
Elicitation: the polite and courteous technique of stealing sensitive information

It's no use looking in the dictionary: the concept of elicitation in the context of information security is still relatively new, even in Brazil. Any dictionary defines elicit as "to extract, to bring out; to obtain; to trigger, to provoke; to deduce; to discover; to clarify", but, let's face it, it is a little hard to grasp the idea with just this definition. 

Within the area of information security, elicitation refers to the technique of extracting sensitive or privileged information from someone using a conversation that, a priori, seems to be just a polite and affable chat. The dialog can play out online or over the phone, though a skilled social engineer will always prefer a face-to-face, eye-to-eye dialog to be more incisive.

The attack is so worrying that the United States Federal Bureau of Investigation (FBI) has developed a primer to warn private or public organizations of the risk. Elicitation techniques can even be used to obtain industrial secrets and spy on the military plans or projects of a rival foreign nation.

A compromising conversation

Imagine you are at a co-working site, for example, and you’re suddenly approached by someone with impeccable manners. They introduce themselves as a recently hired employee who hasn’t got around to meeting their fellow staff members. They then politely ask you to help them get acquainted with the environment. 

The conversation seems to flow smoothly, and before you know it you’re answering an array of seemingly innocent questions: Where is the boardroom? How many people sit on the board? Are all the areas equipped with cameras? By providing this information, you may unwittingly be giving away crucial data that could be used to scam the company.

And that’s exactly how the elicitation technique works: The victim hardly notices that information is being extracted and voluntarily provides restricted intelligence.

This is because elicitation is social engineering at its most refined: the conversation flows so naturally that some seemingly harmless questions and comments are, in fact, highly valuable to an attacker. Criminals will use persuasion techniques and maintain an engaging dialog, gaining your trust by being polite, helpful, and, above all, an attentive listener. A social engineer will flatter you, ask for your help with something, ask for your opinion on some topic, and discuss an issue just to get your side of the facts.

According to the FBI, several techniques are used during an elicitation session. Here are a few:

  • Assumed knowledge: creating empathy by pretending to possess certain knowledge in common with the target.

  • Confidential baiting: pretending to share secret information in the hope of receiving a secret in return.

  • Denial of the obvious: purposely saying something wrong so that the victim will correct you with real secret information.

You’ve probably used it!

While these scenarios may sound like the crazy stuff of Hollywood films, chances are that you’ve used elicitation techniques – even if only with good reason! 

For example, when preparing a surprise party for someone, elicitation strategies are common to extract specific information from the birthday person. You ask seemingly innocent questions and stage random conversations to find out what the person likes to eat, what gift they’d love, and what their schedule looks like for the celebration itself.

Avoiding the use of elicitation to extract information can be tough, but try to train your critical thinking not to answer any question without first considering the consequences. If you think you’re being scammed, discourage the attacker by ignoring highly specific questioning, answering a question with another question, offering generic answers, or simply saying that you do not know or cannot discuss the topic at hand.


Article originally written in Portuguese by Perallis Security Content Team: Elicitação: a técnica cavalheiresca de roubar informações sigilosas — Perallis Security