Yesterday it was widely reported that 15 hostages held by Colombia’s Marxist guerrillas for as long as 6 years were freed after some very brave and daring commandos posed as being part of the guerrilla group.
The news reports described it as a stunning rescue, and it definitely was that; quite stunning!
As we watched the numerous news reports about it, I spoke with my boys about the tactics they used to get the hostages freed.
Recently I’ve been creating social engineering training content along with a social engineering awareness assessment tool, and something I found remarkable about the rescue was how it used social engineering to its full affect to rescue the hostages.
Some of the tactics in this situation included:
- Impersonation: Colombian government commandos disguised themselves as members of the Revolutionary Armed Forces of Colombia (FARC) guerrillas who were sent on a mission to transport the hostages to a different location, an activity common with holding hostages for significant periods of time.
- Establishing a relationship: The commandos had worked to establish a relationship with the FARC guerrillas to gain their trust.
- Intimidation: The Colombian government commandos warned that they needed to get the hostages tranported quickly at the direction of the FARC leaders.
- Fear of negative consequences: The guerrillas guarding the hostages cooperated, believing the commandos were part of their group, and of course, they always went along with what the leaders of the FARC wanted for fear of punishment if they did not.
- Shared crisis or problem: The commandos presented themselves as being part of the same situation as the guerrillas, and that they were working with them to address a shared problem, which was to transport the hostages to a different location to avoid getting caught.
Impersonation, establishing a relationship, intimidation, fear of negative consequences, and sharing a crisis or problem are common elements of social engineering, and are often used to dupe people out of their personally identifiable information (PII), money, and to commit crimes. These social encineering tactics are used often, sometimes just one or a few of those listed, or some other social engineering tactics not listed here, by crooks to get employees to give them information and access to facilities so they can then subsequently do their criminal activities.
It is good to see that social engineering was used to such great results to free these hostages!
Tags: awareness and training, FARC, Information Security, IT compliance, policies and procedures, privacy training, risk management, security training, social engineering