As a penetration tester and adversarial engineer, it sometimes feels like there are endless variations on social engineering (SE). This post is a general catch-all to answer some of the common questions about those variations.
The official dictionary definition of SE in terms of cyber/information security is:
the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes.
As a penetration tester/adversarial engineer, we're not looking to take our SE anywhere near that far. Let's be honest: we can't SE easily without "deception", and that's something anyone looking to get into SE might need to make peace with. We're not looking to be fraudulent; we're looking to test the "human" aspect of a company's cyber security defences. That's a really important distinction. As a penetration tester and adversarial engineer, our job is to test cyber security. It's not our job to be fraudulent, but certain areas of our job sail close to the wind.
So let's talk about the different types of SE:
Physical Access: my favourite type of SE, gaining physical access into "something", which could be an office, a facility, a site, etc. We would pretend to be an employee and attempt to gain access. A lot of this blog post series will focus on this aspect of SE because it's where I have the most experience. Physical access could include lock bypassing, lock picking, and electronic ID badge cloning.
Vishing: this typically involves someone making a phone call to a target, usually to gain some useful information. It could be something simple, like asking what browser they are using, or something much more complex, like asking them to visit a website to download a software update (which likely isn't a real software update, but part of a command and control framework).
Phishing: sending emails to a target (a spear phish) or to a whole company, pretending to be something they aren't, usually to get the target to click a link, open an office document or take some other action. Often the emails will be designed to look legitimate but, again, are most likely trying to install some kind of command and control framework.
There are many different types of SE, however, as a penetration tester/adversarial engineer, the above list is the most commonly used in our day-to-day jobs. We're not intending to cover the other areas in too much detail because they are often used in genuine malicious attacks.
This blog is part of an SE101 series, and originally appeared here: