Day two starts with what we have been told by the students, is a life changing process – debrief. Each team must get in front of the class and talk, in depth, about their achievements during the homework conducted in the field the night before. Teams must share detailed accounts of their successes, their failures, and everything in between. This debriefing is conducted without prejudice and without judgement. The purpose is to learn from others and to receive constructive suggestions on how to engage better. This is a vital part of the training.
Chris and Robin listen to the different methods, critiqued, and gave ideas for the next time. It was exciting to watch the teams come together and build confidence in each other. The big surprise came to the more reserved students, the ones who thought it was impossible. They all discovered… IT WORKED!
After much of the morning is spent debriefing, the class takes a new turn. Each person picks the type of vector that fits their social engineering engagements the most, either a phishing email or an in person/phone attack. We use this method throughout the week as we build a personal social engineering manual for each person.
Day 2 delves into some deep topics:
- Information Gathering
- Advanced Preparation tactics
- Pretexting
- Elicitation
Information Gathering
This section we dissect both physical, tech, and non-tech information gathering techniques. We look at tools that are included in BackTrack and available on the web. We discuss things like shoulder surfing, dumpster diving, various search tools, and more. We hone in on two that make any social engineer a ninja, Google Dorks and Maltego.
After taking our time to really show how powerful both of these tools are, we unleash the students with these tools to practice gathering information on their companies.
“This was the best class I have taken. The knowledge and skills I learned and developed are already showing benefits in my personal life and career.” – Leonard Isham Sr. Security Engineer at Verizon Business
After they have some time to play with Maltego, we show them some special “non-public” transforms from the folks at PacketNinja. The information gathered is compiled as we continue building our profile.
Advance Preparation Tactics/ Pretexting
This section really needs its own day, but we manage to pack some serious information from Robin’s book about how to build rapport into this section. We discussed common but effective techniques of rapport building such as artificial time constraints, eliciting help, validation, mirroring, and more.
The students are also taught all about pretexting and how to build and maintain a believable pretext. We go in depth and actually define our pretexts based on our previously defined attack vectors and information gathered.
Elicitation
Our day ends by spending some time talking about how to use all the rapport you built and all the information you gathering to produce good conversational and interviewing skills. We cover the many different types of questions as well how to use them to elicit the information we need from our targets. We actually take the time during class to build a set of questions that can be used by the students, not just as a social engineer, but in everyday life.
The day ends with the same teams together for another night of eliciting information from people they meet. Tonight, we ask for specific pieces of information and we ask them to work as a team, forcing the students to pair up and see how the dynamics change when it is 2 people together.
As Day Two draws to an end, Robin and Chris enjoy a nice meal while the students are out scheming, planning, and initiating group attack scenarios for their homework. The students are really put to the test as they are required to extract even more sensitive information all while leaving their targets happy to have met them.
Just wait until you hear what happens on day 3 – Coming Soon.