Benefits of learning components of social engineering for social interaction and pentesting

There are tons of tools and resources to learn and use social engineering, and personally I think the more you dive into it, the more you get addicted to it, because you start to see more and more possibilites in everyday life and social interactions.

But first of all, what’s the goal?

Basically, social engineering is the understanding of human weaknesses and how to exploit these. The goal is clear , at least in the field of cybersecurity and hacking, it is to make the target click a link, open an email, open you the door to the building or giving you critical information etc…

The thing is, for most of us working in the field, we are… geeks and nerds.Technical people who love computers and hacking are usually not the best at communicating and in some cases show signs of social anxiety.

Learning social engineering helps us to become better at communicating, and a more interesting person for others.

Some of us prefer to send targeted emails, with a clickbait title and content with a beautiful link to our malicious servers. In most cases it works, (unfortunately for blue teams) but in some cases we have to use other approaches.

As a good social engineer wrote on the SE category on Dread (reddit for the deep web), there a 6 fields of study that can help us getting better at social engineering:

• Cold reading
• Body language
• kinesics
• Proxemics
• Micro expressions
• Neuro linguiustic programming (NLP)

I really like this approach, and I will add something:

• Some people dive directly into Micro expressions, they watch the TV series “lie to me” (which is great by the way), and they train on watching videos of people closely. I started out like that, and I think I should have learned the basics first. People learn the “juicy stuff”, and they do not pay attention to the other basic components of social engineering.

As for cybersecurity/hacking, you can learn to copy/paste and use tools, but to become good you must learn the basics of computer science, systems and networks, programming, etc… or else you will become a script kiddie.

In social engineering my feeling is the same, it is a complex field of study made of multiple components, and people should also learn other fields:

• Psychology
• communication
• human behavior
• The art of conversation
• Cognitive biases

Sure, you can learn specific human behavior to understand what are the various factors that encourage a user to click on a link and that’s all. The thing is, if you learn also the psychology and behavior behind your target, you can craft the perfect mail and add that to your understanding of what makes someone click on something. If you know the art of conversation, you know that some people really lose it when others interrupt them when they are talking, so if you know that you can avoid it.

Some of these things are really Obvious, or “simple”. But If we look closely we all do some kind of mistakes when we communicate, or we could do some things better.

Learning all this stuff has also multiple other advantages. Each time you have any kind of social interaction you will be able to respond appropriately, and your non-verbals, posture and the way your talk will make it easier for you to deliver your message or payload.

I believe the two most important things I gained with reading all these books and studies about manipulation, SE and deception is to actually protect myself from people trying to deceive me , and also to help people when they are trying to deceive themselves. You won’t become a lie detector with 100% accuracy for sure, but when you can see some little things that people are hiding, it gives you information and information is key.

You also see the effects yourself quickly in real life. If I take a basic example such as going to work with a tailored suit, you can see the difference in how some people will interact with you. If you go to work with a shirt and your tattoos visible, you will also see a difference in how some people will talk to you. Unfortunately you cannot change the way people see you, they are BIASED. But you can change how you appear to others, and this is why learning this stuff is helpful if we want to appear the way some people want us to appear.

Learning this stuff helps you to protect yourself, and to sometimes predict when someone is going to do something. Information is key, and this stuff allows you to get so much more information and details.

The most confusing thing when learning and applying this is that sometimes you will know the person’s feelings but you will not know the why she is feeling that way before talking about it. Cold reading, body language and micro-expressions are really helpful, but without the context, you cannot get much information.

To conclude, I think learning the basic components of social engineering and other related areas of study has many benefits for yourself and other people, and it is a shame we do not have enough people interested in it, because it is helpful in any social interaction and it gives you some kind of power.

Some learning materials (No product placement)

Deception

Especially about vishing:

• https://www.amazon.fr/Art-Deception-Controlling-Element-Security/dp/076454280X
• https://www.amazon.com/Dark-Psychology-Books-Manipulation-Intelligence/dp/1801114889

Must read and almost creepy:

• https://www.google.com/search?client=firefox-b-d&q=elipsis+manualchase+hughe

Chase hughe gives insanely good frameworks and tools for SE:

• https://www.chasehughes.com/copy-of-one-year-mastery

Applied to cybersecurity

• https://www.amazon.com/Social-Engineering-Science-Human-Hacking/dp/111943338X

Communication

• https://www.amazon.com/How-Win-Friends-Influence-People/dp/0671027034
• https://www.youtube.com/watch?v=tPk1h2VZ2DI&list=PLID58IQe16nFcsed5sqo0VfQUZ7EF8rqY
• https://www.amazon.com/Art-Conversation-Twelve-Golden-Rules/dp/1629041416

Cognitive bias

• https://www.youtube.com/watch?v=HCr53yu56Dc&list=PLUBU-DCzad1ZnN41dPSu7ShBnBFb-RdYs&pp=iAQB
• https://www.visualcapitalist.com/50-cognitive-biases-in-the-modern-world/

Body language

Joe navarro is a pioneer in this field:

• https://www.amazon.com/What-Every-Body-Saying-Speed-Reading/dp/0061438294
• https://www.amazon.fr/Dictionary-Body-Language-Field-Behavior/dp/0062846876

Cold-reading

Mentalists and some “mediums” are insanely good at cold reading, If you can see some of them that explain their tricks, go check it out.

Papers

• https://www.ssrn.com/index.cfm/en/social-sciences/ Or just go to pubmed or sci-hub , there are so many good papers and shocking information in psychology and human behavior science.

Micro-expressions

Honestly there are too many paid videos or programs to learn this, and it is quite advanced and dificult to become good at this without real world experience, I don’t have good resources for this field, if you have some I would apreciate it.

Other interesting fields of study that can be used for SE:

• Learning rethoric
• Learning humor (appropriate for the right target)
• color theory
• Social structures and behaviors

Frameworks:

Personality tests and frameworks, the more you know yourself the more you can understand others:

• OCEAN, HEXACO (best framework)
• DISC (still used by lots of companies, accuracy is still discussed) Do not use the 16 personalities test, as it is not backed up by papers or real world testing, this framework is purely marketing.