coming_up.md 8.2 KB
title: What's coming up? course: human_hacking section: "Introduction"
layout: lesson
This course is designed to cover all aspects, tools and skills used by professional and malicious social engineers. Each chapter delves deep into the science and art of a specific social engineering skill to show you how it can be used, enhanced and perfected.
The next lesson of this chapter, "Overview of Social Engineering", defines social engineering and what roles it plays in society today, as well as the different types of social engineering attacks, including other areas of life where social engineering is used in a non-malicious way. I will also discuss how a social engineer can use the social engineering framework in planning an audit or enhancing his own skills.
Section 2 is where the real meat of the lessons begins. Information gathering is the foundation of every social engineering audit. The social engineer's mantra is, "I am only as good as the information I gather". A social engineer can possess all the skills in the world, but if he or she doesn't know about the target, if the social engineer hasn't outlined every intimate detail, then the chance of failure is more likely to occur. Information gathering is the crux of every social engineering engagement, although people skills and the ability to think on your feet can help you to get out of a sticky situation. More often than not, the more information you gather, the more better your chances of success.
These questions will be answered in the following section:
What sources can a social engineer use?
What information is useful?
How can a good social engineer collect, gather and organise this information?
How technical should a social engineer get?
How much information is enough?
After the analisation of information gathering, the next topic addressed in section 2 is comunication modeling. This topic closely ties in with information gathering. First, I will discuss what communication modeling is and how it began as a practise. Then, the chapter walks through the steps needed to develop and then use a proper communication model. It outlines how a social engineer uses this model against a target and the benefits in outlining it for every engagement.
Section 3 covers elicitation, the next logical step in the framework. It offers a very in-depth look into how questions are used to gain information, passwords, in-depth knowledge of the target and his or her company. You will learn what is good an proper elicitation and learn how important it is to have your elicitations planned out.
Section 3 also covers the important topic of preloading the target's mind with information to make your questions more readily accepted. As you unravel this section, you will clearly see how important it is to become an excellent elicitor. You will also clearly see how you can use that skill not just in your security practises but in daily life.
Section 4, which covers pretexting is powerful. This heavy topic is one of the critical points for many social engineers. Pretexting involves developing the role the social engineer will play for the attack on the company. Will the social engineer be a customer, vendor, tech support, new hire or something equally realistic and believable? Pretexting involves not just coming up with the storyline but also developing the way your persona would look, act, talk, walk; deciding what tools and knowledge they would have; and then, mastering the entire package so when you approach the target, you are that person and not simply playing a character. The questions covered include the following:
What is pretexting?
How do you develop a pretext?
What are the principles of a successful pretext?
How can a social engineer plan and then execute a perfect pretext?
The next step in this course in one that can fill volumes. Yet it must be discussed from the viewpoint of a social engineer. Section 5 is a no-holds-barred discussion on some very confrontational topics, including that of eye cues. For example, what are the varying options of some professionals about eye cues and how can a social engineer use them?. The section also delves into the fascinating science of microexpressions and its implications on social engineering.
Section 5 goes on analysing the research, yielding answers to these questions:
Is it possible to use microexpressions in the field of security?
How would you do so?
What benefit are microexpressions?
Can people train themselves to learn how to pick up on microexpressions automatically?
After we do the training, what information is obtained through microexpressions?
Probably one of the most debated-on topics in Section 5 is neurolinguistic programming (NLP). The debate has many people undecided on what it is and how it can be used. Section 5 presents a brief history of NLP as well as what makes NLP such a controversy. You can decide for your whether NLP is usable in social engineering.
Section 5 also discusses one of the most important aspects of social engineering in person or on the phone: Knowing how to ask good questions, listen to responses and then ask more questions. Interrogation and interviewing are two methods that law enforcement has used for years to manipulate criminals to confess as well as to solve the hardest cases. This part of section 5 puts to practical use the knowledge you gained in section 3.
In addition, Section 5 discusses how to build instant rapport - a skill you can use in everyday life. The chapter ends by convering my own personal research into "the human buffer overflow": the notion that the human mind is much like the software that hackers exploit every day. BY applying certain principles, a skilled social engineer can overflow the human mind and inject any command they want.
Just like hackers write overflows to manipulate software to execute code, the human mind can be given certain instructions to, in essence, "overflow" the target and insert custom instructions. Section 5 is a mind-blowing lesson in how to use some simple techniques to master how people think.
Many people have spent their lives researching and proving what can and does influence people. Influence is a powerful tool with many facets to it. To this end, section 6 discusses the fundamentals of persuasion. The principles engaged in Section 6 will start you on the road toward becoming a master of persuasion.
The chapter presents a brief discussion of the different types of persuasion that exist and provides examples to help solidify how you can use these factes in social engineering.
The discussion doesn't stop there - framing is also a hot topic nowadays. Many different opinions exist on how one can use framing and this course shows some real-life examples of it. Then, dissecting each, I take you to the lessons learned and things you can do to practise reframing yourself as well as use framing in everyday life as a social engineer.
Another overwhelming theme in social engineering is manipulation:
What is its purpose?
What kinds of incentives drive manipulators?
How can a person use it in social engineering?
Section 6 presents what a social engineer needs to know on the topic of manipulation and how to successfully apply such skills.
Section 7 covers the tools that can make a social engineering audit more successful. From physical tools such as hidden cameras to software-driven information gathering tools, each section covers tested-and-tried tools for social engineers.
Once you understand the social engineering framework, Section 8 discusses some real-life case studies. I have chosen two excellent accounts from the world-renowed social engineer Kevin Mitnick. I analyse, dissect and then, propose what you can learn from these examples and identify the methods he used from the social engineering framework. Moreover, I discuss what can be learn from his attack vectors as well as how they can be used today. I discuss some personal accounts and dissect them, as well.
What social engineering guide would be complete without discussing some of the wats you can mitigate these attacks? The appendix provide this information. I answer some common questions on mitigation and give some excellent tips to help secure you and your organisation against these malicious attacks.