Social Engineering - Christopher Hadnagy [191]
Armed with all this overwhelming amount of information a social engineer can pick and chose what he wants to use and what kind of attack vector to implement. As the engagement continues the information gathered will give the social engineer the ability to use story lines and pretexts that will have the greatest effect on the target. Without information gathering, as reiterated throughout the book, the engagement will most likely lead to failure.
For example, if a professional auditor is given three weeks for a job, he should spend half of that time gathering information. However, professional auditors often have a tendency to get excited and approach the target with the old standby pretexts. Do not fall into this habit; spend a lot of time in information gathering.
Almost as important as the information gathering itself is how you store and catalogue the information—perhaps by using one of the methods mentioned in Chapter 2 to store and organize this information. Learning to not just efficiently collect the information but how to store the information can go a long way toward making it efficient to use. Not simply dumping things into a massive document but categorizing things, cataloging them, and labeling them will make the information easy to use, especially if you are on a phone engagement.
Just remember that a social engineer is only as good as the information he obtains. I personally have seen too many gigs go down the drain because of bad information or lack of information. At the same time I have seen people who might not be the smoothest speakers or the most charming succeed in very difficult situations because of the information they gathered.
Information is the crux of social engineering, and if you take anything away from this book, let it be that.
Choose Your Words Carefully
Just like this section’s opening epigraph, this topic lends itself to the thought that information has no value unless you put it into practice. You can have all the information gathered and organized and catalogued, but you need to use it efficiently. The first step in this is to organize what words you will use.
I discussed the skills of elicitation and preloading. These are two of the most valuable skills, and I hope you practice using them. Use anchors, keywords, and phrases to load the target with emotions and thoughts to make him follow your lead. Preloading is a very powerful technique that cannot be mastered in a short while, but practice will enable you to use this skill. The great thing about preloading is that you can practice this skill at home, at work, with your kids, your parents, your clients, really anywhere.
Don’t think that practicing this means you will always have to get people to do things against their will. Preloading is used to motivate people’s minds to be more open to a suggestion or idea. You don’t have to use it maliciously. Kids do it all the time. For example, your daughter says, “Daddy, I love you…” and adds a few seconds later, “Can I have that new doll?” This is an example of preloading, putting a “target” into an agreeable emotional state.
Once you master that skill, or at least become proficient in using it, work on the way you use elicitation. Remember that no one loves the feeling of being interrogated. Elicitation should not mimic a police interrogation; it should be a smooth, seamless conversation that is used to gather intelligence on the target or topic you