Social Engineering dos and don’ts

Tom Roberts 20 Oct 2022

Another day, another success at sneaking into a building and pretending to be staff. I do so love drinking other people’s expensive office coffee. No fruit bowls though. Close, but no banana.

It got me thinking, again, about what makes for good social engineering (SE), and what advice I would give my younger self. These are my thoughts, as a list of dos and don'ts:

Do: Prepare. Preparation is everything. OSINT, pretext, tokens of trust and your authorisation and contact with site staff are paramount.
Don't: Think this is just a grift and a bit of a laugh.

Do: Plan your timing to coincide with traffic patterns, or mould your approach to mimic patterns of behaviour in your target group (arrival, delivery slots, coffee breaks, lunchtimes).
Don't: Be in the wrong place at the wrong time.

Do: Stay calm and focussed. Remain professional.
Don't: Push the security guard over and do a runner. Yes, I have been told by a client that has happened.

Do: Think about how your pretext might disrupt the firm or directly impact staff.
Don't: Pull the fire alarm just to win, or socially engineer using directly emotionally scarring pretexts, e.g. “Dear Mrs Jones, your child has been in a serious accident, you need to…”

Do: Agree concepts and pretexts with your client. They may have useful information or helpful advice. They may also reject certain pretexts.
Don't: Send staff fake redundancy / layoff letters when you know there have been layoffs. Your actions will create HR issues.

Do: Apply the science of social engineering. Use the tools of the trade and behave ethically.
Don't: Think that anything goes because the bad guys would do it. Rely solely on your talent.

Do: Think like a smart criminal. What is your likelihood of being caught vs the rewards gained? Remember that there is a risk / reward trade-off.
Don't: Think like an asshat and treat people as marks, rubes, or sheep, or create chaos.

Do: Take notes. Time-lines, photographs (if allowed and possible), locations and even rough maps to show the client where you were.
Don't: Think your job is over once the engagement is done. The report is as important as the OSINT and other prep.

Do: Make sure the customer is shown value for money. The key moment / action may only be in one day of many. Describe and explain all your prep, clearly.
Don't: Just assume they understand how much prep time you have put in.

Do: Protect your client from undue embarrassment. Most jobs have NDAs.
Don't: Live tweet your SE wholesale, showing weaknesses and problems to the whole of Twitter.

Do: Enjoy it. Stress is a killer. Planning and prep reduce much of that stress.
Don't: Hyperventilate in the toilets for the whole time.

Do: Remain a human being.
Don't: Turn into a cold lizard that treats others with disdain or contempt, or use your talents on people outside of work for your own self-gratification or gain.

Do: Speak to others and decompress if needed. Sometimes SE takes its toll. Talk to people who can help you rebalance.
Don't: Bottle it up and let it break you. You may end up replaying events in your head, dwelling on consequences or failures.

Do: Read up and learn from others.
Don't: Be a lone wolf.

Conclusion

SE is a skill that can be learned and improved with practice and constant upskilling.

It is such a varied field, and it can touch on both physical and technical approaches. Jobs begin with asking the client what they need and want and how you can help provide that in an appropriate and ethical manner. Then comes planning and preparation and sometimes a lot of grunt work, but without it your chances of success are limited.

Then comes the reporting: helping your client understand what risks you demonstrated, described accurately and in terms the client can actually change or influence.

You may never be a master of all things SE but the baseline of skills you need for all forms of SE is something that can be honed, developed and improved, no matter your age or skill level.