Chapter 25 Β· Concepts

Other Social Attacks β€” Concepts

Attack taxonomy, elicitation techniques, USB defense layers, and the disinformation response framework.

Social Attack Taxonomy

Different social engineering attacks target different people, operate through different channels, and require different defenses. Understanding this matrix helps assign the right controls to the right attack type.

AttackCategoryPrimary TargetKey Defense
SpamUnsolicited bulkEmail system / any userSpam filters, email authentication (SPF, DKIM, DMARC)
SPIMUnsolicited bulkIM platform users (Teams, Slack)Platform security controls, MFA, user awareness
HoaxManipulationSecurity behavior / all staffUser education, established official communication channels, IT verification before acting
DisinformationInfluencePublic trust, markets, customersBrand monitoring, crisis communications plan, source verification
ElicitationIntelligence gatheringEmployees with specific knowledgeNeed-to-know training, information classification awareness, conference briefings
USB dropPhysical accessAny employee with physical workstation accessDisable USB ports, device control software, awareness training
HID attackPhysical accessAny USB portUSB data blockers, HID device policy, physical USB blockers
Invoice fraudFinancial deceptionFinance / accounts payable staffOut-of-band callback verification, dual approval for payment changes
Influence opsCoordinated deceptionOrganization reputation, markets, staffBrand monitoring, rapid response, platform reporting, legal action

The Elicitation Technique Toolkit

Elicitation practitioners use a set of well-documented conversational techniques to draw out sensitive information without triggering suspicion. Recognizing these patterns is the first step in defending against them.

Flattery

"You clearly know more about this than anyone β€” what's your take on [sensitive topic]?"

Making the target feel like the recognized expert in the room. Exploits the natural desire to demonstrate competence and share knowledge when someone acknowledges your expertise. The target talks more and more freely to live up to the flattery.

Feigned Ignorance

"I'm still learning about this area β€” how does your [system / process / approach] actually work?"

Positioning as a novice to invite explanation. Exploits the human instinct to be helpful and teach. The target explains concepts in detail that they would never summarize in a formal context. People explain more clearly to someone who "doesn't understand."

Deliberate False Statement

"I heard your company is migrating to AWS next year."

State something plausibly wrong. If the target corrects you β€” "Actually, we went with Azure" β€” they have just provided the accurate answer. People feel compelled to correct factual errors, especially about their own organization. The correction contains the real information.

Provocative Question

"Isn't it true that [company's security practice] is actually quite weak compared to industry standards?"

Challenge the target's professional pride or their organization's reputation. The target defends their organization by explaining what they actually do β€” revealing processes, investments, and capabilities that confirm or deny the provocation. Defense = disclosure.

Bracketing

"I'd estimate you have about 500 servers in that environment β€” is that about right?"

Offer a plausible but deliberately incorrect estimate. The target corrects with the real number: "No, we have closer to 1,200." The correction has revealed the actual figure. Works on quantities, timelines, team sizes, budget ranges β€” any numeric information.

Volunteering Information

"We had a similar vulnerability last year β€” it was a nightmare to patch."

Offer a false or exaggerated detail about yourself or your organization, hoping the target will reciprocate with real information about theirs. Exploits conversational reciprocity β€” sharing invites sharing. The practitioner's "vulnerability" is fabricated; the target's disclosure is real.

USB Drop Defense Layers

USB drop attacks have multiple variants requiring multiple defense layers. A single control is insufficient.

1
Group Policy β€” Disable USB Storage Ports
Use Windows Group Policy to disable USB storage device installation. Prevents standard malware-drop USB drives from mounting as storage. Does not prevent HID attacks (keyboard devices are not storage).
2
USB Device Control Software
Endpoint management tools (e.g., DriveLock, Ivanti) allowlist only known, authorized USB devices by serial number. Unknown devices are blocked entirely, including unknown HID devices. More granular than Group Policy alone.
3
USB Data Blockers for Charging
"USB condoms" β€” pass-through adapters that block data pins while allowing power delivery. Charging-only use case is protected from HID attacks because data pins are physically severed. Required at public charging stations and shared workstations.
4
Awareness Training β€” "Found USB = Call Security"
Employees should not plug in any found or gifted USB device under any circumstances β€” not into work machines, not into personal machines, not into air-gapped machines. The label is the weapon. Training must explicitly address the psychological triggers (curiosity, helpfulness) that USB drop labels exploit.
5
Network Segmentation
If an endpoint is compromised via USB, network segmentation limits the blast radius. A compromised workstation that cannot directly reach financial systems, authentication servers, or production databases requires additional lateral movement steps β€” providing detection opportunities and limiting damage.

Disinformation Response Framework

When false information about your organization begins spreading, time is critical. Each hour of unchecked spread increases the credibility of the false narrative. This framework defines the response sequence.

1. Monitor

Brand monitoring services alert within minutes of coordinated mention spikes, impersonation accounts, or abnormal posting patterns. Do not rely on employees or customers to tell you β€” by the time they do, the narrative has spread. Set up alerts for company name, executive names, product names, and common misspelling variants.

2. Assess

Is this spreading? What is the source β€” organic user complaint or coordinated campaign? Are there bot-like account characteristics (new accounts, identical posting patterns, purchased followers)? Quantify reach and rate of spread. Determine whether this is disinformation (deliberate adversary), misinformation (spread by believers), or a legitimate complaint that requires a different response.

3. Respond

Issue a clear, factual, measured correction through official verified channels β€” company website, verified social media accounts. Do not be defensive or dismissive. Link to verifiable evidence where possible. Every hour of silence is perceived as confirmation. Speed matters more than perfection in the early window.

4. Contact Platforms

Report coordinated fake account networks to platform trust-and-safety teams with evidence: account creation timestamps, naming patterns, synchronized posting behavior, fabricated content. Platforms can remove coordinated inauthentic behavior at scale once reported with documented evidence.

5. Document

Preserve all evidence: screenshots, account identifiers, post timestamps, spreading patterns, financial or operational impact data. Documentation supports legal action, regulatory reporting, and insurance claims. If the stock price was materially affected, legal counsel should assess SEC disclosure obligations.

6. Brief Executives

Prepare executives for media inquiries before they receive calls. Agree on messaging. Identify the approved spokesperson. Ensure executives do not make off-the-cuff statements that contradict the official position. A single inconsistent statement from an executive can undermine a carefully managed response.