Thirty-Six Stratagems of Social Engineering, Part I
三十六社交工程計,上
On Stratagems
• Stratagems have been around since the age of city-states.
• They were primarily used during wars in ancient times.
• They expanded into politics throughout the imperial era.
• They broadened into commerce during the mercantile period.
• And now, in the millennium of the information age, they are rebranding themselves as social engineering, designed to fool the hearts and minds of the populace.
謀略 · 戦略 · 전략
On Thirty-Six Stratagems
• Stratagems were used and recorded before the time of Spring and Autumn (771-476 BC).
• Tan Daoji, a Liu Song Dynasty general (d. 436 AD), organized, codified and wrote them down as the Thirty-Six Stratagems.
  ◦ The title itself is a reference to the I Ching, where six is associated with Yin, which represents the hidden and intrigue. Thirty-six is the square of six, which signifies numerous and interchanging schemes.
• Its counterpart was a book called Strategemata, written by Sextus Julius Frontinus, a 1st-century Roman senator who was famous for his dealings with aqueducts.
  ◦ Unfortunately, that book was lost.
三十六計
Why Thirty-Six Social Engineering Stratagems?
• As organizations and nation-states strengthen the software and network aspects of their cyber defenses, attackers have to look for other ways to access data.
• Cyber attacks, like all forms of warfare, are ever escalating. In 2003, phishing introduced the art of social engineering into the information security world. An email that informed users of their password expiration opened up a new battlefront.
• A more sophisticated and escalated data breach will require a master plan: numerous stratagems are hatched to deal with various scenarios, and vast numbers of bots provide ample firepower.
• An objective of this slide deck is to provide food for thought to InfoSec Pros (information security professionals) so that they can recognize patterns and, hopefully, come up with means to deal with them.
社交工程
Requirements for Successful Stratagems (1/3)
1. Understand opponent’s nature
  ◦ Social media
  ◦ News outlets
  ◦ Employees / Friends / Haters
2. Understand opponent’s tactics/skills
  ◦ News outlets
  ◦ Conventions
  ◦ Webinars
3. Understand the situation at hand (comparison of advantages/disadvantages)
  ◦ Know your opponent like yourself in order to neutralize their advantages and shore up your disadvantages
Requirements for Successful Stratagems (2/3)
4. Reconnaissance
  ◦ Know your entry and exit points
5. Be highly alert in an unusual situation
  ◦ Are you being played? (See below)
6. Expose weakness to entice opponent
  ◦ Useful if your opponent is aggressive or hubristic
  ◦ Lower opponent’s guard
  ◦ Let opponent know your goals or methods
Requirements for Successful Stratagems (3/3)
7. Hidden motives and goals
  ◦ Why make it easy for opponents?
  ◦ Maintain initiative
  ◦ Allow room for maneuver
8. At a crucial time, strike at their blind side in order to maintain advantages
  ◦ Their greatest triumph could also be their greatest weakness.
  ◦ This can apply to you just as well.
How This Slide Is Presented
• The Thirty-Six Stratagems are divided into 6 chapters.
• Each chapter contains six stratagems.
• This slide deck lists all thirty-six stratagems but focuses on only two stratagems per chapter.
Winning Stratagems
勝戰之計
How to use your enemy to your advantage
Winning Stratagems
勝戰之計
• Yang element of stratagems
  ◦ you know exactly your own and your opponent’s strengths
  and/or
  ◦ you have an advantage
• The military talks about utilizing force multipliers; here, stratagems are about force dividers.
  ◦ Force dividers are used on your opponent’s forces.
  ◦ It is about using the least amount of resources to achieve the greatest number of wins.
List of Winning Stratagems
1. Deceiving heavens, crossing oceans 瞞天過海
2. Besiege Wei, rescue Zhao 圍魏救趙
3. Murder with a borrowed knife 借刀殺人
4. Leisurely wait on laboring enemy 以逸代勞
5. Loot a burning house 趁火打劫
6. Sounding East, Striking West 聲東擊西
Besiege Wei, rescue Zhao
圍魏救趙
Explanation
It is better to face a divided opponent than a concentrated opponent; it’s better to fight through subtlety than head-to-head.
The objective is to force the opponent to lose control of the situation and the initiative.
Historical Context
Sun Bin, a military strategist of Qi State during the Chinese Warring States Period, was ordered to rescue an ally, Zhao State, from the hegemon, Wei State.
Rather than face an enemy with superior force and advantages, he attacked Wei’s capital. There, he had no problem defeating the defending army and laying siege. The King of Wei recalled his general, who was on the verge of conquering Zhao, to return immediately. By the time that general returned to Wei’s capital, Sun Bin had already returned home, and Zhao State was saved.
Besiege Wei, rescue Zhao
圍魏救趙
Modern Time
The objective is to knock the InfoSec Pro off what he was doing and have him focus on something else. This forces him to redirect his efforts and incurs a loss of time and energy.
Modern Scenario
Works best against a command-and-control or highly politicized structure where the CISO or ISO manager micromanages his staff to the extent that they can’t act without his say-so.
The game plan is to create alternate attacks that target the CEO or C-level management. This would work only if there is an inside man or you’re certain that C-level machines are compromised.
Leisurely Wait on Laboring Enemies
以逸代勞
Explanation
Force your opponents into adverse situations that sap their strength and exhaust their spirits. Then attack them with your fresh force.
It is never a good idea to confront foes whose energy and morale are high. It is better to exhaust them while maintaining your own high energy and morale.
Historical Context
During the Warring States Period, Qin State launched an invasion against Chu State that was led by a young general. After a series of wins, he became overconfident and fell into an ambush that destroyed his force and sent him retreating all the way back to Qin.
In response, Qin State sent an elder general who stopped at the border of Qin and Chu and built up his defenses. While Chu troops wanted a quick, decisive battle, Qin troops hid behind their fortress. When the Chu force exhausted its supplies and withdrew, Qin troops attacked from behind and annihilated them. Chu State was eliminated soon after.
Leisurely Wait on Strained Enemies
以逸代勞
Modern Time
This stratagem supports the idea of taking control of the situation from the InfoSec Pro. This is done by exhausting him to the point of making a wrong call, an oversight, an overreaction, an overreach, etc.
While direct confrontation (against an active opponent) is exciting and generates much buzz, it also drains and ties up both resources (even if those resources are hijacked) and time.
Modern Scenario
A series of false positives at various sources and locations can require the InfoSec Pro’s immediate attention.
Or, as in the historical context, pose an imminent threat that he can see coming and have him wait. However, in this case, with modern technology, the InfoSec Pro can afford and does welcome the wait, as this allows him to shore up his defenses as well.
Enemy Dealing Stratagems
敵戰之計
How to encounter enemies
Enemy Dealing Stratagems
敵戰之計
• Yin element of stratagems
  ◦ you do not know your opponent’s strengths
  and/or
  ◦ you are at a disadvantage
• Initial contact with the opposing force
  ◦ Probing attacks/recon
  ◦ Verify how opponents respond before and after an attack
List of Enemy Dealing Stratagems
1. Create something from nothing 無中生有
2. Openly repairing the road, sneaking through the back 明修棧道,暗渡陳倉
3. Watch fires burn, across the river 隔岸觀火
4. Hiding a knife behind a smile 笑裡藏刀
5. Sacrifice a plum, preserve a peach 李代桃僵
6. Take an opportunity to pilfer a goat 順手牽羊
Watch fires burn, across the river
隔岸觀火
Explanation
When there is a conflict within the enemy camp and chaos ensues, it is best to sit back and watch. Wait until their internal conflicts deepen, which deepens the hatred among them. It will turn into violence, and in its aftermath the enemy will be much weakened. Then it is time to act.
Historical Context
During the Three Kingdoms period, Cao Cao had defeated Yuan Shao, who soon passed away without naming an heir. Through political maneuvering, the youngest son became the lord, which undoubtedly caused resentment among the other two.
When Cao Cao attacked again, his force was repelled by a united Yuan front. On advice from his staff, Cao Cao waited. Soon, the sons bickered among themselves and split into factions. The next time Cao Cao attacked, his opponents were much weaker and he was able to eliminate the Yuan faction altogether.
Watch fires burn, from the river
隔岸觀火
Modern Time
In most companies, there exists an uneasy tension between the InfoSec Pro and Network, the InfoSec Pro and IT, or the InfoSec Pro and the rest of the employees. In most instances, the InfoSec Pro has to play the bad guy by saying no to things that used to be taken for granted.
Attackers can exploit such tension and cause it to erupt into actual office-politics casualties. No matter who wins or loses, office morale will always decrease, and this presents an ideal time to strike.
Modern Scenario
After a successful attack against a highly politicized work environment, send a city-wide email thanking the InfoSec Pro for making it happen.
Even if it does not immediately become the spark for an employee review, the seed of doubt is planted.
Take an opportunity to pilfer a goat
順手牽羊
Explanation
When one sees a stray sheep in the open, he is tempted to shepherd it home. So it is with taking an opportunity when it presents itself: no matter how small it is, it will lead to something bigger.
Alternatively, take advantage of someone’s opportunistic nature to cause great harm.
Historical Context
During the Spring & Autumn Period, a Qi minister helped a prince become Lord of Qi State. But the new Qi Lord was lecherous and soon had numerous affairs with the minister’s wife. Eventually, the minister found out.
Under the pretext of being ill, he was unable to attend to his duties. When the lord heard, he went to the minister’s home under the pretense of inquiring after the minister’s health. Instead, he went to the wife’s chamber. After she excused herself, the lord was trapped and soon killed.
Take a sheep on the way out
順手牽羊
Modern Time
This is one of the most commonly used social engineering techniques in modern times. Under the guise of “free”, people will download anything and everything to take advantage of it.
Another variation is to give away free USB drives, micro-SD cards, or Thunderbolt drives to prospective clients.
Attacking Stratagems
攻戰之計
How to attack
Attacking Stratagems
攻戰之計
• Yang element of stratagems
  ◦ you know exactly your own and your opponent’s strengths
  and/or
  ◦ you have an advantage
• Frontal attacks when they know you are coming
  ◦ How to get around their defenses
  ◦ How to direct your maximum force against their weakest point.
Summary of Attacking
1. Stomping grass, scaring snake 打草驚蛇
2. Borrow a corpse to resurrect a soul 借屍還魂
3. Entice the tiger to leave its mountain 調虎離山
4. Capture through Release 欲擒故縱
5. Trading a brick for a jade 拋磚引玉
6. Defeat enemy through their chief 擒賊擒王
Borrow a corpse to resurrect a soul
借屍還魂
Explanation
Something useful shouldn’t be loaned; something not useful should be borrowed; use only borrowed useless things. It is not I who seek out the child, but the child who seeks me out.
Even if you have overwhelming force, never display or use it unless absolutely necessary. By remaining hidden, it creates doubt and uncertainty in your enemies, who wonder where you will strike. Rather, use something insignificant and borrowed; it draws off attention and allows you to increase your sphere of influence.
Historical Context
During the Three Kingdoms period, Liu Bei sought sanctuary with a fellow kinsman and lord. While the lord agreed, his two loyal ministers were worried: Liu Bei was infamous for bringing downfall to those who helped him. They decided to assassinate Liu Bei, but their plan was leaked.
When they arrived at Liu Bei’s camp, they were welcomed and a festival was held in honor of the upcoming alliance. In the middle of the celebration, Liu Bei confided to the two assassins that he had a secret military plan to share with them. When they came to his tent, Liu Bei’s troops seized and searched them and found hidden daggers.
The assassins were beheaded, and Liu Bei announced to the accompanying troops that he feared for their lord’s safety and asked them to return. The troops were followed by Liu Bei’s force. At the city gate, guards recognized the returning troops and opened the gate. Liu Bei’s force rushed in. The coup was complete.
Borrow a corpse to resurrect a soul
借屍還魂
Modern Time
Technology-wise, this can be associated with Trojan and zombie malware.
In social engineering, this often refers to identity theft.
Modern Scenario
Capture through Release
欲擒故縱
Explanation
They fight when cornered and flee when weakened; give chase but do not strain; exhaust their energy and drain their spirits; then capture them through dispersal. Troops do not need to bloody their blades.
Troops will fight to the death when they have nothing to lose. Between fleeing for their lives and fighting to the death, they will choose to live. Low morale is infectious, and the longer it germinates, the more damage it can cause. With low morale, tired and exhausted, they would rather give up than keep on fighting.
Historical Context
In the novel Romance of the Three Kingdoms, before Zhuge Liang could carry the war to Wei State, he had to pacify his southern front, where a local lord, Meng Huo, had rebelled after the death of Liu Bei.
Zhuge Liang captured Meng Huo seven times, but each time he chose to let the rebel leader go because he wanted to break the rebels’ spirit. Despite being released, his newfound insights weren’t accepted by his allies, who thought of him as a loser. By the seventh capture, Meng Huo knew Zhuge Liang was indeed a master strategist and submitted.
Capture through Release
欲擒故縱
Modern Time
A modern equivalent is the man-in-the-middle attack. This allows attackers to continue gathering more information by releasing captured data/transactions.
In social engineering, Capture through Release is like tagging a target. That target becomes the carrier. Through him, the company’s internal systems can be compromised, the company’s incident response can be revealed, and the company’s key individuals can be identified.
Modern Scenario
Chaos Stratagems
混戰之計
How to create confusion
Chaos Stratagems
混戰之計
• Yin element of stratagems
  ◦ you do not know your opponent’s strengths
  and/or
  ◦ you are at a disadvantage
• When an attack becomes a stalemate or attrition
  ◦ How to deal with the defense-in-layers concept
  ◦ How to fight them individually without being ganged up on.
Summary of Chaos
1. Remove firewood from boiling pot 釜底抽薪
2. Catch a fish through muddled water 混水摸魚
3. Shedding cicada’s golden shell 金蟬脫殼
4. Shut the door to catch a thief 關門捉賊
5. Befriend a distant state while attacking a neighboring state 遠交近攻
6. Obtain safe passage to conquer the State of Guo 假道伐虢
Remove firewood from boiling pot
釜底抽薪
Explanation
If one can’t defeat the opposing force, then one has to remove the opposing force’s multiplier.
’Tis the image of a swamp below and force on top.
If the enemy force is much stronger than yours, then you’ll need to destroy the source of his force multiplier in order to even the odds.
The last statement, a reference to the I Ching, indicates that the swamp is at the bottom because of a cyclical and regulated order. Its logical step is to move up.
Historical Context
During the Northern Song Dynasty, guards at Han Province rebelled by raiding and pillaging. They attempted to kill both the provincial governor and the military police commissioner, who were frightened and hid.
A local magistrate walked out and faced the rebelling troops. He declared, “You all have wives, parents and children. Why are you taking such a risk? Step aside if you want no part of it!”
Only eight people remained in the center, and they fled to the countryside. But soon they were captured and executed.
Remove firewood from boiling pot
釜底抽薪
Modern Time
Technology: Recon shows that a potential target company has an array of defenses in layers that would make a frontal attack long, brutal, and obvious. What are their force multipliers? How do you reduce those layers? Do they have zero-day exploits?
Social Engineering: The company’s InfoSec staff are well versed in blue team defense such as incident detection, security analysis and forensic analysis. But let’s focus on their staff: do they have any needs that are unmet by their company?
Befriend a Distant State,
Attack a Nearby State
Explanation
Location determines the degree of threat: profit comes from a close reach; loss comes from a distant reach.
Fire at top, swamp at bottom.
“Location, location, location” is not just a real estate slogan but also a strategic factor. Maximum gain comes from a short campaign. Maximum loss comes from a long campaign. Therefore, to conserve forces, it is better to attack nearby than to commit troops afar. Not to mention that it is better to attack one country than a group of countries.
Historical Context
During the Warring States Period, Qin State adopted this stratagem as it began to eliminate other countries. It made offers to distant states to isolate nearby states prior to invasion. Even if someone from the other 6 states saw through this stratagem, the distrust among them prevented any attempt to unite against Qin State. In 221 BC, Qin State united China after 254 years of warfare and became known as the Qin Dynasty.
遠交近攻
Befriend a Distant State,
Attack a Nearby State
Modern Time
Technology: While it is true that the internet has made distance irrelevant as a factor, it is relevant during the aftermath of an attack. It is far harder to extradite a hacker to another state, especially if he is perceived to be a local favorite son.
Socially: Distance as a factor is interpreted as where InfoSec sits in a company’s organizational hierarchy. While he may have influence and be able to enforce security on those around him, people further above and below might not be affected as much.
遠交近攻
Proximate Stratagems
並戰計
How to reduce opponent’s advantages
Proximate Stratagems
並戰計
• Yang element of stratagems
  ◦ you know exactly your own and your opponent’s strengths
  and/or
  ◦ you have an advantage
• Even if you have an overwhelming force, how to further minimize your losses.
  ◦ Play defensively to conserve your strength
  ◦ Play defensively to demoralize your opponent’s forces
Summary of Proximate
1. Replace beams with rotten timbers 偷梁換柱
2. Pointing at the mulberry tree while cursing the locust tree 指桑罵槐
3. Feign madness in order to maintain sanity 假癡不癲
4. Remove ladder after an enemy ascended the roof 上屋抽梯
5. Deck the tree with false blossoms 樹上開花
6. Switch from guest to host 反客為主
Replace Beams with Rotten Timbers
偷梁換柱
Explanation
Increase the frequency of changes in the opponent’s forces in order to embed in and weaken his strongest force; wait until it collapses on its own, after which one is able to control it like directing the wheels of a moving cart.
In the age of outsourcing human and technical resources, there is a chance of inserting bugged talent and/or products. As these assets move around the company, this creates more opportunities to weaken the command-and-control structure until an outsider can gain administrator access.
Historical Context
Qin Shi Huang, the first emperor of historical China, had two sons. Though he favored the elder, he did not name him his heir apparent because he thought he would live a long life. When his sudden terminal illness came, Qin Shi Huang issued an imperial decree naming his elder son as the heir. He died soon after.
His death was kept secret by the Prime Minister, who favored the second son. The Head Eunuch, also of the pro-second-son faction, held the imperial decree, and he conspired with the Prime Minister.
Together, they redrafted the imperial decree to declare the second son the new emperor and forced the first son to commit suicide. Thus the fate of the Qin Dynasty was sealed.
Replace Beams with Rotten Timbers
偷梁換柱
Modern Time
Technology: Man in the Middle (MitM) is a popular hack that allows attackers to embed themselves in a target’s communication system in order to gain control and cause misdirection. A keylogger is another variation of MitM.
Socially: Purchasing reputable third-party security software can eliminate and reduce the influence of MitM. But unlike software, consultants from a reputable third-party firm do not necessarily guarantee the same result. While over 99% of them are ethical and professional, it is the remaining few that can be disruptive.
Also, as the historical context has shown, a company’s office politics can have an impact on its information security.
Deck the Tree with False Blossoms
樹上開花
Explanation
Use your surroundings to enhance your threat; even if your force is small, your threat will be magnified. As wild geese fly in formation, their feathers and formation swell.
A popular acronym in the computer world is FUD (fear, uncertainty, and doubt), which is used whenever one describes the emotion of dealing with the unknown. Use your opponents’ emotions against them by immersing them in unfamiliar territory.
Historical Context
During the Three Kingdoms Period, Cao Cao attacked Jing Province upon hearing the news of its lord’s passing. Liu Bei had sought refuge in Jing Province and immediately retreated further south when he got wind of the attack. But people followed him and burdened his force.
When Cao Cao’s army had almost caught up to them, Zhang Fei, with thirty-some troops, acted as Liu’s rear guard.
Zhang Fei had his troops hide in the woods and cause a great commotion while he stood by the narrow bridge. Cao Cao’s troops paused at the other side of the bridge when they saw Zhang Fei by himself but heard noises coming from the woods. Fearing an ambush, they waited until Liu Bei was able to withdraw his force in safety.
Deck the Tree with False Blossoms
樹上開花
Modern Time
Technology: FUD is quite a common theme in the information world. Even the thought of switching to or supporting a different OS would generate such FUD among general users. It will not take much to generate hysteria among common users.
Socially: Stress from work, office politics, and the economy are building blocks of FUD hysteria. Social media such as Twitter, 4chan, and Facebook can spread FUD like a virus in a congested community.
A modern equivalent is the False Flag.
Desperate Stratagems
敗戰之計
Always have an exit strategy
Desperate Stratagems
敗戰之計
• Yin element of stratagems
  ◦ you do not know your opponent’s strengths
  and/or
  ◦ you are at a disadvantage
• How to win even when you are outnumbered
  ◦ This is risky because if you lose, you’ll lose big.
  ◦ These stratagems are about how to get out of a confrontation and how to live to fight another day.
Summary of Desperation
1. The Beauty Trap 美人計
2. The Empty Fort Strategy 空城計
3. Turned Agent Strategy 反間計
4. Self-inflicted Wound 苦肉計
5. Chain Stratagems 連環計
6. Retreat 走為上策
Turned Agent Strategy
反間計
Explanation
Create doubt within doubts; using enemy spies against them is much more profitable than embedding our own among them.
This is the social engineering battle in its highest form. Can you feed false information to your opponent through their agents? For a successful attack, a recon of the target area is a necessity. The game here is how to recognize a recon and then feed it false data that leads it to a honeypot or dead zone.
Historical Context
In the novel Romance of the Three Kingdoms, at the Battle of Red Cliff, Cao Cao had overwhelming force against both Liu Bei and Sun Quan. Although Cao’s troops were unfamiliar with naval warfare, Cao had subjugated two new admirals to help train them for it. At the same time, he sent an agent over to persuade Zhou Yu to defect.
Zhou Yu recognized his old friend and realized that he was an agent of Cao. While pretending to listen to his old friend, he leaked false information that those two new admirals were agents of Sun. His friend quickly departed and informed Cao Cao of the news. In a fit of rage, Cao Cao had those two admirals summarily beheaded. Only then did Cao Cao realize that he had been played.
Turned Agent Strategy
反間計
Modern Time
Technology: The technology isn’t here yet, but it may be a matter of time before someone develops a bot that will fool another bot by disseminating false data.
Socially: Few companies have provided varied information to different key members; by reviewing the type of data leaked, they will know who the mole is.
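Giving varied information to different members and reading the leak back to its source is commonly called a canary trap. The sketch below is an added example, not part of the original slides: the memo text, recipient names, key and function names are all constructed for illustration.

```python
"""Canary-trap sketch: give each recipient a uniquely worded copy, then
attribute a leaked excerpt to the copy (or copies) it is consistent with."""
import hashlib
import hmac
import re

# Constructed memo. Each slot has two interchangeable wordings (bit 0, bit 1).
TEMPLATE = ("The {0} of the billing platform is {1} for the third quarter. "
            "Vendor access will be {2} during the cut-over weekend, and the {3} "
            "database stays read-only until the {4} signs off.")
SLOTS = [("migration", "relocation"), ("scheduled", "planned"),
         ("suspended", "disabled"), ("legacy", "previous"),
         ("steering committee", "project board")]


def _code(secret: bytes, recipient: str, counter: int) -> tuple:
    """Derive one bit per slot from HMAC-SHA256(secret, recipient|counter)."""
    msg = f"{recipient}|{counter}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return tuple((digest[i // 8] >> (i % 8)) & 1 for i in range(len(SLOTS)))


def assign_codes(secret: bytes, recipients: list) -> dict:
    """Map each recipient to a unique bit pattern; re-derive on collision."""
    names = sorted(set(recipients))
    if len(names) > 2 ** len(SLOTS):
        raise ValueError("more recipients than distinct wordings")
    codes, used = {}, set()
    for name in names:
        counter = 0
        while (code := _code(secret, name, counter)) in used:
            counter += 1          # two copies must never read the same
        used.add(code)
        codes[name] = code
    return codes


def render(code: tuple) -> str:
    """Produce the copy of the memo that carries this bit pattern."""
    return TEMPLATE.format(*(SLOTS[i][bit] for i, bit in enumerate(code)))


def observe(leak: str) -> dict:
    """Return {slot index: bit} for each slot whose wording is unambiguous."""
    seen = {}
    for i, variants in enumerate(SLOTS):
        hits = [bit for bit, word in enumerate(variants)
                if re.search(rf"\b{re.escape(word)}\b", leak, re.IGNORECASE)]
        if len(hits) == 1:        # both wordings present: spliced copies, skip
            seen[i] = hits[0]
    return seen


def attribute(leak: str, codes: dict) -> list:
    """Recipients whose copy agrees with every slot visible in the leak.
    A partial excerpt narrows the list; it may not reduce it to one name."""
    seen = observe(leak)
    return sorted(name for name, code in codes.items()
                  if all(code[i] == bit for i, bit in seen.items()))


if __name__ == "__main__":
    secret = b"constructed-demo-key"             # held by the investigators only
    staff = ["alice", "bob", "carol", "dave"]    # constructed names
    codes = assign_codes(secret, staff)
    leaked = render(codes["carol"]).split(". ")[1]   # only the second sentence leaks
    print("visible slots:", observe(leaked))
    print("consistent with:", attribute(leaked, codes))
```

With five two-way slots there are only 32 distinct copies, so a short excerpt often leaves several candidates; more slots, or slots spread through every paragraph, tighten the attribution.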
Self-inflicted Wound
苦肉計
Explanation
A person does not hurt himself, and if he is wounded, it is unlikely to have been caused by self-injury. Whether it’s fake or real, or real or fake, it is now possible to carry out a plan. Even a man-child can get lucky when following this plan through.
This strategy goes opposite to the saying, “the enemy of my enemy is my friend”. Whether through religion or culture, we, in general, do not believe in self-inflicted wounds and tend to believe that it is someone else’s doing. As such, we lower our guard toward the victim.
Historical Context
During the Spring and Autumn Period, the Lord of Zheng State wanted to annex Hu State. He first married off his daughter to the Lord of Hu State. He executed the leader of the anti-Hu State faction in his court. These acts lessened the guard Hu State had against Zheng State.
This allowed Zheng State to lead a surprise attack against Hu State and annex that dominion once and for all.
Self-inflicted Wound
苦肉計
Modern Time
Technology: Fake apps that claim to help prevent ransomware or Zeus malware. While such an app does remove other hackers’ malware, it also introduces its own variant of ransomware or Zeus malware.
Modern Time
Socially: A variant of the Edward Snowden playbook could be a Chinese hacker fleeing the Chinese government’s prosecution by confirming what the West has accused China of doing. By doing so, he seeks US government protection.
The hacker’s family has been prosecuted and imprisoned. There was a successful attempt on the hacker’s life. It has also caused a diplomatic low point between China and the US. While China is adamant about the return of this Chinese hacker, the CIA has confirmed that this individual brought over secrets that they wanted but were unable to take. He is moved to a CIA safehouse.
A couple of days later, this Chinese hacker is found dead in the CIA safehouse. While the CIA investigates the cause of death, some sensitive CIA information is funneled to its Chinese counterpart.
Conclusion
結論
Conclusion
結論
Currently, there are some stratagems which technology cannot duplicate yet. But it is just a matter of time until those bots learn to lie, cheat, and kill one another.
It is possible to narrow the thirty-six stratagems down to 5–6 social engineering archetypes, which prove the following facts:
• Stratagems should be simple enough to understand once you realize the pattern.
• Stratagems should be flexible enough to evolve with a changing environment.
• Stratagems should be constant in their objective.
Conclusion
結論
• Some of the stratagems listed here are indeed both far-fetched and unworkable.
  ◦ But when you begin to deal with threats from overseas, you have to think like your opponents.
• A good strategist hides his motive.
• A better strategist lets others know his next two moves.
• A great strategist lets others know his next four moves.
 
The Art of Scrum - Agile Principles in ‘Sun Tzu's Art of War’ A BA perspectiv...
The Art of Scrum - Agile Principles in ‘Sun Tzu's Art of War’ A BA perspectiv...The Art of Scrum - Agile Principles in ‘Sun Tzu's Art of War’ A BA perspectiv...
The Art of Scrum - Agile Principles in ‘Sun Tzu's Art of War’ A BA perspectiv...liviubaiu
 
The Terminology of Disaster Terms and How They Define It
The Terminology of Disaster Terms and How They Define ItThe Terminology of Disaster Terms and How They Define It
The Terminology of Disaster Terms and How They Define ItBob Mayer
 
Optimism Essays. Optimism An Essay by Helen Keller 1903 Don Phin Esq.
Optimism Essays. Optimism  An Essay by Helen Keller 1903  Don Phin Esq.Optimism Essays. Optimism  An Essay by Helen Keller 1903  Don Phin Esq.
Optimism Essays. Optimism An Essay by Helen Keller 1903 Don Phin Esq.Ciara Hall
 
An Underground education
An Underground educationAn Underground education
An Underground educationgrugq
 

Similar to Thirty-Six Stratagems of Social Engineering, Part I (20)

Open Model (The Starfish Approach)
Open Model (The Starfish Approach)Open Model (The Starfish Approach)
Open Model (The Starfish Approach)
 
The Universal Treatise of Global Socioeconomic Common Sense/Thomas Paine - Ne...
The Universal Treatise of Global Socioeconomic Common Sense/Thomas Paine - Ne...The Universal Treatise of Global Socioeconomic Common Sense/Thomas Paine - Ne...
The Universal Treatise of Global Socioeconomic Common Sense/Thomas Paine - Ne...
 
The Art of Waging Business War
The Art of Waging Business WarThe Art of Waging Business War
The Art of Waging Business War
 
Corporate Chanakya
Corporate ChanakyaCorporate Chanakya
Corporate Chanakya
 
edge world tips
edge world tipsedge world tips
edge world tips
 
Subject index
Subject indexSubject index
Subject index
 
EMC for business managers
EMC for business managersEMC for business managers
EMC for business managers
 
Sun tzu on recession
Sun tzu on recessionSun tzu on recession
Sun tzu on recession
 
Agile by Sun Tzu
Agile by Sun TzuAgile by Sun Tzu
Agile by Sun Tzu
 
Sun Tzu MS_03 Slds
Sun Tzu MS_03 SldsSun Tzu MS_03 Slds
Sun Tzu MS_03 Slds
 
Essay Proofreading Service Australia
Essay Proofreading Service AustraliaEssay Proofreading Service Australia
Essay Proofreading Service Australia
 
Adapt, overcome, and improvise words to live by for the supply chain--e parce...
Adapt, overcome, and improvise words to live by for the supply chain--e parce...Adapt, overcome, and improvise words to live by for the supply chain--e parce...
Adapt, overcome, and improvise words to live by for the supply chain--e parce...
 
Sun Tzu's Art of War (Special Report)
Sun Tzu's Art of War (Special Report)Sun Tzu's Art of War (Special Report)
Sun Tzu's Art of War (Special Report)
 
The Art of Scrum - Agile Principles in ‘Sun Tzu's Art of War’ A BA perspectiv...
The Art of Scrum - Agile Principles in ‘Sun Tzu's Art of War’ A BA perspectiv...The Art of Scrum - Agile Principles in ‘Sun Tzu's Art of War’ A BA perspectiv...
The Art of Scrum - Agile Principles in ‘Sun Tzu's Art of War’ A BA perspectiv...
 
The Terminology of Disaster Terms and How They Define It
The Terminology of Disaster Terms and How They Define ItThe Terminology of Disaster Terms and How They Define It
The Terminology of Disaster Terms and How They Define It
 
Sun tzu leadership
Sun tzu leadershipSun tzu leadership
Sun tzu leadership
 
Sun tzu leadership
Sun tzu leadershipSun tzu leadership
Sun tzu leadership
 
Optimism Essays. Optimism An Essay by Helen Keller 1903 Don Phin Esq.
Optimism Essays. Optimism  An Essay by Helen Keller 1903  Don Phin Esq.Optimism Essays. Optimism  An Essay by Helen Keller 1903  Don Phin Esq.
Optimism Essays. Optimism An Essay by Helen Keller 1903 Don Phin Esq.
 
An Underground education
An Underground educationAn Underground education
An Underground education
 
10 War Strategies for Peace.pdf
10 War Strategies for Peace.pdf10 War Strategies for Peace.pdf
10 War Strategies for Peace.pdf
 

More from Chuan Lin

大学与​信息安全​
大学与​信息安全​大学与​信息安全​
大学与​信息安全​Chuan Lin
 
Revisit the Three Kingdoms Issue 06
Revisit the Three Kingdoms Issue 06Revisit the Three Kingdoms Issue 06
Revisit the Three Kingdoms Issue 06Chuan Lin
 
Yellow Emperor Internal Canon on Information Security - part 1
Yellow Emperor Internal Canon on Information Security - part 1Yellow Emperor Internal Canon on Information Security - part 1
Yellow Emperor Internal Canon on Information Security - part 1Chuan Lin
 
Revisiting the Three Kingdoms, Issue 05
Revisiting the Three Kingdoms, Issue 05Revisiting the Three Kingdoms, Issue 05
Revisiting the Three Kingdoms, Issue 05Chuan Lin
 
專案、資安、禪 - PMP, InfoSec and Chan
專案、資安、禪 - PMP, InfoSec and Chan專案、資安、禪 - PMP, InfoSec and Chan
專案、資安、禪 - PMP, InfoSec and ChanChuan Lin
 
Revisit the Three Kingdoms issue04
Revisit the Three Kingdoms issue04Revisit the Three Kingdoms issue04
Revisit the Three Kingdoms issue04Chuan Lin
 
Revisit the Three Kingdoms 03
Revisit the Three Kingdoms 03Revisit the Three Kingdoms 03
Revisit the Three Kingdoms 03Chuan Lin
 
三十六社交工程計-上-繁體中文
三十六社交工程計-上-繁體中文三十六社交工程計-上-繁體中文
三十六社交工程計-上-繁體中文Chuan Lin
 
Revisit the Three Kingdoms 02
Revisit the Three Kingdoms 02Revisit the Three Kingdoms 02
Revisit the Three Kingdoms 02Chuan Lin
 
Romance of Three Kingdoms Vol1 Issue1
Romance of Three Kingdoms Vol1 Issue1Romance of Three Kingdoms Vol1 Issue1
Romance of Three Kingdoms Vol1 Issue1Chuan Lin
 
Weiqi and InfoSec
Weiqi and InfoSecWeiqi and InfoSec
Weiqi and InfoSecChuan Lin
 
Great Learning & Information Security - English edition
Great Learning & Information Security - English editionGreat Learning & Information Security - English edition
Great Learning & Information Security - English editionChuan Lin
 
大學與​信息安全​
大學與​信息安全​大學與​信息安全​
大學與​信息安全​Chuan Lin
 

More from Chuan Lin (13)

大学与​信息安全​
大学与​信息安全​大学与​信息安全​
大学与​信息安全​
 
Revisit the Three Kingdoms Issue 06
Revisit the Three Kingdoms Issue 06Revisit the Three Kingdoms Issue 06
Revisit the Three Kingdoms Issue 06
 
Yellow Emperor Internal Canon on Information Security - part 1
Yellow Emperor Internal Canon on Information Security - part 1Yellow Emperor Internal Canon on Information Security - part 1
Yellow Emperor Internal Canon on Information Security - part 1
 
Revisiting the Three Kingdoms, Issue 05
Revisiting the Three Kingdoms, Issue 05Revisiting the Three Kingdoms, Issue 05
Revisiting the Three Kingdoms, Issue 05
 
專案、資安、禪 - PMP, InfoSec and Chan
專案、資安、禪 - PMP, InfoSec and Chan專案、資安、禪 - PMP, InfoSec and Chan
專案、資安、禪 - PMP, InfoSec and Chan
 
Revisit the Three Kingdoms issue04
Revisit the Three Kingdoms issue04Revisit the Three Kingdoms issue04
Revisit the Three Kingdoms issue04
 
Revisit the Three Kingdoms 03
Revisit the Three Kingdoms 03Revisit the Three Kingdoms 03
Revisit the Three Kingdoms 03
 
三十六社交工程計-上-繁體中文
三十六社交工程計-上-繁體中文三十六社交工程計-上-繁體中文
三十六社交工程計-上-繁體中文
 
Revisit the Three Kingdoms 02
Revisit the Three Kingdoms 02Revisit the Three Kingdoms 02
Revisit the Three Kingdoms 02
 
Romance of Three Kingdoms Vol1 Issue1
Romance of Three Kingdoms Vol1 Issue1Romance of Three Kingdoms Vol1 Issue1
Romance of Three Kingdoms Vol1 Issue1
 
Weiqi and InfoSec
Weiqi and InfoSecWeiqi and InfoSec
Weiqi and InfoSec
 
Great Learning & Information Security - English edition
Great Learning & Information Security - English editionGreat Learning & Information Security - English edition
Great Learning & Information Security - English edition
 
大學與​信息安全​
大學與​信息安全​大學與​信息安全​
大學與​信息安全​
 

Recently uploaded

TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 

Recently uploaded (20)

TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 

Thirty-Six Stratagems of Social Engineering, Part I

  • 1. Thirty-Six Stratagems of Social Engineering, Part I 三十六社交工程計,上
  • 2. On Stratagems • Stratagems have been around since the age of city states. • They were primarily used during wars in ancient times. • They expanded into politics throughout the imperial era. • They broadened into commerce during the mercantile period. • And now, in the millennium of the information age, they are rebranded as social engineering, designed to fool the hearts and minds of the populace. 謀 略 戦 略 전 략
  • 3. On Thirty-Six Stratagems • Stratagems were used and recorded before the Spring and Autumn period (771-476 BC). • Tan Daoji, a Liu Song Dynasty general (d. 436 AD), organized, codified and wrote them down as the Thirty-Six Stratagems. ◦ The title itself is a reference to the I Ching, where six is associated with Yin, which represents the hidden and intrigue. Thirty-six is the square of six, which signifies numerous and interchanging schemes. • Its counterpart was a book called Strategemata, written by Sextus Julius Frontinus, a 1st-century Roman senator who was famous for his dealings with aqueducts. ◦ Unfortunately, that book was lost. 三 十 六 計
  • 4. Why Thirty-Six Social Engineering Stratagems? • As organizations and nation-states strengthen the software and network aspects of their cyber defenses, attackers have to look for other ways to access data. • Cyber attacks, like all forms of warfare, are ever escalating. In 2003, phishing introduced the art of social engineering into the information security world. An email that informed users of their password expiration opened up a new battlefront. • For a more sophisticated and escalated data breach, a master plan is required: numerous stratagems are hatched to deal with various scenarios, and vast numbers of bots provide ample firepower. • An objective of this slide deck is to provide food for thought to InfoSec Pros (Information Security Professionals) so they can recognize patterns and hopefully come up with means to deal with them. 社 交 工 程
  • 5. Requirements for Successful Stratagems (1/3) 1. Understand the opponent's nature ◦ Social media ◦ News outlets ◦ Employees/Friends/Haters 2. Understand the opponent's tactics/skills ◦ News outlets ◦ Conventions ◦ Webinars 3. Understand the situation at hand (comparison of advantages/disadvantages) ◦ Know your opponent like yourself in order to neutralize their advantages and shore up your disadvantages
  • 6. Requirements for Successful Stratagems (2/3) 4. Reconnaissance ◦ Know your entry and exit points 5. Be highly alert in an unusual situation ◦ Are you being played? (See below) 6. Expose weakness to entice the opponent ◦ Useful if your opponent is aggressive or hubristic ◦ Lower the opponent's guard ◦ Let the opponent know your goals or methods
  • 7. Requirements for Successful Stratagems (3/3) 7. Hidden motives and goals ◦ Why make it easy for opponents? ◦ Maintain initiative ◦ Allow room for maneuver 8. At a crucial time, strike at their blind side in order to maintain advantages ◦ Their greatest triumph could also be their greatest weakness. ◦ This can apply to you just as well.
  • 8. How This Slide Is Presented • The Thirty-Six Stratagems are divided into six chapters. • Each chapter contains six stratagems. • This slide deck lists all thirty-six stratagems but focuses on only two stratagems per chapter.
  • 9. Winning Stratagems 勝戰之計 How to use your enemy to your advantage
  • 10. Winning Stratagems 勝戰之計 • Yang element of stratagems ◦ you know exactly your own and your opponent's strengths, and/or ◦ you have an advantage • The military talks about using force multipliers; here the stratagems are about force dividers. ◦ Force dividers are used on your opponent's forces. ◦ It is about using the least amount of resources to achieve the greatest number of wins.
  • 11. List of Winning Stratagems 1. Deceiving heavens, crossing oceans 瞞天過海 2. Besiege Wei, rescue Zhao 圍魏救趙 3. Murder with a borrowed knife 借刀殺人 4. Leisurely wait on laboring enemy 以逸代勞 5. Loot a burning house 趁火打劫 6. Sounding East, Striking West 聲東擊西
  • 12. Besiege Wei, rescue Zhao 圍魏救趙 Explanation It is better to face a divided opponent than a concentrated opponent; it's better to fight through subtlety than head-to-head. The objective is to force the opponent to lose control of the situation and the initiative. Historical Context Sun Bin, a military strategist of Qi State during the Chinese Warring States Period, was ordered to rescue an ally, Zhao State, from the hegemon, Wei State. Rather than face an enemy with superior force and advantages, he attacked Wei's capital. There, he had no problem defeating the defending army and laid siege. The King of Wei recalled his general, who was on the verge of conquering Zhao, to return immediately. By the time that general returned to Wei's capital, Sun Bin had already returned home, and Zhao State was saved.
  • 13. Besiege Wei, rescue Zhao 圍魏救趙 Modern Time The objective is to knock the InfoSec Pro off what he was doing and have him focus on something else. This forces him to redirect his efforts and incurs a loss of time and energy. Modern Scenario Works best against a command-and-control or highly politicized structure where the CISO or ISO manager micromanages his staff to such an extent that they can't act without his say-so. The game plan is to create an alternate attack that targets the CEO or C-level management. This would work only if there is an inside man or you're certain that C-level machines are compromised.
  • 14. Leisurely Wait on Laboring Enemies 以逸代勞 Explanation Force your opponents into adverse situations that sap their strength and exhaust their spirits. Then attack them with your fresh force. It is never a good idea to confront foes whose energy and morale are high. It is better to exhaust them while maintaining high energy and morale yourself. Historical Context During the Warring States Period, Qin State launched an invasion against Chu State that was led by a young general. After a series of wins, he became overconfident and fell into an ambush that destroyed his force and made him retreat all the way back to Qin. In response, Qin State sent an elder general who stopped at the border of Qin and Chu and built up his defenses. While the Chu troops wanted a quick, decisive battle, the Qin troops hid behind their fortress. When the Chu force exhausted its supplies and withdrew, the Qin troops attacked from behind and annihilated them. Chu State was eliminated soon after.
  • 15. Leisurely Wait on Strained Enemies 以逸代勞 Modern Time This stratagem supports the idea of taking control of the situation from the InfoSec Pro. This is done by exhausting him to the point of making a wrong call, an oversight, an overreaction, an overreach, etc. While direct confrontation (against an active opponent) is exciting and generates much buzz, it also drains and ties up both resources (even if those resources are hijacked) and time. Modern Scenario A series of false positives at various sources and locations can require the InfoSec Pro's immediate attention. Or, as in the historical context, pose an imminent threat that he can see coming and keep him waiting. However, in this case, with modern technology, the InfoSec Pro can afford and does welcome the wait, as this allows him to shore up his defenses as well.
  • 17. Enemy Dealing Stratagems 敵戰之計 • Yin element of stratagems ◦ you do not know your opponent's strengths, and/or ◦ you are at a disadvantage • Initial contact with the opposing force ◦ Probing attacks/recons ◦ Verify how opponents respond before and after an attack
  • 18. List of Enemy Dealing Stratagems 1. Create something from nothing 無中生有 2. Openly repairing the road, sneaking through the back 明修棧道,暗渡陳倉 3. Watch fires burn, across the river 隔岸觀火 4. Hiding a knife behind a smile 笑裡藏刀 5. Sacrifice a plum, preserve a peach 李代桃僵 6. Take an opportunity to pilfer a goat 順手牽羊
  • 19. Watch fires burn, across the river 隔岸觀火 Explanation When there is a conflict within the enemy camp and chaos ensues, it is best to sit back and watch. Wait until their internal conflicts deepen, which will deepen the hatred among them. It will turn into violence and, in its aftermath, the enemy will be much weakened. Then it is time to act. Historical Context During the Three Kingdoms period, Cao Cao had defeated Yuan Shao, who soon passed away without naming an heir. Through political maneuvering, the youngest son became the lord, which undoubtedly caused resentment in the other two. When Cao Cao attacked again, his force was repelled because of a united Yuan front. On advice from his staff, Cao Cao waited. Soon, the sons bickered among themselves and split into factions. The next time Cao Cao attacked, his opponents were much weaker and he was able to eliminate the Yuan faction altogether.
  • 20. Watch fires burn, from the river 隔岸觀火 Modern Time In most companies, there exists an uneasy tension between InfoSec Pro and Network, InfoSec Pro and IT, or InfoSec Pro and the rest of the employees. And in most instances, the InfoSec Pro has to play the bad guy by saying No to things that used to be taken for granted. Attackers can exploit such tension and cause it to erupt into actual office-politics casualties. No matter who wins or loses, office morale will always decrease, and this presents an ideal time to strike. Modern Scenario After a successful attack against a highly politicized work environment, send a city-wide email thanking the InfoSec Pro for making it happen. Even if it does not immediately light up as the spark for an employee review, the seed of doubt is planted.
  • 21. Take an opportunity to pilfer a goat 順手牽羊 Explanation When one sees a stray sheep in the open, he is tempted to shepherd it home. So it is with taking an opportunity when it presents itself: no matter how small it is, it will lead to something bigger. Alternatively, take advantage of someone's opportunistic nature to cause great harm. Historical Context During the Spring & Autumn Period, a Qi minister helped a prince become Lord of Qi State. But the new Qi Lord was lecherous and soon had numerous affairs with the minister's wife. Eventually, the minister found out. Under the pretext of being ill, he was unable to attend to his duties. When the lord heard, he went to the minister's home under the pretense of inquiring after the minister's health. Instead, he went to the wife's chamber. After she excused herself, the lord was trapped and soon killed.
  • 22. Take a sheep on the way out 順手牽羊 Modern Time This is one of the most commonly used social engineering techniques in modern times. Under the guise of "free", people will download anything and everything to take advantage of it. Another variation is to give away free USB drives, micro-SD cards, or Thunderbolt drives to prospective clients.
  • 24. Attacking Stratagems 攻戰之計 • Yang element of stratagems ◦ you know exactly your own and your opponent's strengths, and/or ◦ you have an advantage • Frontal attacks when they know you are coming ◦ How to get around their defenses ◦ How to direct your maximum force against their weakest point
  • 25. Summary of Attacking 1. Stomping grass, scaring snake 打草驚蛇 2. Borrow a corpse to resurrect a soul 借屍還魂 3. Entice the tiger to leave its mountain 調虎離山 4. Capture through Release 欲擒故縱 5. Trading a brick for a jade 拋磚引玉 6. Defeat enemy through their chief 擒賊擒王
  • 26. Borrow a corpse to resurrect a soul 借屍還魂 Explanation Something useful shouldn’t be loaned; something not useful should be borrowed; use only borrowed useless thing. It is not me who sought out the child, but the child sought me out. Even if you have overwhelm force, never display it or utilize it unless absolute necessary. By remain hidden, it created doubt and uncertainty in your enemies who wondered where would you strike. Rather, use something insignificant and something borrow, it draw off attention and allow you to increase your sphere of influence. Historical Context During Three Kingdoms period, Liu Bei sought out sanctuary with a follow kinsman and a lord. While the lord agreed, his two loyal ministers were worried, Liu Bei was infamous for bringing downfall to those who helped him. They decided to assassinate Liu Bei. But their plan was leaked. When they arrived to Liu Bei’s camp, they were welcome and a festival was made in honor of upcoming alliance. During middle of celebration, Liu Bei confided to two assassins that he had secret military plan to share with them. When they came to his tent, Liu Bei’s troops seized them, searched and found hidden daggers. Assassins were beheaded and Liu Bei announced to accompany troops that he feared for their lord’s safety and asked them to return. Troops were followed by Liu Bei’s force. At the city gate, guards recognized returned troops and opened the gate. Liu Bei’s force rushed in. The coupe was completed.
  • 27. Borrow a corpse to resurrect a soul 借屍還魂 Modern Time: Technology-wise, this can be associated with Trojan and zombie malware. In social engineering, it often refers to identity theft. Modern Scenario
  • 28. Capture through Release 欲擒故縱 Explanation: Cornered, they fight; weakened, they flee; give chase but do not strain; exhaust their energy, drain their spirits; then capture them as they disperse. Troops do not need to bloody their blades. Troops will fight to the death when they have nothing to lose. Between fleeing for their lives and fighting to the death, they will choose to live. Low morale is infectious, and the longer it germinates, the more damage it can cause. With low morale, tired and exhausted, they would give up rather than keep on fighting. Historical Context: In the novel Romance of the Three Kingdoms, before Zhuge Liang could carry the war against Wei State, he had to pacify his southern front, where a local lord, Meng Huo, had rebelled after the death of Liu Bei. Zhuge Liang captured Meng Huo seven times, but each time he chose to let the rebel leader go because he wanted to break the rebels' spirit. Despite being released, his newfound insights weren't accepted by his allies, who thought of him as a loser. By the seventh capture, Meng Huo knew Zhuge Liang was indeed a master strategist and submitted.
  • 29. Capture through Release 欲擒故縱 Modern Time: A modern equivalent is the Man-in-the-Middle attack. This allows attackers to continue gathering more information by releasing captured data/transactions. In social engineering, Capture through Release is like tagging a target. That target becomes the carrier. Through him, the company's internal systems can be compromised, the company's incident response can be revealed, and the company's key individuals can be identified. Modern Scenario
  • 31. Chaos Stratagems 混戰之計 • Yin element of stratagems: you do not know your opponent's strengths, and/or you are at a disadvantage. • When an attack becomes a stalemate or a war of attrition: how to deal with the defense-in-layers concept; how to fight them individually without being ganged up on.
  • 32. Summary of Chaos 1. Remove firewood from boiling pot 釜底抽薪 2. Catch a fish through muddy water 混水摸魚 3. Shedding cicada's golden shell 金蟬脫殼 4. Shut the door to catch a thief 關門捉賊 5. Befriend a distant state while attacking a neighboring state 遠交近攻 6. Obtain safe passage to conquer the State of Guo 假道伐虢
  • 33. Remove firewood from boiling pot 釜底抽薪 Explanation: If one can't defeat the opposing force, then one has to remove the opposing force's multiplier. This is the image of a swamp below and force on top. If the enemy force is much stronger than yours, then you'll need to destroy the source of his force multiplier in order to even the odds. The last statement, a reference to the I Ching, indicates that the swamp is at the bottom because of cyclical and regulated order. Its logical step is to move up. Historical Context: During the Northern Song Dynasty, guards at Han Province rebelled by raiding and pillaging. They attempted to kill both the provincial governor and the military police commissioner, who were frightened and hid. A local magistrate walked out and faced the rebelling troops. He declared, “You all have wives, parents and children. Why are you taking such a risk? Step aside if you want no part of it!” Only eight people remained in the center, and they fled to the countryside. But soon they were captured and executed.
  • 34. Remove firewood from boiling pot 釜底抽薪 Modern Time: Technology: Recon shows that a potential target company has an array of layered defenses that would make a frontal attack long, brutal, and obvious. What are their force multipliers? How do you reduce those layers? Do they have zero-day exploits? Social Engineering: The company's InfoSec people are well versed in blue team defense such as incident detection, security analysis and forensic analysis. But let's focus on their staff: do they have any needs that are unmet by their company?
  • 35. Befriend a Distant State, Attack a Nearby State 遠交近攻 Explanation: Location determines the degree of threat; profit comes from near reach, loss comes from distant reach. Fire at top, swamp at bottom. “Location, location, location” is not just a real estate slogan but also a strategic factor. Maximum gain comes from a short campaign. Maximum loss comes from a long campaign. Therefore, to conserve forces, it is better to attack nearby than to commit troops afar. Not to mention that it is better to attack one country than a group of countries. Historical Context: During the Warring States Period, Qin State adopted this stratagem as it began to eliminate other countries. It made offers to distant states to isolate nearby states prior to invasion. Even if someone from the other 6 states saw through this stratagem, the distrust among them prevented any attempt to unite against Qin State. In 221 BC, Qin State had united China after 254 years of warfare and became known as the Qin Dynasty.
  • 36. Befriend a Distant State, Attack a Nearby State 遠交近攻 Modern Time: Technology: While it is true that the internet has made distance irrelevant as a factor, distance is relevant in the aftermath of an attack. It is far harder to extradite a hacker to another state, especially if he is perceived to be a local favorite son. Socially: Distance as a factor is interpreted as where InfoSec sits in a company's organizational hierarchy. While an InfoSec professional may have influence and be able to enforce security on those around him, people further above and below might not be affected as much.
  • 38. Proximate Stratagems 並戰計 • Yang element of stratagems: you know exactly your own and your opponent's strengths, and/or you have an advantage. • Even if you have an overwhelming force, how to further minimize your losses: play defensively to conserve your strength; play defensively to demoralize your opponent's forces.
  • 39. Summary of Proximate 1. Replace beams with rotten timbers 偷梁換柱 2. Pointing mulberry tree while cursing locust tree 指桑罵槐 3. Feign madness in order to maintain sanity 假癡不癲 4. Remove ladder after an enemy ascended the roof 上屋抽梯 5. Deck the tree with false blossoms 樹上開花 6. Switch from guest to host 反客為主
  • 40. Replace Beams with Rotten Timbers 偷梁換柱 Explanation: Force frequent changes in the opponent's forces in order to embed within and weaken his strongest force; wait until it collapses of its own volition, after which one is able to control it like directing the wheels of a moving cart. In the age of outsourcing human and technical resources, there is a chance of a bugged talent and/or product being inserted. As these assets move around the company, this creates more opportunities to weaken the command and control structure until an outsider can gain administrator access. Historical Context: Qin Shi Huang, the first emperor of historical China, had two sons. Though he favored the elder, he did not name him his heir apparent because he thought he would live a long life. When his sudden terminal illness came, Qin Shi Huang issued the imperial decree to name his elder son as the heir. He died soon after. His death was kept secret by the Prime Minister, who favored the second son. The Head Eunuch, also of the pro-second-son faction, had the imperial decree, and he conspired with the Prime Minister. Together, they redrafted the imperial decree to declare the second son as the new emperor and forced the first son to commit suicide. Thus the fate of the Qin Dynasty was sealed.
  • 41. Replace Beams with Rotten Timbers 偷梁換柱 Modern Time: Technology: Man in the Middle (MitM) is a popular hack that allows attackers to embed themselves into a target's communication system in order to gain control and cause misdirection. A keylogger is another variation of MitM. Socially: Purchasing reputable third-party security software can eliminate or reduce the influence of MitM. But unlike software, consultants from a reputable third-party firm do not necessarily guarantee the same result. While over 99% of them are ethical and professional, it is the remaining few that can be disruptive. Also, as the historical context has shown, a company's office politics can have an impact on its information security.
  • 42. Deck the Tree with False Blossoms 樹上開花 Explanation: Use your surroundings to enhance your threat; even if your force is small, your threat will be magnified. As wild geese fly in pattern, their feathers and formation swell. A popular acronym in the computer world is FUD (fear, uncertainty, and doubt), which is used to describe the emotion of dealing with the unknown. Use your opponents' emotions against them by immersing them in unfamiliar territory. Historical Context: During the Three Kingdoms Period, Cao Cao attacked Jing Province upon hearing the news of its lord's passing. Liu Bei had sought refuge in Jing Province and immediately retreated further south when he got wind of the attack. But people followed him and burdened his force. When Cao Cao's army had almost caught up to them, Zhang Fei, with thirty-some troops, acted as Liu's rear guard. Zhang Fei had his troops hide in the woods and cause a great commotion while he stood by the narrow bridge. Cao Cao's troops paused at the other side of the bridge when they saw Zhang Fei by himself but heard noises coming from the woods. Fearing an ambush, they waited until Liu Bei was able to withdraw his force in safety.
  • 43. Deck the Tree with False Blossoms 樹上開花 Modern Time: Technology: FUD is quite a common theme in the information world. Even the thought of switching to or supporting a different OS would generate such FUD among general users. It does not take much to generate hysteria among common users. Socially: Stress from work, office politics, and the economy are building blocks of FUD hysteria. Social media such as Twitter, 4chan, and Facebook can spread FUD like a virus in a congested community. A modern equivalent is the False Flag.
  • 45. Desperate Stratagems 敗戰之計 • Yin element of stratagems: you do not know your opponent's strengths, and/or you are at a disadvantage. • How to win even when you are outnumbered: this is risky because if you lose, you'll lose big; these stratagems are about how to get out of a confrontation and how to live to fight another day.
  • 46. Summary of Desperation 1. The Beauty Trap 美人計 2. The Empty Fort Strategy 空城計 3. Turned Agent Strategy 反間計 4. Self-inflicted Wound 苦肉計 5. Chain Stratagems 連環計 6. Retreat 走為上策
  • 47. Turned Agent Strategy 反間計 Explanation: Create doubt within doubts; using enemy spies against the enemy is much more profitable than embedding our own among them. This is social engineering in its highest form. Can you feed false information to your opponent through their agents? For a successful attack, recon of the target area is a necessity. The game here is how to recognize recon and then feed it false data that leads to a honeypot or dead zone. Historical Context: In the novel Romance of the Three Kingdoms, at the Battle of Red Cliff, Cao Cao had an overwhelming force against both Liu Bei and Sun Quan. Although Cao's troops were unfamiliar with naval warfare, Cao had subjugated two new admirals to help train them for it. At the same time, he sent an agent over to persuade Zhou Yu to defect. Zhou Yu recognized his old friend and realized that he was an agent of Cao. While pretending to listen to his old friend, he leaked false information that those two new admirals were agents of Sun. His friend quickly departed and informed Cao Cao of the news. In a fit of rage, Cao Cao had those two admirals summarily beheaded. Only then did Cao Cao realize that he had been played.
  • 48. Turned Agent Strategy 反間計 Modern Time: Technology: The technology isn't here yet, but it may be a matter of time before someone develops a bot that will fool another bot by disseminating false data. Socially: Few companies have provided varied information to different key members. By reviewing the type of data leaked, they will know who the mole is.
  • 49. Self-inflicted Wound 苦肉計 Explanation: A person does not hurt himself, and if he is wounded, this is unlikely to have been caused by self-injury. Whether it's fake or real, or real or fake, it is now possible to carry out a plan. Even a man-child can get lucky when he follows this plan through. This strategy runs opposite to the saying, “the enemy of my enemy is my friend”. Whether through religion or culture, we in general do not believe in self-inflicted wounds and tend to believe that they are someone else's doing. As such, we lower our guard toward the victim. Historical Context: During the Spring and Autumn Period, the Lord of Zheng State wanted to annex Hu State. He first married off his daughter to the Lord of Hu State. He then executed the leader of the anti-Hu State faction in his court. These acts lessened Hu State's guard against Zheng State. This allowed Zheng State to lead a surprise attack against Hu State and annex that dominion once and for all.
  • 50. Self-inflicted Wound 苦肉計 Modern Time: Technology: Fake apps that claim to help prevent ransomware or Zeus malware. While such an app does remove other hackers' malware, it also introduces its own variant of ransomware or Zeus malware. Socially: A variant of the Edward Snowden playbook could be a Chinese hacker fleeing from the Chinese government's prosecution by confirming what the West has accused China of doing. By doing so, he seeks US government protection. The hacker's family have been prosecuted and imprisoned. There was a successful attempt on the hacker's life. It has also caused a diplomatic low point between China and the US. While China is adamant about the return of this Chinese hacker, the CIA has confirmed that this individual brought over secrets that they wanted but were unable to take, and he is moved to a CIA safehouse. A couple of days later, this Chinese hacker is found dead in the CIA safehouse. While the CIA investigates the cause of death, some sensitive CIA information is funneled to its Chinese counterpart.
  • 52. Conclusion 結論 Currently, there are some stratagems which technology cannot duplicate yet. But it is just a matter of time before those bots learn to lie, cheat, and kill one another. It is possible to narrow the thirty-six stratagems down to 5 to 6 social engineering archetypes, which demonstrate the following facts: stratagems should be simple enough to understand once you recognize the pattern; stratagems should be flexible enough to evolve with a changing environment; stratagems should be constant in their objective.
  • 53. Conclusion 結論 • Some of the stratagems listed here are indeed both far-fetched and unworkable. But when you begin to deal with threats from overseas, you have to think like your opponents. • A good strategist hides his motive. • A better strategist lets others know his next two moves. • A great strategist lets others know his next four moves.
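
Slide 48's "Socially" point (give different key members varied information, then identify the mole from what leaks) can be sketched as a keyed wording fingerprint. This is an added example, not part of the original slides; the memo text, recipient names, key and function names are all constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample memo: each slot has two interchangeable wordings.
SLOTS = [
    ("The migration starts on Monday.", "The migration begins on Monday."),
    ("Vendor access will be revoked.", "Vendor access will be withdrawn."),
    ("Backups move to the new site.", "Backups relocate to the new site."),
    ("Staff must rotate passwords.", "Staff need to rotate passwords."),
    ("Audit logs are kept for a year.", "Audit logs are retained for a year."),
]

def assign(key: bytes, recipients: list[str]) -> dict[str, tuple[int, ...]]:
    """Give each recipient a unique, keyed bit pattern (one bit per slot)."""
    if len(set(recipients)) > 2 ** len(SLOTS):
        raise ValueError("not enough slots for this many recipients")
    issued, taken = {}, set()
    for name in recipients:
        counter = 0
        while name not in issued:  # re-derive on collision so patterns stay unique
            mac = hmac.new(key, f"{name}|{counter}".encode(), hashlib.sha256).digest()
            value = int.from_bytes(mac, "big")
            bits = tuple((value >> i) & 1 for i in range(len(SLOTS)))
            if bits not in taken:
                taken.add(bits)
                issued[name] = bits
            counter += 1
    return issued

def render(bits: tuple[int, ...]) -> str:
    """Build the copy of the memo that carries this bit pattern."""
    return " ".join(SLOTS[i][b] for i, b in enumerate(bits))

def observed(leak: str) -> dict[int, int]:
    """Map slot index to the wording seen in the leak; partial leaks are fine."""
    seen = {}
    for i, variants in enumerate(SLOTS):
        hits = [b for b, text in enumerate(variants) if text in leak]
        if len(hits) == 1:  # skip slots that are absent or ambiguous
            seen[i] = hits[0]
    return seen

def attribute(issued: dict[str, tuple[int, ...]], leak: str) -> list[str]:
    """Return every recipient whose copy agrees with all observed slots."""
    seen = observed(leak)
    if not seen:
        return []
    return sorted(name for name, bits in issued.items()
                  if all(bits[i] == b for i, b in seen.items()))
```

A leak that quotes only part of the memo narrows the candidates rather than naming one person, so the result is a list and should be treated as a lead for investigation, not proof.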