Thirty-Six Stratagems of Social Engineering, Part I 三十六社交工程計,上

Transcript of Thirty-Six Stratagems of Social Engineering, Part I

On Stratagems

• Stratagems have been around since the age of city states.

• They were primarily used in wars in ancient times.

• They expanded into politics throughout the imperial era.

• They broadened into commerce in the mercantile period.

• Now, in the information age, they are rebranding themselves as social engineering, designed to fool the hearts and minds of the populace.


On Thirty-Six Stratagems

• Stratagems were used and recorded before the time of the Spring and Autumn Period (771-476 BC).

• Tan Daoji, a Liu Song Dynasty general (d. 436 AD), organized, codified and wrote them down as the Thirty-Six Stratagems.

The title itself references the I Ching, where six is associated with Yin, which represents the hidden and intrigue. Thirty-six is the square of six, signifying numerous and interchanging schemes.

• Its counterpart was a book called Strategemata, written by Sextus Julius Frontinus, a 1st century Roman senator famous for his work with aqueducts.

Unfortunately, that book was lost.


Why Thirty-Six Social Engineering Stratagems?

• As organizations and nation-states strengthen the software and network aspects of their cyber defenses, attackers have to look for other ways to access data.

• Cyber attacks, like all forms of warfare, are ever escalating. In 2003, phishing introduced the art of social engineering into the information security world. An email informing users that their password was expiring opened up a new battlefront.

• A more sophisticated, escalated data breach requires a master plan: numerous stratagems are hatched to deal with various scenarios, and vast numbers of bots provide ample firepower.

• An objective of this slide deck is to provide food for thought for InfoSec Pros (information security professionals), to help them recognize patterns and hopefully come up with means to deal with them.


Requirements for Successful Stratagems (1/3)

1. Understand the opponent's nature

Social media

News outlets

Employees / friends / haters

2. Understand the opponent's tactics and skills

News outlets

Conventions

Webinars

3. Understand the situation at hand (comparison of advantages and disadvantages)

Know your opponent as well as you know yourself in order to neutralize their advantages and shore up your disadvantages.

Requirements for Successful Stratagems (2/3)

4. Reconnaissance

Know your entry and exit points.

5. Be highly alert in an unusual situation

Are you being played? (See below.)

6. Expose a weakness to entice the opponent

Useful if your opponent is aggressive or full of hubris

Lowers the opponent's guard

Lets the opponent know your goals or methods

Requirements for Successful Stratagems (3/3)

7. Hide motives and goals

Why make it easy for opponents?

Maintain the initiative

Allow room for maneuver

8. At a crucial time, strike at their blind side in order to maintain your advantages

Their greatest triumph could also be their greatest weakness.

This can apply to you just as well.

How This Slide Deck Is Presented

• The Thirty-Six Stratagems are divided into 6 chapters.

• Each chapter contains six stratagems.

• This slide deck lists all thirty-six stratagems but will focus on only two stratagems per chapter.

Winning Stratagems 勝戰之計

How to use your enemy to your advantage

Winning Stratagems 勝戰之計

• Yang element of stratagems

you know exactly your own and your opponent's strengths

and/or

you have an advantage

• The military talks about utilizing force multipliers; here the stratagems are about force dividers.

Force dividers are used on your opponent's forces.

It is about using the least amount of resources to achieve the greatest number of wins.

List of Winning Stratagems

1. Deceiving heavens, crossing oceans 瞞天過海

2. Besiege Wei, rescue Zhao 圍魏救趙

3. Murder with a borrowed knife 借刀殺人

4. Leisurely wait on a laboring enemy 以逸代勞

5. Loot a burning house 趁火打劫

6. Sounding east, striking west 聲東擊西

Besiege Wei, rescue Zhao 圍魏救趙

Explanation

It is better to face a divided opponent than a concentrated one; it is better to fight through subtlety than head-to-head.

The objective is to force the opponent to lose control of the situation and the initiative.

Historical Context

Sun Bin, a military strategist of the Qi State during the Chinese Warring States Period, was ordered to rescue an ally, the Zhao State, from the hegemon, the Wei State.

Rather than face an enemy with superior force and advantages, he attacked Wei's capital. There he had no trouble defeating the defending army and laid siege. The King of Wei recalled his general, who was on the verge of conquering Zhao, ordering him to return immediately.

By the time that general returned to Wei's capital, Sun Bin had already returned home, and the Zhao State was saved.

Besiege Wei, rescue Zhao 圍魏救趙

Modern Time

The objective is to knock the InfoSec Pro off what he was doing and have him focus on something else. This forces him to redirect his efforts and costs him time and energy.

Modern Scenario

Works best against a command-and-control or highly politicized structure where the CISO or ISO manager micromanages his staff to such an extent that they can't act without his say-so.

The game plan is to create an alternate attack that targets the CEO or C-level management. This would work only if there is an inside man or you're certain that C-level machines are compromised.

Leisurely Wait on Laboring Enemies 以逸代勞

Explanation

Force your opponents into adverse situations that sap their strength and exhaust their spirits. Then attack them with your fresh force.

It is never a good idea to confront foes whose energy and morale are high. It is better to exhaust them while maintaining your own high energy and morale.

Historical Context

During the Warring States Period, the Qin State launched an invasion against the Chu State, led by a young general. After a series of wins, he became overconfident and fell into an ambush that destroyed his force and had him retreat all the way back to Qin.

In response, the Qin State sent an elder general, who stopped at the border of Qin and Chu and built up his defenses. While the Chu troops wanted a quick decisive battle, the Qin troops hid behind their fortresses. When the Chu forces exhausted their supplies and withdrew, the Qin troops attacked from behind and annihilated them. The Chu State was eliminated soon after.

Leisurely Wait on Strained Enemies 以逸代勞

Modern Time

This stratagem supports the idea of taking control of the situation away from the InfoSec Pro. This is done by exhausting him to the point of making a wrong call, an oversight, an overreaction, an overreach, etc.

While direct confrontation (against an active opponent) is exciting and generates much buzz, it also drains and ties up both resources (even if those resources are hijacked) and time.

Modern Scenario

A series of false positives from various sources and locations can demand the InfoSec Pro's immediate attention.

Or, as in the historical context, pose an imminent threat that he can see coming and keep him waiting. However, in this case, with modern technology, the InfoSec Pro can afford and does welcome the wait, as it allows him to shore up his defenses as well.

Enemy Dealing Stratagems 敵戰之計

How to encounter enemies

Enemy Dealing Stratagems 敵戰之計

• Yin element of stratagems

you do not know your opponent's strengths

and/or

you are at a disadvantage

• Initial contact with the opposing force

Probing attacks / recon

Verify how the opponent responds before and after an attack

List of Enemy Dealing Stratagems

1. Create something from nothing 無中生有

2. Openly repair the road, sneak through the back 明修棧道,暗渡陳倉

3. Watch the fires burn across the river 隔岸觀火

4. Hide a knife behind a smile 笑裡藏刀

5. Sacrifice a plum, preserve a peach 李代桃僵

6. Take the opportunity to pilfer a goat 順手牽羊

Watch the fires burn across the river 隔岸觀火

Explanation

When there is conflict within the enemy camp and chaos ensues, it is best to sit back and watch. Wait until their internal conflicts deepen, which deepens the hatred among them. It will turn into violence, and in its aftermath the enemy will be much weakened.

Then it is time to act.

Historical Context

During the Three Kingdoms period, Cao Cao defeated Yuan Shao, who soon passed away without naming an heir. Through political maneuvering, the youngest son became lord, which undoubtedly caused resentment among the other two.

When Cao Cao attacked again, his force was repelled by a united Yuan front. On the advice of his staff, Cao Cao waited. Soon the sons bickered among themselves and split into factions. The next time Cao Cao attacked, his opponents were much weaker and he was able to eliminate the Yuan faction altogether.

Watch the fires burn across the river 隔岸觀火

Modern Time

In most companies, there exists an uneasy tension between the InfoSec Pro and Network, the InfoSec Pro and IT, or the InfoSec Pro and the rest of the employees. In most instances, the InfoSec Pro has to play the bad guy by saying no to things that used to be taken for granted.

Attackers can exploit such tension and cause it to erupt into actual office-politics casualties. No matter who wins or loses, office morale will decrease, and this presents an ideal time to strike.

Modern Scenario

After a successful attack against a highly politicized work environment, send a company-wide email thanking the InfoSec Pro for making it happen.

Even if it does not light up immediately as the spark for an employee review, the seed of doubt is planted.

Take the opportunity to pilfer a goat 順手牽羊

Explanation

When one sees a stray sheep in the open, one is tempted to shepherd it home. So too with taking an opportunity when it presents itself: no matter how small it is, it can lead to something bigger.

Alternatively, take advantage of someone's opportunistic nature to cause great harm.

Historical Context

During the Spring and Autumn Period, a Qi minister helped a prince become Lord of the Qi State. But the new Qi Lord was lecherous and soon had numerous affairs with the minister's wife.

Eventually, the minister found out. Under the pretext of being ill, he was unable to attend to his duties. When the lord heard, he went to the minister's home under the pretense of inquiring after the minister's health. Instead he went to the wife's chamber. After she excused herself, the lord was trapped and soon killed.

Take a sheep on the way out 順手牽羊

Modern Time

This is one of the most commonly used social engineering techniques in modern times. Under the guise of "free", people will download anything and everything to take advantage of it.

Another variation is to give away free USB sticks, micro-SD cards, or Thunderbolt drives to prospective clients.

Attacking Stratagems 攻戰之計

How to attack

Attacking Stratagems 攻戰之計

• Yang element of stratagems

you know exactly your own and your opponent's strengths

and/or

you have an advantage

• Frontal attacks when they know you are coming

How to get around their defenses

How to direct your maximum force against their weakest point

Summary of Attacking Stratagems

1. Stomping the grass, scaring the snake 打草驚蛇

2. Borrow a corpse to resurrect a soul 借屍還魂

3. Entice the tiger to leave its mountain 調虎離山

4. Capture through release 欲擒故縱

5. Trading a brick for a jade 拋磚引玉

6. Defeat the enemy through their chief 擒賊擒王

Borrow a corpse to resurrect a soul 借屍還魂

Explanation

Something useful shouldn't be loaned; something not useful should be borrowed; use only the borrowed useless thing. It is not I who sought out the child, but the child who sought me out.

Even if you have overwhelming force, never display or use it unless absolutely necessary. By remaining hidden, it creates doubt and uncertainty in your enemies, who wonder where you will strike. Rather, use something insignificant and something borrowed; it draws off attention and allows you to increase your sphere of influence.

Historical Context

During the Three Kingdoms period, Liu Bei sought sanctuary with a fellow kinsman and lord. While the lord agreed, his two loyal ministers were worried: Liu Bei was infamous for bringing downfall to those who helped him. They decided to assassinate Liu Bei, but their plan was leaked.

When they arrived at Liu Bei's camp, they were welcomed and a festival was held in honor of the upcoming alliance. In the middle of the celebration, Liu Bei confided to the two assassins that he had a secret military plan to share with them. When they came to his tent, Liu Bei's troops seized them, searched them and found hidden daggers.

The assassins were beheaded, and Liu Bei announced to the accompanying troops that he feared for their lord's safety and asked them to return. The troops were followed by Liu Bei's force. At the city gate, the guards recognized the returning troops and opened the gate. Liu Bei's force rushed in. The coup was complete.

Borrow a corpse to resurrect a soul 借屍還魂

Modern Time

Technology-wise, this can be associated with Trojans and zombie malware.

In social engineering, this often refers to identity theft.

Modern Scenario

Capture through Release 欲擒故縱

Explanation

Fight when cornered; flee when weakened; give chase but do not strain; exhaust their energy, drain their spirits; then capture them through dispersal. Troops do not need to blood their blades.

Troops will fight to the death when they have nothing to lose. Between fleeing for their lives and fighting to the death, they will choose to live. Low morale is infectious, and the longer it germinates, the more damage it can cause. With low morale, tired and exhausted, they will give up rather than keep on fighting.

Historical Context

In the novel Romance of the Three Kingdoms, before Zhuge Liang could carry war to the Wei State, he had to pacify his southern front, where a local lord, Meng Huo, had rebelled after the death of Liu Bei.

Zhuge Liang captured Meng Huo seven times, but each time he chose to let the rebel leader go because he wanted to break the rebel spirit. Despite being released, Meng Huo's newfound insights weren't accepted by his allies, who thought of him as a loser. By the seventh capture, Meng Huo knew Zhuge Liang was indeed a master strategist and submitted.

Capture through Release 欲擒故縱

Modern Time

A modern equivalent is the man-in-the-middle attack. This allows attackers to continue gathering more information by releasing the captured data or transaction.

In social engineering, Capture through Release is like tagging a target. That target becomes the carrier. Through him, the company's internal system can be compromised, the company's incident response can be revealed, and the company's key individuals can be identified.

Modern Scenario

Chaos Stratagems 混戰之計

How to create confusion

Chaos Stratagems 混戰之計

• Yin element of stratagems

you do not know your opponent's strengths

and/or

you are at a disadvantage

• When an attack becomes a stalemate or attrition

How to deal with the defense-in-layers concept

How to fight them individually without being ganged up on

Summary of Chaos Stratagems

1. Remove the firewood from under the boiling pot 釜底抽薪

2. Catch a fish in muddled water 混水摸魚

3. Shedding the cicada's golden shell 金蟬脫殼

4. Shut the door to catch a thief 關門捉賊

5. Befriend a distant state while attacking a neighboring state 遠交近攻

6. Obtain safe passage to conquer the State of Guo 假道伐虢

Remove the firewood from under the boiling pot 釜底抽薪

Explanation

If one can't defeat the opposing force, then one has to remove the opposing force's multiplier. This is the image of a swamp below and a force on top.

If the enemy force is much stronger than yours, then you'll need to destroy the source of his force multiplier in order to even the odds.

The last statement, referencing the I Ching, indicates that the swamp is at the bottom because of a cyclical and regulated order. Its logical step is to move up.

Historical Context

During the Northern Song Dynasty, guards at Han Province rebelled by raiding and pillaging. They attempted to kill both the provincial governor and the military police commissioner, who were frightened and hid.

A local magistrate walked out and faced the rebelling troops. He declared, "You all have wives, parents and children. Why are you taking such a risk? Step aside if you want no part of it!"

Only eight people remained in the center, and they fled to the countryside. But soon they were captured and executed.

Remove the firewood from under the boiling pot 釜底抽薪

Modern Time

Technology: Through recon, a potential target company is found to have an array of defenses in layers that would make a frontal attack long, brutal, and obvious. What are their force multipliers? How do you reduce those layers? Do they have zero-day exploits?

Social Engineering: The company's InfoSec staff are well versed in blue-team defense such as incident detection, security analysis and forensic analysis. But let's focus on their staff: do they have any needs that are unmet by their company?

Befriend a Distant State, Attack a Nearby State 遠交近攻

Explanation

Location determines the degree of threat: profit from close reach, loss from distant reach. Fire at the top, swamp at the bottom.

"Location, location, location" is not just a real estate slogan but also a strategic factor. Maximum gain comes from a short campaign. Maximum loss comes from a long campaign. Therefore, to conserve forces, it is better to attack nearby than to commit troops afar. Not to mention the fact that it is better to attack one country than a group of countries.

Historical Context

During the Warring States Period, the Qin State adopted this stratagem as it began to eliminate the other countries. It made offers to distant states to isolate nearby states prior to invasion. Even if someone from the other six states saw through this stratagem, the distrust among them prevented any attempt to unite against the Qin State. In 221 BC, the Qin State united China after 254 years of warfare and became known as the Qin Dynasty.

Befriend a Distant State, Attack a Nearby State 遠交近攻

Modern Time

Technology: While it is true that the internet has made distance irrelevant as a factor, it is relevant in the aftermath of an attack. It is far harder to extradite a hacker from another state, especially if he is perceived to be a local favorite son.

Socially: Distance as a factor is interpreted as where InfoSec sits in a company's organizational hierarchy. While he may have influence and be able to enforce security on those around him, people further above and below might not be affected as much.

Proximate Stratagems 並戰計

How to reduce the opponent's advantages

Proximate Stratagems 並戰計

• Yang element of stratagems

you know exactly your own and your opponent's strengths

and/or

you have an advantage

• Even if you have an overwhelming force, how to further minimize your losses

Play defensively to conserve your strength

Play defensively to demoralize your opponent's forces

Summary of Proximate Stratagems

1. Replace the beams with rotten timbers 偷梁換柱

2. Point at the mulberry tree while cursing the locust tree 指桑罵槐

3. Feign madness in order to maintain sanity 假癡不癲

4. Remove the ladder after the enemy has ascended to the roof 上屋抽梯

5. Deck the tree with false blossoms 樹上開花

6. Switch from guest to host 反客為主

Replace Beams with Rotten Timbers 偷梁換柱

Explanation

Increase the frequency of changes to the opponent's forces in order to embed in and weaken his strongest force; wait until it collapses of its own accord, after which one is able to control it like directing the wheels of a moving cart.

In the age of outsourcing human and technical resources, there is a chance of inserting bugged talent and/or products. As these assets move around the company, this creates more opportunities to weaken the command-and-control structure until an outsider can gain administrator access.

Historical Context

Qin Shi Huang, the first emperor of historical China, had two sons. Though he favored the elder, he did not name him heir apparent because he thought he would live a long life.

When his sudden terminal illness came, Qin Shi Huang issued an imperial decree naming his elder son as the heir. He died soon after.

His death was kept secret by the Prime Minister, who favored the second son. The Head Eunuch, also of the pro-second-son faction, held the imperial decree and conspired with the Prime Minister.

Together, they redrafted the imperial decree to declare the second son the new emperor and forced the first son to commit suicide. Thus the fate of the Qin Dynasty was sealed.

Replace Beams with Rotten Timbers 偷梁換柱

Modern Time

Technology: Man in the Middle (MitM) is a popular hack that allows attackers to embed themselves in the target's communication system in order to gain control and cause misdirection. A keylogger is another variation of MitM.

Socially: Purchasing reputable third-party security software can eliminate or reduce the influence of MitM. But unlike software, consultants from a reputable third-party firm do not necessarily guarantee the same result. While over 99% of them are ethical and professional, it is the remaining few that can be disruptive.

Also, as the historical context has shown, a company's office politics can have an impact on its information security.

Deck the Tree with False Blossoms 樹上開花

Explanation

Use your surroundings to enhance your threat; even if your force is small, your threat will be magnified. As wild geese fly in formation, their feathers and formation swell.

A popular acronym in the computer world is FUD (fear, uncertainty, and doubt), used whenever one describes the emotion of dealing with the unknown. Use your opponents' emotions against them by immersing them in unfamiliar territory.

Historical Context

During the Three Kingdoms Period, Cao Cao attacked Jing Province upon hearing the news of its lord's passing. Liu Bei, who had sought refuge in Jing Province, immediately retreated further south when he got wind of the attack. But the people followed him and burdened his force.

When Cao Cao's army had almost caught up with them, Zhang Fei with thirty-some troops acted as Liu's rear guard.

Zhang Fei had his troops hide in the woods and cause a great commotion while he stood alone by the narrow bridge. Cao Cao's troops paused on the other side of the bridge when they saw Zhang Fei by himself but heard noises coming from the woods. Fearing an ambush, they waited, giving Liu Bei time to withdraw his force in safety.

Deck the Tree with False Blossoms 樹上開花

Modern Time

Technology: FUD is quite a common theme in the information world. Even the thought of switching to or supporting a different OS generates FUD among general users. It does not take much to generate hysteria among common users.

Socially: Stress from work, office politics, and the economy are the building blocks of FUD hysteria. Social media such as Twitter, 4chan, and Facebook can spread FUD like a virus in a congested community.

A modern equivalent is the false flag.

Desperate Stratagems 敗戰之計

Always have an exit strategy

Desperate Stratagems 敗戰之計

• Yin element of stratagems

you do not know your opponent's strengths

and/or

you are at a disadvantage

• How to win even when you are outnumbered

This is risky because if you lose, you'll lose big.

These stratagems are about how to get out of a confrontation and how to live to fight another day.

Summary of Desperate Stratagems

1. The beauty trap 美人計

2. The empty fort strategy 空城計

3. Turned agent strategy 反間計

4. Self-inflicted wound 苦肉計

5. Chain stratagems 連環計

6. Retreat 走為上策

Turned Agent Strategy 反間計

Explanation

Create doubt within doubts: using enemy spies against them is much more profitable than embedding our own against them.

This is the battle of social engineering in its highest form. Can you feed false information to your opponent through their agents? For a successful attack, recon of the target area is a necessity. The game here is how to recognize a recon and then feed it false data that leads to a honeypot or dead zone.

Historical Context

In the novel Romance of the Three Kingdoms, at the Battle of Red Cliff, Cao Cao had overwhelming force against both Liu Bei and Sun Quan. Although Cao's troops were unfamiliar with naval warfare, Cao had subjugated two new admirals to help train them for it. At the same time, he sent an agent over to persuade Zhou Yu to defect.

Zhou Yu recognized his old friend and realized that he was an agent of Cao. While pretending to listen to his old friend, he leaked false information that those two new admirals were agents of Sun. His friend quickly departed and informed Cao Cao of the news. In a fit of rage, Cao had the two admirals summarily beheaded. Only then did Cao Cao realize that he had been played.

Turned Agent Strategy 反間計

Modern Time

Technology: The technology isn't here yet, but it may be only a matter of time before someone develops a bot that fools another bot by disseminating false data.

Socially: A few companies have provided varied information to different key members. By reviewing the type of data leaked, they will know who the mole is.
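The "varied information to different key members" approach above, as an added example that is not from the slide deck: each recipient gets the same briefing with a different combination of synonym choices, and a leaked copy, even a retyped fragment, is matched back to the recipients whose variant is consistent with it. The recipient names, briefing text and synonym table are constructed for this example.

```python
"""Canary-trap document variants: each recipient gets the same briefing with a
different combination of harmless wording choices, so a leaked copy can be
traced back to whoever received it. Added example; recipients and the briefing
text are constructed, not taken from the slide deck."""
import math
import re

# Briefing template with numbered slots. Every slot alternative is a plain
# synonym, so no recipient receives different facts, only different wording.
TEMPLATE = (
    "The {0} inspection of the {1} is moved to the 14th. "
    "Please read the attached {2} {3} the meeting."
)
SLOTS = [
    ["quarterly", "periodic", "routine"],
    ["facility", "site", "premises"],
    ["summary", "overview", "brief"],
    ["prior to", "before", "ahead of"],
]

# Constructed recipient list; real use would take it from the distribution list.
RECIPIENTS = ["alice", "bob", "carol", "dave", "erin"]


def capacity():
    """Number of distinct variants the slot table can express."""
    return math.prod(len(alts) for alts in SLOTS)


def _digits(index):
    """Mixed-radix encoding of a recipient index, least significant slot first."""
    digits = []
    for alts in SLOTS:
        digits.append(index % len(alts))
        index //= len(alts)
    return tuple(digits)


def make_variants(recipients):
    """Return {recipient: unique text}. Raises if there are more recipients
    than the slot table can distinguish."""
    if len(recipients) > capacity():
        raise ValueError(f"only {capacity()} distinct variants available")
    variants = {}
    for index, name in enumerate(recipients):
        words = [SLOTS[i][d] for i, d in enumerate(_digits(index))]
        variants[name] = TEMPLATE.format(*words)
    return variants


def _observed_digits(leaked_text):
    """Recover the slot choices visible in a leaked (possibly partial, possibly
    retyped) copy. A slot that is missing or ambiguous becomes None."""
    text = re.sub(r"\s+", " ", leaked_text).lower()
    observed = []
    for alts in SLOTS:
        hits = [i for i, alt in enumerate(alts)
                if re.search(r"\b" + re.escape(alt) + r"\b", text)]
        observed.append(hits[0] if len(hits) == 1 else None)
    return observed


def identify_source(leaked_text, recipients):
    """Return every recipient whose variant is consistent with the leaked text.
    A complete copy narrows this to one name; a fragment yields a short list."""
    observed = _observed_digits(leaked_text)
    candidates = []
    for index, name in enumerate(recipients):
        digits = _digits(index)
        if all(o is None or o == digits[i] for i, o in enumerate(observed)):
            candidates.append(name)
    return candidates


if __name__ == "__main__":
    variants = make_variants(RECIPIENTS)
    # Constructed leak: dave's copy, retyped with different line breaks.
    leaked = variants["dave"].replace(". ", ".\n")
    print("full copy ->", identify_source(leaked, RECIPIENTS))
    # Constructed partial leak: only the opening clause surfaced.
    print("fragment  ->", identify_source("the periodic inspection of the", RECIPIENTS))
```

Because the slots encode the recipient index rather than a visible serial number, a leaker who strips headers or retypes the text still carries the identifying combination; a fragment narrows the source to the few recipients that share the visible choices.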

Self-inflicted Wound 苦肉計

Explanation

A person does not hurt himself, so if he is wounded, it is less likely to have been self-inflicted. Whether the wound is fake or real, it is now possible to carry out a plan. Even a man-child can get lucky when he follows this plan through.

This stratagem runs opposite to the saying "the enemy of my enemy is my friend". Whether through religion or culture, we in general do not believe in self-inflicted wounds and tend to believe it was someone else's doing. As such, we lower our guard toward the victim.

Historical Context

During the Spring and Autumn Period, the Lord of the Zheng State wanted to annex the Hu State. He first married his daughter off to the Lord of the Hu State. Then he executed the leader of the anti-Hu faction in his court. These acts lessened the guard the Hu State had against the Zheng State.

This allowed the Zheng State to lead a surprise attack against the Hu State and annex that dominion once and for all.

Self-inflicted Wound 苦肉計

Modern Time

Technology: Fake apps that claim to help prevent ransomware or Zeus malware. While such an app did remove other hackers' malware, it also introduced its own variant of ransomware or Zeus malware.

Socially: A variant of the Edward Snowden playbook could be a Chinese hacker fleeing Chinese government prosecution by confirming what the West had accused China of doing. By doing so, he seeks US government protection.

The hacker's family has been prosecuted and imprisoned. There was a successful attempt on the hacker's life. It has also caused a diplomatic low point between China and the US. While China is adamant about the return of this Chinese hacker, the CIA has confirmed that this individual brought over secrets that they wanted but were unable to take, and he is moved to a CIA safehouse.

A couple of days later, this Chinese hacker is found dead in the CIA safehouse. While the CIA investigates the cause of death, some sensitive CIA information is funneled to the Chinese counterpart.

Conclusion 結論

Currently, there are some stratagems which technology cannot duplicate yet. But it is just a matter of time before those bots learn to lie, cheat, and kill one another.

It is possible to narrow the thirty-six stratagems down to 5 to 6 archetypes of social engineering, which proves the following:

Stratagems should be simple enough to understand once you recognize the pattern.

Stratagems should be flexible enough to evolve with a changing environment.

Stratagems should be constant in their objective.

Conclusion 結論

• Some of the stratagems listed here are indeed both far-fetched and unworkable.

But when you begin to deal with threats from overseas, you have to think like your opponents.

• A good strategist hides his motive.

• A better strategist lets others know his next two moves.

• A great strategist lets others know his next four moves.