How to Become a Social Engineer

I really must admit that one of the most asked questions we get through the website is something like, “I really want to get into social engineering as a career, what should I read/take in college to give me the best chance?” Then followed up by “How do I get into this as a job/career?”

It is a serious question that we have spent considerable time trying to come with an appropriate answer for. This month I will answer the education piece by telling you my own thoughts. What I look for when I hire and also what some of my most trusted friends from large companies look for when hiring. Then next month, I will go into how to make this your career.

So You Wanna Be a Social Engineer?

I understand why the question comes in so often. This job is pretty cool sounding. We get paid to phish, vish and break into companies every day. That certainly sounds like the dream job. Well at least for a lot of us.

Like most careers, it is logical to think that there may be a clear path to education to help you with a leg up in this field. Some people ask me, if they should study psychology, if they should get sales experience, others wonder if they should skip school all together. What’s the answer? Let’s first ask my good friend Jim. He manages a large team of pentesters that includes red teams, social engineers and some excellent hackers at one of the world’s largest financial institutions. I asked him this question:

Chris: “If you wanted to hire a young man or woman to be part of your team as a social engineer or pentester what do you look for? Education, experience or a combination?”

Jim: “First of all I look for experience. But there are certifications that mean something to me like Offensive Security’s certifications (OSCP / OSCE) and the CISSP.” In addition, my mantra is generally: Jack-of-all-trades, master of a couple. I look for folks who have a fairly broad generalist experience, but have taken an interest in deeply diving into one or two. I also look for mentality; can the candidate think like a bad guy? Is security your job, or a passion? What does your home network look like? And very importantly, does the candidate have the ability to communicate clearly, concisely, and professionally. Finally, personal references are good, especially when it comes to character, since if you join my team you’re going to have to be a highly trusted individual.”

Chris: “Thanks Jim, that was very helpful.”

I went to another very close friend who has been in the industry for a very long time helping run Black Hat and now running the Global Education and Training practice at Accuvant, Ping Look.

Chris: “If you wanted to hire a young man or woman to be part of your team as a social engineer or pentester what do you look for? Education, experience or a combination?”

Ping: “Accuvant does not look for degrees – experience and ability to pass the practical exams that we administer and references, especially industry ones, are more important. I know that most hacker’s goals aren’t to be promoted to management but the reality is that everyone has to make a living and having more responsibility within a company usually means a promotion whether it be to management or not. I do know from anecdotal experience of others that at a lot of larger firms, not having a college degree will make it more difficult to be promoted (initially) to management positions. HOWEVER in a technical field, smart companies know that InfoSec is still an emerging marketplace and that finding a candidate with a college degree, especially in computer science who is also a good infosec practitioner with the necessary experience will be very difficult. Over time, those who prove themselves technically adept and have good management chops end up having the same chance in getting promotions or running teams or being lead technologist or chief research scientist as the guy with a degree.”

Finally, I went to my good friend, Dave Kennedy. Dave started his own company just a few years ago, Trusted Sec, and went from just a couple people to over 20 people. He obviously knows a thing or two about hiring pentesters. So I presented him with the same question.

Chris: “If you wanted to hire a young man or woman to be part of your team as a social engineer or pentester what do you look for? Education, experience or a combination?”

Dave: “I favor experience over education any day. Although a college degree is important, I am looking for someone who has the experience to handle the type of work that we get. References are important, but I tend to hire people I’ve known and trust in the industry so I always get individuals I know and trust to do the work.”

All three answers really paint a great picture for anyone thinking and asking.

What About Social-Engineer, LLC?

My company has personally grown over the last couple years so I have had to spend considerable time thinking about what it is that I need in employees. Unlike some of the great minds I asked above, my needs are a tad bit different. But let me pick out the similarities from what we saw above:

1. Experience always wins. Many on my team have degrees, and some, like Michele are not only highly educated but trained educators. Even with that, experience is king. Now with that said there aren’t just slews of people that have tons of experience in phishing, vishing and breaking into buildings without having a criminal record. I will discuss later how we get around this particular hurdle in a bit.

This is a big one because there are many components to this particular topic.

  • Can the person think like a bad guy? We have a motto in my company, “Always leave them feeling better for having met you.” We apply that to how we want our customers to feel about our services. So although I need my people to be able to THINK like a bad guy, I need them to care enough about the customer that they don’t revel in the bad side too long.

  • Desire to learn. We are in a constant state of growth, and part of that is learning how to adapt when the times, attack vectors and methods of the bad guys change. My team has to be willing to do that.

  • Learn from failure. I have failed so many times I can’t count them, but the important part is learning from each failure.  My team has to be willing to have the same attitude.

  • Is this a hobby or a passion? It is important to me to find people who enjoy the work and don’t just look at it as a “job”.

3. Performance based education. Right now from what I found, Social-Engineer has the only performance based SE Certification around. I also favor the Offensive Security Certifications as they prove fortitude, persistence and critical thinking skills.

4. Critical thinkers. Probably one of the most important aspects of being a social engineer is being able to critically think. To adapt, flex and change your methods on the fly. To be able to think outside the box, as if there is no box.

5. Willingness to try new things. Many times my team will be required to try completely new things, new pretexts, new methodologies and new processes.

Does this mean that education is completely useless? No, not at all. Depending on the role we are looking for a degree can definitely add to usefulness and the position we use the person for.

If you are going to college already and you are thinking of a career in pentesting and maybe even social engineering, then there are some areas of study that can help. Things like computer sciences, psychology and social psychology can all help. Of course, we think everyone who wants to be a social engineer should take our 5-day “Advanced Practical Social Engineering” course too.

In the end, the fortitude to stick through college, study hard and graduate with good grades can tell a potential employer that you have some great qualities to make a good employee.

In the end of the day, social engineering is an exciting and very rewarding career path.  Study hard, stay out of trouble and get practical experience where you can and it may just be your career someday too.

Next month we will discuss the HOW.

‘Till then, stay safe.

Written by: Christopher Hadnagy