Time: 3 hours 55 minutes
Difficulty: Advanced
CEU/CPE: 5

Video Description

In this lesson, Subject Matter Expert Dean Pompilio presents an introduction to Social Engineering (SE). He begins by defining SE as the art – and science – of getting information from people, having them carry out activities, and getting them to disclose sensitive information through manipulation. Although penetration testing is a prime use of SE, there are other uses for it such as hacking and market research. SE is performed over a longer time scale than traditional penetration testing – generally, over weeks or months because of the research and preparation that is involved. One of the fundamental problems in successful SE is the human problem – because humans are always the weakest links in any security program.

In this course you will learn:

  • How to use various social engineering techniques and tools
  • Proven ways to communicate
  • How experience will reinforce methodology

The course includes lectures, labs, and demonstrations on tools (such as Kali Linux, Social Engineering Toolkit (SET), Cupp, Dradis, Creepy, and Recon-NG Framework) that can aid you in the SE process. Other tools – such as voice, use of the phone, and personal appearance – that are used for persuasion also are discussed. You will learn about:

  • Exploitation Lifecycle – the general five steps of hacking
  • Where SE fits in the exploitation lifecycle
  • Digital information gathering
  • Targeting
  • Digital profile reduction

SME Dean Pompilio discusses the following aspects of the psychology of SE that a Social Engineer needs to master to manipulate targets:

  • elicitation – the exercise of "teasing" information out of someone
  • framing – building a frame around the subject you are discussing
  • pretexting – devising a story or excuse to get a target to be receptive
  • cold calling – getting someone to give you info while being helpful

Other subjects discussed by SME Dean Pompilio are:

  • Bypassing physical security with SE techniques
  • The fact that technology cannot solve the problem
  • Post exploitation
  • Digital evasion

Video Transcription

00:04
Hello, everyone.
00:05
Welcome to Cybrary. I'm Dean Pompilio, and this is the Introduction to Social Engineering course.
00:11
What we'll be talking about in this course is quite a few topics.
00:15
And hopefully you'll find something that's interesting to you in your social engineering efforts.
00:21
And we'll do a bunch of labs and you'll get to see a demonstration of several different tools
00:27
that can aid you in this process. So, social engineering: the main issue, really the fundamental issue, the fundamental problem, is the human problem.
00:37
And the reason we say this is because humans are always the weakest link in any security program.
00:43
People make mistakes. People have a bad day.
00:47
Sometimes they're just disgruntled employees and they don't care anymore. So they might
00:52
do something that they might not normally do and cause various problems for the organization. So for our introduction to the art of social engineering, it's really an art and a science if you think about it.
01:03
There are technological tools, of course, that you can use to do this kind of work.
01:08
But there's also a lot of creativity and, uh,
01:14
thinking on your feet kind of action that the social engineer needs to master in order to become truly adept
01:19
at this type of penetration testing.
01:22
So if we consider an exploitation lifecycle, we'll look at that. We'll see what
01:26
the different steps are in the various ways to exploit a target.
01:33
We'll also look at where social engineering fits into this exploitation cycle.
01:38
When I say exploitation life cycle, I mean
01:42
the general five steps of hacking.
01:45
We'll cover that in just a little bit.
01:48
We're also gonna look at various tools and techniques for digital information gathering.
01:53
There are lots of ways to get information from public sources. This is
01:57
a passive method, right? There's no interaction with the target directly from a lot of these tools and techniques.
02:05
And this is a real benefit to the social engineer because
02:08
they want to remain undetected as long as possible. You don't want to announce your presence or make the target aware that they're being socially engineered. That's a really key item to consider throughout any social engineering engagement.
02:24
We're also gonna look at different ways to target an individual or an organization,
02:30
trying to learn as much as we can about what they do where they do it, how they do it,
02:35
and trying to find connections between those different elements of information that can further the social engineering exercise.
02:42
And then we'll also consider ways to reduce your digital profile so that you can remain quiet
02:51
and remain undetected.
02:53
These are important considerations because this type of work
02:58
is really, uh,
03:00
performed over perhaps a longer timescale than typical penetration testing.
03:05
It could be done over a series of days or weeks or even months in order to
03:09
get information about very difficult to research targets.
03:15
So we'll talk about some of those considerations as we go through the various steps.
03:21
First of all, we'll start off with the psychology of social engineering. We have this concept here called elicitation. This is a word that's not very common, but what we mean by elicitation is
03:31
the exercise or the activity of trying to tease information out of somebody. If you're a parent, you probably have had very numerous experiences with your children, where
03:43
you come home
03:44
and you find something that's broken. Maybe someone knocked over a vase and there's broken glass on the floor.
03:51
You might ask your kids. Well, how did this happen? Who did this? Well, I don't know.
03:55
They don't really want to say, because they're afraid of getting in trouble. That's a natural human nature response.
04:00
So what the parent as a social engineer needs to think about is, how did I get this information out of my child?
04:08
Okay. Well, were you home when this happened?
04:11
Did you hear any noises?
04:14
Uh, was your brother home? Did your sister have any of her friends over?
04:18
These are the kinds of questions that you can start to use to elicit a response from the child being questioned.
04:27
Eventually, the parent figures out, well,
04:30
the older sister was home. One of her friends was there
04:32
and maybe they were playing catch with a ball. And that's what knocked over the vase.
04:40
So that's a very simple example. And it's one that people encounter on a regular basis,
04:46
and that draws us back to the point that social engineering is not just something that's being done for pen testing,
04:51
it's being done in many different contexts by professionals by hackers
04:58
by people that are in sales and marketing, and so on. Well, we'll look at a list of some of the different types of social engineers and how they do some of their work. We also have the idea of framing,
05:10
and what framing is
05:12
it's basically a way to set up the target
05:15
to consider their questions in a certain context.
05:18
You're building a frame around
05:21
the topic that you're discussing,
05:24
and this is often done quite successfully by politicians. For instance,
05:29
they're experts at
05:30
getting a question asked or posed to them and then answering a completely different question altogether.
05:38
And they will start to build a frame around what they really want to talk about while completely ignoring what it is that they're being questioned about.
05:46
This is a very common technique for sales and marketing people as well. A social engineer needs to master some of these aspects of communication
05:55
so that they can steer the conversation in the direction that they choose
06:00
while subtly trying to get information from their target, hopefully not letting the target in on the fact that they're being manipulated in some way.
06:09
That's really where the art and science comes into play.
06:15
Beyond framing, we have what's known as pretexting.
06:18
Pretexting is just basically coming up with a story or an excuse
06:23
to ask for information or to provide information
06:26
or to take some action.
06:29
Uh, good examples could be
06:31
someone that just done.
06:33
Social engineer wants to get information from the help desk. Maybe they are trying to get
06:39
a password reset, performed for a user account that they have identified as being valuable.
06:46
So the pretext is calling the help desk and saying, I've got a really important report for my boss. I need to get this finished immediately. Could you please help me get my password reset?
06:58
So the pretext is someone in need, someone that's in a hurry.
07:01
And there you build that story up
07:03
and hopefully the target of the social engineer, in this case the help desk operator,
07:09
they might feel sorry for that person. They might have a little bit of sympathy,
07:13
and this is where the social engineer tries to play on human emotions.
07:16
As we all know, most people are born and raised to be helpful and cooperative. That's in our nature. It's how we're wired.
07:25
The human race is successful because of this wiring, if you will,
07:29
but we have. There's a downside to this. People might be too trusting.
07:33
You might help somebody or give them information because you want to appear helpful. You don't want to appear to be rude or
07:42
or too busy to help somebody, so you might do something or say something that's out of character or that you know, is violating
07:49
common sense. Or maybe your gut is telling you something is not right. People might do it anyway, because that's human nature. That's how we operate
07:59
anyway. So the pretext is a set up
08:01
to try to get the target properly positioned, emotionally, perhaps even physically, to accept or be receptive to the questions or the probes for information that the social engineer is providing.
08:16
After pretexting, we can think about something like cold calling.
08:20
This isn't in any particular order, right? Cold calling could be in between any of these steps. That could be the first step.
08:28
What cold calling is is just what it sounds like if you're a sales person, for instance, your boss gives you a big list of phone numbers and names and says. Here's the people that I want you to contact today.
08:39
And, as we all know, when you get those kinds of phone calls generally, uh, most of us will probably try to give a polite excuse.
08:46
You know, my typical thing I say is, I'm not interested right now. Thank you, you know,
08:52
and I usually ask them to remove my name from their list. That's a good tip to reduce these kinds of things,
08:56
but a lot of companies may not honor that, so your mileage may vary a little bit,
09:01
but in general, a cold call for a social engineer
09:05
can be very informative, depending on what persona the engineer adopts. But depending on what they say,
09:13
maybe they have a prepared script
09:15
of questions they want to ask with anticipated responses.
09:18
So they can then
09:20
ask the question, get a response, look at their list. Oh, they said yes to this or they said no to this. Here's my next choice for where I want to take this conversation.
09:31
the cold call could be something as simple as you're at work. You answer the phone,
09:37
the phone rings. Hello, this is Dean in the security department. Oh, hello, Dean.
09:41
This is Jim. I'd like to talk to your manager, Bob Anderson.
09:48
What that person's hoping you do is say, Oh, my manager's actually
09:52
Shelly, you know, Stevenson. It's not Bob Anderson. Let me put you through. Right?
09:58
A lot of salespeople, marketing people use these techniques. They try to trick you into being helpful.
10:05
If you're aware of what's going on, what you should do
10:07
is say, Okay, Jim, let me get your name and number. I'll have my manager call you back.
10:13
That's a great response because it shuts the engineering attempt down
10:16
or it shuts the attempt by a sales person down.
10:20
And you're not being rude. You're not being unprofessional. You're just
10:24
trying to get that person to identify themselves so that you can then pass on information to your manager.
10:31
If they really knew your manager's name, they would probably have that person's phone number or they would at least get the name correct. So that's just set off a little bit of a flag in your mind.
10:41
When someone calls asking for someone else that doesn't exist,
10:45
that's just a simple example of how a cold call can go wrong. But it could also go right,
10:50
The person who answered the phone could have put that other person through without verifying anything. And now your manager is being harassed by a salesperson trying to sell them something which they didn't necessarily want.
11:03
something to think about.
11:07
One of the huge advantages of social engineering in general is that it allows the engineer to bypass many physical security controls.
11:16
It also allows the engineer to bypass many technological controls.
11:22
So your logical or your technical controls are hardware, software and firmware.
11:26
But physical security is also
11:28
a big consideration.
11:30
You don't necessarily have to sneak into a building in order to accomplish some
11:37
complicated social engineering task.
11:39
Sometimes it is necessary,
11:41
and we will talk about physical security considerations in the next class in this series. But in general, we can bypass physical security with social engineering techniques.
11:52
For instance, you might be interested in doing a dumpster dive.
11:58
This is a
11:58
an attempt to go through the trash of an organization or an individual looking for something useful,
12:05
looking for documents that haven't been shredded
12:07
documents that may contain signatures, account numbers,
12:11
photographs, anything of use to help build up a profile of information about this target
12:18
so that the engineer can more successfully perform their pen testing
12:22
in the social engineering context. So part of this would be thinking about what to do after
12:28
a particular event has happened. If you are able to sneak into the Dumpster area of an organization, you find useful documents.
12:37
You got to get them out of there. You got to decide what their value might be
12:41
to the pen tester organization.
12:46
And we also have to think about
12:48
ways to do this using computers as well.
12:50
And that kind of goes to the idea of the five steps of hacking. Really?
12:56
So, uh, what we were calling binary evasion means you're using technology in order to
13:03
remain undetectable, to remain digitally quiet as it's called.
13:07
And that way, your target of the social engineering pen test
13:13
doesn't realize that information has been divulged or exfiltrated,
13:16
and now they've got something to think about when that information comes to light.
13:20
So as I mentioned, there are many tools. A couple of the tools that we don't see on this list, these are all technological tools,
13:28
but the telephone
13:30
or just the human voice.
13:31
These are fantastic tools for social engineering. They go back throughout human history to the very beginnings of language.
13:39
There's always been somebody, somewhere who's trying to talk someone else into doing something,
13:43
something they may not have wanted to do something that they didn't think was a good idea,
13:48
maybe an action that goes against their best interests. But the skilled engineer can manage a way to phrase the conversation, to use elicitation, to use framing
13:58
to get that target to do something that they didn't want to do.
14:01
Doing social engineering in person in particular is very effective.
14:05
For instance, I'm wearing a jacket with a tie.
14:09
My hair is relatively neatly styled. You might see me on the street, or I might show up at your organization, and you might say, Well, that person looks like a professional. We can probably trust that person because they're dressed nice and they talk well.
14:22
These are great advantages for the social engineer.
14:26
If you were trying to penetrate into an office building,
14:30
trying to claim that you have an appointment with one of your targets just so you can get in the door.
14:35
If you're dressed like I am, most likely you'll be able to get past some of the gatekeepers, maybe a receptionist or a security guard, depending on the security level at the organization. That might be possible because you look like you belong there.
14:50
However, if I show up wearing an, uh, AC/DC T-shirt and ripped up jeans and my hair's all messy, well, that's probably not gonna be very effective in that context.
15:01
however, that outfit might work fantastic
15:05
fantastically if I'm trying to penetrate a music studio or some other environment where people dress that way.
15:13
So this is a really important concept to internalize.
15:18
You have to become
15:20
adept at, sort of like becoming a chameleon. In a way, the way you talk.
15:24
Maybe you decided to use an accent.
15:28
Some people that are really skilled can just
15:30
without an accent like that,
15:31
you know? Hey, buddy, how you doing? I'm everything going. All right? You know, you could talk like a Southerner. You can talk like you're from New York.
15:39
Any of these things are possible. If it gives you a link to the person, you know, where they're from, you might learn the accent where they're from,
15:48
just to make them more comfortable around you make them more trusting.
15:52
If you do this over the phone, it's a lot easier. If you're doing it in person, that could be a lot more stressful.
15:58
So doing social engineering in person requires much more preparation. It requires much more research. You have to be able to think on your feet at a moment's notice to change your story as needed to fit
16:08
what the target is doing, what they're saying, what their responses are to your actions.
16:15
However, if you're doing this over the phone,
16:18
you can sweat all you want, and the target doesn't see the fact that you're blushing and that you're fidgeting and you're nervous. All they hear is your voice,
16:26
and if you're very skilled at manipulating your voice, you can probably get the job done without the target being any the wiser. So, looking at our tools,
16:36
we'll do
16:37
a bunch of labs for these tools. I will demonstrate various concepts for information gathering,
16:45
how to organize your information using tools such as Dradis.
16:48
We'll give an introduction to Kali Linux.
16:52
Kali Linux is the platform that I'll be using to demonstrate all of the other tools.
16:56
We'll also look at things like the Recon-NG framework or Maltego,
17:02
doing, uh, website crawling with CeWL and Cupp, doing geolocation with Creepy.
17:07
There's lots of great things out, and honestly, this is just a fraction of
17:12
the tools that are available. If you really do some searching,
17:17
I'm doing an introduction here. So you're getting just a taste of what some of these tools can do.
17:22
None of the demos for these tools are completely comprehensive, showing all of their features
17:27
that some of those advanced features will be shown in later videos. But for this one, we're just gonna stick with an introduction, something to get you started to see what's possible and to see how well you can learn the tools in order to gather information about your target. All right, so what will you learn in this course? We're going to learn these techniques and tools that I just mentioned.
17:48
We're also going to talk a little bit about communication methods
17:52
things like neuro-linguistic programming, for instance. We're also going to discuss different ways that your human experience can help reinforce this methodology. And then, of course, we can't forget doing labs.
18:06
When we get to the sections where labs appear, I will talk a little bit about the setup that you require,
18:11
and I do a little bit of that in the labs as well. Some of the tools
18:15
are already included in Kali Linux; other ones you need to perhaps install.
18:21
None of this is very complicated. Shouldn't be too much trouble
18:23
for people that are already skilled with
18:26
IT technologies. Okay, so what is social engineering? We've got a good, concise definition here. It's an art, I would say art and a science, of getting information. It could be, as I mentioned, doing it in person, doing it over the phone, using very old tools. The telephone has been around for a long time.
18:45
An even older social engineering tool besides the telephone would be alcohol.
18:51
Plenty of people
18:52
will do things and say things after they've had a little bit of alcohol that they wouldn't normally do.
18:56
This is a well known fact throughout human history. There's nothing new about that.
19:02
Generally, the target of the social engineering should not know that they are being engineered. That's the key. If you can accomplish that,
19:10
then the person just thinks they had a friendly conversation. They think they helped somebody out that day.
19:15
They think they received some help that day. They might not realize until much later.
19:21
Thinking about the questions, I mean, that was a little bit suspicious when the person asked me this, or I told them that and they changed their behavior.
19:27
Maybe those clues will come together in a linear time, and they realize that that conversation was more than it appeared to be.
19:33
And if we think about the psychological aspect of social engineering, this is why
19:40
technological tools can't really prevent these different types of attacks
19:45
because you're using psychology and some tools, technical tools to get to a technical end, which is information or access to that information.
19:56
Anything that you know about the person's upbringing. I was making, uh, references earlier to people's accents.
20:04
Um, the way they talk, the way they dress,
20:07
where they might come from, all these bits of information for the social engineer provide valuable clues to make the engineering attempt more successful,
20:18
The better you can assimilate yourself into a certain environment,
20:22
then the more likely people will trust what you're saying and what you're doing,
20:27
and it's also more likely that you'll get to the end result
20:30
of gathering the information that you're requiring.

Instructed By

Dean Pompilio
CEO of SteppingStone Solutions
Instructor