A couple weeks ago I was able to join my team on my first pen-testing onsite social engineering engagement. This meansāÆwe were hiredāÆto physically enter as many approved buildings as we could, either through the front door and past security or by some other means. We had three days and three nights to do so. I had spent theāÆlast 10 months (the full length of time of my involvementāÆināÆthe industry up until this point) wavering between excitement and fear ofāÆmy first onsite engagement. I had two main goals for myself for the week: One, get in the door. Two, donāt blow it for the team.
The Benefit of Having a Team
On the first day of our pen-testing onsite social engineering engagement,āÆIāÆwasāÆa ball of anxiety. I tend to want to plan, plan, and plan some more. This is not ideal in an onsite social engineering settingāÆ(cue nervous laugh).āÆAfter planning with theāÆteam, we were sittingāÆin our hotel lobby. āÆAt this point, we had decided on our course of action. TheāÆdifficultyāÆfor me was that we werenāt acting.āÆThis pause just escalated my mounting nervousness. I could feel myself going into panic mode. I told my team this and asked if we could get started. They are all great and immediately agreed, so off we went.
This wasāÆthe first of many occasions throughout the week where I saw the benefit of having a team rather than working solo. Had I been there alone, I would have been tempted to go home, curl up with a book, some tea, and act as the entire excursion had been a slightly stressful dream. As nice as that would have been for me at the moment, it may not have been the greatest career choice.
Set Specific Goals
IāÆquickly realized I had effectively set myself up for failure by focusing on that one goal; Get in the building.āÆI say this because approximately 5 seconds after stepping into the first client building, I realized I had no idea what to do next. Why did that happen? I had been prepared for this. Our team leader had told us what to do next, what to look for. Why did I feel lost? It felt like all of my anxiety had built up to this moment. Once I stepped through that door, I felt I had accomplished my biggest goal. But then immediately after, the adrenaline and nerves took over again and left me unable to recall the next step.
This was the second time I realized how beneficial it was to have a team. In a burst of brilliance (sarcasm), I looked to my partner and proceeded to copy everything she was doing. Having someone who knew the next step pushed me back into focus. Now, imagine if I had been on my own. I would have gone right back to my book and tea.
Lessons from the Team
Throughout the week, I felt like the least useful one on the team. I was there as the one newest to the industry, the one who made the most obvious mistakes, and the one who struggled to get started. However, I canāÆsay this without complete shame and time spent crying over my failures. Why?āÆBecause my team is awesome. I learned valuable lessons from each and every person involved. Iāve included some of my favorites here so you can benefit from them as well:
Keep Pushing
Donāt let your nerves get the best of you. If you act and believe that you belong, others will believe it too.
Play the Bias to Your Advantage
This is not a bias-free industry. Play to that. It may not be ārightā, but it can work to your advantage. For example, when I was with a team member, I never played the authority pretext. Due to myāÆphysical appearanceāÆand nervousness, I didnāt feel that employees would automatically believe I was in charge. Because of this, we decided to play to their expectations. The second the person youāre talking to starts thinking things through, the harder your job becomes. Each pretext and role have their advantages. For example, people were generally more willing to help me out over my ābossesā. Donāt fight the bias because of pride; play to the bias for the success of the job.
Donāt Avoid Awkward Situations
I canāt tell you how many times I have cut a conversation short because of a moment that I perceived as awkward. I feel that the other person is uncomfortable, so I quickly fill the silence. Often, what people say in that silence is what we, as social engineers, are looking for.āÆLetting these āawkwardā moments happenāÆcan lead to some of the best successes.
Prepare Like Youāre the Only One on the Job
For the nextāÆonsite social engineering engagementāÆI go on, I plan to prepare like I am the only one going. Planning this way will help me identify and understand how I can better contribute to the team.
Next Time
BecauseāÆIāÆwas able toāÆworkāÆwithāÆsuchāÆaāÆskilled group of people,āÆI now know what I can improve onāÆmyāÆnextāÆjob, and what IāÆcanāÆaccomplish.āÆTheyāÆhelped cover my weaknesses and enhance my strengths.āÆI genuinely donāt believe we would have been as successful without each otherās support (andāÆthe occasional joke at each otherās expense). Thanks to them, I am genuinely looking forward to our next job!
Written by: Shelby Dacko
Sources:
https://www.social-engineer.com/services/social-engineering-penetration-test/
https://www.social-engineer.org/general-blog/introverted-social-engineer/
https://time.com/5312483/how-to-deal-with-impostor-syndrome/
