Elicitation has been a topic of increased interest lately, both from the perspective of cyber espionage as well as in our normal, day to day lives.
The digital age provides endless arrays of access points to our personal and sensitive information, and with our minds being pulled into so many directions, we don’t always take the time and consideration to exercise proper security hygiene. Instead, we rush through our online experiences, hoping for the best while as the same time putting ourselves and our work at risk.
Our data has become the most valuable commodity in the digital age and as people, governments, and corporations compete to stay ahead of the pack, the temptation to steal the information of others has become far too tempting and lucrative for cybercriminals to shun away from.
And while there are many technical tools out there used to mitigate the onslaught of cyberattacks, criminals have come to understand that it is the human fallacy that will result in the greatest payday.
When you think elicitation, an image of James Bond may come to mind, a secret spy attempting to extract information from an unbeknownst source, using his charisma and charm to come off unsuspecting to his intended target.
Another, lesser known individual but of equal if not greater importance is Hanns Scharff (1907-1992), who worked as an interrogator for the German’s Luftwaffe’s Intelligence and Evaluation Center, where he interrogated over 500 American and British fighter pilots during the course of World War II. Scharff was never trained in elicitation techniques; instead, he adapted his own style of interrogation that postulated a friendly, engaging attitude while at the same time using situational awareness to his advantage in the course of interrogating detainees. His techniques and strategies were powerful, and continue to show validity in the present, having been time tested and researched in the years since as an effective technique of extrapolating information from unbeknownst sources.
But what is elicitation exactly? – In simple form, it is a technique, or series of techniques, used to gather information that is not readily available, and to do so without raising suspicion that specific facts are being sought after.
When done by a skilled collector, elicitation appears to be normal social or professional conversation. What the intended target does not know is that they have been specifically chosen, evaluated and analysed to determine their behavioural patterns to find the best opportunity to inquire into the targeted information, steadily accruing bit by bit over the course of one or multiple sessions.
Elicitation draws on several innate human tendencies, including:
- the desire to be polite and helpful, even to strangers
- the desire to appear well informed, especially about our profession
- the desire to feel appreciated and believe we are contributing to something important
- a tendency to expand on a topic when given praise or encouragement; to show off
- a tendency to gossip
- a tendency to correct others
- a tendency to underestimate the value of the information being sought or given, especially if we are unfamiliar with how else that information could be used
- a tendency to believe others are honest, a disinclination to be suspicious of others
- a tendency to answer truthfully when asked an “honest” question
- a desire to convert someone to our opinion
Attackers use techniques, both in the physical and digital world, to undermine these natural human tendencies and exploit his or her target. And while it may sound like only bad guys employ elicitation techniques, in reality, we all use elicitation, in one form or another, varying in degrees of finesse.
Whether your job is a recruiter, police man, therapist, teacher, business intelligence collector, etc., you use it. Even in our romantic relationships, family relationship, peers and friends, we use subtle psychological clues, consciously or unconsciously, to collect information that the person sitting across the table from us does not want us to find out.
The current digital landscape provides many more avenues where elicitation can be used to trick us into providing our information than in the past. In such an environment, social awareness skills need to be enhanced so we become more cognizant of the information we are putting out and how it could be potentially used for malicious purposes. In the age of information overload, it is easy to become flushed and overwhelmed by the many direction we are being pulled in, but by taking a step back to evaluate with who, in what context and topic, when, where, and why certain conversations and exchanges are taking place, we regain perspective and can stop ourselves from sharing information that could be used for unintended purposes.
And maybe with this type of an approach, one where social awareness is advocated over security awareness, we can build upon human strengths to make individuals more cautious in all of their environments, not just the cyber landscape.