Social Engineering:
Frames, Framing, and Frame Control
Mike Murr
mike@socialexploits.com
http://www.socialexploits.com

Transcript of "Social Engineering: Frames and Frame Control"

  1. Social Engineering: Frames, Framing, and Frame Control
     Mike Murr
     mike@socialexploits.com
     http://www.socialexploits.com
     http://www.twitter.com/SocialExploits
  2. What This Talk is About
     • Framing
       – Constructs used to give meaning to information
       – Defining the current situation (“here and now”)
       – Cognitive context
     • Fundamental to social engineering
       – Control the frame, control the meaning of an interaction
       – Messages are dependent on meaning
         • And consequently emotions
         • A hacker stole your PII, We lost your PII, Your PII was lost
     Social Engineering: Framing and Frame Control – © Social Exploits 2010
  3. Social Engineering
     • Social engineering is persuasion
       – Goal is to affect behavior
       – Increase likelihood of compliance
       – More than pretending to be help desk
       – Not reconnaissance
     • This is not mind control
       – Nothing is 100% effective, always have free will
       – People can accept or reject frames
       – Still highly effective though
     • Ethics (is a relative term)
       – These are tools
       – How you use the tools is your decision
       – Reflection of character
       – Personal responsibility
  4. Frames
     • Frames are constructs used to give meaning
       – Personal interpretation
       – Highlight certain aspects, ignore others
       – Each person has their own
     • Frame constructs (not exhaustive)
       – Beliefs
         • “Design” of the frame
         • Cultural, Biological, Life Experience
       – Mental models of reality
         • Help organize thoughts, set expectations
         • Defines boundaries (what is emphasized and ignored)
         • Form the “shape” of the frame
         • A representation / implementation of beliefs
  5. Framing
     • Framing (to frame, set a frame, etc.)
       – Asserting a frame
       – Persuade others to accept our frame over theirs
     • Metaframe
       – Focused more on underlying aspects of situation (or beliefs)
       – Also known as master frames
     • Reframe
       – Assert a new frame over an existing frame
     • People often play frame games
       – Get others to accept / understand a frame
       – Can relate to power or influence (controlling meaning)
       – Natural part of interpersonal communication
  6. Communicating a Frame
     • 3 major components
       – Linguistic, paralinguistic, nonverbals
     • Nonverbals (and paralinguistic) are key
       – Play a majority role in a message’s influence
         • Often trusted more than verbal
         • More difficult to fake
       – Various tactics to hold attention
         • What we focus on sets the frame
         • Strong facial expressions
         • Varied tone / tempo
         • Hand gestures / movement (esp. large ones)
  7. Sources for Frames
     • Useful for identifying elements of influential frames
     • Cultural
       – Collectivist vs. individualist
       – Familiar ideas and concepts
     • Biological
       – Primal and evolutionary motivations
       – Strong emphasis around survival and replication
     • Mental models
       – Pay attention to what people say (and how they say it)
       – Note attributes / properties / characteristics
  8. Linguistic Tools (1): Relating Frames
     Metaphors
       • Frames resemble each other (not literally)
       • A firewall is a security guard at the front door
     Analogies
       • Useful for emphasizing similarities
       • Frame elements are similar
       • Can be used to suggest agreements in areas not explicitly stated
       • An IDS is like a “computer burglar alarm”
     Contrast
       • Useful for emphasizing differences
       • Frames do not agree
       • Can be used as motivation / rationale for new behavior
       • Unlike an IDS which can only detect, an IPS can block traffic
  9. Linguistic Tools (2): Framing Content
     Feeling
       • Describes frames in terms of emotions
       • I hate a poorly tuned IDS
     Stories
       • Uses a narrative to set the frame
       • Often has a theme or metaphor basis
       • Tell a story about how an IDS prevented an incident and saved $$$
     Spin
       • Describes a frame in terms of positive or negative
       • Similar to emotional valence
       • An IPS is a great way to detect and respond to incidents
     Jargon
       • Describes a frame using familiar terminology
       • Using terms such as Asset Value, ALE, SLE, ROI, etc.
  10. Linguistic Tools (3): Framing Structure
      Argument
        • Frame in terms of rationale
        • Supported by evidence
        • Our anti-virus costs the least, offers the most features
      Categorizing
        • Describe frame in terms of included or excluded categories
        • This isn’t your parent’s anti-virus, it’s enterprise grade
      Repetition
        • Emphasize aspects of frame by repeating specific elements
        • Protect, Protect, Protect, that’s what our anti-virus does for your data
      Lists
        • Organize content into easy to remember chunks
        • Often three elements
        • We can sum up our anti-virus in three words: Safe, Fast, Reliable
  11. Useful Frames: Interpersonal
      Being helpful
        • You are helping them
        • Offer help
        • They are helpful people
        • Ask them to help you out
      Avoiding blame
        • Provides emotional justification for behavior
        • Can make accepting related frames easier
      Team members
        • Working towards a common goal
        • Can solidify using “us vs. them”
  12. Useful Frames: “Cialdini 6”
      Authority
        • Tend to be influenced by authority positions
        • Vendor XYZ is the international leader in host-based IDS
      Liking
        • We tend to be influenced by those we like
        • Sales person identifies similar hobbies / interests
      Social Proof
        • Looking to others to determine correct behavior
        • Government agencies worldwide use our software
      Scarcity
        • Value is tied to (lack of) availability
        • Only available to select enterprise customers
      Reciprocity
        • Obligation to return what others provide (favors)
        • Vendor buys lunch
      Commitment and Consistency
        • Pressure to remain consistent with prior commitments
        • You’ve already stated information protection is a top concern
  13. Useful Frames: General
      Simplifying
        • Reduce complexity
        • Easier to understand
      Loss Aversion
        • Loss is a stronger motivator than potential to gain
        • Depends on relative value
      Credibility
        • Increases believability
        • Emphasis on truth and what is real
      Certainty
        • People crave certainty
        • Provides stability, clarity
        • Increases trust
        • Facilitates rapport
        • Reduces unknown
  14. Frame Warfare (1)
      Acknowledging a frame
        • Understand a person’s interpretation
        • Doesn’t guarantee acceptance of a frame
      Accepting a frame
        • Hold an interpretation as true
        • Leads to persuasion
        • Implies understanding a frame
      Rejecting (denying) a frame
        • Refuse to accept an interpretation as true
        • May or may not understand a frame
  15. Frame Warfare (2)
      Combining frames
        • Merge interpretations together
        • Accepting one can lead to accepting the other
        • This is an art
      Aligning frames
        • Link interpretations together
        • Frames agree and are related
        • Traditionally associated w/politics
        • Useful for transitioning frames
        • Useful for behavior motivation
  16. Frame Alignment Patterns
      Bridging
        • Frames are similar in basis, different in specifics
        • Data theft is on the rise, maintain personal freedom, buy our id. product
      Amplification
        • Increase focus or emphasis on what is important
        • Simultaneously decreases emphasis on other points
        • Provide a safe learning environment for your family, buy our firewall
      Extension
        • Increase the “boundaries” of the frame
        • This anti-virus can help protect your id. by stopping malware
      Transformation
        • Use existing elements with a new frame
        • Change frame by replacing meaning of elements
        • This “little malware incident” demonstrates people are the cause of problems
        • They can’t be trusted
        • Our IPS fixes human problems
  17. Reframing Patterns (1)
      Change intent behind behavior
        • Remove a firewall rule to facilitate a business process
      Redefine by using similar words
        • Different meaning / implication
        • Data theft vs. data loss
      Change specificity (chunk size)
        • Increase
          – Our detection mechanisms alerted us in real time
        • Decrease
          – On the whole, this is part of the cost of running a business
  18. Reframing Patterns (2)
      Change context
        • Changing scope / size
          – Only lost information on 1% of our customers
        • Changing environment
          – Data was copied from one machine to another
        • Change role / perspective
          – We are helping protect our customers by working with law enforcement to help locate, arrest, and convict the suspect
      Alternating Frames
        • Switch between frames
        • Meet unrelated / opposite goals
        • Blame someone else, and accept responsibility
  19. Building Your Framing Skills
      Understanding
        • Reading
        • Thinking
        • General learning
      Observation
        • Observe and analyze your and others’ frames
      Priming
        • Mental preparation
        • Conscious thought influences unconscious response
      Infield Work
        • Assert frames
        • Assess reactions and changes
      Reflection
        • Keep a journal
        • Look for patterns
  20. Parting Thoughts
      • Useful beyond just social engineering
        – Interpersonal communication
        – Vital component of leadership
      • “Through framing, we create the realities to which we must then respond” – Fairhurst 2010
  21. Books (1)
      • The Power of Framing (Fairhurst)
      • Introducing NLP (O’Connor)
      • Sleight of Mouth (Dilts)
      • Mind-Lines (Hall)
      • Influence: Science and Practice (Cialdini)
  22. Books (2)
  23. Questions?
      • Feel free to email me at mike@socialexploits.com
      • Blog: www.socialexploits.com
      • Twitter: twitter.com/SocialExploits
      • Upcoming conferences
        – Next conference: SANS London 2010
