DEF CON 27 Social Engineering Village Notes

Robin Dreeke - The SE Podcast Ep 120 Live

Notes By Aryan Giri

Speaker: Robin Dreeke, Former FBI Behavioral Analysis Expert, Author of "It's Not All About Me"

Context: Live recording of Social-Engineer.org Podcast Episode 120 - 10th Anniversary Special

Key Focus: Evolution from rapport building to trust development to behavior prediction

Introduction & Background

Robin Dreeke is a former FBI behavioral analysis expert and author who has been a regular guest on the Social-Engineer.org Podcast since its inception in 2010. This episode marks the 10th anniversary of both the podcast and Dreeke's involvement in social engineering education.

Evolution of Social Engineering Philosophy: "I really thought it was all about rapport, but once you get really good at rapport, what's the purpose? Rapport is actually the purpose of trust."

Professional Evolution:

The Trust Continuum

Three-Stage Evolution:

  1. Rapport Building: Initial connection and engagement techniques
  2. Trust Development: Understanding how others want to develop trust
  3. Behavior Prediction: Understanding what to reasonably expect from people

Core Insight: "You can't get anyone to do anything without some semblance of trust - whether you're doing a phishing attack, penetration testing, or capture the flag."

Red Team Application: Understanding trust development is crucial for effective social engineering operations. Trust isn't about liking someone - it's about predictable behavior patterns that can be leveraged.

Sizing People Up: The Six Signs of Predictability

Dreeke's latest work focuses on predicting behavior through six key signs with multiple traits each:

1. Personal Identity

Understanding how individuals see themselves and their core values

2. Emotional Stability

Assessing emotional consistency and response patterns

3. Personal Effort

Evaluating work ethic and commitment levels

4. Personal Accountability

Measuring responsibility and ownership of actions

5. Self-Awareness

Understanding of personal strengths and limitations

6. Reliability

Consistency in following through on commitments

Behavioral Assessment: These predictability signs help red teams identify ideal targets and understand how they're likely to respond to different social engineering approaches.

Digital Trust Building Framework

Four Key Principles for Digital Communication:

Email Communication Framework:

Every statement should demonstrate:

  1. Seek Their Thoughts & Opinions: Ask for their perspective
  2. Talk in Terms of Their Priorities: Frame everything around what matters to them
  3. Validate Their Priorities: Acknowledge and respect their viewpoint without judgment
  4. Empower Their Choice: Give them control and options

Real-World Example: School Grade Dispute

Situation: Teacher using wrong grading key, refusing to change grades

Original Approach: "Kevin was disappointed in his midterm grade" (about us)

Dreeke's Revision: "Kevin was really excited to take the exam because he wanted to demonstrate his passion for science like you mentioned at the beginning of the year, and he was hoping he would have done better. What do you think he might be able to do to improve?" (about them)

Result: Teacher rechecked grading key, grade changed from 69 to 99

Phishing Campaign Design: This framework can dramatically increase phishing email effectiveness by making communications completely target-focused rather than attacker-focused.

Psychological Foundations

Human Guarantees:

Dopamine Insight: "When we're talking about ourselves and sharing our own thoughts and opinions (roughly 40% of every day), our dopamine is being released. Great relationship builders take that 40% and give it over to the other person."

The Empowerment Principle:

Dreeke's signature closing in FBI recruitment: "If you ever don't want to hear from me again, please let me know and I'll make a little note never to bother you."

Result: No one ever took him up on the offer because the entire conversation was about them.

Exit Strategy: Giving targets an "out" actually increases engagement and reduces suspicion. This can be applied in social engineering scenarios where maintaining deniability is important.

Manipulation vs. Influence Debate

The Ethical Question:

Common Criticism: "You're just manipulating people"

Dreeke's Response: "If you're controlling time, thoughts, or actions of another human being, you're manipulating them. First, come to grips with that."

Key Differentiators:

Industry Position: "In those moments when you're not having open-eyed communication, it is manipulation. But the purpose is to get the skills needed to understand it so you can use it for good and protecting others."

Operational Ethics: Red teams must maintain clear ethical boundaries and transparency about their methods and purposes, especially when practicing potentially manipulative techniques.

Social Engineering Competition Insights

DEF CON 27 CTF Observations:

Winning Techniques:

Intentional Misstatements

"You must be using Chrome today" → Target corrects with actual browser

Deep OSINT

Analyzing social media background details (computer screens, badges, etc.)

Psychological Hooks

Paternity leave connection, job search assistance themes

Human Condition Insight: "We all have an incessant need to correct other people. That's what successful contestants were playing on."

Red Team Challenges & Solutions

Social Engineering Fatigue:

The Problem:

  • Mental exhaustion from constant role-playing and deception
  • Cognitive dissonance from "taking advantage" of people
  • Empathic individuals struggle with prolonged social engineering
  • Common complaint: "I feel like I'm being disingenuous"

Management Solutions:

Team Management: Red team leaders must recognize and address social engineering fatigue proactively. Empathic team members are actually more effective but require more support and rotation.

Career Development in Social Engineering

Entry Paths for Non-Technical Backgrounds:

Building Credibility:

Publishing

Write articles and papers to demonstrate expertise

Speaking

Present at conferences to build reputation

Competitions

Participate in CTF events to demonstrate skills

Industry Need: "Companies that are willing to have a forward-thinking way of approaching this are going to start having behavior change in their organization. It's not doing it the same way we've done it forever by giving the technical guy the reins."

Key Takeaways for Security Professionals

Critical Lessons:

  1. Trust development is more important than rapport building for long-term effectiveness
  2. Behavior prediction enables proper expectation setting and relationship management
  3. Digital communication must be 100% focused on the other person's priorities
  4. Transparency and ethical boundaries are essential for sustainable social engineering practice
  5. Team management must address social engineering fatigue proactively
  6. Non-technical backgrounds bring valuable perspectives to security teams

Final Thought: "The whole purpose of everything I do is building healthy relationships. I never need a quick fix of eliciting information - I'm always looking for longer-term relationship building."

Strategic Advantage: Organizations that focus on understanding human behavior and relationship building will have more effective security awareness programs and more resilient red teams.