Preparation is crucial to any social engineering engagement. Information gathering is the most time-consuming and laborious phase of the attack cycle but is often a major determinant of the success or failure of the engagement. The professional social engineer must be aware of: information-gathering tools freely available online, the many accessible locations online that house valuable pieces of data, the software which can be used to aid in finding and collating the data, and the value or use of seemingly insignificant data which can be collected online, over the phone, or in person.
How to gather information
There are many different ways to gain access to information on an organization or individual. Some of these options require technical skills, while others require the “soft skills” of human hacking. Some options can be used from any location with internet access, and some can only be done in person at a specific location. There are options that require no more equipment than a voice, options that only require a phone, and still others that require sophisticated gadgets.
A social engineer can combine many small pieces of information gathered from different sources into a useful picture of the vulnerabilities of a system. Information can be important whether it comes from the janitor’s or the CEO’s office; each piece of paper, employee spoken to, or area visited by the social engineer can add up to enough information to access sensitive data or organizational resources. The lesson here is that all information, no matter how insignificant the employee believes it to be, may assist in identifying a vulnerability for a company and an entrance for a social engineer.
“Traditional” sources are typically open, publicly available sources of information that don’t require any illegal activity to obtain. “Non-traditional” sources, by contrast, are still legal but less obvious and often overlooked, such as dumpster diving. It’s possible such sources can provide data that a corporate security awareness program wouldn’t or couldn’t take into account. Lastly, there are illegal ways to obtain information, such as malware, theft, and impersonating law enforcement or government agencies. As you can imagine, this last category is touched on throughout the Framework with care, as we only support legal activities conducted within the context of a sanctioned penetration test.
In order to keep the research focused, you need to begin by defining your goal for success, because a clear objective will determine what information is relevant and what can be ignored as you search. After this, gathering information to support social engineering exercises is much the same as research you do for anything else. This holds true not only for the type of information gathered but also for how it’s gathered.
Information sources are only limited by the relevance of the information they can legally provide. When conducting research for social engineering, you may find yourself reviewing a broad range of sources (technical or physical) in order to gain a small bit of intelligence from each source. These bits are like puzzle pieces. Individually they don’t look like much, but when they are combined, a larger, more coherent picture emerges. For a more detailed exploration of sources, visit the technical and physical information gathering pages.