Social-Engineer Newsletter Vol 08 – Issue 113

by SEORG on February 7, 2019

Train as a Social Engineer: The Value of Creating Environments

When I am not wearing my Social Engineering (SE) hat, I am often wearing
the hat of “working dog trainer.” What does this mean? It means my dogs
and I train in a variety of useful areas, obedience and tracking being
some of the main events. The ladies (aka my dogs) can track articles of
clothing, metal, and types of plastic, all because of this training and,
more importantly though less glamourous, they will sit when I ask,
anywhere, no matter what. This includes if they are off-leash and a
moose is barreling by (true story, thanks Colorado). You may be asking
yourself, “how did she get this to occur?” And you are most likely
wondering, “What does this have to do with Social Engineering?” The
answers to both of these questions are the same; you must create the
environments to learn social engineering

The
ladies sit whenever I ask because they have been trained, under a
variety of escalating situations, that they follow sitting protocol no
matter what. When they were puppies, they would have a leash tied to a
post on one collar, and a leash in my hand on another collar. They would
be told “sit,” praised, and once they had nailed that we would repeat
the drill, this time with a high value toy. I’d wave the toy in front of
their face, and if they tried to jump at it, I would keep them in a sit
via the leash in my hand. You could see it in their faces, all they
wanted was that ball. They wanted it so badly. However, they were
learning that our policy is, “you sit unless you’re told to break.”

Sponsorships Available

Training Through Environment Creation

This
is the same methodology that should be applied to learning to be a
social engineer and, if this applies to you, social engineering
awareness training within your company. I created the environment and
events that were used to train the dogs. I introduced the high-value toy
and put them in a situation where they were tempted to break policy
and, instead, were taught how to behave in that situation that would be
applied later in more intense situations.

This practice can be applied to so many elements in life including your journey to becoming an SE and, for those of you managing security teams, your vishing, phishing, and red teaming programs. On the corporate side, you have heard from my colleague Ryan about the values of creating strong and properly executed phishing and impersonation programs that increase in difficulty over time that is appropriate for the skill level of your user base. If you work with security training programs, I cannot stress enough the value of creating the correct environments to learn social engineering. These environments should use escalating, real-world events to test your userbase against common social engineering attack vectors. However, what do you do to train yourself as a social engineer? To effectively do this, you must create the environment in which you test and train the skills you need to grow to your next level of SE. Let’s explore how to do this for ourselves to improve as social engineers.

Train as a Social Engineer: The value of creating environments

Creating Your Own Environments to Learn Social Engineering

If
you are looking to enter the field of SE, you must first assess the
requirements for the role and your current skill level. Social engineers
need many skills, but a few important ones are human interaction,
reacting quickly in unfamiliar situations, critical thinking,
ego suspension, and a constant desire to reassess, grow, and try new
things. These skills are not often viewed as hard skills, but they can
absolutely be trained like them.

If
you are looking to practice your SE skills, you will need to create the
environment in which you can learn. Even if your company runs a great
security awareness program, that is teaching you the defense against SE.
How do you train for your debut as the SE on the red team? Try some of
the following drills by creating events and environments where you must
exercise the appropriate skillsets:

Physical
environments: Pick a venue and, if this drill is new to you, you can
choose one that is familiar. Decide on an informational flag to get from
strangers. Start easy with things like, what did they do today, where
do they work, what is their name? Over time, begin choosing more
challenging, less familiar environments for this drill and increase the
sensitivity of the flag you are going for. Practice asking specific
questions of unfamiliar people in unfamiliar situations and increase
your own difficulty over time.
DISCLAIMER: Remember – our goal as white hat social engineers is to leave others feeling better for having met us, per the SE code of ethics. Do not seek to obtain sensitive PII. Try questions that escalate in emotional depth and non-PII informational content.

Mental
environments: Challenge your version of comfortable. This practices ego
suspension. Have you ever seen something and immediately felt
resistant? Perhaps an article from a publication you typically don’t
agree with, or an opposing opinion piece on a topic you are passionate
about. When you feel yourself think, “no – I won’t read that for X
reason,” do it anyway. Enter with an open mind and challenge your status
quo. This job does that all the time.

Learning
environments: Take an improv class. This can teach you to react in
unfamiliar situations and think through conversational pathways on the
fly.

While
attempting any of these drills, take notes on the interactions and
environment. Was there anything that you could have improved upon? Was
there an opportunity for rapport building you didn’t capitalize on?
Could you have used an influence principle to better effect? Would a different setting have changed things? How? Analyze your own behavior and identify your areas for improvement.

Like
the pups, we all benefit from creating real-world events that escalate
in difficulty over time in which we can practice our training and
skills. It’s better to learn in controlled environments before game-time
comes in the real world. Does creating your own training environment
seem daunting? We’ve got you covered! Our courses are designed to do
just this – provide real world training environments for current and
future SEs. Blood, sweat, tears, and countless hours of work have been
invested by the great folks here at SECOM to create the following
amazing courses:

Advanced Open Source Intelligence, next offered April 23-24, 2019 in Denver, CO will teach you OSINT skills and allow you to apply them in practical challenges.
Advanced Practical Social Engineering (APSE) in Bristol, UK May 13-17 and Aug 3-6 at Black Hat USA offers amazing instructional content and specifically curated homework to improve your social engineering.
Masters
Level Social Engineering (MLSE) is available to APSE alums where you
will practice physical entry and extreme social engineering skills. This
course is full for 2019 so get into a 2019 APSE course to be eligible
in 2020.

Ready to practice your SE skills at the next level? Registration is now open for the SECTF at DEF CON 27!! Sign up now and start creating your amazing video so we can get to know you.

Get out there, create some learning environments, and become better SEs!

Written By: Cat Murdock
Twitter: @CatMurd0ck

Sources:
https://twitter.com/search?q=joemontmania
https://www.social-engineer.com/what-is-critical-thinking/
https://www.social-engineer.com/in-2019-test-impersonation-attacks/
https://www.social-engineer.com/not-all-phishing-programs-are-created-equal/ https://www.influenceatwork.com/principles-of-persuasion/
https://www.social-engineer.org/sevillage-def-con/the-sectf/
https://www.blackhat.com/us-19/training/schedule/index.html#advanced-practical-social-engineering-13984
https://www.social-engineer.com/store/#!/13-17-May-2019-Advanced-Practical-Social-Engineering-Bristol-UK/p/116061101/category=0
https://www.social-engineer.com/store/#!/23-24-April-2019-Advanced-OSINT-for-Social-Engineer-Denver-Colorado/p/116061102/category=0