This is a transcript of the first episode of the Intelligence Podcast: OSINT and its application, a podcast about the various broad applications of open-source intelligence. Visit our podcast page to find out more.
Open-source intelligence can not only be a tool for investigating cases or persons of interest. It can also be used to anticipate and derail increasingly more sophisticated social engineering attacks.
Anne-Lynn Dudenhöfer, Intel Desk Lead at HENSOLDT Analytics, spoke to Christina Lekati, a psychologist and a social engineering specialist, about the practical use of OSINT in protecting high-value targets. In this conversation, our guest shares the most popular social engineering techniques, identifies the most commonly exploited human vulnerabilities, and points out the giveaways of a social engineering attack. All of this in the context of applying open-source intelligence in security.
Some sentences were shortened and edited for clarity.
Q: My guest today is Christina Lekati, who is a psychologist and a social engineer. Christina has a background in psychology and specialises in the mechanisms of behaviour, decision-making, as well as manipulation and deceit. Christina, could you provide some information about your professional background and your current role?
Christina Lekati: As you mentioned, my background is in psychology and I also have a degree in it. At the same time, I was exposed to the field of cyber security from a pretty young age because of my father, who was also working in cyber security. Through him I learned about social engineering; I learned how to apply what I learned from psychology to protect individuals from social engineering attacks and scams. And overall I learned to apply this knowledge in the field of cyber security.
Right now, and for the past seven to eight years, I have been a trainer and consultant for Cyber Risk GmbH, a Swiss company. I am also the main developer of the social engineering training programs provided by Cyber Risk.
At the same time, anybody who has been working in social engineering has been able to see that OSINT is a very central part of it and a very essential one. So, lo and behold, the investigative side of me took over. I got trained, I studied, I learned more about OSINT and I started applying it more in my job. Today, I am also the lead OSINT investigator for the protection of high-value targets and for corporate vulnerability assessments.
Q: You are a psychologist and social engineer, as well as an OSINT practitioner, and as you also mentioned, you are the main developer of the social engineering training programs provided by Cyber Risk GmbH. So what does your day-to-day look like – if there is one – and maybe you could name some of the usual tasks you’ll deal with on a day-to-day basis.
Christina Lekati: There is no typical day and I’m thankful for it because we tend to get different projects that require different handling and that helps me learn more each day. This also means not having a standard routine. Let’s talk about a typical week.
A typical week has certain projects that we will be working on and applying the knowledge that we have. But there is also some time carved out to learn more about my field, and to deepen my knowledge in it. I think these two go hand in hand: you cannot be in OSINT or cyber security and not keep learning. I think that I have a personal need for it as well but, at the same time, I see how this translates into value for the customers. At the end of the day, you come across different cases and you are able to access a big pool of experience-based knowledge.
Q: Given your background, I would like for us to cover several topics today. Namely, first, social engineering through social media, as in profiling, scanning for vulnerabilities, and victimizing. And secondly, protecting high-value targets, as you mentioned, and where investigators and analysts should focus their intelligence collection. For both topics mentioned, open-source information plays a crucial role. It would be great if you could briefly elaborate on what you understand as open-source information.
Christina Lekati: Open-source information for me and for many of us in this profession is intelligence. Intelligence means that you have a goal with the information collection that you do. So it’s intelligence based on information that you collect from publicly available sources. This is anything the internet has to offer that is live or deleted, but also anything that you can find through your newspaper, other media sources, conference presentations… Anything that is simply public and open for everybody to access.
Q: In terms of open-source intelligence and collecting open social information, are there any other investigation methods you frequently combine with OSINT? If so, why?
Christina Lekati: Yes, and you mentioned one earlier. Social media intelligence, SOCMINT. Although it is considered a subset of OSINT, it has developed into a bit of a separate intelligence area because it is just so vast and big and so specific to social media profiles. At the same time, I have to say there is some IMINT, image intelligence, or GEOMINT, geospatial intelligence included. For example, you might find a picture posted of an individual that’s your client and you might need to assess whether an adversary would be able to geolocate them or whether they would be able to identify some critical or sensitive information, such as that person’s car plates or physical address; things that betray their current location.
Lastly, you know that I have a background in psychology, so HUMINT, human intelligence, could not be missing from this mix. It’s also important in social engineering. It is also my favourite aspect. Human intelligence involves collecting and utilizing what you know from open-source intelligence. For example, information that helps you profile an individual and learn their predispositions, what they respond to, what their behaviour looks like, personality, and so on, and apply this knowledge to a human intelligence operation. This happens a lot as part of criminal investigations, thankfully, and the goal is to try to draw from this individual a piece of illicit information that will help you solve a case against them.
Q: To provide a bit of background for our audience, social engineering, very broadly, refers to manipulation techniques which exploit human error or behavior. And unlike other, more traditional cyber attacks that rely on security vulnerabilities, social engineering techniques target the human side of things, namely human vulnerabilities. Could you share with us, Christina, your definition of social engineering to add to what I just said? And could you name the most popular techniques of social engineering?
Christina Lekati: Social engineering means applying behavioural science and a group of manipulation methods in order to sway somebody’s behaviour and make them do a certain action that you want them to do. So manipulating them, influencing their behaviour, and it’s all based on human psychology. It might exploit a personal vulnerability, as you mentioned, but it might just exploit simple human wiring: we all have some baseline behaviours and tendencies. For example, we all want to help others, we all want to be consistent, and once we start helping somebody with smaller requests, we tend to keep wanting to help them even if they ask us for a little bit riskier actions. This is a characteristic that is hardwired and something that tends to get exploited by social engineers.
Now, when it comes to situations in the real world, I will mention two very classic social engineering examples because I believe the audience might have heard about them already.
Phishing emails are malicious emails that you get and that you either click on because of curiosity or because they promise something big. Such as, you won a free iPad because, I don’t know, it’s Memorial Day. And they click on it because they want to get that iPad. Or the phishing emails might exploit some personal information, for example, if the threat actor has seen that there was a company picnic, they might try to impersonate a colleague, send out a link, and say something like, “Hi, we had a great picnic yesterday, I took these pictures. You can access them through this link”. And the link might be malicious.
We also have spear phishing attacks, which are very, very popular right now. These involve impersonating somebody with authority and targeting specific people with a tailored message through emails, phone calls or a combination of the two.
Another attack that we see happening a lot more – and it also involves a lot of open-source intelligence and social media intelligence – is personality-based. We see threat actors and state-sponsored threat actors using this more and more. They are trying to recruit individuals through. The scenario is simple: there is a fake account, a sock puppet, connecting with somebody else with a specific target on social media, initiating a plain conversation, building a relationship. Just like anybody could through social media. Most often, these are built based on common interests. These fake accounts continue this conversation and then gradually establish trust, asking for more sensitive information or ultimately asking to provide feedback on a topic they have been discussing and therefore having the excuse to send a link. The target will open the link and either download malware or provide credentials.
These were just two of the most popular attacks that we know of. In human behaviour, there are obviously a lot of different areas to exploit. As you said, there is some baseline behaviour that most of us share, and then through social media you can learn a lot of other characteristics that a person might have that may be unique to that person. Then it’s easy to target shared interests or common interests and so on and so forth. Oftentimes, these threat actors are also playing the long game, which is why we then become less and less suspicious.
Q: Everything that you mentioned is extremely relevant, especially regarding the past few years when cybercrime has been on the rise. According to the federal situation report about cyber crime in 2021 by the BKA (Bundeskriminalamt), which is the Federal Criminal Police Office of Germany, a new high in cyber crimes was recorded. Namely, a more than 12 per cent increase in cyber crimes compared to the previous year. What we can clearly see is that crime is shifting more and more to the digital space.
In terms of social engineering, what red flags are there for potential targets to look out for? Essentially, what I’m asking here is how people can avoid or protect themselves from social engineering attacks.
Christina Lekati: I love that you mentioned that some threat actors now play the long game. They absolutely do and we as an industry have not exactly caught up with them. We know about it but we haven’t done that much about it yet collectively, which is a bit of an issue.
Now, in terms of red flags, we have to look at it differently. There are some short-term social engineering attacks, the quick hit entrances, for example, phishing emails or phishing calls and these have different red flags than the long-term game of social engineering attacks.
When it comes to short-term attacks, usually, we tend to observe a lot of time pressure in emails or phone calls. You will receive an email telling you that you need to respond immediately for whatever reason they provide, or that you only have a very narrow timeframe to do something. These threat actors usually connect that with a warning of a big disaster if you don’t comply immediately with what is being asked for. For example, in a spear phishing attack, you might get an email from somebody impersonating your boss saying that they just closed this deal and need an immediate transfer of funds. This is very time sensitive, it needs to happen within the next half an hour, otherwise, I don’t know, we’ll run into some trouble and it’s going to be on you. So they introduce this personal responsibility as well and, of course, they might add something like, “Please don’t call me back, I’m on a conference call”, so that they discourage the receiver of the request from verifying it. This is another red flag: when a message you receive discourages you from verifying the request.
We have time pressure, we have a big disaster happening if you don’t comply, and we have this discouragement of verifying the request. But also anything that might appear unusual and out of the ordinary is a red flag. When it’s something that, once read, makes you sit back for a second and think about whether this is actually possible.
These are just some standard red flags although there is more to it. But I think there is more to this whole topic anyway.
In terms of long-term attacks – but this also applies a little bit in short-term attacks – we need to know our boundaries. And we need to be able to recognize attacks from the types of questions that are being asked. If somebody is pressuring us a lot for information that we know is sensitive in nature, we also need to exercise some healthy paranoia. We need to exercise healthy boundaries and say something like, “Actually, I cannot disclose that, I’m sorry” and then observe and see whether this person comes back still asking for more information on what we just said we cannot disclose. Or if they are trying to find a workaround question that still touches on this area that we just said we cannot disclose but from a different angle. Such as prying a little bit, and beating around the bush.
Q: What I also would like to talk about is another interesting part of your work. Namely, the protection of high-value targets. Maybe you could cover some basics for our audience first. First of all, who do you categorize as a high-value target?
Christina Lekati: High-value targets could mean different things to different organizations but – as an umbrella way to think about it – it is anybody who has privileged access to systems, assets and information. Or anybody who is working on a mission-critical project or task.
Most frequently they are executives. They are the C-suite, they are senior executive management; people that travel a lot and are exposed, and still have a lot of knowledge about company plans, company strategies, and client information. We need to think that there are not only cyber attackers that we are up against but also industrial espionage operatives and other types of intelligence operatives for different purposes.
Individual people but also teams are considered high-value targets. Teams that might be working on sensitive projects or mission-critical projects. The executives are a big high-value target but we should not forget their assistants because their assistants have just as much access to information as they do. And the assistants tend to be more easily compromised.
Q: For such people as the ones that you just mentioned, given how many threat actors could be involved, proactive rather than reactive intelligence investigation is imperative. Could you tell us a bit more about protective and proactive intelligence and its components?
Christina Lekati: Protective intelligence is an invisible security measure, which involves utilizing open-source intelligence to identify, assess and manage risk in advance. Meaning, before an adversary does.
Protective intelligence is a proactive measure. You try to eliminate the attack surface through the intelligence report. You try to manage any risky information, any potential vulnerabilities that might be out there or sensitive information, and personally identifiable information. You identify these vulnerabilities in advance and take them out or try to manage what happens with the fact that this information is around. We try to eliminate the tactical advantage of an adversary. In some rare cases, we still have to think about kidnapping attempts or close contact attacks. And in such cases, removing the tactical advantage is paramount.
Lastly, the protective intelligence report aims to identify potential risks and vulnerabilities but, in the end, it informs a security plan. It informs the security team and instructs them on what they can do and how they can handle a certain situation based on the information that is online and accessible to threat actors.
There are two main components in protective intelligence and one of them is threat assessment. Knowing who your adversary is, knowing who you are up against. Sometimes the companies or the high-value targets know who is targeting them. They have some information on what they are threatened by. But in some other cases, they don’t and you need to assess the threat landscape.
The second is the vulnerability assessment, which involves identifying information that could put that individual at risk.
Q: You establish a good baseline understanding there that many people don’t have. I want to drill down a bit. Is it possible for you to walk us through a workflow – even if it’s generic – of how protective intelligence can be conducted to protect a high-value target? For example, how many people will usually be involved in conducting such protective intelligence?
Christina Lekati: You mentioned before that most people don’t know about protective intelligence and high-value targets, so I want to start with that. In Europe, it is still relatively underdeveloped as a field. Protective intelligence is something that an average company is not that well aware of. However, other organizations that do handle critical information are very aware of this concept and they utilize it. Still, it is relatively new in Europe.
How the workflow goes is that you need to have a thorough conversation with a client to identify the scope, to see whether they have threat intelligence and whether they know who is targeting them. Whether they have had some incidents before. Also, you find out the budget and timeframe. How much time you have available is also really critical. It’s one thing to have a client that is asking you to be proactive and you have all the time in the world, and another thing for a client to tell you on Monday that this individual is traveling on Thursday. And we need to make sure that he’s in the clear. Time still matters because combing through information takes time; open-source intelligence takes time. Scoping, doing a very specific scope with the client, and identifying what they know and what they need to get, what intelligence they need to get to, is still important.
We usually have two or three people working on it, or one, depending on the case, so you never know. But there is always somebody, a second or third person, also crosschecking the findings and making sure the report makes sense. This is common practice for all of our intelligence reports because, in the end, you need to replicate and you need to communicate to the client what you have found effectively.
Now, for high-value targets the workflow starts with four main pillars.
First of all, recognizability. Can an adversary identify a specific person behind the mission-critical role? Can they connect a specific job to a specific individual? This might be the only requirement sometimes. Other times recognizability refers to whether you can find personally identifiable information on that individual. A full name, address, phone numbers, family members, the places they frequent, and so on.
In the second step, we would move into accessibility. Can you get to this target? If you find an address, can you identify whether there is security, whether there are security measures, fences, or cameras around their home? Is it easily accessible or would a threat actor need a more elaborate plan to access the premises? For example, can they identify specific routes that the individual is taking or the vehicles they are using? Could they potentially intervene with this route in a way? These are all parts of accessibility.
We mentioned travellers and the individuals that get exposed. Can you approach them at the airport? Can you approach them at the conference? Do they seem open and communicative when they are in social events? All of these things may be assessed when you walk through an accessibility part. And then by combining these two pieces of information you try to establish whether there is a certain level of vulnerability. Whether it is easy to access this individual.
In this step we also tap a little bit into what we know about the other attacks. What we know about those threat actors and their modus operandi. And we try to see if they could replicate this attack or if they could find a way around it. Through combining all this information we try to find a certain vulnerability with the vulnerability profile of that individual and potential attack vectors or attack scenarios that could be used against them.
We either inform that individual and prepare them for those potential attack vectors or the security team or both.
Lastly, there is the threat assessment. Like I said in the beginning, we either get some information already from the client because they know who they are up against or we do our own research.
Q: It’s very interesting that this field is still underdeveloped in Europe. I have a question about the future which ties in neatly with what you just mentioned.
From your perspective, as someone who has studied human psychology and now combines OSINT, HUMINT, and all sorts of other methods for the purpose of threat detection and better cyber security:
What does the future of crime investigation look like and how should crime investigation evolve? Maybe the second one is even more important.
Christina Lekati: We need to invest more in training, the capabilities and the skillset of investigators. We have had a lot of newcomers in the field of open-source intelligence lately. Some of them are because of certain popular docu-series that pop up on Netflix. But the sad truth is that although they focus on the fancy aspect of how effective searching on Google looks and how much information they find, these people don’t really learn the analytical process.
This is something we sometimes see in investigators that work criminal cases. Their organizations might not provide enough budget to train them on how to conduct proper open-source intelligence.
I and the OSINT-Curious Project work towards educating people and suggesting free resources to use better open-source intelligence practices. To use good intelligence analysis methods. I think this is super important. Right now we have law enforcement agencies that don’t know how to tap into this cyber world and how to utilize information to get to criminals. It’s such a big resource that is not utilized as much as it should.
At the same time, our adversaries are advancing. They are using more sophisticated methods, they combine more techniques. I believe we should do the same. We should start getting trained not only in open-source intelligence but also in other intelligence disciplines. As you mentioned earlier: sometimes combining them is really important.
We teach a class on combining open-source intelligence with human intelligence, and we provide it to law enforcement and other professionals.
Moving forward, we still need to focus a lot on the skillset.
Q: You mentioned a really important point there, that we need to continuously advance our skill sets. And even when combining the analysis part of the investigation with, for example, big data processing or AI, all kinds of things which are already happening and will obviously take over in the future… It is still important that we as analysts are able to verify the information and that we’re able to use different investigation methods and we’re not only relying on one tool. Knowing how to use the tools and knowing how to double-check the information.
I think this training and the focus on best practices when investigating will remain very important. We need to make sure that we don’t lose this focus in the future. I think this will be a challenge given how much and how quickly this whole technological field is advancing.
We covered a lot of interesting points and a wealth of information, thank you for joining us, Christina.
Christina Lekati: I absolutely enjoyed our conversation and I also like the fact that you mentioned in the end that yes, it will be a challenge to reach a point where everybody, or at least a big portion of investigators, have a pretty developed skillset. It is going to be a challenge but, at the end of the day, choose your adventure. You will either have the challenge of advancing your skills, doing better budget allocation, and so on, or you will have the challenge of wasting time and resources without tapping into the potential of open-source intelligence and other related disciplines. I hope we can all collectively do a bit more to add to this field, to promote this field, and to teach others about it.
Let’s all try to do something better for our future.
The Intelligence Brief Podcast: OSINT and its Application
Episode: Social Engineering and the Protection of High-Value Targets
In this episode, our Intel Desk Lead and podcast host, Anne-Lynn Dudenhöfer, is joined by Christina Lekati, who is a psychologist and a social engineering specialist. They discuss risks posed by social engineering and how to use OSINT for the protection of high-value targets.
Our guest shares different social engineering techniques, which human vulnerabilities are being exploited, and what red flags to look out for. In addition, Christina sheds some light on the value of OSINT in protecting high-value targets from digital and real-life attacks.