Social engineering is one of the most utilized attack vectors in real-world breaches. These come in the form of phishing, vishing, device drops, and even in-person approaches. A lot of research and prep time goes into social engineering, as we have to know the target, the objective, the environment, and most importantly ourselves. Prior to security, I performed in theatre for ten years, and the amount of time you spend rehearsing, researching, and mentally preparing for a quick performance is almost identical to that of social engineering. In a previous post of mine about creating device drops, I called it an art form; social engineering is the same thing. Recently I took the Advanced Practical Social Engineering Training (APSE) from Social-Engineer.com. I’m going to go over some of the highlights from the course and the benefits of the training. I won’t go into great depth about the course, as I would like to encourage more social engineers to take it, and a lot of the experience you can’t get without being there in person.
Know thyself. As social engineers, how can we hope to convince and/or influence someone if we don’t know ourselves? Now that isn’t supposed to be a deep philosophical question; this blog isn’t long enough to discuss that question. No, what this refers to is how we, the social engineers, communicate and present ourselves. The first day of the APSE, and a constant theme throughout, is learning how we communicate and how to appeal to certain types of communicators. One of the best ways to determine this is with the DISC Assessment. This assessment is not meant to be a personality test, but to determine how someone communicates with others. There are four aspects of DISC, and someone will often tend to have a dominant and a secondary form of communication. Here are the four:
- D – Dominance as it relates to power, assertive control
- I – Influence as it relates to social situations and communications
- S – Steadiness as it relates to patience and thoughtfulness
- C – Conscientiousness as it relates to structure and organization
All of these forms can be observed in someone’s behavior, and I can safely say that by the end of the week of training I was able to pick out a target’s primary form just by observing them. Once we know how we communicate, and can tell what our target is, we can change how we communicate to better interact and build better rapport with the target. Changing our communication style, however, is not an easy thing, especially when it comes to communicating in a way that is completely foreign to us. This isn’t meant to be easy; the course should push you out of your comfort zone and, once you are pushed out of there, push you further. The teachers of the course do a fantastic job of splitting the class into teams to play off of each primary part of the DISC profile. My team specifically had a C/S, which was myself, a D/I, and an I/D. The only primary we were missing was an S, but the team format allowed us to use all the strengths of each member in order to obtain our objectives each night.
This is by far the most important aspect of a social engineer’s attack. If time isn’t taken to develop a decent pretext, then your objective just became all the harder to obtain. So how do we create a good pretext? Well, a lot of this comes from OSINT. In class we take the time to discuss all forms of OSINT on a target, from technical aspects such as social media and a company’s public footprint, to non-technical observations of physical security and practices. We can never have too much information on a target; knowing everything we can allows us to develop a pretext that best suits the situation to obtain our objective. In fact, this step is so important that Social-Engineer.com has developed a two-day advanced OSINT course, which would be good for anyone new to the field. However, once we’ve obtained all of our OSINT and are ready to craft our pretext, there are a few things we need to consider. Overall, the course spends a day on OSINT, but unfortunately falls short from a pentester’s point of view in terms of what could be covered. Admittedly it just scratches the surface, but in my opinion OSINT is perhaps the most important step when developing a pretext.
Perhaps one of the biggest things that was stressed during class is that, other than obtaining the objective, our goal is to always leave the target feeling better for having met you. What does this mean? Well, basically it means creating a pretext and an approach where the target feels good, and is not thinking about what they just did or did not do. One way to fail at this is by using a manipulative pretext; this was something that was highly stressed during the course. As security professionals and pentesters, our ultimate goal is to advance the security of a client and educate their users. If we go in and manipulate the targets and obtain the objective, it becomes a very hollow victory for us. Yes, we circumvented their security controls/policies and obtained our objective, but at what cost? Not only would most of us feel bad about manipulating someone, but once the assessment is over and we debrief with the client, the relationship will go south really quickly. The users won’t want to listen to you when it comes time to educate them, and the client may very well go elsewhere for security testing. Our goal should always be to use influence over a target as opposed to manipulation. Although influence and manipulation share some of the same aspects, manipulation’s goal is to prey on negative emotions such as fear.
A lot can be said about a person just by observing them. Their mannerisms, body language, and facial expressions all reveal something about a person. All of these are known as non-verbal communication, essentially communicating without speaking. During class we studied facial expressions in order to tell what emotion someone may be feeling but not directly communicating verbally. In fact, after the class you are given the opportunity to obtain a certification in Micro Expressions from the Paul Ekman Group. After taking the exam for micro expressions you can read:
Being able to read micro expressions is a great way to know what your target is feeling and how you can change your pretext or communication style on the fly in order to appeal to them and prevent negative emotions. That being said, it takes a lot of practice in order to be able to read micro expressions in the wild in real time, but those who can do it have a distinct advantage in the field when it comes to social engineering.
Train Like You Fight
The best thing about this course is that it is not all classroom and theory. It is a practical course, which means every night we were out doing what we had learned. Each night we had homework which gave us specific objectives and rules of engagement, not unlike an actual pentest. I won’t give away what our homework was each night or even the pretexts our teams came up with, but this form of practice is perhaps the best thing you can do to hone your skills as a social engineer. My best advice for anyone wanting to get better at social engineering is to simply do more of it; practice your pretexts to the point where everything seems natural when talking to a target. When it feels natural to you, your body language and speech will reflect that, thus keeping the target unaware. Also, when practicing and training, do not be afraid to fail. Failure helps us learn what works and what doesn’t in certain situations; some of the best social engineers I have spoken with have failure stories that played a vital role in their development as a social engineer.
The APSE is a five-day course that covers a wide range of skills and tactics for social engineering. Although, in my opinion, it falls short in teaching in-depth OSINT and all SE-centered attack vectors, the course is still valuable. The practical itself relies heavily on in-person SE, and only briefly discusses vishing and phishing. Where it excels is pushing you out of your comfort zone and getting you out practicing your skills in a real situation. Although there were nights I felt as if I did not have enough time to research and pretext, it helped me realize that this was a weak spot in my skill set. Too much planning or overthinking can be just as bad as rushing into a situation with no plan. My next challenge is obtaining the Social Engineer Pentesting Profession (SEPP) certification from this course. At the time of this writing I am set to take the 48-hour exam in two weeks.
I highly recommend the course, whether you choose to go for the certification or not. It is a great course to help learn more about social engineering in ways you wouldn’t think about when first starting out. I am now more aware of not only others’ body language and communication style, but my own as well. Everything from the course has made me a better social engineer and made me more valuable as a team member.