As I waded across a river at 2am, I thought to myself… who else’s job entails this? I came into the social engineering (SE) world hearing stories about speedy getaways at midnight, running from alarms, nearly driving off cliffs. I don’t know what made me think “this is the job I want” but I haven’t looked back since. As I reflect on my most recent on-site impersonation engagement, it reinforces just how vital security training is. So, how did I end up in a river at 2am? What lessons can we gather from this on-site engagement? Read on to find out!
Preparation Equals Success
The month before we went on this job, we used Open-Source Intelligence (OSINT) to research our target buildings. This step was vital in forming our pretexts. During our OSINT, we discovered the client’s internet service provider (ISP). Based on this, we developed a pretext where we would impersonate the ISP of the company to gain entry. This one discovery led to our successful entry into two separate buildings, one of which was protected by a gate. This believable pretext was the key on which our entire week pivoted. Had we impersonated the wrong company, or not found this information via OSINT, we would have been dead in the water (no pun intended).
Don’t Overthink
As a person who is very task focused and likes to plan, I tend to overthink in many situations. One of the main lessons I learned on this trip was to not overthink your props. While props do aid your entry and are vital to success, overthinking or overplanning them can lead to your failure. For this job we wanted to appear as legitimate ISP employees.
We went to Walmart, bought some polos, and used our badge printer to print some official looking badges with fake names. Those two items didn’t feel like quite enough, so we also bought an iron on patch kit. We found the company logo, printed it out on iron on paper, and ironed a logo on the inside of one polo to test it. It turned out terrible! It looked shiny and fake, and not official at all. Could we still use them? Sure. But it may have been enough to trigger the targets to take a second look and start thinking about our pretext.
Because of this, we decided to forgo the iron on logos. This really impressed upon me the importance of solid, quality props. As we drove up to the camera outside of the gate of one of the target buildings, all we had were our two props (the polos and our fake badges). After presenting half our pretext, the guard started opening the gate for us without asking to see our ID’s or badges! The props we did use added to our pretext so well that we didn’t even need to fully explain ourselves upon entry.
If You Don’t Try; You Fail
Ok, now the fun part. The answer to your question; How did I end up in a river at 2am? Well, one of the buildings we were trying to breach at night was placed up against a river. My boss, Chris, had made jokes about swimming across the river when we were doing our OSINT, but we just laughed it off. Once we arrived in person, though, we realized many people swam in that river and there were several shallow places we may be able to cross. Additionally, the only place on the fence that didn’t have spotlights or cameras was directly across the river. So, that was our way in.
Now, remember, it’s 2 am, pitch black, and we’re in new and unfamiliar territory. I’m not going to lie, along with my excitement there were some nerves there. I considered breaching the facility a different way, but as we had discussed, this was the best option for us. So, there we were, shining a flashlight to see the depth. Me, falling and getting the shoes I was carrying wet, I eventually crossed over to the other side successfully.
Imagine, though, if I had allowed my nerves to win. As stated previously, there were no other straightforward ways to gain entry to this building. We very likely would have failed. This showed me that unless you try, you will never know if you could have succeeded.
Lessons Learned
Whether your job entails you losing your shoes in a river or not, there are lessons we can all learn from this experience. Firstly, preparation is vital. This is something that applies to us no matter what job we have. Preparation goes hand-in-hand with not overthinking. The key is all about balance. Be prepared, but don’t spend so much time preparing that you fail to act. Lastly, but possibly most importantly, always try. Sometimes you may not get the result you want, but you will learn valuable lessons along the way. And who knows, you may just succeed!
Written by: Shelby Dacko