2024 State of Vishing Report

My First Pen-Testing Onsite Social Engineering Engagement

Shelby Dacko

Share This Post

A couple weeks ago I was able to join my team on my first pen-testing onsite social engineering engagement. This means we were hired to physically enter as many approved buildings as we could, either through the front door and past security or by some other means. We had three days and three nights to do so. I had spent the last 10 months (the full length of time of my involvement in the industry up until this point) wavering between excitement and fear of my first onsite engagement. I had two main goals for myself for the week: One, get in the door. Two, don’t blow it for the team.

 Pen-Testing Onsite Social Engineering Engagement
Shelby Dacko

The Benefit of Having a Team

On the first day of our pen-testing onsite social engineering engagement, I was a ball of anxiety. I tend to want to plan, plan, and plan some more. This is not ideal in an onsite social engineering setting (cue nervous laugh). After planning with the team, we were sitting in our hotel lobby.  At this point, we had decided on our course of action. The difficulty for me was that we weren’t acting. This pause just escalated my mounting nervousness. I could feel myself going into panic mode. I told my team this and asked if we could get started. They are all great and immediately agreed, so off we went.

This was the first of many occasions throughout the week where I saw the benefit of having a team rather than working solo. Had I been there alone, I would have been tempted to go home, curl up with a book, some tea, and act as the entire excursion had been a slightly stressful dream. As nice as that would have been for me at the moment, it may not have been the greatest career choice.

Set Specific Goals

I quickly realized I had effectively set myself up for failure by focusing on that one goal; Get in the building. I say this because approximately 5 seconds after stepping into the first client building, I realized I had no idea what to do next. Why did that happen? I had been prepared for this. Our team leader had told us what to do next, what to look for. Why did I feel lost? It felt like all of my anxiety had built up to this moment. Once I stepped through that door, I felt I had accomplished my biggest goal. But then immediately after, the adrenaline and nerves took over again and left me unable to recall the next step.

This was the second time I realized how beneficial it was to have a team. In a burst of brilliance (sarcasm), I looked to my partner and proceeded to copy everything she was doing. Having someone who knew the next step pushed me back into focus. Now, imagine if I had been on my own. I would have gone right back to my book and tea.

Lessons from the Team

Throughout the week, I felt like the least useful one on the team. I was there as the one newest to the industry, the one who made the most obvious mistakes, and the one who struggled to get started. However, I can say this without complete shame and time spent crying over my failures. Why? Because my team is awesome. I learned valuable lessons from each and every person involved. I’ve included some of my favorites here so you can benefit from them as well:

Keep Pushing

Don’t let your nerves get the best of you. If you act and believe that you belong, others will believe it too.

Play the Bias to Your Advantage

This is not a bias-free industry. Play to that. It may not be “right”, but it can work to your advantage. For example, when I was with a team member, I never played the authority pretext. Due to my physical appearance and nervousness, I didn’t feel that employees would automatically believe I was in charge. Because of this, we decided to play to their expectations. The second the person you’re talking to starts thinking things through, the harder your job becomes. Each pretext and role have their advantages. For example, people were generally more willing to help me out over my “bosses”. Don’t fight the bias because of pride; play to the bias for the success of the job.

Don’t Avoid Awkward Situations

I can’t tell you how many times I have cut a conversation short because of a moment that I perceived as awkward. I feel that the other person is uncomfortable, so I quickly fill the silence. Often, what people say in that silence is what we, as social engineers, are looking for. Letting these “awkward” moments happen can lead to some of the best successes.

Prepare Like You’re the Only One on the Job

For the next onsite social engineering engagement I go on, I plan to prepare like I am the only one going. Planning this way will help me identify and understand how I can better contribute to the team.

Next Time

Because I was able to work with such a skilled group of people, I now know what I can improve on my next job, and what I can accomplish. They helped cover my weaknesses and enhance my strengths. I genuinely don’t believe we would have been as successful without each other’s support (and the occasional joke at each other’s expense). Thanks to them, I am genuinely looking forward to our next job!

Written by: Shelby Dacko

More To Explore

Learning from the MGM Security Breach
Protect Yourself

Learning from the MGM Security Breach 

In the rapidly evolving digital landscape, no entity is immune to the pervasive threat of cyberattacks. The security breach at MGM Resorts highlights the vulnerability of even massive organizations. As

Smishing attacks in the news

SMiShing Attacks in the News 

SMiShing Attacks in the News In February 2024, 19.2 billion spam texts bombarded U.S citizens according to a recent report. As annoying as spam texts are, they are not always