Tips & Tricks
Social Engineering: Frames and Frame Control
Like this presentation? Why not share!
NorTec ADT Project Minerva
by Gavin Brown
Cehv8 - Module 09: Social Engineering.
by Vuz Dở Hơi
Email sent successfully!
Show related SlideShares at end
Social Engineering: Frames and Frame Control
Nov 16, 2010
Comment goes here.
12 hours ago
Are you sure you want to
Your message goes here
Be the first to comment
5 months ago
Number of Embeds
No notes for slide
Transcript of "Social Engineering: Frames and Frame Control"
1. Social Engineering: Frames, Framing, and Frame Control Mike Murr firstname.lastname@example.org http://www.socialexploits.com http://www.twitter.com/SocialExploits
What This Talk is About • Framing – Constructs used to give meaning to information – Defining the current situation (“here and now”) – Cognitive context • Fundamental to social engineering – Control the frame, control the meaning of an interaction – Messages are dependent on meaning • And consequently emotions • A hacker stole your PII, We lost your PII, Your PII was lost Social Engineering: Framing and Frame Control – © Social Exploits 2010 2
Social Engineering • Social engineering is persuasion – Goal is to affect behavior – Increase likelihood of compliance – More than pretending to be help desk – Not reconnaissance • This is not mind control – Nothing is 100% effective, always have free will – People can accept or reject frames – Still highly effective though • Ethics (is a relative term) – These are tools – How you use the tools is your decision – Reflection of character – Personal responsibility Social Engineering: Framing and Frame Control – © Social Exploits 2010 3
Frames • Frames are constructs used to give meaning – Personal interpretation – Highlight certain aspects, ignore others – Each person has their own • Frame constructs (not exhaustive) – Beliefs • “Design” of the frame • Cultural, Biological, Life Experience – Mental models of reality • Help organize thoughts, set expectations • Defines boundaries (what is emphasized and ignored) • Form the “shape” of the frame • A representation / implementation of beliefs Social Engineering: Framing and Frame Control – © Social Exploits 2010 4
Framing • Framing (to frame, set a frame, etc.) – Asserting a frame – Persuade others to accept our frame over theirs • Metaframe – Focused more on underlying aspects of situation (or beliefs) – Also known as master frames • Reframe – Assert a new frame over an existing frame • People often play frame games – Get others to accept / understand a frame – Can relate to power or influence (controlling meaning) – Natural part of interpersonal communication Social Engineering: Framing and Frame Control – © Social Exploits 2010 5
Communicating a Frame • 3 major components – Linguistic, paralinguistic, nonverbals • Nonverbals (and paralinguistic) are key – Play a majority role of a message’s influence • Often trusted more than verbal • More difficult to fake – Various tactics to hold attention • What we focus on sets the frame • Strong facial expressions • Varied tone / tempo • Hand gestures / movement (esp. large ones) Social Engineering: Framing and Frame Control – © Social Exploits 2010 6
Sources for Frames • Useful for identifying elements of influential frames • Cultural – Collectivist vs. individualist – Familiar ideas and concepts • Biological – Primal and evolutionary motivations – Strong emphasis around survival and replication • Mental models – Pay attention to what people say (and how they say it) – Note attributes / properties / characteristics Social Engineering: Framing and Frame Control – © Social Exploits 2010 7
Linguistic Tools (1) Social Engineering: Framing and Frame Control – © Social Exploits 2010 8 Relating Frames Metaphors • Frames resemble each other (not literally) • A firewall is a security guard at the front door Analogies • Useful for emphasizing similarities • Frames elements are similar • Can be used to suggest agreements in areas not explicitly stated • An IDS is like a “computer burglar alarm” Contrast • Useful for emphasizing differences • Frames do not agree • Can be used as motivation / rationale for new behavior • Unlike an IDS which can only detect, an IPS can block traffic
Linguistic Tools (2) Social Engineering: Framing and Frame Control – © Social Exploits 2010 9 Framing Content Feeling • Describes frames in terms of emotions • I hate a poorly tuned IDS Stories • Uses a narrative to set the frame • Often has a theme or metaphor basis • Tell a story about how an IDS prevent an incident and saved $$$ Spin • Describes a frame in terms of positive or negative • Similar to emotional valence • An IPS is a great way to detect and respond to incidents Jargon • Describes a frame using familiar terminology • Using terms such as Asset Value, ALE, SLE, ROI, etc.
Linguistic Tools (3) Social Engineering: Framing and Frame Control – © Social Exploits 2010 10 Framing Structure Argument • Frame in terms of rationale • Supported by evidence • Our anti-virus costs the least, offers the most features Categorizing • Describe frame in terms of included or excluded categories • This isn’t your parent’s anti-virus, it’s enterprise grade Repetition • Emphasize aspects of frame by repeating specific elements • Protect, Protect, Protect, that’s what our anti-virus does for your data Lists • Organize content into easy to remember chunks • Often three elements • We can sum up our anti-virus in three words: Safe, Fast, Reliable
Useful Frames: Interpersonal Social Engineering: Framing and Frame Control – © Social Exploits 2010 11 Being helpful • You are helping them • Offer help • They are helpful people • Ask them to help you out Avoiding blame • Provides emotional justification for behavior • Can make accepting related frames easier Team members • Working towards a common goal • Can solidify using “us vs. them”
Useful Frames: “Cialdini 6” Social Engineering: Framing and Frame Control – © Social Exploits 2010 12 •Tend to be influenced by authority positions •Vendor XYZ is the international leader in host-based IDS Authority •We tend to be influenced by those we like •Sales person identifies similar hobbies / interests Liking •Looking to others to determine correct behavior •Government agencies worldwide use our software Social Proof •Value is tied to (lack of) availability •Only available to select enterprise customers Scarcity •Obligation to return what others provide (favors) •Vendor buys lunch Reciprocity •Pressure to remain consistent with prior commitments •You’ve already stated information protection is a top concern Commitment and Consistency
Useful Frames: General Social Engineering: Framing and Frame Control – © Social Exploits 2010 13 Simplifying • Reduce complexity • Easier to understand Loss Aversion • Loss is a stronger motivator than potential to gain • Depends on relative value Credibility • Increases believability • Emphasis on truth and what is real Certainty • People crave certainty • Provides stability, clarity • Increases trust • Facilitates rapport • Reduces unknown
Frame Warfare (1) Social Engineering: Framing and Frame Control – © Social Exploits 2010 14 • Understand a person’s interpretation • Doesn’t guarantee acceptance of a frame Acknowledging a frame • Hold an interpretation as true • Leads to persuasion • Implies understanding a frame Accepting a frame • Refuse to accept an interpretation as true • May or may not understand a frame Rejecting (denying) a frame
Frame Warfare (2) Social Engineering: Framing and Frame Control – © Social Exploits 2010 15 • Merge interpretations together • Accepting one can lead to accepting the other • This is an art Combining frames • Link interpretations together • Frames agree and are related • Traditionally associated w/politics • Useful for transitioning frames • Useful for behavior motivation Aligning frames
Frame Alignment Patterns Social Engineering: Framing and Frame Control – © Social Exploits 2010 16 Bridging •Frames are similar in basis, different in specifics •Data theft is on the rise, maintain personal freedom, buy our id. product Amplification •Increase focus or emphasis on what is important •Simultaneously decreases emphasis on other points •Provide a safe learning environment for your family, buy our firewall Extension •Increase the “boundaries” of the frame •This anti-virus can help protect your id. by stopping malware Transformation •Use existing elements with a new frame •Change frame by replacing meaning of elements •This “little malware incident” demonstrates people are the cause of problems •They can’t be trusted •Our IPS fixes human problems
Reframing Patterns (1) Change intent behind behavior • Remove a firewall rule to facilitate a business process Redefine by using similar words • Different meaning / implication • Data theft vs. data loss Change specificity (chunk size) • Increase • Our detection mechanisms alerted us in real time • Decrease • On the whole, this is part of the cost of running a business Social Engineering: Framing and Frame Control – © Social Exploits 2010 17
Reframing Patterns (2) Change context • Changing scope / size • Only lost information on 1% of our customers • Changing environment • Data was copied from one machine to another • Change role / perspective • We are helping protect our customers by working with law enforcement to help locate, arrest, and convict the suspect Alternating Frames • Switch between frames • Meet unrelated / opposite goals • Blame someone else, and accept responsibility Social Engineering: Framing and Frame Control – © Social Exploits 2010 18
Building Your Framing Skills Understanding •Reading •Thinking •General learning Observation •Observe and analyze your and others’ frames Priming • Mental preparation • Conscious thought influences unconscious response Infield Work • Assert frames • Assess reactions and changes Reflection • Keep a journal • Look for patterns Social Engineering: Framing and Frame Control – © Social Exploits 2010 19
Parting Thoughts • Useful beyond just social engineering – Interpersonal communication – Vital component of leadership • “Through framing, we create the realities to which we must then respond” – Fairhurst 2010 Social Engineering: Framing and Frame Control – © Social Exploits 2010 20
Books (1) • The Power of Framing (Fairhurst) • Introducing NLP (O’Connor) • Sleight of Mouth (Dilts) • Mind-Lines (Hall) • Influence: Science and Practice (Cialdini) Social Engineering: Framing and Frame Control – © Social Exploits 2010 21
Books (2) Social Engineering: Framing and Frame Control – © Social Exploits 2010 22
Questions? • Feel free to email me at email@example.com • Blog: www.socialexploits.com • Twitter: twitter.com/SocialExploits • Upcoming conferences – Next conference: SANS London 2010 Social Engineering: Framing and Frame Control – © Social Exploits 2010 23