Train as a Social Engineer: The Value of Creating Environments

When I am not wearing my Social Engineering (SE) hat, I am often wearing the hat of “working dog trainer.” What does this mean? It means my dogs and I train in a variety of useful areas, obedience and tracking being some of the main events. The ladies (aka my dogs) can track articles of clothing, metal, and types of plastic, all because of this training and, more importantly though less glamorous, they will sit when I ask, anywhere, no matter what. This includes if they are off-leash and a moose is barreling by (true story, thanks Colorado). You may be asking yourself, “how did she get this to occur?” And you are most likely wondering, “What does this have to do with Social Engineering?” The answers to both of these questions are the same; you must create the environments to learn social engineering.

The ladies sit whenever I ask because they have been trained, under a variety of escalating situations, that they follow sitting protocol no matter what. When they were puppies, they would have a leash tied to a post on one collar, and a leash in my hand on another collar. They would be told “sit,” praised, and once they had nailed that we would repeat the drill, this time with a high value toy. I’d wave the toy in front of their face, and if they tried to jump at it, I would keep them in a sit via the leash in my hand. You could see it in their faces, all they wanted was that ball. They wanted it so badly. However, they were learning that our policy is, “you sit unless you’re told to break.”

This is the same methodology that should be applied to learning to be a social engineer and, if this applies to you, social engineering
awareness training within your company. I created the environment and events that were used to train the dogs. I introduced the high-value toy and put them in a situation where they were tempted to break policy and, instead, were taught how to behave in that situation that would be applied later in more intense situations.

This practice can be applied to so many elements in life including your journey to becoming an SE and, for those of you managing security teams, your vishing, phishing, and red teaming programs. On the corporate side, you have heard from my colleague Ryan about the values of creating strong and properly executed phishing and impersonation programs that increase in difficulty over time that is appropriate for the skill level of your user base. If you work with security training programs, I cannot stress enough the value of creating the correct environments to learn social engineering. These environments should use escalating, real-world events to test your user-base against common social engineering attack vectors. However, what do you do to train yourself as a social engineer? To effectively do this, you must create the environment in which you test and train the skills you need to grow to your next level of SE. Let’s explore how to do this for ourselves to improve as social engineers.

Train as a Social Engineer: The value of creating environments

Creating Your Own Environments to Learn Social Engineering

If you are looking to enter the field of SE, you must first assess the requirements for the role and your current skill level. Social engineers need many skills, but a few important ones are human interaction, reacting quickly in unfamiliar situations, critical thinking, ego suspension, and a constant desire to reassess, grow, and try new things. These skills are not often viewed as hard skills, but they can absolutely be trained like them.

If you are looking to practice your SE skills, you will need to create the environment in which you can learn. Even if your company runs a great security awareness program, that is teaching you the defense against SE. How do you train for your debut as the SE on the red team? Try some of the following drills by creating events and environments where you must exercise the appropriate skillsets:

  • Physical environments: Pick a venue and, if this drill is new to you, you can choose one that is familiar. Decide on an informational flag to get from strangers. Start easy with things like, what did they do today, where do they work, what is their name? Over time, begin choosing more challenging, less familiar environments for this drill and increase the sensitivity of the flag you are going for. Practice asking specific questions of unfamiliar people in unfamiliar situations and increase your own difficulty over time.

    DISCLAIMER: Remember – our goal as white hat social engineers is to leave others feeling better for having met us, per the SE code of ethics. Do not seek to obtain sensitive PII. Try questions that escalate in emotional depth and non-PII informational content.

  • Mental environments: Challenge your version of comfortable. This practices ego suspension. Have you ever seen something and immediately felt resistant? Perhaps an article from a publication you typically don’t agree with, or an opposing opinion piece on a topic you are passionate about. When you feel yourself think, “no – I won’t read that for X reason,” do it anyway. Enter with an open mind and challenge your status quo. This job does that all the time.

  • Learning environments: Take an improv class. This can teach you to react in unfamiliar situations and think through conversational pathways on the fly.

While attempting any of these drills, take notes on the interactions and environment. Was there anything that you could have improved upon? Was there an opportunity for rapport building you didn’t capitalize on? Could you have used an influence principle to better effect? Would a different setting have changed things? How? Analyze your own behavior and identify your areas for improvement.

Like the pups, we all benefit from creating real-world events that escalate in difficulty over time in which we can practice our training and skills. It’s better to learn in controlled environments before game-time comes in the real world. Does creating your own training environment seem daunting? We’ve got you covered! Our courses are designed to do just this – provide real world training environments for current and future SEs. Blood, sweat, tears, and countless hours of work have been invested by the great folks here at SECOM to create the following amazing courses:

Ready to practice your SE skills at the next level? Registration is now open for the SECTF at DEF CON 27!! Sign up now and start creating your amazing video so we can get to know you.

Get out there, create some learning environments, and become better SEs!

Written By: Cat Murdock