What is social engineering?
According to social engineering expert Christopher Hadnagy in his book titled “Social Engineering”:
“I feel comfortable stating that in 2017, more than 80% of all breaches had a social engineering element to them.”
He also goes on to say that:
“I believe that we see [social engineering] being used by everyone […] because it is not only the easiest attack vector […], but because it’s now also meriting the largest payloads for attackers.”
“The cost to set up an attack is low. The risk is even lower. And the potential payout is huge.”
Social engineering predates computers. It’s as old as the human race, and it works off of one basic principle: manipulate a person into doing something that they wouldn’t have otherwise done, without them realizing that they’re being manipulated.
The best way to do this is to help someone make a decision without them thinking about it. Because if they think about it too much, then they’ll eventually catch on to the fact that something isn’t right.
To successfully pull this off, attackers can use multiple different principles that work off of human behavior. That’s why we’ll start off this section of the course by discussing these principles.
Next, we’ll explore a number of different attack vectors that can be used to launch malicious social engineering attacks. The four main attack vectors are:
Using these primary four vectors, either individually or in combination, attackers can then use multiple different techniques or approaches to try and trick you. These are things like:
- Spear phishing
These are all topics that we’ll explore in this section of the course.
Another key ingredient to successfully pull off a social engineering attack is performing reconnaissance. Part of reconnaissance is using public sources of information, which is collectively known as open-source intelligence, or OSINT for short.
While OSINT is an important part of social engineering, it’s explained in a lot more detail further on in the course under section 1.5, where we’ll discuss threat intelligence sources. Just wanted to mention that up-front since I know a lot of people are interested in OSINT as a topic.
Other aspects of reconnaissance require using non-public sources of information or more active approaches. Techniques for this include:
- Dumpster diving
- Eliciting information
- and others
These are all topics that we will explore in this section of the course, and as you learn about each topic, focus on understanding the differences between each key term, attack vector, and techniques or approaches that attackers might use, as well as how to defend against those types of attacks.
With that, let’s get started!