
You SHOULD judge a book by its cover!

  • Writer: Keith Kerr
  • Feb 25, 2022

Updated: Mar 8, 2022

Social engineering, from an offensive security perspective, is the act of manipulating people to gain access to information, artefacts or restricted locations. It relies on a core understanding of your chosen target; in many situations this must be formed on-the-fly, with little or no background knowledge. Such scenarios require a social engineer (attacker) to form an almost immediate impression of their chosen target. This impression typically relies on stereotyping and grouping of individuals based on a few quickly identifiable characteristics and can often be seen to flirt with political incorrectness! It is, however, a necessary evil in scenarios where detailed reconnaissance of the target is not viable.


Some of the services I perform in my role require me to infiltrate restricted physical environments. Typically, this involves some form of social interaction, be it with security personnel, receptionists, office managers or any other logical point of contact. Having a reasonable story in order to get past this initial point of contact is critical, but beyond the scope of this particular blog post. Instead, it will focus on the diversity of such interactions, as well as a high-level exploration of skills and techniques that can facilitate a successful outcome.


Where possible, it is undoubtedly better to perform diligent background research on your target. Both professional and personal information provide valuable insights, enhancing your understanding of the target. Using this baseline, the attacker can then create a targeted scenario, which would be based around a reasonable story or ruse, as well as identifying a suitable approach and persona to adopt. The story/ruse should be well thought out, as changing this during your interaction with a target can raise suspicion quickly; however, you should be prepared to alter your adopted persona reactively during the attack.


When performing recon, it is important to pay attention to the subtleties of the information you uncover. For example, understanding the level of experience that your target has may provide an indication of their competence and/or confidence in their role, or observing their conversations, language and tone can help you to adopt a communication style that the target will likely be responsive to.


In situations where there is no opportunity to perform research prior to an interaction with the target, the attacker must work with what they have, relying heavily on reactively adapting their persona while engaged in communication with the target. It's important to be attentive to the target's language, tone, body language and micro-expressions. By reacting to these observations, the attacker can adjust the balance within their adopted persona/approach on-the-fly to build and enhance rapport with the target.


Conversations with targets should be fluid and natural. This is heavily linked to experience; it's natural that novice social engineers can often be hampered by nerves or panic in these situations. Initiating a conversation with a familiar icebreaker, such as "Hi, how's your day going?" can help put the target at ease but can also have the same positive effect on the attacker themselves. Mirroring is another highly effective technique, where the attacker mimics the language, physical behaviours, and sentiment of the target. When applied correctly, this can greatly speed up the rapport building process. It's important to be patient, as building the initial rapport can be key to achieving compliance from the target. Once the attacker reaches a level of compliance with the target, it's time to introduce the goal of your interaction to the conversation.


Now to demonstrate the diversity of these interactions! In some situations, the target may fit a certain profile (typically inexperienced, lacking in confidence and pliable) where the approach taken by the attacker can be far more direct and authoritarian. In these situations, it is still critical to build rapport, but perhaps in a different way. Simply making a demand for access or information is likely to result in it being granted; however, it is equally likely that the target will seek assurance from their more experienced peers. This can quickly foil the attacker's plans, so it's important to ensure that there is a level of trust established through rapport with the target, whereby they feel comfortable that you have the authority you have demonstrated. Often this can be achieved simply by reassuring the target that they have done a good job.


In summary, social engineering scenarios can and will inevitably take different and unpredictable turns, so the ability to be agile and reactive to the target is critical. Building the attack over time with targeted research and non-intrusive interactions (e.g. introduction email, a message on LinkedIn etc.) can also remove many obstacles when it comes time to perform the attack itself. Finally, as the title suggests, make observations based on stereotypes and commonalities. If possible, try to verify or disprove these observations by performing thorough reconnaissance to aid in the creation of the perfect attack persona, and be ready to adapt and overcome during the attack.


A quick word to end for any potential targets out there. Firstly, we are all potential targets! Be aware of the threat of social engineering and its growing prevalence in our everyday lives, from the targeted corporate attack to others that target you on a far more personal level. Be mindful of the information you expose through social media and other online content, as this creates a repository of data from which attackers can draw. Ensuring that available privacy and security settings are utilised to restrict the audience for your online presence is also highly recommended. We all need to be wary of correspondence from third parties that contains threatening, time-sensitive or rewarding content, as these are key indicators that the communication may be a veiled attempt to compromise you or your data.


I firmly believe that anybody can be a victim of a social engineering attack if the content, delivery, and timing are right, and my professional experience conducting such attacks only strengthens this belief. If you're concerned about becoming a victim of such an attack, or if you would like to learn more, please refer to the additional information from the Australian Cyber Security Centre here:


Copyright © 2022 ExploitingSapiens.com
