Operationalizing Social Engineering for Offensive Cyber Operations

Abstract

Social engineering describes a class of computer hacking that targets the user of the system rather than the hardware or software. It is a proven and viable vector that includes techniques like phishing, pharming, and persuasion. The Air Force uses social engineering to a limited extent as a validation tool when assessing the security stance of a unit or installation. Units like the 57th Information Aggressor Squadron based at Nellis Air Force Base routinely employ social engineering techniques as they perform their mission. However, this is the only employment of social engineering currently evidenced in the Air Force inventory. Based on the widespread success of these techniques in the civilian world (anecdotal evidence gleaned from both interviews and literature reviews places their effectiveness at or near 100 percent), social engineering seems a logical fit for an organization looking for the next best weapon. Additionally, social engineering has the rare and enviable trait of being extremely low cost, both in terms of training and execution. These factors, along with the perceived lack of interest given the topic inside the Air Force, inspired this research. Further investigation into social engineering showed little academic attention devoted to the topic, which seemed disproportionate to the technique's reported level of effectiveness. With the material presented here, we aim to demonstrate that social engineering as a concept already exists in current doctrine and that, with a little adaptation, a widely practiced methodology exists that can be used to structure social engineering attacks and evaluation.

Document Details

Document Type: Technical Report
Publication Date: Jun 01, 2008
Accession Number: ADA486800

Entities

People

  • Bryan Skarda
  • Dennis Strouble
  • Robert F. Mills
  • Todd Mcdonald

Organizations

  • Air Force Institute of Technology

Tags

Communities of Interest

  • C4I
  • Cyber
  • Electronic Warfare
  • Human Systems
  • Space
  • Weapons Technologies

DTIC Thesaurus Topics

  • Air Force
  • Battle Damage Assessment
  • Command And Control
  • Computer Networks
  • Computers
  • Cyberspace Operations
  • Damage
  • Damage Assessment
  • Electronic Warfare
  • Engineering
  • Information Operations
  • Military Operations
  • Operations Security
  • Psychological Operations
  • Security
  • Social Engineering
  • Warfare

Readers

  • Organizational Psychology
  • Software Engineering
  • Systems Analysis and Design

Technology Areas

  • Cyber