SE101: The Grey Man Concept: A must-have trait/ability for any Social Engineer
Disclaimer: Although this concept is generally referred to as the ‘Grey man,’ this can, of course, be applied to anyone of any age who needs to blend into a crowd/environment. This concept is not gender defined. No offence is meant or otherwise implied by using the ‘Grey man’ term during the article.
What exactly is Social Engineering?
Before we get into the "Grey Man" concept, we should start with what social engineering is.
At its core, social engineering uses psychological manipulation to trick individuals, or in the realm of cyber security, users into making decisions and judgement calls, to force lapses in security awareness/posture or to give away sensitive information.
Social engineering attacks can happen in standalone attack vectors or multiple steps, where the output of one attack vector is chained with another. A threat actor, in this case, the social engineer, first conducts open-sourced intelligence-gathering phases against the target organisation and individuals to gather relevant or necessary background information.
This could be physical or digital information, such as potential entry points and weak security protocols. From here, the social engineer would then move to build rapport and gain the trust of the intended target organisation or victim. Once this has been established, social engineering will commence a campaign which provides stimuli for subsequent actions designed to break security practices and policies, such as revealing sensitive information or granting access to critical resources or physical locations.
An Example Social Engineering Scenario
The author poses a scenario & question to the readers of the book “Social Engineering: The Science of Human Hacking” during the initial chapters of the book (P.31 to be exact), and it goes like this:
Imagine you have to infiltrate a client’ s building. To do so, you need to develop a pretext that allows you to gain entry easily. Your team is made up of a few different types of folks. If you determine that the best pretext for the job is janitorial staff, which of the following team members would be the best fit?
» 40-year-old white, blonde male/person
» 43-year-old Asian female/person
» 27-year-old Latino female/person
If you determine that your best pretext is intercompany kitchen work, which of the following team members would be the best fit?
» 40-year-old white, blonde male/person
» 43-year-old Asian female/person
» 27-year-old Latino female/person
The author goes on to answer and summarise the above scenario with the following answer:
The fact is, a skilled social engineer in any of the categories can make a go of it and succeed. But which one will lead to the least amount of thinking? Remember, thinking is the enemy of the social engineer. With that in mind, let’s get back to how I define social engineering:
Social engineering is any act that influences a person to take an action that may or may not be in his/her/their best interests
Note: Mr Hadnagy, in more recent years, has unfortunately come under scrutiny for his conduct and actions, resulting in a ban from DefCon and other security conferences. With this in mind, as well as it being public knowledge, I felt it was only right to point this out. The reference above focuses purely on dealing with a social engineering scenario and the mindset of a social engineer. It does not support, glorify or any other type/form of endorsement of Mr Hadnagy.
The Grey Man Concept
In this short write-up, I aim to cover a basic but crucially important trait of a social engineer. Namely, the art of being the "Grey Man" and how it is key/intrinsic to being a good social engineer. Hopefully, by the end of the write-up, you’ll be able to see why and how the “Grey Man” concept fits perfectly into the scenario above.
I rate the “Grey Man” concept as one of the most critical practices ahead of any physical security technical ability or the many gadgets available today to assist with covert physical security engagements.
Some of you may be familiar with the concept of 'The Grey Man'. Newer or aspiring social engineers may not. In short, this concept, in its simplest form, can be defined as:
"An individual who can blend in to any scene or situation without standing out, average and instantly forgettable, hiding their skills, qualities and or true purpose."
Various Intelligence communities have widely adopted the ‘Grey Man’ concept, covert law enforcement agencies and survivalist groups around the globe due to their particular mandate and requirements to move and remain unnoticed in society.
While social engineers do not need to employ the concept in the same manner as these groups, we can and should use the concept in our engagements. Doing so will better aid us in achieving our specific client engagement objectives, particularly after an initial breach.
So now we know what the “Grey Man” concept is, hopefully, the link to why this concept would be a highly desirable trait to social engineers is clear, but if not, I will expand on this further.
- Not Standing Out - by not standing out and therefore not drawing attention to yourself, as a social engineer, you will be able to move more quickly, easily and efficiently through the target area/building, etc., without creating an interest in your presence and thus avoiding unwanted attention.
- Concealing Your Intentions – In addition to not standing out, employing the concept will allow you to conceal better your actual intention for being on or at a target site, whether it be identifying security access controls, shift patterns, hours of business, physical site & employee reconnaissance, planting a remote access device etc. Blending in as a "Grey man" will aid you in achieving this.
If we, as social engineers, do not create a stimulus that will allow anyone to pick us out of a crowd and consequently home in on us, we are invisible to them for all intense purposes.
A social engineer who practices and employs being a "Grey man" moves around most people’s awareness without triggering any alarms.
Practical application of the "Grey Man" concept
Understanding the concept definition is not enough or the same as employing the core principle of ‘Blending in’.
Not all social engineering engagements are the same, meaning that engagement approaches and attack vectors will vary from client to client; however, there are various key components which we, as social engineers, can use as a baseline. I have broken these components down as follows:
Height
The height of an individual is something that no one has any control over and, as such, an element of being a "Grey man" that we have little control over.
The most effective "Grey man" will be or will fall within average height and weight ranges to better blend in. They will have no noticeable physical features that draw attention, with a passive, unassuming demeanour.
Weight to height is also important. The key is to look as average as possible to avoid standing out. This is not to say that any social engineers who find themselves outside of society's accepted norms would be less effective; it mainly means that these individuals will have to plan and consider their movements and actions more closely as they stand out just that little bit more in a crowd.
Whilst physical ability isn’t intrinsically linked to the ‘Grey Man’ concept, it directly impacts an individual’s ability to covertly follow, move at speed over distance and extricate themselves from a given situation at speed should the need arise.
Clothing/Dress
Picking and choosing clothing is an element within the social engineer’s control. This will normally vary per engagement and depends significantly on the location where you will be working.
Whilst times have, and continue to, change, the type of location and/or clients we will conduct engagements for will and can have multiple dress codes, and these could be in effect on different days throughout the working week. Even companies that do not enforce the dress code have inadvertently specified a dress code. It is important to know and understand your client’s environment! For example, you may need to carry a change of clothes in a backpack or bag due to movement to and from certain areas.
For example, the London financial or business districts' acceptable dress code is, at a minimum, a formal shirt, open collar, trousers, and shoes. Arriving at your client site at this location in jeans, trainers, and a t-shirt would instantly highlight you as an individual, making you stand out, i.e., NOT BLENDING IN!
This also works in reverse; arriving at an industrial, commercial or Data centre type location in a suit or formal attire, when the dress code is a more relaxed and casual affair, would also highlight you and draw attention again, NOT BLENDING IN!
Mostly, natural and neutral colours work best: Browns and Greys. Although this is not a hard and fast rule, your work environment very much dictates it—nothing to create a memory like a T-shirt with a saying or photos or brightly coloured footwear. The Style of clothing and footwear tends to be very conservative, readily available, and mass-produced. Nothing showing skin, nothing too fashionable, nothing too out of fashion. Ordinary is the keyword here.
Though a word of caution regarding clothing/dress when working in a group or team SE scenario. Coming from a military background and dealing with various agencies and law enforcement during that time, most people would gravitate towards a certain clothing theme. Whilst this cannot be helped, some forethought and care should be taken to ensure that each of the team members does not look the same, i.e., one-person blue jeans and a black top is fine; however, three or more wearing the same clothing will stand out and draw attention, especially if working within the same area of operation. This will increase awareness and stimuli within the target area or location.
Idiosyncrasy/Mannerisms
As the whole premise of the ‘Grey man’ concept is tailored and designed not to attract attention and blend in, any individual's overt natural and everyday idiosyncrasies or mannerisms must be small and discreet or suppressed while on target.
For example, I articulate a lot with hand movements and sweeping gestures. Whilst this is fine for normal day-to-day activities, whilst working on social engineering or physical access engagements, I have to work hard to hide and suppress these mannerisms, as they can be eye-catching and, therefore draw unwanted attention. Seeing someone point or wave hands about always draws people's eye line, which draws curiosity as to what that person is doing!
Social engineers should aim to withdraw from an energetic perspective. Experience in a broad spectrum of social, work and life situations allows you to gauge when to project confidence and when not to, when to look around and when not when to be passive and avoid eye contact.
Situational Awareness/Movement
Coming from a military background, a key element of camouflage or from a social engineering perspective is learning to match your movement to the environmental baseline. Whether it is a city, countryside, urban, industrialised or business location, they all have a baseline for movement.
Spend any time in a city; you will notice that one part of it will have a look and feel which will differ from another area of the city. This is what I mean by the term baseline. It refers to the sound, motion, and activity level of the given area in an everyday situation. The speed at which people move, how they gesture, and the volume and rate they speak. All these elements and many more make up the baseline. You can learn and will get a feel for the baseline for a given by sitting somewhere and watching and listening. Open, populated places, such as coffee shops, shops, and communal outdoor areas, are great for this.
Matching the baseline is probably the most important element of personal camouflage or blending in. Applying what you’ve learnt from your observations and imitating behaviours and movements that replicate those of the area you are engaging in will hide you better than just about anything else.
Improving your ‘Grey man’ capability and effectiveness
Improving your ‘Grey man’ capability and effectiveness is an ongoing pursuit. In society, people’s perceptiveness changes daily; what triggers one person may not trigger another and vice-versa.
Watching, listening, and making mental notes is key! Observe the way people dress and act as you go about your typical day, looking to identify the following:
- What stands out?
- What makes various people noticeable?
- What did you notice about your environment?
- Look for the ‘norms’
- Perceiving situations
Take notes and practice! The more you practice becoming a ‘Grey man’, the more it can and will help you hone in on the objects and behaviours that draw attention and help you limit your exposure while on an engagement.
Combining the information outlined above and practising the three key controllable components listed above will put you well on your way to being able to ‘disappear’ into any crowd and increase your chances of conducting all aspects of your social engineering and/or physical access engagement.
The ‘Grey man’ concept take away point.
The ‘Grey man’ is the person who moves around the periphery of your target's awareness without creating any stimulus, which ultimately generates interest or curiosity. Successfully doing so makes that person invisible for all practical purposes. Being invisible and unmemorable, along with the ability to plan and react on when a given situation does not play out as planned, is key to social engineering engagements; it will significantly reduce the risk of the engagement being compromised and shut down.
Thanks for reading.