2019 was amazing for us at Social-Engineer.org (SEORG). We reached exciting milestones and had fun and insightful experiences at DEF CON and DerbyCon. One thing these events clearly showed us is that interest in social engineering (SE) is exploding. In fact, the SEVillage Social Engineering Capture the Flag (SECTF) competition at DEF CON created so much excitement last year that our 11,000 square foot room was not only packed, but there was a long line at the door to get in! Why does this event generate so much energy? Well, for many the SECTF serves as a springboard leading to a career in cybersecurity as a professional social engineer, so anticipation for it is keen. This enthusiasm for social engineering begs the question, “what skills do you need to be a successful social engineer?”
The March newsletter answers that question by narrowing the focus to two specific skill groups: interpersonal and technical skills. We’ll also discuss how to use social engineering in the best possible way by employing ethics.
Interpersonal Skills—A Necessary Foundation to Success as a Social Engineer
A solid foundation in interpersonal skills is necessary for success as a social engineer. As Christopher Hadnagy, CEO of Social-Engineer, LLC (SECOM) notes, “…understanding the way in which humans interact or react to situations can go a long way in helping you become a social engineer.” So, develop, practice, and sharpen your people skills. A key element of this is emotional intelligence. In other words, learn to recognize, understand, and respond to your own emotional state and that of others. Doing so involves behaviors such as active listening, flexibility, patience, and knowing how and when to show empathy. Practice these skills with the goal of building rapport.
What’s the link between rapport and success as a social engineer? Rapport leads to liking and trust. The following example highlights how rapport can help you in a security audit.
For example, let’s say you have an onsite engagement and your objective is to access a printer in an office building. To achieve that objective, you decide to build rapport with the receptionist. In order to do this, you enter the building wearing a coffee-stained shirt. First, you introduce yourself to the receptionist and explain that you’ve spilled coffee all over your shirt and resume while driving to your interview. You say, “I brought an extra shirt with me just in case something like this happened. Can I use the restroom to change?” The receptionist sympathizes with your plight and says, “Sure, let me show you where the restroom is.” Now, as you’re walking to the restroom, you notice several pictures of a cat on the receptionist’s desk.
Next, you’re in your clean shirt and walking back to the receptionist. You want the rapport you’ve built to progress from sympathy to liking and trust. So, you sincerely thank the receptionist and say how fortunate the company is to have such a helpful and caring employee. In reply, the receptionist smiles and says, “it’s nice to be appreciated.” Additionally, you comment on the adorable cat pictures and share a story about your childhood pet cat. The receptionist loves your cat story and shares one of her own. Finally, you ask if you can print a new copy of your resume. The receptionist likes and trusts you and so, says, “sure, the printer’s over there.” Success!!
Did you notice that in this example negative tactics such as intimidation, anger, or fear were not used? I’ll say more about this later, under the subheading on ethics in social engineering.
Resources to Help You Develop, Practice, and Sharpen your Interpersonal Skills
To develop and strengthen interpersonal skills, take courses and attend conferences that focus on communications, psychology and human interactions. For instance, the new Human Hacking Conference (HHC) teaches the latest techniques in human deception, body language analysis, cognitive agility, intelligence research, and security best practices. Additionally, many leading experts in these fields have written books in which they share their knowledge and experience. Here are a few authors and their books that SEORG podcast guests recommend.
Chris Kirsch, SECTF winner and podcast guest, recommends It’s Not All About Me by Robin Dreeke. Dreeke has studied interpersonal relationships and behavior for 30+ years and is recognized as a leading expert in rapport building. His books are a must-read for anyone who’s truly serious about developing, practicing, and sharpening their people skills. We also highly recommend his books The Code of Trust and Sizing People Up. Dreeke is also a trainer and speaker at the Human Hacking Conference. If you want to learn straight from Dreeke about the “Code of Trust” and “Sizing People Up,” sign up for next year’s HHC. In the meantime, listen to Dreeke explain how to use trust after building rapport in this amazing podcast, “In Robin Dreeke We Trust”.
Dr. Robert Cialdini
Rachel Tobac, SECTF participant and podcast guest, recommends Influence by Dr. Robert Cialdini. Dr. Cialdini has spent his entire career researching the science of influence. As a result, he is internationally recognized as an expert in the fields of persuasion, compliance, and negotiation. Dr. Cialdini shares his view on the difference between influence versus manipulation, as well as 5 words that can change your message, in this perceptive podcast, “But Wait, there’s more! — with Dr. Cialdini”.
Social psychologist and podcast guest Amy Cuddy recommends What Every Body Is Saying by Joe Navarro. Navarro is acknowledged as one of the world’s leading experts on nonverbal communication. His experience as a former FBI agent and spy catcher gives him unique insights. He lectures and consults with major corporations worldwide. His book is also a SEORG favorite and a definite must-read! Navarro discusses his background and what led to his study of nonverbal communication in this insightful podcast, “Help us Impress Joe’s Mother with Joe Navarro”. Navarro is also a trainer and speaker at the HHC. He teaches an amazing workshop on nonverbal communication. So, if you want to learn right from a master, make sure to register for next year’s HHC.
In addition to these amazing books and authors, we have another 100+ referrals. Please visit the Book List page of our website to see these recommendations and more! We update it regularly with referrals from The Social-Engineer Podcast.
Interpersonal Skills and Social Engineering—Is This Only for Extroverts?
Does all this emphasis on interpersonal skills mean that professional social engineering is for extroverts only? Not at all! Social engineering is for introverts, too. It all comes down to accepting new risks and challenges. For instance, self-acknowledged introvert and social engineering expert, Ryan MacDougall, offers this insight, “I kept taking risks that would challenge me directly to step out of my comfort zone.” Ryan discussed his personal experience, “From Introvert to SE, the Journey,” at DEF CON 26. You can watch it here. If you’re an introvert looking to enter this field, Ryan’s journey will inspire you.
Technical Skills—Continue to Build Your Social Engineering Skills
Now that you have your foundation, what technical skills should you acquire to continue building success as a social engineer? Ask any professional social engineer and they’ll tell you that information is their lifeblood. So, for starters, open source intelligence (OSINT) collection and analysis skills are a must. We recommend the Practical Open Source Intelligence for Everyday Social Engineers course. In this course, you’ll learn and develop the following skills:
- Search strategies
- Techniques on how to categorize and organize information
- How to craft and launch realistic social engineering attacks
- Risk mitigation
- Threat management
- Intrusion detection
- Systems Administrator
- Network Administrator
- Security Administrator
Are you ready to expand your technical skills? Then hands-on OSCP training offers mid-level courses and certification in these skills:
- Penetration testing
- Advanced web attacks and exploitation
- Advanced Windows exploitation
- Wireless attacks
Practice Your Interpersonal and Technical Skills at the SECTF
The SECTF provides the perfect space to practice your interpersonal and technical skills. Many of last year’s contestants spent 100+ hours honing their OSINT skills prior to their live calls at DEF CON. A valuable takeaway is this: more OSINT leads to more captured flags during the live call portion. Why is that? Because conducting thorough OSINT produces confidence, and confidence is exactly what you need to effectively build rapport during the vishing call. The SECTF is also a great place to see how social engineering can be done ethically. In fact, a core requirement in this competition is that no one is victimized during the contest.
Ethics—Using Social Engineering in the Best Possible Way
The explosive interest in social engineering is fantastic, but it also raises concerns. To explain why, I’m borrowing a quote from a professional painter and good friend of mine: “Everyone thinks they can paint, but not everyone can paint well.” The same is true with social engineering. Everyone thinks they can ‘social engineer.’ However, not everyone does it well. What do I mean? As a professional social engineer, you have a choice: will you use positive or negative tactics?
Chris Hadnagy weighed the results and implications of positive versus negative interactions. His professional experiences convinced him that using negative tactics, like anger and fear, was counterproductive and harmful. So, he adopted a new mindset. To that end, he forged the motto, ‘leave others feeling better for having met you’. Now, he uses social engineering in the best possible way. He creates positive learning environments and interactions for his clients, so genuine teachable moments are created. As a result, everyone involved can walk away feeling good.
He also saw the need for a code of ethics to provide guidance as well as to promote professionalism in the industry. With that in mind, he created the Social Engineering Code of Ethics. Leaders in the field quickly saw the value of it. In fact, a small country in Europe uses Hadnagy’s Social Engineering Code of Ethics in its internal documentation for social engineering and penetration testing courses.
For Hadnagy, using social engineering in the best way possible has brought success and satisfaction. In fact, he credits his motto, ‘leave others feeling better for having met you’, as a reason he’s able to keep his clients. So, learn from an expert. Take the social engineering high road. You’ll be better for it…and so will others!
Recently, Hadnagy visited the Hacker Valley Studio and talked with hosts Ron and Chris. You’ll benefit from their insightful discussion on how Hadnagy became a social engineer. He also shares experiences and insights that led to his developing the Social Engineering Code of Ethics. Look for episode 38 on the Hacker Valley Studio. But wait…there’s more! The SEVillage at DerbyCon8 hosted a panel with social engineering experts Chris Hadnagy, Chris Silvers, Rachel Tobac, Grifter and Jamison Scheeres. Listen to their thoughtful discussion of staying ethical while being a professional social engineer here.
What Else Can You Expect in March from SEORG?
What else can you look forward to in March from SEORG? We have an amazing blog in the works. Here’s a hint… it’ll be about an all-new and never seen before conference that happened in February. 😉
Written by: Social-Engineer