When I was asked to be part of my first onsite social engineering (SE) engagement, I was SO thrilled, psyched, excited, and exceedingly nervous. However, when I was asked to write a blog about it afterwards, I was more like, but was it actually real? Did I do what I thought I did? It was all a haze of sleepless nights and surging rushes of adrenaline. Working at Social-Engineer LLC (SECOM) for over 5 years now, many valuable lessons have been hammered into me, but now… they were made real, very real.
New lessons were also learned, and I learned those only from working with the amazing team we had onsite. I’ll break it down simply here, and then explain more as we go along in the story:
- Confidence and a good pretext are KEY to any SE engagement, but especially onsite impersonation.
- Confidence IN your pretext leads to success, (Even if you fail the first time.)
- A good team supports, balances, and fills in gaps we may have as an individual.
- Keeping the goal in mind is super important, both on a large scale and in each individual task.
- Props are comforting, reinforcing, but maybe not always needed?
- We have the best team we’ve had at SECOM…EVER.
- You really can leave people feeling better for having met you even while doing this!
Now that you’re primed and ready for this adventure, let’s get started on the wild ride of a story that was my first Onsite SE gig.
Preparations Begin for Onsite Social Engineering Engagement
Our assignment was to break into 9 different buildings over a span of three days. We had 3 instructors and leaders alongside a group of people who’d never done this before. Our preparations began months prior, with our team doing open source intelligence (OSINT) gathering on the sites we were going to attack. First, we started looking into vendors, for pictures, outfits the employees and their service providers wore. From there we came up with several pretexts using utility workers, local contractors, and more. Finally, the week of the engagement arrived, however, tragedy struck. Two of our three leaders in the engagement were pulled away from us because of different circumstances.
The only fearless team leader we had left then asked that key question which guided the rest of the week, “So, have you given any thought to your pretexts?” We had a conference room round table meeting over coffee to discuss. Now while I thought I had a decent pretext as a local utility guy, with some prior work experience to back it up, it was another teammate who struck gold. She found out that they had a brand of clock that was about to go through a licensing update. With confidence, she rallied us and supplied us with falsified letters, information on their processes, and what exactly they did for the company. We felt somewhat ready, very enthusiastic, and exceedingly nervous.
Into Action, Onsite Social Engineering Begins!
So, readying our business casual outfits and our trusty clipboards, we set out for our first attempt at our first building. There, we would meet our match. A trained, aware, and diligent security guard who would not let us through. We were disappointed, but not burned yet. And, we had a little more to go off of for our next attempt. Now, at the second building, we had to gain access through a badge-only door. So, we began tailgating a pair of employees, when suddenly my partner turned to the side and confidently walked up to a different entrance. I paused for a moment, hurried after her, and found her with her hands around her eyes looking in through a glass door. A door which, much to my surprise, a distracted employee opened for us a moment later. We were in, into the breakroom at least.
From there, we took video of the whole building. We explored the top floor and the main floor, weaving in and out of cubicles. We exited past the guard, then re-entered to attempt to get into the bottom floor. On our second entry, we learned even more. “How?” you may ask. I simply engaged and chatted with the guard while my partner slipped into the bottom floor. What was the result? Success! I learned so much about their security protocol, possible ways around it, where it would be difficult to get into, and where it would be easy. My partner, meanwhile, got into the floor we missed and found more documents to photograph and cubicles to investigate! It was a success! We were thrilled and very keen to try some more.
Going It Alone
Later that day, as we were scoping out future sites for an evening attack, I got antsy to go into one of the buildings and try it alone. I needed to see whether or not I could do it by myself. So, after getting approval, I got another one of my teammates to take me there. Wielding my clipboard once more, I walked in through the front door, just as they were closing. And, I was …IN! That was the most surreal moment for me, personally. I was in, just me, convincing people of my pretext and getting more information (including just exactly what a guest badge looked like on the way out). That’s when I knew for sure I could do it, not only with anyone on my team, but on my own as well.
The rest of the day was spent preparing for a nighttime engagement, re-educating us on proper documentation, and really bonding as a team. Just a note, I love the people I work with but especially our last remaining team lead for the project. We know he was stressed, taking a group of noobs and training us all, but he did it. We learned what was important to take note of, and that, we didn’t really need some of the props we brought. Though, they certainly made me feel better for sure.
Learning Lessons and Making Friends
The next few days were spent breaking in and out of buildings, day and night, practicing skills that we needed. We tried, failed, tried again, and succeeded. We learned to push past what was comfortable for us and saw how each different team combo resulted in success in different ways. What did I learn? A lot of things.
- How to clone badges at 2am from another very tired teammate.
- That there are people that can fit into spaces I didn’t think humanly possible.
- That while I may not be very graceful at jumping desks, I have reliable teammates who are.
- Valuable lessons on where to focus my attention, and my camera.
- The value of pushing past where I’m comfortable, and when it’s important to fall back.
- How we can easily make friends, make so many people smile, and truly leave them feeling good even while doing this job.
This job was interesting for me in a way I’m not sure everyone will get, not because of some deeper understanding, but because of how it made me feel. As time goes on, and I do more jobs I will remember the names and faces of the people who were part of my first engagement; the people whom we were technically compromising but got to know. They’re almost friends in a way, and I look forward to the training they’ll receive, and then testing them again. I will also remember how my team stepped up at every opportunity, and I look forward to doing so much more with them.
Good Things and an End
When I first started planning this blog, I had several Ideas for how I wanted it to go. When I started writing though, I felt it was more important to just share the story, to let you know what it felt like to actually do it. While I can’t give you all the gritty details, I do look forward to meeting some of you at conferences and sharing the funny stories. I also look forward to making many more friends on jobs like this. I know as well, as a team we’re going to have so many more success stories to share soon enough. So, when you try out social engineering for yourself, remember to push past your own limitations. Try it, build confidence, smile, make friends, and you’ll learn some of these exact same lessons I did. I also hope you find a team as great as the one we have…But for that, I think you’d need to come work for Social-Engineer.
Written by: Colin Hadnagy