The Path to Becoming a Resourceful Social Engineer
Recently I watched an interesting horror-western film, Bone Tomahawk, which made me really start to think about the topic of resourcefulness. In the film, one of the characters, Chicory, (an old deputy played by Richard Jenkins) found himself in quite the predicament. He was determined to read literature in the bathtub, because he’d heard people do it all the time. However, every time he tried to do it, he ended up with a ruined book because he either splashed it, got it wet when turning the page, or accidentally dropped it in. After seeing how determined ole’ Chicory was to read in the bath, Sheriff Franklin (played by Kurt Russell) offered a suggestion: get a music stand, put the book on it to read, and keep a towel nearby for dry fingers. Voila! An example of an interesting way film reveals character. One of the characters is more resourceful than the other, so which character would you bet on to survive?
To me, resourcefulness is less about intelligence and more about adaptability. Resourcefulness means finding a way, even if it requires a completely bizarre solution. Sometimes it means linking two things together which may normally seem unrelated, such as a bathtub and a music stand. And quite often, it requires creative thinking. However, this can be difficult for us to do when we’ve been educated to be critical, logical thinkers evaluating thoughts based on past experiences. When we think this way, ambiguity can be interpreted as something negative, and our ability to be creatively resourceful is stifled.
While there are many different categories of social engineers, the one thing which unites us all is the unique ability to pull off a task which may seem impossible with the resources available. Social engineers must apply critical and creative thinking to find a loophole, and exploit it. Sometimes a vulnerability is glaringly obvious. Sometimes it takes a lot of effort to find, but at the end of the day, we must remember that we are up against real world attackers. And these attackers are extremely motivated. This motivation drives them to try things that are out of the ordinary. Therefore we, too, must be able to must be able to do extraordinary things, even in instances where tools are limited. It’s no surprise that different people think differently. The ability to be resourceful definitely comes easier to some than others, but fortunately with a little practice, anyone can learn to be more resourceful.
Free your mind, and the rest will follow
To become more resourceful you have to start with an open mind. You must be willing to move out of your comfort zone. When you’re in your comfort zone, information comes from predictable sources. So often we experience confirmation bias where we, as decision makers, will actively seek out and assign more weight to evidence that confirms our hypothesis. This can sometimes cause us to ignore things that might not seem to fit with what we’re doing and limit our ability to make new discoveries. But once you move outside of your comfort zone, things are more chaotic. You may suddenly be faced with unexpected findings and uncertainty. It can seem scary at first, but this is where insights and creative breakthroughs are born.
If you don’t venture outside of your comfort zone, you run the risk of reconfirming ideas you’ve already had or worse: giving up. We’ve all had that one target where we just couldn’t figure out the perfect attack vector, but if we waited for someone else to do it for us, we’d never get to experience that amazing moment. You know the one I’m talking about: that moment where you did some extra research and learned something new about a different industry or location, tried something totally bizarre and it WORKED!
Resourceful efforts are hardest at the beginning. However, the only thing a resourceful individual needs is a clear goal. From there it’s just a matter of determining how to bring that goal into fruition. Start where you want to be and work backward. From there a combination of planning, perspective, problem solving and just a little creativity will guide you on the path of resourcefulness. Remember: there isn’t always going to be a yellow brick road just waiting to take you there. If you’re lucky you’ll have a dirt path that’s covered in leaves, sometimes there’s no path at all. The good news is: the more creatively you think, the greater the number of paths that can become available to you.
Conceptualizing your yellow brick road (planning)
The first step in resourceful planning is recognizing the possibility that the plan might not work. I know it sounds contradictory, but have some ideas in the back of your mind for alternative solutions before you’re slammed with the fact that you’re going to have to move to plan B, C, or D. A great example of this is when you’re conducting OSINT. Everyone is different, but I always start with social media. We live in a culture, which heavily values sharing, so I often think, “Who ISN’T on social media?”
It turns out, more people than you’d think. It can also be difficult to locate social media accounts for targets in different countries. What will you do in that case? Be prepared for the proverbial bump in the road because they’re just unavoidable. Go ahead and think about what you’ll do in the event you can’t find someone’s online footprint. A backup plan can be checking out local news. Search for hot topics in your target’s industry or location and use those. Did the first organic market in the entire city open up down the street? How’s the weather? Mentioning a heat wave, torrential downpour or the fact that the President is in town and causing traffic delays helps establish instantaneous credibility when you’re pretexting in the same geographic location as your target. When it comes to barrier busting, resourcefulness wins every time!
Deciding the way your path should go (perspective taking)
Sometimes information on a target may be bountiful, so bountiful that you have difficulty narrowing the data to select a theme. In this instance you can be a resourceful social engineer by placing yourself in the target’s shoes. The goal is to create a situation that plays on the target’s emotion and drives them to do what you want. It’s important to think about the target’s personal and professional role in life. The strongest attack vectors will appeal to both. Do you know the target’s belief system? How does this fit into the proposed theme? How can you create an attack, which appeals to both the belief system and job responsibility? The answer may not always be immediate. You may have to spend some time thinking and conducting additional research.
What to do when you run out of supplies (creativity)
Sometimes additional searches may turn up no new information. You may have sent a target 5 different phishing emails, and none of them worked. However, what seems to be a setback, error or limitation is often valuable for fostering resourcefulness and creativity. It’s times like these when you can practice two things that will make you a resourceful social engineer. The first is your ability to make the most out of the resources you do have. Do you own limited domains? Figure out a way to make the domains you have work. My favorite example of this is when we once used our PHaaS®.com domain to engage a specific target within the healthcare industry. As you know PHaaS® stands for our Phishing as a Service® offering. However, for this particular engagement, we created a fake organization using the same PHaaS® acronym that could be applicable to the healthcare industry: “Promoting Strong and Healthy Seniors.” While it certainly took some time to think of, the creativity paid off.
The second way you can be resourceful in a setback is by practicing your capacity to fuse together topics, which are traditionally unrelated. I once was conducting OSINT for a target when I discovered that he was a member of a particular organization, and had been for the last fifteen years. While this may seem like a great attack vector, the target had served as former president of the board, and was still heavily involved in the organization. Because he had been a member of the organization for so long: I was hesitant to use the angle, fearing he’d instantly catch any discrepancies in the communication. The only other valuable piece of information I discovered was that his favorite movie was the story of Lou Gehrig. By fusing the two unrelated pieces of information together, I was able to appeal to the target’s personal and professional side in a single attack by offering exclusive VIP tickets to the target’s organization for a Lou Gehrig themed event, which raised money for ALS (Lou Gehrig’s disease).
Be your own wizard
Sometimes the answer is waiting right in front of you, but all it takes is a second look. Resourceful social engineers make the most of opportunities. There will be many times when the path is undiscovered, and we’re charged with creating something out of nothing. This is sometimes difficult when we’ve been taught to be exclusionary thinkers and accustomed to leaving out anything that’s not immediately related to our subject. However, this exclusionary way of thinking limits your ability be resourceful. Remember: you are in charge of creating your own yellow brick road. We have to keep in mind that although we are the good guys, we still have to think like the bad guys. This makes the job of a professional social engineer even more challenging. Trying to creatively think, plan our attacks and come at the problem from multiple angles all while remembering that we want to expose vulnerabilities in the human network without causing irreparable damage – this is not an easy feat. Because of this, many may choose the safest route possible, but the safest route might not be the best for your client. It’s important to find the perfect balance that’s right for both you and your client. Keep in mind that anyone can have a great idea, but not everyone can find a creative way to execute that idea.
Written by Jesssssssss Clark
Sources:
https://www.social-engineer.org/newsletter/social-engineer-newsletter-volume-4-issue-55/