During the past year working as a social engineer, I heard several of my colleagues talk about their experiences when they attended the Advanced Practical Social Engineering class or APSE. The anticipation contributed to the excitement when it came time for me to attend this class. APSE is normally a live training course in a physical location, with face-to-face interaction between instructors and attendees. This year, however, it was a virtual training course. At first, I was a little disappointed that I wasn’t attending the live class like the rest of my colleagues and felt I would be missing out on the “real” experience. Fortunately, that was not the case at all! I learned so many fascinating things, I could write for days. In this newsletter, I’m highlighting only a few key points of this course.

Communication

“In order to influence others, you have to understand yourself first.” These were Chris Hadnagy’s (our instructor and Chief Social Engineer) opening words for the first lesson. Each attendee took a DISC assessment to determine and understand their communication style. DISC was developed based on the research of Dr. William Moulton Marston, inventor of the polygraph (and Wonder Woman). Dr. Marston developed DISC to assess four aspects of communication: Dominance, Influence, Steadiness and Conscientiousness based on a person’s preference association. DISC is backed by over 40 years of research and is over 90% accurate, according to participants.

Being aware of our own communication style makes it easier to adapt as a way to better communicate with others. We learned that, in order to influence other people, it is essential to be good communicators. How can we understand others if we don’t understand ourselves? Becoming aware of our strengths and weaknesses when it comes to communication helps us to be adaptable to others’ communication style and understand them better. Being a good communicator has a significant impact on our relationships with others, whether in social engineering or our personal lives.

Rapport Building

Next, we spent some time studying rapport building techniques. Our opening statements and actions can dictate the outcome of a conversation. Some of the tips we received for effective rapport building were ego suspension, validating others, time constraints, asking questions such as “why, when and how,” and reciprocal altruism, such as giving a compliment. Being effective at rapport building will lead us to being effective at elicitation or obtaining information.

Elicitation

Elicitation is more than just asking questions; it is an art form. Elicitation is defined as “the act of drawing out or bringing forth emotions, opinions, facts, etc.” In other words, elicitation is the art of drawing people out in a way that they will divulge information without realizing it. As Chris Hadnagy says, “to master the art of elicitation, we must master the art of conversation.” We learned some key principles that need to be implemented if we are to master this skill:

  • Be natural. When approaching someone to start a conversation, have a natural approach in your tone of voice and body language.
  • Be educated. Do not attempt to elicit information that you have little, or no, knowledge of. If this is required as part of a social engineering engagement, be sure to do your homework and become informed. However, if that’s not possible, elicit information from the standpoint of someone who is curious and not an expert.
  • Appeal to one’s ego. People love to talk about themselves. Stroking someone’s ego is a very powerful tool to elicit information. However, flattery must be subtle and not overdone. You don’t want to “weird out” your target with incessant flattery.
  • Mutual interest. They say that “birds of a feather fly together”; this is true in many ways. People like others that are like them or have similar interests. This not only validates them but also helps them feel that it is safe to talk to you.

These are just a few of the many elicitation techniques that we learned throughout the course. If you’d like to learn more about elicitation before the next APSE training course, you can watch Chris Hadnagy’s SEVillage speech, “Make Them Want to Tell You: The Science of Elicitation”.

Pretext Building

A solid pretext is an essential part of building trust. A pretext should contain the reason you are asking for specific information, and it should be consistent with the alias you’re impersonating. Good pretexting calls for ego suspension and playing into society’s stereotypes when needed. For example, if my team were asked to access the employee area of a hotel, as a Hispanic woman, I would have a much better chance of being unnoticed playing the role of a housekeeper than my boss, who is a Caucasian male.

Some principles for successful pretexting include:

  • Research. The more information you have on a target, the more you will know which pretexts may or may not work.
  • Involve personal interests. When you speak of YOUR personal interests, you will exude assertiveness and conviction which translate into credibility.
  • Phone skills. Our body language, emotions and gestures will affect how we come across on the phone.
  • Keep it simple. Complex stories are not easy or attractive. If you have a complex story, you may forget part of it or may lead the target to ask questions that you may not have answers to.
  • Go with the flow. Instead of having a script, have an outline that will allow you to be spontaneous in your conversation.

The Homework

After learning all about rapport building, elicitation, and pretexting (to name a few), it was time to put our knowledge to work. Every evening we were given homework assignments which required us to go out and have conversations with complete strangers as well as extract specific information from them.

As an introvert, this was the very definition of a nightmare. I could feel my heart sink as the instructor gave us the specific items of information we needed to obtain from perfect strangers. Some of the information was personal information that I “knew” they would not give. As horrified as I was of the assignments, I had to complete them if I wanted to benefit from this course. So, I stopped thinking about how I felt and started to craft a pretext. How would I start a conversation that would result in strangers giving me personal information? Once I had the pretext, I knew who I had to “become” for my pretext to be believable and I was ready to go.

Our homework intensified each day of the class. Implementing the skills I learned allowed me to be successful every single time. Initially, I was very doubtful that anyone would give me the information I asked for. However, I was shocked at how simple and easy it was to obtain any information I wanted from a stranger. The feeling of fear dissipated when applying the principles learned. The hesitation to approach a stranger turned into a feeling of euphoria. In the days after the course was done, I remember going out and looking around thinking, “Who am I going to speak to today?” Approaching and speaking to strangers has now become part of my identity.

In Summary

I learned so much in APSE. There were too many fascinating lessons for me to be able to articulate in this newsletter. The lessons ranged from social engineering techniques to psychology to human behavior and body language, and that is just barely scratching the surface. As far as attending virtually instead of in person, it gave me a unique perspective as I got to meet people from various parts of the world; this contributed to diversity and to amazing conversations. One of the highlights of the class was listening to everyone’s homework stories. It was so insightful to hear how other students crafted their pretexts and how they carried out their conversations. Although we were all in various parts of the world, the principles taught in APSE worked equally! This really impressed me, but it made sense: a human is a human no matter where they live.

Many people have said that APSE is a life-changing experience. I thought they were exaggerating, or just overly excited. Now having attended, I can say that I benefited not only professionally but personally. This class helped me overcome my fear of starting conversations with strangers, and it has caused a paradigm shift in how I view other people. The biggest lesson: Never assume what a person will or will not do, including yourself.

Written by Rosa Rowles

Sources:
https://www.social-engineer.com/training-courses/advanced-practical-social-engineering-training/
https://discinsights.com/william-marston
https://www.discprofile.com/what-is-disc/research-reliability-and-validity
https://www.social-engineer.org/framework/psychological-principles/instant-rapport/
https://www.dictionary.com/browse/elicitation
https://www.social-engineer.org/framework/influencing-others/pretexting/
