Social Engineering - Christopher Hadnagy [8]
Chapter 3 also covers the important topic of preloading the target’s mind with information to make your questions more readily accepted. As you unravel this section you will clearly see how important it is to become an excellent elicitor. You will also clearly see how you can use that skill not just in your security practices but in daily life.
Chapter 4, which covers pretexting, is powerful. This heavy topic is one of the critical points for many social engineers. Pretexting involves developing the role the social engineer will play for the attack on the company. Will the social engineer be a customer, vendor, tech support, new hire, or something equally realistic and believable? Pretexting involves not just coming up with the storyline but also developing the way your persona would look, act, talk, walk; deciding what tools and knowledge they would have; and then mastering the entire package so when you approach the target, you are that person, and not simply playing a character. The questions covered include the following:
What is pretexting?
How do you develop a pretext?
What are the principles of a successful pretext?
How can a social engineer plan and then execute a perfect pretext?
The next step in the framework is one that can fill volumes. Yet it must be discussed from the viewpoint of a social engineer. Chapter 5 is a no-holds-barred discussion on some very confrontational topics, including that of eye cues. For example, what are the varying opinions of some professionals about eye cues, and how can a social engineer use them? The chapter also delves into the fascinating science of microexpressions and its implications on social engineering.
Chapter 5 goes on analyzing the research, yielding answers to these questions:
Is it possible to use microexpressions in the field of security?
How would you do so?
What benefit are microexpressions?
Can people train themselves to learn how to pick up on microexpressions automatically?
After we do the training, what information is obtained through microexpressions?
Probably one of the most debated-on topics in Chapter 5 is neurolinguistic programming (NLP). The debate has many people undecided on what it is and how it can be used. Chapter 5 presents a brief history of NLP as well as what makes NLP such a controversy. You can decide for yourself whether NLP is usable in social engineering.
Chapter 5 also discusses one of the most important aspects of social engineering in person or on the phone: knowing how to ask good questions, listen to responses, and then ask more questions. Interrogation and interviewing are two methods that law enforcement has used for years to manipulate criminals to confess as well as to solve the hardest cases. This part of Chapter 5 puts to practical use the knowledge you gained in Chapter 3.
In addition, Chapter 5 discusses how to build instant rapport—a skill you can use in everyday life. The chapter ends by covering my own personal research into “the human buffer overflow”: the notion that the human mind is much like the software that hackers exploit every day. By applying certain principles, a skilled social engineer can overflow the human mind and inject any command they want.
Just like hackers write overflows to manipulate software to execute code, the human mind can be given certain instructions to, in essence, “overflow” the target and insert custom instructions. Chapter 5 is a mind-blowing lesson in how to use some simple techniques to master how people think.
Many people have spent their lives researching and proving what can and does influence people. Influence is a powerful tool with many facets to it. To this end, Chapter 6 discusses the fundamentals of persuasion. The principles engaged in Chapter 6 will start you on the road toward becoming a master of persuasion.
The chapter presents a brief discussion of the different types