Humans are complex beings with consciousness, emotions, and the capacity to act based on thoughts. In the ever-evolving realm of cybersecurity, humans consistently remain primary targets for attackers. Over the years, these attackers have developed their expertise in exploiting various human qualities, sharpening their skills to manipulate biases and emotional triggers with the objective of influencing human behaviour to compromise security, whether personal or organisational.
More than just a ‘human factor’
Understanding what defines our humanity, recognizing how our qualities can be perceived as vulnerabilities, and comprehending how our minds can be targeted provide the foundation for identifying and responding when we inevitably become the target.
The human mind is a complex landscape that evolved over years of exposure to the natural environment, interactions with others, and lessons drawn from past experiences.
As humans, our minds set us apart, marked by a multitude of traits and emotions, often too complicated to articulate precisely.
Human behaviour is complex
Some of our fundamental traits can be outlined as follows:
- Trust – Humans place their trust in others, assuming inherent goodness.
- Empathy – Humans exhibit care for others and their feelings.
- Ego – Humans harbour a competitive spirit, aspiring to outshine their peers.
- Guilt – Humans experience remorse for their actions, especially when they harm others.
- Greed – Humans desire possessions and may succumb to impulsivity.
- Urgency – Humans respond promptly to situations demanding immediate attention.
- Vulnerability – Humans often grapple with fear and are candid about their emotions.
While this list is not exhaustive, it summarises common and understandable aspects that drive human behaviour. Human interactions hold essential value, instilling life with significance and advancing cultural norms. However, for attackers seeking to exploit us, the social construct of human-to-human interactions provides a pathway for manipulation.
Our naturally social nature draws us back to these traits. Emotions serve as a safety net for communication, problem-solving, and connections in our everyday life, and we have come to trust our emotional responses to guide and protect us in a variety of situations.
I think, therefore I can be manipulated
Attackers exploit this safety net (emotions and fundamental traits) when targeting humans, as it can be manipulated to fulfil their objectives. This safety net weakens even further when we venture into the “online” realm, as certain safeguards fail for lack of context. The abstraction of communication into a name on a screen often misleads our minds into interpreting situations in a way that our emotions cannot accurately navigate.
In the realm of manipulation, various models and methods have been employed over centuries to influence human behaviour. In today’s context, attackers exploit these models to identify human vulnerabilities, characterised as weaknesses within the system that can be exploited.
In addition to directly manipulating fundamental traits through carefully targeted attacks, attackers tend to target humans through forms of influence and persuasion. These are the mental realms in which humans tend to operate, and they can be summarised as follows:
- Reciprocation – Humans feel compelled to reciprocate what they have received.
- Authority – Humans are inclined to comply with authoritative/known figures.
- Scarcity – Humans desire items that are less attainable.
- Commitment & Consistency – Humans favour routine and structure.
- Liking – Humans form emotional connections.
- Social Proof – Humans seek validation and fame.
These aspects can be viewed as potential vulnerabilities in the human mind when combined with emotions and fundamental traits. Attackers leverage these aspects to gain direct control over our actions, an occurrence now recognised as social engineering. Social engineering encompasses various techniques and tactics, yet at its core it exploits one or more of the areas mentioned above through carefully crafted interactions.
Formula for attack
To describe the modus operandi of attackers targeting humans, we can express it as simple formulas.
A standard attacker formula will be as follows:
(Target) + (Vulnerability) + (Exploit) = Compromise
But when applied to the human it could be as follows:
(Human Mind) + (Emotional Trigger/Trait) + (Social Engineering Technique) = Intended Objective through Resultant Reaction
The attack chain becomes apparent when we look at how these formulas relate triggers and techniques to vulnerabilities: the emotional trigger or trait is the vulnerability, and the social engineering technique is the exploit.
These exploitation techniques are most often delivered through digital channels such as email, phone calls, or text messages, and are frequently used for phishing. These tactics manipulate established interactions to achieve various objectives, such as deceiving individuals into parting with funds, opening malicious files, submitting credentials, or revealing sensitive data. The consequences of these attacks can range from individual losses to organisational breaches.
Defending ourselves
To safeguard against these attacks on our minds, we should align our cognitive standards with our emotional triggers by asking questions such as: what is the purpose, the expectation, and the legitimacy of this interaction? These questions can prevent impulsive reactions and allow introspection.
Establishing a “stop and assess” mentality acts as a mental firewall, strengthened by vigilance, to enhance personal and organisational security. By considering potential attacks, we heighten our awareness of vulnerabilities and build resilience. This awareness, coupled with a proactive approach, helps mitigate threats to our minds and humanity, promoting collaboration to disarm attackers and weaken their operations.
Stay vigilant, stay informed, and continue to question everything.
This is just one of the stories found in the Security Navigator. Other exciting research like a study of Hacktivism and an analysis of the surge in Cyber Extortion (as well as a ton of other interesting research topics) can be found there as well. It’s free of charge, so have a look. It’s worth it!
Note: This article was expertly written by Ulrich Swart, Training Manager & Technical Team Leader at Orange Cyberdefense.