A Note from Social-Engineer:
We often get comments and questions sent in from readers. The top question we receive is, “what is it like to be a social engineer?” Recently, we sent 4 of our employees on an on-site social engineering engagement. We asked them to blog about their experience, tips and tricks, and lessons that they learned with you, our readers. As a special 4-part series, we will release one blog every week for the month of May. Each story is told from the individual’s viewpoint. We hope that you enjoy these blogs! To start off our series is our very own Maxie Reynolds.
As a young girl growing up in Scotland (picture the little girl from Brave with not the slightest hint of singing talent and also no castle to live in) I couldn’t have dreamt up the job of a social engineer. Now though, the intersection of security and social skill as a profession is just about the only thing I can imagine doing as a career. It’s brilliant, proactive and it’s something just about every business can benefit from, so, with a bit of luck, I can do it for a while to come (read: until too old to move). So, if you’d like an inside look at a week in the life of a social engineer, I hope this blog post can help out. What follows is a list of ‘helpful tips’ on what not to do on physical engagements and, maybe, a few things you should.
Social Skills and Lessons Learned
There’s something about using social skill to stress test a security system that fascinates me beyond most other subjects, but it’s not always easy to navigate. There are moralities you have to adhere to, and rightfully so, there are rules and etiquette and, importantly, there are lessons learned on every job.
Below are the lessons I learned from my very first team job with Social-Engineer, LLC (SECOM), and they hugged a steep learning curve. When I was breaking into banks in Australia as a social engineer, it was for a different company, I worked alone, had little to no training and just figured things out “on the go”. Now, as part of the SECOM family (queue Scottish clan music), we work as a team and learn from each other, plan as much as we can in advance, all the while trying to make a difference and not give Chris a heart attack. It’s like poetry in action. Minus Chris’s almost-heart attacks. Your inside look at a week in the life of a social engineer begins!
The Start of Any Job is Open Source Intelligence (OSINT)
This was my first engagement for SECOM, so I was little nervous. I’d never worked on a team doing physical engagements before and didn’t know what to expect. The client was a prestigious one, so I did what any respectable employee worth their salt would, I let my mind run rampant on the perfect pretext.
Helpful Tip Number 1: Do not panic about pretexts
Open Source Intelligence gathering (OSINT) is arguably the most vital part of any social engineering engagement – it forms the basis of your strategy and your pretext. You may find pretext-gold when performing OSINT, it might not be your currency if it leaves you vulnerable to doubt; it’s worth considering aligning your pretext with something that fits your personality and natural demeanor.
Helpful Tip Number 2: OSINT your outfits properly
How does one OSINT an outfit? Well a good outfit fits your pretext exactly. If you’re attempting to gain entry as a maintenance person, you might need more of a costume than an outfit. If you’re attempting to gain access as a high-level exec, you should dress professionally. You should also consider location, time of year, type of organization you’re going to in conjunction with the type of organization you’re using as a cover.
Pretexting outfits is a solid skill of mine though, and this time I took backups. We were there under the guise of clock maintenance, but I opted for business-professional attire. We were there, supposedly, inspecting before upgrading the system, so no special equipment was needed. I also took advantage of the colder climate by wearing a coat that concealed much of my outfit, which was beneficial for moving from building to building. You can simply take it off and look completely different. What I was not counting on was using the hairdryer at 6am every morning to get the creases out of my linen pants in lieu of an iron from the hotel and jumping over security desks in heels is also problematic for some.
To Wear Black…or Not?
Another tip to consider would be not wearing all black outfits on most jobs, which is sometimes my first thought for a couple reasons:
- I often wear all black in my normal day-to-day.
- We tend to think of black as a color that will reduce the likelihood of standing out.
It turns out, however, that all-black attracts more attention than it deflects, and that’s usually the opposite of what we are going for. This holds especially true if you’re doing nighttime break-ins that run the risk of employee interaction; you want to fit in and all black, somehow, screams criminal. Of course, if your scope states a nighttime break in, undetected and without any company interaction, all black might be your best friend. It’s context dependent.
A good point to note here is that the function of my pretext was to gain access to a building, so I could enumerate vulnerabilities for the client. It furnishes the execution via OSINT. You are not, however, supposed to carry out the job of the person you’re pretexting as to its full capacity. Don’t get me wrong, you can use it as a cover as an when needed, but the focus of the pretext doesn’t have to be on your mind the whole time. What I did was to go full method actor on the whole thing and carry out the job of my pretext. This, alas, is not ideal.
Helpful Tip Number 3: Do not do the actual job of your pretext
I was there as a “Clock Fixer”, a title slightly altered to protect the privacy of the client. I knew I’d gone off the deep end when we were on the way to our first building and I could recite the internal workings of a clock and gravity’s effect upon the hands perfectly. And then, when we got inside, I proceeded to take pictures of clocks, which I’m pretty sure ticked a few people off…
It looked legitimate if you were watching via CCTV, though. It also allowed me to take images of the right kind of items and vulnerabilities we were looking for, like company cards on desks, signed checks and handwritten passwords, because my phone had a good reason to be out. But you don’t know pain until you’ve had to delete three-hundred clock pictures one-by-one from your evidence file.
Helpful Tip Number 4: Be a team player always
Now, there are many permutations of how a large social engineering team can be configured. In our case, we portioned ourselves out into pairs to facilitate this pretext optimally and get inside. And let’s say you do get in like we did, team variations aside, well you should one-hundred thousand percent not leave one of your team behind.
I left someone behind.
Day-to-day, I’m pretty easy going for the most part. Alas, as soon as there’s a hint of a task in the air, I turn into Taskzilla and could make a Navy Seal Master look like a declawed kitten. A few of the team were new to these types of engagements, and I knew that, but instead of walking them through it whilst inside, I focused on the task and left them to wonder. So, it took hindsight (and a short call from my boss) to know that, whilst the task was important and completion was crucial, being a team player at all times was too.
Your Inside Look at a Week in the Life of a Social Engineer — When It’s All Over
To summarize, what I learned from this one job surpassed my wildest expectations. The whole job had turned out to be a success as well as a steep learning curve and I can’t give one of my usual sarcastic quips for this, but I can say that working as a team and experiencing team success was, professionally speaking, life changing for me. It reinforced the foundation of any job well done, which is OSINT. Plus, there’s always someone delegated for the food run and that’s something I thought only happened in the movies. Everything new I learned wasn’t additive, it actually multiplied the level of love I have for this job and industry as a whole. I hope you enjoyed your inside look at a week in the life of a social engineer!
Written by: Maxie Reynolds
Check out the second blog in this series, Breaking in for NOOBZ!: Social Engineering Onsite Infiltration, written by Curt Klump.