We have spoken before about the importance of commitment when it comes to social engineering and manipulation. The commitment to be the delivery guy, engineer and so on. However, I think there is another important skill to be successful when building your pretext and going about your engagement. Mind Reading.
Now I am not talking about Mind Reading in the Mentalism context (that’s something for another day). In this instance I am talking about the Mind Reading that requires you to take a step back, step outside yourself and evaluate your plan. Perhaps this sounds obvious, but I don’t think many people do this when planning an SE engagement. People certainly don’t spare the processing cycles on a day-to-day basis to consider the thoughts of others, so it’s no surprise really.
What really triggered my mind to this recently was the fact that I had to attend a sales training workshop and look at personality types, how these differ, and how you should adjust yourself to the personality type of the person you are trying to con, sorry I mean sell to 🙂
In this training we used the DISC profile system, which looks to determine your behavioural type as one of the following: Dominant, Influence, Steadiness and Conscientiousness. For what it’s worth I was graded as Influence.
So after we examined all the traits of these supposed 4 groups my frustration started to grow. Everyone has the same traits, reactions, and emotions depending on circumstance, and how the experience is at the time. So what’s my point? Mind Reading of course.
Yes we are all different, and yes someone working in Infosec might be just a little more paranoid than the average person, but if we take a moment to step out of ourselves (pull your head out your arse essentially) you can gain a reasonable perception of how you, your communication and your approach will be perceived by those you are looking to manipulate. I am sure if you speak to people who have been conned well, they would say they had no idea, and they were such a lovely chap, and everything made sense at the time. This didn’t happen by chance: the target was selected and researched, and a suitable pretext was built.
So when you are looking to manipulate someone as part of your social engineering engagement, give some real thought as to how the scenario will play out. Would you be susceptible to the approach you are taking, or are you making the simple assumption of gullibility and ignorance? This thought process will help you in all situations, not just when on an engagement. Sounds obvious… sure, but people are generally selfish, and don’t give these thoughts consideration unless pointed out.
I hope this post gives some food for thought. I am currently elbow deep in baby poo with my newborn, but I hope to keep up with posts, and sharing info on Twitter, so follow @subliminalhack