Social Engineering - Christopher Hadnagy [32]
Set a goal, nothing malicious, such as getting someone to agree to a different vacation spot or a to go to a restaurant you love and your partner hates, or to allow you to spend some money on something you normally wouldn’t ask for. Whatever it is you come up with, write out the five communication components and then see how well the communication goes when you have a written plan. You will find that with your goals clearly defined, you can better test your social engineering communication methods, and be able to achieve your goals more easily. List the following five points and fill them out one by one, connecting the dots as you go along.
Source
Message
Channel
Receivers
Feedback
Communication modeling yields very valuable information and without it, most communication will not be successful for a social engineer. As previously mentioned, information gathering is the crux of every social engineering gig, but if you become proficient at information gathering and you are able to gather amazing amounts of data but don’t know how to use it, it is a waste.
Learn to become a master at information gathering and then practice putting that into action with communication modeling. This is just the start, but it can literally change the way you deal with people both as a social engineer and in everyday contexts. Yet so much more goes into developing a solid message in the communication model.
One key aspect of learning how to communicate, how to manipulate, and how to be a social engineer is learning how to use questions, as discussed in the next chapter.
Chapter 3
Elicitation
The supreme art of war is to subdue the enemy without fighting.
—Sun Tzu
Being able to effectively draw people out is a skill that can make or break a social engineer. When people see you and talk to you they should feel at ease and want to open up.
Have you ever met someone and instantly felt, “Wow I like that person”? Why? What was it about him that made you feel that way? Was it his smile? The way he looked? The way he treated you? His body language?
Maybe he even seemed to be “in tune” with your thoughts and desires. The way he looked at you was non-judgmental and right away you felt at ease with him.
Now imagine you can tap into that and master that ability. Don’t shrug off this chapter as a simple “how to build rapport” lesson. This chapter is about elicitation, a powerful technique used by spies, con men, and social engineers, as well as doctors, therapists, and law enforcement, and if you want to be protected or be a great social engineer auditor then you need to master this skill. Used effectively, elicitation can produce astounding results.
What is elicitation? Very few aspects of social engineering are as powerful as elicitation. This is one of the reasons it is near the top of the framework. This skill alone can change the way people view you. From a social engineering standpoint, it can change the way you practice security. This chapter dissects examples of expert elicitation and delves deep into how to utilize this powerful skill in a social engineering context.
Before getting in too deep, you must begin with the basics.
What Is Elicitation?
Elicitation means to bring or draw out, or to arrive at a conclusion (truth, for instance) by logic. Alternatively, it is defined as a stimulation that calls up (or draws forth) a particular class of behaviors, as in “the elicitation of his testimony was not easy.”
Read that definition again and if it doesn’t give you goose bumps you may have a problem. Think about what this means. Being able to effectively use elicitation means you can fashion questions that draw people out and stimulate them to take a path of a behavior you want. As a social engineer, what does this mean? Being effective at elicitation means you can fashion your