Threats

Explore The CIA's SADRAT And Other Social Engineering Frameworks

Social engineering attacks (primarily phishing) have dominated the list of top risks to enterprise cybersecurity for a number of years and are evolving with the adversarial adoption of AI.  Humans have long proven to be a difficult asset to secure since we are known for our emotional susceptibility to a range of issues. 

Organizations may face social engineering campaigns from hacking groups seeking quick financial gain, competitors seeking to gain competitive advantage, foreign governments for espionage, or other highly motivated adversaries. Overall, understanding broad social engineering tactics and processes (not only specific techniques) is important for defenders to understand what they are up against and to design better user-awareness training programs. 

In this article we will delve into some fundamental frameworks for social engineering prepared by two government security agencies, the CIA and the Canadian Centre for Cyber Security. One of these frameworks, SADRAT, was disclosed in recent revelations made publicly by a former CIA agent, and pertains to the CIA process for gaining and managing assets in a spy network. Although not as juicy as other official CIA processes for extracting sensitive information such as the Gateway Processes (1983), released publicly in 2003, the SADRAT process nonetheless gives us some insight into how the CIA frames social engineering within its espionage activities.

Understanding the SADRAT Social Engineering Process

The term SADRAT came into focus recently in 2024 when a former CIA officer, Andrew Bustamante made videos promoting his new company that included claims about his experience in the CIA, and in-depth sharing of unclassified information. His motivation is apparently to help CEOs improve their company's bottom lines - primarily through social engineering using the SADRAT process. A full 35 minute interview with Andrew is available on Insider's Youtube channel, in addition to appearances on numerous other Youtube channels, podcasts, and blogs.  

While SADRAT is not mentioned in the 1978 CIA list of intelligence terminology, US DoD Counterintelligence terminology, or officially declassified CIA records, it's safe to say that most internal policies are not included in those collections and it's likely that the revelations from Andrew are legitimate.In fact, another former CIA agent Ryan Hillsberg also shared the same CIA recipe for spy recruitment.  Let's take a look at Andrews's claims about the CIA's social engineering process used by actual operatives for extracting security intelligence out of their targets.

Here is a brief description of the SADRAT process:

  • S (Spot): Identifying potential intelligence assets who have access to valuable information or influence relevant to intelligence objectives, using methods like surveillance and background checks. This first stage maps nicely to the Lockheed Martin's "Reconnaissance" stage of the Cyber Kill Chain and the first stage of Penetration testing campaigns. 

  • A (Assess): Evaluating the suitability, usefulness, reliability, and willingness of identified individuals to cooperate, analyzing their motivations, vulnerabilities, and potential risks.

  • D (Develop): Building a relationship with potential assets to gain their trust and prepare them for recruitment, involving staged interactions and meetings.

  • R (Recruit): Formally bringing them on board to gather intelligence. This includes explicitly proposing to the candidate to work as an intelligence asset, negotiating terms, and establishing communication protocols.

  • A (Agent Handling): Managing the recruited asset to ensure effective information gathering and transmission, maintaining regular contact, and ensuring their security and motivation.

  • T (Terminate): Concluding the relationship with the asset when their usefulness has ended or the risk becomes too great, ensuring a safe and discreet end to their activities.

Upon inspection, SADRAT serves as a play-by-play strategy that a malicious insider might use in a campaign to identify and recruit disgruntled employees inside a company and recruit them to be an affiliate for a hostile nation-state or apex ransomware gang.  

Other Important Social Engineering Frameworks

Here are some additional social engineering process frameworks that outline slightly different perspectives to social engineering attacks. 

Canadian Centre for Cybersecurity: Social Engineering Lifecycle

This Social Engineering Lifecycle is a social engineering process framework provided by the Canadian Centre for Cyber Security, the official cyber security portal of the Canadian government. Cyber.gc.ca serves as a comprehensive resource for individuals, businesses, and government entities in Canada, offering guidance, tools, and critical advisories to enhance their cyber security measures.

  • The Bait: Threat actors research an organization and its members to target them with requests or information that mimics trusted sources. They use details from social media to craft narratives that appear authentic and trustworthy.

  • The Hook: Utilizing social ties, eliciting empathy, imposing urgency, or threats, threat actors manipulate their targets. Victims are persuaded to believe the scenario’s authenticity, thinking the interaction is legitimate.

  • The Attack: Users are deceived into revealing sensitive information, clicking on malicious links, changing passwords, or opening harmful attachments. This allows threat actors to access and potentially steal crucial data.

  • The Escape: After achieving their goals, threat actors discreetly disappear, often using intimidation to prevent victims from reporting the incident or taking further action.

Conclusion

Social engineering attacks are front and center of the defensive cybersecurity  radar due to their common and effective use as an initial access vector. This article explores the intricacies of social engineering frameworks used by intelligence agencies and cybersecurity firms to train and prepare for real-world threats including SADRAT as well as the Canadian Centre for Cyber Security's Social Engineering Lifecycle, which emphasizes a slightly different perspective on social engineering attacks.

Understanding these processes is crucial for organizations aiming to bolster their defenses against the sophisticated social engineering tactics increasingly employed by adversaries worldwide.

Interested in Pentesting?

Penetration Testing Methodology Cover
Penetration Testing Methodology

Our Penetration Security Testing methodology is derived from the SANS Pentest Methodology, the MITRE ATT&CK framework, and the NIST SP800-115 to uncover security gaps.

Download Methodology
Penetration Testing Buyer's Guide

Download our buyer’s guide to learn everything you need to know to successfully plan, scope and execute your penetration testing projects.

Download Guide

Featured Posts

See All

October 24 - Blog

Packetlabs at SecTor 2024

Packetlabs is thrilled to have been a part of SecTor 2024. Learn more about our top takeaway's from this year's Black Hat event.

September 27 - Blog

What is InfoStealer Malware and How Does It Work?

InfoStealer malware plays a key role in many cyber attacks, enabling extortion and lateral movement via stolen credentials. Learn the fundamentals about InfoStealers in this article.

September 26 - Blog

Blackwood APT Uses AiTM Attacks to Target Software Updates

Blackwood APT uses AiTM attacks that are set to target software updates. Is your organization prepared? Learn more in today's blog.