https://www.pentestpartners.com/security-blog/social-engineering-dos-and-donts/

Pen Test Partners Security Blog: Social Engineering

Social Engineering dos and don'ts
Tom Roberts, 20 Oct 2022

Another day, another success at sneaking into a building and pretending to be staff. I do so love drinking other people's expensive office coffee. No fruit bowls though. Close, but no banana.

It got me thinking, again, about what makes for good social engineering (SE), and what advice I would give my younger self. These are my thoughts:

Do: Prepare. Preparation is everything. OSINT, pretext, tokens of trust, and your authorisation and contact with site staff are paramount.
Don't: Think this is just a grift and a bit of a laugh.

Do: Plan your timing to coincide with traffic patterns, or mould your approach to mimic patterns of behaviour in your target group (arrival, delivery slots, coffee breaks, lunchtimes).
Don't: Be in the wrong place at the wrong time.

Do: Remain calm and focused. Remain professional.
Don't: Push the security guard over and do a runner (yes, I have been told by a client of that happening once).

Do: Think about how your pretext might disrupt the firm or directly impact staff.
Don't: Pull the fire alarm just to win, or socially engineer using directly emotionally scarring pretexts, e.g. "Dear Mrs Jones, your child has been in a serious accident, you need to...", just to win.

Do: Agree concepts or pretext ideas with your client. They may have useful information or helpful advice. They may also reject certain pretexts.
Don't: Send staff a fake redundancy/layoff letter when you know there have been layoffs and your actions might become an HR issue.

Do: Apply the science of social engineering. Use the tools of the trade and follow ethical guidelines.
Don't: Think anything goes because you think the bad guys would. Rely solely on natural talent.

Do: Think like a "smart" criminal. What is your likelihood of being caught vs the rewards gained? Remember the crime equation: there is a trade-off between risk and reward.
Don't: Think like an asshat and treat people as marks, rubes, or sheep. Don't think you can create chaos.

Do: Take notes. Timelines, photographs (if allowed and possible), locations and even rough maps to show the client where you were.
Don't: Think your job is over once the engagement is done. The report is as important as the OSINT and other prep.

Do: Make sure the customer is shown value for their money. The flash moment may only be one day out of many, and the client won't see any of it but the day you attack.
Don't: Just assume they understand how much prep time you have completed out of sight.

Do: Protect your client from undue embarrassment. Most jobs have NDAs.
Don't: Live tweet your SE, showing weaknesses and problems to the whole of Twitter.

Do: Enjoy it. Stress is a killer. Planning and prep reduce much of that stress.
Don't: Hyperventilate in the toilets for the whole time.

Do: Remain a human being.
Don't: Turn into a cold lizard that treats others with disdain or contempt.

Do: Not use your talents on people outside of work for your own self-gratification or gain.

Do: Speak to others and decompress if needed. Sometimes SE takes its toll. Talk to people who can help you rebalance.
Don't: Bottle it up and let it break you. You may end up replaying events in your head about consequences or failures.

Do: Read up and learn from others.
Don't: Be a lone wolf.