The dictionary defines elicitation as bringing or drawing out information, or to call forth and provoke a desired reaction. Elicitation is a powerful tool for anyone looking to influence and gather information in a relatively low-risk and covert manner. I was reminded that I should write a post on this topic by an experience this weekend at a local beer festival, where, as well as lots of drinking, I entertained with a bit of pseudo mind reading. You might wonder what the hell this has to do with elicitation? Well, I am sure it is apparent to most people that it’s not currently possible to simply read people’s minds. You can create the illusion by subliminally suggesting things to cause a thought, you can prime with questions that research shows people will typically respond to in a certain way (psychological subtleties), or you can gather information about someone to completely freak them out when you apparently make that connection, and I mean specific information, not the generic cold reading style used by clairvoyants.
When it comes to elicitation I find that building rapport is essential. A pretext is also useful, as it can get you out of a tricky situation if the questions get awkward. Most important, though, is what you say and how you say it (the presentation). Before going into more detail, I will entertain you with the musings of Saturday evening.
So I am at a beer festival (you already know it’s going to get messy), well, technically it’s a beer, cider and perry festival, which is great as these days I prefer a nice strong cider. So I am stood in line with my cider tokens waiting to try another 1/2 pint of something new when I realise I have a 6ft male Smurf stood next to me, and a 5ft female Super Ted. I should point out that I am not yet drunk and seeing things; it’s common for groups to attend these sorts of do’s in costume, and it is often very amusing. Now someone who is dressed up isn’t shy, and they obviously want to draw some attention (more on this later). Turns out Super Ted is with another group of people and after a quick chat gets her drink and wanders off with Optimus Prime. The Smurf, however, wants the same cider as me, so we get chatting about why he is dressed as a Smurf, how many people are with him, what they are dressed as, where they live, where they are going next, etc etc. All information that was freely given, but if I was malicious, can you see how this information might start to be useful? So I get my drink and on my way I go. I guess I should also note I am wearing my “I am reading your Mind” T-Shirt with Subliminal Hacking, Social Engineering, etc plastered all over the back.
So later on in the evening (a few more drinks demolished) I have done a couple of illusions and read a few minds, and I stumble upon a Surgeon and Princess Leia. Now I know from my earlier encounter with the Smurf that these guys are part of the same crew, along with a Vicar. So I took the opportunity to have a chat with them, and seeing as we were in the music tent I used this as my topic of mutual interest, along with the fact that the woman who had just finished singing sounded like a cat in pain. It went down well :) So I got chatting to these lovely guys, and used the basic information I had gathered earlier to quickly establish a platform to build from, as well as developing quick rapport. Remember we like people who like us, and we like people that are like us. During this conversation I got the ages of the people in the group, their full names, where they lived, along with the fact that the Smurf and the Vicar worked for a big well known global company, what their positions were, the offices they were based in, the fact one worked mostly from home, had recently married, the other had a new baby 3 weeks ago, and that some of them were off work, and others off to a convention next week, as well as how often they all meet up and more. Juicy information for a social engineer to build an effective pretext from, as well as some excellent no-fail options to call upon in the event of being challenged. I still think information gathering and target exploitation is very effective outside of the workplace, however in this case I just located the Smurf and the Vicar and totally freaked them out when I offered to perform some mind reading mastery. It’s probably worth noting that most people are a little more giving after a drink or two, so it’s certainly a scenario to leverage.
So you might be reading this wondering what the point is; all he did was speak to some drunks and get some information? Well, as Bob Hoskins said in the 90s BT adverts, “It’s Good To Talk”, and he is certainly right.
To be successful at elicitation in a social engineering context you don’t need to have the gift of the gab, but you do have to be confident in speaking to complete strangers and come across as informed in the subject you are supposed to have knowledge of (if not, go the other way and show an interest). You also have to be a great listener (even if you find it totally boring). Elicitation can be done in written form, but it does take longer, and a written message can often be taken out of context and you may adjust inappropriately. Where possible I would always go for it in person or over the phone. Body language is also important (even on the phone, remember you hear a smile): keeping an open posture, palms up in a non-threatening manner, remembering to be considerate of personal space, and not being too territorial with your stance. Remember we are looking to extract information in a low-risk, stealthy manner, not a mental mugging.
When you research your target (be that an individual or company) make sure you gather important bits of information to help form an appropriate pretext. Are you an expert, someone with an interest, completely separated from the topic, or other? This is important: don’t pretend to be a rocket scientist if you can barely put the chain back on your push bike. For me, I am just a different type of me (I have lots of interests). By this I mean I will disclose information about myself, however it may not be 100% accurate. This way it’s pretty easy for me to remember the pretext in great accuracy, as opposed to a completely new ID, just like an actor will bring some of themselves to the role.
So why are people going to share information with you? Why are they going to give you these snippets of verbal gold that you can then piece together to form a strong chain to launch your attack from? Simple really, people love to be the Oracle. We all have egos, and if you can touch on a topic that someone has knowledge of, and simulate the belief you know very little, most people will be more than happy to tell you everything. I also consider myself a good people person, and I believe one of my strengths is to look at a situation from multiple perspectives. For one reason or another this can result in complete strangers telling me all their life stories, problems, issues, concerns and all.
If you’re not dealing with a look-at-me-and-my-ego type of person, it won’t take long to find a subject of mutual interest to springboard from. Perhaps you both like dogs, the same drink, the same establishment you are visiting, maybe it’s a type of car or political view. Whatever it is, it doesn’t really matter; this is just an in, just a way of kicking off that rapport building exercise, gaining trust, and getting the information exchange flowing. Now where a good social engineer comes in with the elicitation techniques is steering these seemingly random and unimportant conversations around to the nuggets you’re looking for. To do this I again draw on personal experience. Should I have been talking about dogs to someone, I might talk about a company I did some consulting for many years ago in Essex. This particular company allowed their staff to take their dogs to work, which is very rare in my experience. I would assume the individual I was speaking to would also think this is a rare occurrence and wouldn’t be tolerated at their work. I might then describe what I would imagine to be the total nightmare of taking my dog through the turnstiles at my office, whilst holding the lead, carrying my bag and swiping my ID badge. I would then use this scenario and the principle of reciprocation to ask my new friend about the process of getting into their company, then we could moan about when the card doesn’t swipe properly, perhaps I could even take a look at said card. It’s really up to you where you take it.
Asking the right questions is also important; open and closed questions can help you route your way to the information you are trying to gain. If you keep asking questions that result in a yes or no answer you’re soon going to get both frustrated and nowhere fast. So don’t hope that if you ask 100 questions someone will give in; the reality is you have probably blown your cover some time ago. Remember the key to excellent elicitation is conversation, so it shouldn’t feel like an episode of Mastermind. It’s also a reciprocal experience: give out information (it doesn’t have to be true, but should be valid) to build up trust, and this will also elicit more information flow, but don’t go too crazy, otherwise the conversation could go off track and take you further from your goal.
Tonality and modality are also important. There is no point asking a question and looking interested if you sound like a monotone robot who couldn’t care less about the awaited response. Again this comes back to what I have said about pretexting and really BEING what you say, so when eliciting information it’s important to be interested, or passionate, or curious about the conversation you are having, as this will help its acceptance and allow trust to grow and information to flow.
One final approach that springs to mind is to take an approach that provides a positive form of confrontation. By this I mean providing information, or giving a statement, that you know to be false, or against the opinion or belief of your target. Managed correctly this will spark a conversation where you can be informed on what they consider accurate information. You may get the information you wanted out of this discussion alone, or you may decide to milk it and play to their ego regarding their knowledge and wonder if they know anything about another topic, perhaps how their company handles confidential waste?
This has been a long post, but I hope it gives some introduction at least into the power of elicitation and gives rise to thoughts of what can be achieved should you develop and master this skill. I think it’s important to remember you don’t have to get the complete picture in one hit from one person; think of elicitation as collecting pieces of a puzzle. They should seem insignificant on their own to the victim, and in the order collected, however when you put them together they give you a clear picture from which to define your attack. This for me is an important part of the engagement process, and can be getting information as simple as when the building is manned, or complete details on the forms of physical security deployed.
When it comes to protecting yourself from elicitation, the main thing is to be mindful. Don’t decide you’re never going to open up and talk to anyone (life is too short and you will miss out on lots), instead practice a little paranoia and ask yourself if there is a pattern of information you are giving away that may be suspicious. Ideally an awareness program would give examples like the above of situations where you may give out information, however this is a vulnerability in human kindness. We don’t want the world to be less polite and kind, we just need to be more aware of some of the pitfalls of the information we give away both verbally and online.
Thanks for reading…. and feel free to check out my video introduction to Elicitation below: