People often ask, “How can I become a social engineer?” or “How can I practice social engineering techniques without breaking the law?” Those are good questions, and we can appreciate their desire to stay within their local laws.
Answering the second question first
How can I practice social engineering techniques without breaking the law? One way to explain this is to think about our definition of social engineering in the context of communication. Think about the definition as “a conversation with intent.” Notice there is nothing malicious in there. There is no specific goal of obtaining sensitive information. It is just to have a conversation with someone, with a specific intent. For example, let’s say my intent is to learn someone’s middle name. To do that, I would steer the conversation to my fascination with middle names. How did the family choose it? Does it have any kind of meaning? Then I would voluntarily give the person my middle name and hope they offer theirs (quid pro quo). If they don’t, I would just ask.
Back to the first question
How do I become a social engineer? People who work, or want to work, in the information security industry will sometimes also want to be a social engineer, or just want to add those skills. At Social-Engineer, LLC. we have a curriculum of courses that people can take to accomplish those goals. In a previous blog post, we introduced you to the Foundational Application of Social Engineering (FASE) class. This course is our recommended entry to this learning path. The class will teach you many of the concepts of influence, rapport-building, and the psychology that goes into social engineering, along with actual practice with real people. Upon completing FASE, the next step is to take the Practical Application of Social Engineering (PASE) course.
People who work as social engineers in information security will often be tasked with performing phishing and vishing engagements. They’ll be asked to find vulnerabilities that malicious actors may find through interacting with a company’s employees. These engagements are a test of how well the employees have understood and absorbed the security training they have received and the policies their companies have in place.
The PASE class is, as the name indicates, both practical and hands-on. This course will have the students executing email phishing campaigns against real human targets. The students will also make phone calls to people to obtain specific information. The people being contacted are not aware that this is a test. However, we do have permission through their employer to make these calls and send these emails.
To give an overview of the course, we assign each student a number of human targets and start with the Open-Source Intelligence (OSINT) techniques that will be needed. There are many OSINT courses available, but one thing that makes this part of our course different is the intent. The OSINT skills that we teach are for the main purpose of being able to create an effective social engineering engagement against human targets. We aren’t just looking for every morsel of information about the people. Rather, we are looking for actionable intelligence that will further our goal of a successful social engineering attack.
Once the actionable intelligence has been gathered, we move on to starting a vishing, or voice-phishing, engagement. Students will then use the information they found to craft a pretext and persona to call their targets. These calls will attempt to elicit specific information from the targets, using the techniques learned in this and the FASE course.
Finally, we’ll move on to creating spear phishing, or targeted phishing, campaigns against the assigned employees. Again, the intelligence that was gathered in the OSINT phase will lead toward a believable pretext that could result in the target opening the email, clicking the link, or submitting additional sensitive information.
By the end of the class, the students will also be exposed to a reporting component, as the written report is often the most valuable part of the entire engagement. The course will show a sample of a report format used for a social engineering risk assessment and allow students to write their own. Students will need the ability to write a professional report to pass the Certified Ethical Social Engineering (CESE) certification exam.
By the time you complete the FASE and PASE courses, you’ll be eligible to attempt and successfully complete the coveted and respected CESE certification. This combination will give you the knowledge, experience, and understanding to create your own social engineering campaigns. You’ll be developing the goals and intents, evaluating risk, and understanding the principles and the psychology as applied to real human targets. You’ll also be able to deliver a valuable report that gives all the necessary insight that business leaders demand to show return on investment on any security testing or program.
Sign up today and claim your seat at a discounted price! A discount is available until June 25, 2023. 42% off the Jun 26-29 Virtual PASE Class – Coupon Code: THANKSFORTHEPHISH
Written by: Patrick Laverty