A Path to Social Engineering

Through my years in the information technology world and into the information security world, I have met numerous personality types, from young go-getters to older seen-it-all types and everything in between. The terms extrovert and introvert are well represented in these types. Coupled with the ups and downs of life outside of work, those interactions set up opportunities and identified obstacles that provided, for me, a path to SE.

When I was first starting out back in the day (the early ’90s), I was a very quiet, learn-on-the-job type of person. I didn’t go to school to be in the computer industry. In fact, I went to art school for a very short period of time. So, when I finally got my first desktop support position, talking to people was not my strong suit. I put most of my focus on talking to the computers around me, and my managers saw that that is where I was best utilized. So, I was moved to server support pretty quickly.

Time went on and I kept learning and getting better at my tradecraft over the years with very little social interaction, and any I did have was not very successful. What does any of this have to do with social engineering, you may be asking? In my experience, the fundamental puzzle piece to social engineering is the ability to start and carry on a conversation, so the target begins to trust you and doesn’t get suspicious of the questions and requests you end up asking. This applies to phishing, vishing, and impersonation in different but similar ways. Not being a skilled conversationalist could impact one’s ability to do this job professionally. Although it may be hard for an introvert, like myself, to step up and do the job, what can introverts do to learn to be successful social engineers with this hurdle?

Figure Out How to For Yourself

For me, it took a roller coaster of a ride to figure out how to deal with my natural tendencies, my own emotions and build up a work ethic that suited me. For you it will likely be a different path, but the results can very much be the same. Use your own story, and the events that happen, to shape who you are and use that to your advantage.

For me, I spoke about it all in my DEF CON 26 speech, “From Introvert to SE: The Journey,” in the SEVillage. I took some risk in trying out new social situations in the role of a researcher. That led me to the path where I found my wonderful wife. Then, I took a huge risk career-wise to start in the security field, where I had no directly applicable experience beyond sysadmin skills. And, I kept taking risks that would challenge me directly to step out of my comfort zone.

You need to balance risk with reward to figure out how much you can endure, before it is not worth it. I developed a high tolerance for being uncomfortable, because my desire to be good at what I do professionally was a stronger motivator than the draw of my comfort-zone. That line is different for everyone, but it is also movable as long as you want to move it.

I might sound redundant, but all the obstacles, trials and tribulations it takes to accomplish anything worthwhile in life come down to how much you want, and are willing, to do to accomplish your goal. Nothing would have motivated me to be where I am today, if it were not for the changes I made in myself during the run up to my career change. For me it couldn’t have happened earlier, because I didn’t see the benefit to the changes.

Here is a key point for my path. All the risk and all the discomfort I was willing to endure made becoming a professional social engineer seem like a natural progression of personal growth.

How Does Me Being Me Benefit the Industry?

An introverted mind is one of introspection, planning, and resourcefulness. Being able to scope out a situation, make a plan, have one or more backup plans and then execute on them, rather than running into a room full of armed guards and winging it, not only fits my personality and communication style (CS on the DISC map for those wondering), it also allows for just the right amount of uncomfortableness (room full of armed guards and all) without being so overwhelming that I can’t act. This is also good for the team as a whole, so not everyone is forced to think through every scenario in all the situations on their own.

Also, because I naturally don’t speak to many people, I utilize ego suppression very effectively to get help from others. Ego suppression can be really hard for many people to master, because no one wants to feel weaker than, or not as smart as, the person they are talking to. That is very natural. When you suppress the need to be right or smarter than others, it gives your target the opportunity to feel smarter and more important. It makes it easier for them to let their guard down for the social engineer. I have seen it work so many times, I lost count.

Social Engineering on a Personal Level

I hope you can see that the willingness to make changes positively affected my career, but that same path enriched my personal life as well. I am now able to converse with total strangers in a manner that did not seem possible before I started this adventure. It has allowed me to meet so many new, interesting people and further solidify friendships that my entire world is more open and fulfilling. Social engineering skills are usable and meaningful in everyday situations that have nothing to do with information security, and that practice makes the skills easier to employ in security engagements.

If you are interested in the fields of social psychology, information security, or emotional maturity, then social engineering is a field you should look into. If you look hard enough and want to learn new things about yourself and those around you, no matter what your personality type is, you too can build a path to SE.

Written By: Ryan MacDougall

Image: http://clipart-library.com/clipart/954646.htm