this purpose.
But you’re going to need time in order to create that level of trust and to spot who you think is going to be vulnerable to social engineering.
Real-World Example
During a penetration test, our team targeted a large organization with hundreds of employees. The client’s goal was first to gain access to the upper floors, with the ultimate goal being to get access to the restricted R&D lab.
We knew that we would be bumping into many employees as we moved throughout the building and so to make our lives easier, we wanted some insider allies to help us out … we wanted some assets.
To gain an advantage, we spent several days conducting embedded reconnaissance at a public café attached to the building we were after. This café was a frequent stop for employees, making it the perfect location to blend in and gather information.
Each day, we positioned ourselves inconspicuously, working on laptops, taking phone calls, and occasionally meeting with other team members. Through casual observation, OSINT, and some eavesdropping, we picked up employee names, ongoing projects, and details about higher-ups. To solidify our presence, we staged phone calls where we "discussed" projects and names we'd overheard, further establishing ourselves as part of the company’s environment.
By the end of the week, we began engaging with one of the employees we had seen regularly, whom we had identified as a soft target. Starting with casual, random conversation topics, we gradually built rapport. Subtly using trust-building techniques, we elicited key information during the chat and managed to clone their ID badge.
Now, the client had informed us that the R&D lab was only accessible to about 20 employees, and through OSINT we knew that this person was not on that list. So while their badge got us into the building proper, it wouldn’t get us into our final goal, but that’s OK because we had already accomplished two things:
Developed an asset on the inside and knew exactly where, and on what floor, he worked
Cloned a badge to get us onto the floors we needed
Once we initiated a physical breach of the building, we sought out our new “friend” and continued our trust building techniques.
You may ask why we bothered at this point to continue with this poor employee, but remember the Friendship Formula … Now that we had persistence into the building, we wanted to basically restart the whole process again from a new location … in essence privilege escalate.
By bumping into and chatting with our asset, we were seen by other employees and therefore we were both given cover of status (being seen with a known employee makes us look legitimate to others), and also increased our Trust via the formula with other employees.
The familiarity from our earlier interactions worked to our advantage. We offered to grab them coffee and struck up another friendly conversation. This continued rapport allowed us to leverage their presence as unspoken "cover." Other employees, seeing us chatting with a known coworker, assumed we belonged.
On the third day of being inside the building, we had identified several scientists with access to the R&D lab and a few who happened to be friends with our asset. By continuing to build rapport and expand our network we eventually were able to build rapport with someone who did have access to the location we wanted.
Through proximity, frequency, and carefully orchestrated interactions, the Friendship Formula proved instrumental in breaking down barriers and gaining trust.
Lessons Learned
The Friendship Formula underscores the power of subtle, repeated interactions in building trust, both in everyday relationships and in the high-stakes world of penetration testing. Key takeaways include:
Familiarity Lowers Defenses: Proximity and frequency create a sense of comfort and trust over time, even without direct interaction.
Embedded Reconnaissance is Essential: Spending time in shared spaces with employees provides insights and opportunities for trust-building.
Trust Can Be Leveraged: Once familiarity is established, it can be used to elicit information, gain access, or establish cover within an organization.
Persistence Is Key: If you have persistence you have time & the ability to try again. Without persistence you only get one shot and it will likely be rushed.
Conclusion
The Friendship Formula, or Trust Formula as I refer to it, provides a fascinating lens through which to view trust-building, whether in personal relationships or professional security testing. By understanding the interplay of proximity, intensity, frequency, and duration, we can deepen connections—or, in the case of black teaming, uncover hidden vulnerabilities.
Obviously social engineering is not the only method of entry someone can take, but it is a very powerful one, and by leveraging it you can likely gain access to places you wouldn’t have thought possible with nothing more than your presence and a smile.
So is that P+I+F+D or is it PxIxFxD? :) Fellow math nerd.