Gaining Access — A New Way of Thinking at APSE

Brand new to the field of social engineering (SE), I felt slightly blind going into the APSE course. How do you prepare for the mystery material and the unfamiliar faces? There is such a range of different professionals in the security industry, I was thoroughly intrigued to see who the APSE course would attract. In the days leading up to the course, I found myself attempting to foresee what level of difficulty we would all be facing with the coursework. What would social engineering homework actually look like? What kind of information would I be required to obtain from strangers? I can say with confidence that the course was more faceted than imaginable, and that despite my noob status, I was quickly swept up by the activities and plethora of new information presented. There was so much to absorb, so much data to process, I practically needed to be a sponge…better yet, a cyborg.

The beauty of social engineering is how dynamic one must become. This distinct branch of pentesting requires both technical skill and intuitive ability, reading your target for how to approach and engage; both of these things are invaluable to your success in the field. I was excited to see this methodical process unfold and the intricate manner with which Chris Hadnagy designed the curriculum. Also a fascinating aspect of taking the course was how quickly it transformed my thought processes. I began involuntarily applying my newly acquired knowledge about SE: assessing individuals in the class, watching the developing dynamics, scanning strangers. I became more conscious of observing body language through stance and micro expressions, I questioned motives and intentions, and began to see the undercurrent, the communications that happen beneath the surface. Thus, the obsession begins.

A peek at my experience with the coursework and tasks assigned during the week.

Day One:  A meaty introduction. It included a DISC assessment for each student (a communication profiling test) to help us to better understand our own communication style and how we interact with others. Chris delved into the intricacies of developing rapport with your target: creating artificial time constraints, validation, as well as how to improve your abilities in elicitation with your pretext, continuity, mutual interest, and effective use of questions. By the end of the first day, it became apparent that I had to give in to the amazing absurdity of this whole experience, gel with my group, and do my best to use this new information strategically. The first night was not very methodical; my team ended up letting our pretext develop organically. We were wildly successful in our venture, though I’m still questioning whether or not it was beginner’s luck.

Day Two:  Covered both non-technology and technology-based information gathering skills. I was dumbfounded by the sheer amount of information you can obtain simply from observation, looking at badges, shoulder surfing for pin numbers, codes, passwords. We also got to mess around with OSINT using specific searches through Google dorking or with software such as Maltego. Chris discussed how to successfully build pretexts, highlighting not only the importance of doing your research, but also maintaining a relaxed manner, allowing for spontaneity and adapting to changing scenarios with ease. On the second evening, I wanted to step up my game, to incorporate new tactics and push further outside my comfort zone. However, inevitably my ego got in the way and I was overthinking things, which resulted in failed attempts at engaging a target.

Day Three:  Chris discussed influence versus manipulation and we took a look at effective methods for influencing a target through concepts such as social obligation and social proof (whereby one person chooses to join a majority “tribe” due to feeling social pressure). He also went over framing, yet another invaluable tool for finding common ground. By the end of the day, my team and I were definitely reassessing our methods for day one vs. day two: what worked, what didn’t. We wanted to find a happy medium between the relaxed quality of the first night and the more structured (or at times rigid) pretext of the second day. The result: our engagements were more brief than day one, and more successful than day two. BINGO.

Day Four:  It got deep! We stepped into the conversation of non-verbal communication: baselines (what you can initially tell about a person without assumption), how to read micro expressions via Dr. Paul Ekman’s online training, body language cues, and amygdala hijacking. It was incredible to see how nuanced this section of the coursework was, and at the end of day four, we were faced with what seemed to be a much more daunting list of questions to ask our targets. I wanted to formulate the best approach using more of the techniques laid out during the course, but where to start? Once I finally cleared my head, I chose to focus instead on finding the most efficient way to get the information I was seeking; just getting the job done, no frills, no bells, no whistles. From my first SE target of the evening, I learned this priceless lesson: less is more, just ask!

Day Five:  For our final day, Chris wanted to see how each of us would begin and end an engagement. Having the target chosen for you and being observed during the process was definitely a new twist on the challenges we’d experienced earlier in the week, but it enabled each student to receive individual feedback on the engagements. I had the opportunity to see my weaknesses which included needing to improve on building an artificial time constraint, and sometimes…or, maybe often, being overly aggressive in my approach, which worked at times but not consistently. So, for me, spending more time assessing the situation before diving into the engagement will be beneficial.

From the morning banter to the completion of evening homework, I was running on all cylinders: devouring the new information, honing skills, and doing my best to practice the various processes for approaching an engagement. Finally, I was gaining access to information that my brain, such a finely tuned instrument, had already been gathering while I wasn’t paying attention. Were it not for our daily lives beckoning us to return home, and my brain having reached capacity, I would have jumped at the chance to spend another week in this course. For me, the aftermath simply became a question: how can you ever look at the world the same way? The answer: You can’t and you won’t. Your lenses are permanently affected. Welcome to the fascinating and terrifying world of social engineering.

Written by Dawn Rose Kearn

Sources:
https://www.social-engineer.org/framework/general-discussion/social-engineering-defined/ 
https://www.social-engineer.org/framework/general-discussion/categories-social-engineers/penetration-testers/
https://www.social-engineer.org/framework/psychological-principles/microexpressions/
https://triaxiapartners.com/
https://www.social-engineer.org/framework/influencing-others/elicitation/becoming-successful-elicitor/
https://www.techopedia.com/definition/30938/google-dorking
https://www.social-engineer.org/framework/se-tools/computer-based/maltego/