This post will focus on social engineering, and a trick you can use to increase the probability of success by targeting the right person.
If you are running a physical pentest, social engineering will be part of it, and yes, even things like tailgating are a form of social engineering. Don’t believe me? Try tailgating into a high-security facility dressed and smelling like a homeless guy and see if they let you in … even with the correct badge.
There are effectively two instances where you will be inside a target building. The first is embedding recon, when you are inside the building gathering info without actually attempting to penetrate deeper. An example might be walking into a public bank lobby and asking about opening an account. The second is actually breaching the physical security and gaining full entry into every part of the target building.
But once you are inside, and assuming you want to either social engineer a person or elicit information from them, having the ability to recognize and approach those most susceptible to social engineering can significantly expedite your objective. It is here that understanding non-verbal cues becomes very useful.
Here, we delve into three non-verbal "friendship signals" that may indicate an individual's openness to friendly conversation and, subsequently, a susceptibility to elicitation. For reference, I believe the friendship signals were first introduced in the book “The Truth Detector” by Jack Schafer, which is an excellent read about elicitation.
These are signals we humans send to one another almost without realizing we are doing it. They are: smiling, bowing or tilting the head to expose the neck, and closing the eyes.
The Evolutionary Roots of Friendship Signals
Many of these signals have deep evolutionary roots, tracing back to primitive instincts designed for survival.
The act of closing one's eyes or tilting the head, for instance, reveals vulnerability. In the wild, no prey would willingly display such vulnerabilities in the presence of a predator. To do so would be to invite danger. Conversely, demonstrating these gestures in a non-threatening environment, amongst one's own kind, is a profound sign of trust and comfort. It's an ancient way of saying, "I do not see you as a threat."
Once you understand what these signals say, you can immediately see why recognizing them is useful for social engineers.
1. Smiling
A genuine smile, also known as the Duchenne smile, is not just a mere upturn of the lips. It involves the muscles around the eyes and produces "crow's feet" or "laugh lines". This is an almost universal sign of friendliness and openness. When an individual smiles at you in a non-hostile environment, it may indicate they're amenable to conversation.
Note that you should look for genuine smiles and not a fake or forced smile, as that usually says exactly the opposite of what you are looking for in this context.
Tip: Look for authentic smiles. Forced or fake smiles usually involve just the mouth and lack the warmth that reaches the eyes.
2. Bowing or Tilting of the Head
A nod or head tilt is an age-old gesture of acknowledgment. When someone nods at you, it's a silent way of saying, "I see you, and I'm acknowledging your presence without any hostility." In some cultures, a slight bow of the head is a mark of respect and acknowledgment. Showing the side of the neck, one of our most vulnerable spots, by tilting the head, is also a sign that they do not see you as someone they need to fear. These gestures can act as an icebreaker and provide a window of opportunity to initiate a conversation.
Tip: Pay attention to the context. Rapid, multiple nods might suggest impatience, while a single, slow nod typically indicates agreement or acknowledgment.
3. Closing the Eyes
While this might seem counterintuitive, a brief, deliberate closing of the eyes, often accompanied by a smile or nod, can be a strong signal of trust and comfort. It’s a subconscious way of saying, “I feel safe enough around you to momentarily let my guard down.”
As a completely unrelated note, cats show their trust by either slowly blinking or completely closing their eyes when looking at you. Next time you are trying to gain rapport with a cat, try closing your eyes while looking at them.
Tip: This doesn't mean someone who blinks frequently is an easy target. The gesture here is a prolonged closing of the eyes, signaling comfort and trust.
Example: Spotting Your Target
In this example, you have breached physical barriers of the building and find yourself wandering the halls of the target building. Perhaps your goals are things like:
Eliciting information about where a certain room in the building is
Cloning an employee’s badge by having them hand it to you
Asking an employee to unlock their laptop or see if they will plug in a USB
…
While wandering the halls, I like to get a cup of coffee or similar drink, walk around and flash the friendship signals, while adding a slight coffee cup raise in their direction to add to the genuine “hello I am friendly” signal and then see who returns my gesture. Remember, you are looking for those who return your signals genuinely, and the more genuine the better. Once you find a person who reciprocates these back to you, they are non-verbally telling you that they are a friendly and welcoming person, and that they do not see you as a threat to them … and this is exactly the kind of person you want to approach.
Identifying Who to Avoid (and When to Engage)
While recognizing susceptible individuals is crucial, it's equally vital to discern those who might be resistant or risky to approach. Here are two primary archetypes to tread lightly around:
1. The Extremely Busy Individuals
People engrossed in their work or those hurrying from one place to another might not be the best targets for elicitation. They're often:
Less receptive to unsolicited interactions.
More likely to get annoyed or suspicious, which could raise alarms.
Generally not in a mindset conducive to casual or revealing conversations.
Tip: Look for signs like quick walking, frequent checking of watches, or those deeply focused on tasks. Also realize that if a person looks very busy or stressed but flashes the friendship signals, they still may not be your best target.
2. The Grumpy or Frustrated Folks
On the surface, it might seem best to steer clear of individuals who appear grumpy, annoyed, or frustrated. And in many cases, that's wise. They might:
Be less patient and more confrontational.
Require more effort to build rapport with.
View your approach with suspicion or as an added annoyance.
However, there's an intriguing twist with this group. As mentioned, sometimes these seemingly grumpy individuals can be goldmines for elicitation. The reason? They often have a strong urge to vent or complain. If you can position yourself as a sympathetic ear, you might find they won't just willingly share relevant information but might even go beyond.
How to approach grumpy individuals:
Offer an empathetic statement: Start with a general empathetic statement, like “Looks like you’ve had a rough day?” A simple empathetic statement can sometimes be all it takes to open the floodgates of information.
Validate their feelings: Making statements like "I can see why you'd feel that way" can encourage continued sharing.
Focus on Them: Never steer the conversation back to you, instead keep it focused on them. One of the worst things you can do once a person has opened up to you is say something like “I know how you feel, this one time XXXX happened to me.”
Tip: This group may never flash you the friendship signals … because they’re grumpy. In fact, there is a possibility they may not even notice you until you start talking to them if they are completely engrossed in their thoughts. This group is a 50/50 chance of success or total failure; deciding to flip that coin is up to you.
In both cases, whether you're approaching the busy or the grumpy, always trust your intuition and be ready to disengage if the interaction doesn't feel right. Social engineering is as much about knowing when to retreat as it is about pushing forward. With practice, your ability to read and navigate these human interactions will sharpen, making you a formidable force in the world of physical penetration testing.
In conclusion, while physical barriers can be formidable, human vulnerabilities often provide an easier path. Recognizing and leveraging non-verbal cues can be an invaluable tool in the penetration tester's arsenal. However, it’s essential always to act ethically, ensuring you have the necessary permissions and always respecting individuals' boundaries. Awareness is the first step to better security, and by understanding these vulnerabilities, organizations can better train their staff and bolster their defense against social engineering tactics.
Training Resources:
For individuals looking for hands-on training that includes all of the above topics, Covert Access Team (covertaccessteam.com) provides training courses focused on physical penetration testing, lockpicking, bypassing techniques, social engineering and other essential skills.
Covert Access Training - 5-day hands-on course designed to train individuals and groups to become Covert Entry Specialists
Elicitation Toolbox Course - 2-day course that primarily focuses on elicitation and social engineering as critical aspects of Black Teaming
Cyber Bootcamp for Black Teams - 2-day course designed explicitly for physical penetration testers who need vital cyber skills to add to their toolbox.
Private one-on-one Instruction - Book time to get private and personalized instruction on physical penetration testing