Information gathering plays a crucial part in preparation for any professional social engineering engagement. Information gathering is the most time-consuming and laborious phase of the attack cycle but is often a major determinant of the success or failure of the engagement. The professional social engineer must be aware of the following:
- Information-gathering tools freely available online
- Online locations that house valuable pieces of data
- Software to aid in finding and collating the data
- The value or use of seemingly insignificant data collected online, over the phone, or in person
How to Gather Information
There are many different ways to gain access to information on an organization or individual. Some of these options require technical skills, while others require the soft skills of human hacking. Some options can be used from any location with internet access, while others can only be carried out in person at a specific location. There are options that require no more equipment than a voice, options that only require a phone, and still others that require sophisticated gadgets.
A social engineer can combine many small pieces of information gathered from different sources into a useful picture of the vulnerabilities of a system. Information can be important whether it comes from the janitor’s or the CEO’s office; each piece of paper, employee spoken to, or area visited by the social engineer can add up to enough information to access sensitive data or organizational resources. The lesson here is that all information, no matter how insignificant the employee believes it to be, may assist in identifying a vulnerability for a company and an entrance for a social engineer.
“Traditional” sources are typically open, publicly available sources of information that don’t require any illegal activity to obtain. “Non-traditional” sources, by contrast, are still legal but less obvious and often overlooked information sources, such as dumpster diving. It’s possible such sources can provide data that a corporate security awareness program wouldn’t or couldn’t take into account. Lastly, there are illegal ways to obtain information, such as malware, theft, and impersonating law enforcement or government agencies. As you can imagine, we discuss this last category throughout the Framework with care. We only support legal activities conducted within the context of a sanctioned penetration test.
Begin with defining your goal for success. A clear objective will determine what information is relevant and what you can ignore. After this, gathering information to support social engineering exercises is much the same as research you do for anything else. This holds true not only for the type of information, but also for how you gather it.
Information sources are only limited by the relevance of the information they can legally provide. When conducting research for social engineering, you may find yourself reviewing a broad range of sources (technical or physical) in order to gain a small bit of intelligence from each source. These bits are like puzzle pieces. Individually they don’t look like much, but when they are combined, a larger, more coherent picture emerges. For a more detailed exploration of sources, visit the technical and physical information gathering pages.