In his new book, “Social Engineering: The Science of Human Hacking, 2nd Edition,” Chris Hadnagy really hits the mark by providing a great overview of social engineering techniques, explaining how and why they work, and giving the reader plenty of real-world examples to back it all up. The target audience is humans as Chris explains. If you are human, I guarantee you’ll take something away from this book regardless of your personal experience with social engineering.
You may be new to the topic of SE, you might be a veteran, or you may be in an entirely different profession and just have an interest in the topic. Whatever your background or reasons may be for checking out this book, you’ll definitely learn something from reading it. Chris has really done a terrific job with this book, and, in my opinion, he has achieved his stated goal of motivating the reader.
Free Webinar: The Future of Social Engineering with Chris Hadnagy
Sign up now for this free event on August 16, 2018 at 1:00 EDT
Overview of “The Science of Human Hacking”
Let me share a few things about this book that are different from the first edition, although admittedly I did not read the first edition in its entirety. Although the title of both books is “Social Engineering”, the subtitle of the first edition of the book is “The Art of Human Hacking,” whereas this second edition is subtitled “The Science of Human Hacking.” So to state the obvious, the first observation is that we’ve moved from an art to a science. This is an interesting topic and discussion in and of itself. Is hacking an art? Or a science? No, really. If you haven’t thought about that before, think about that for just a moment. Mind blown? Debating with yourself? Good. A good argument could be made either way. Art is interpretive and subjective. Science is methodical and based on experimentation. As such, the book, and social engineering as a discipline within penetration testing, has moved from interpretation to knowledge based on experience.
Secondly, Chris makes a few promises to the reader including not quoting Wikipedia, telling many stories, providing references for further study, and welcoming all suggestions and criticism. While I can’t speak for the fourth (yet?) I can confirm the first three. With the exception of maybe one image sourced from Wikipedia, there were no real references pointing there. There were, however a whole bunch of references to additional books and websites for further learning.
Stories? Oh yeah. There are a lot of them. They are excellent real-world examples based on experiences in social engineering engagements. A few of the things I learned from these stories: 1) Sea cucumber is likely something to stay away from, 2) Don’t trust anyone named “Paul,” 3) Sometimes even Chris gets caught, and 4) There’s way more to social engineering than saying “Hi, I’m here to fix your computers.” Maybe a couple of those are just a reference to some of the humor that’s tossed into the book (although, I’m not sure if the “Paul” thing was purposefully done or not, but he always seems to use this name in his examples). I will now always be skeptical of anyone that introduces themselves as Paul.
When Chris discusses malicious social engineering, he specifically covers four different vectors: SMiShing, Vishing, Phishing, and Impersonation. Each of these topics is discussed and analyzed in sufficient detail, with enough examples to give both new social engineers and seasoned veterans some great new ideas. The concept of the social engineering pyramid is introduced and each layer (OSINT, Pretext Development, Attack Plan, Attack Launch, and Reporting – yes, reporting) is covered throughout the books’ chapters. In regards to OSINT (Open Source Intelligence), both technical and non-technical methods are discussed. While Chris does specifically mention he doesn’t want to provide an abundance of tools, there are a few honorable mentions tossed in. These include SET (the Social Engineering Toolkit), IntelTechniques (website), FOCA (Fingerprinting Organizations with Collected Archives), and Maltego. All of these are great tools and should be included in your toolkit or arsenal. One item I was surprised not to see included or mentioned is the OSINT Framework which is essentially a repository of sources for finding information (and does point to IntelTechniques for several categories). I highly recommend you check out each of these tools if you haven’t. They are essentials you should have experience and familiarity with.
Right about now you’re thinking “this is all well and good, but are you going to tell what’s in the book?” I’m certainly not going to tell you everything, but given the large amount of cooking analogies used in the book, let me see if I can whet your appetite a little bit.
In Chapter 3, “Profiling People Through Communication,” Chris discusses four natural thoughts that typically run through your head as you spot someone approaching that you anticipate will try to communicate. These thoughts include: who are you, what do you want, are you a threat, and how long will this take. This is just the natural human thought process at work. This is similar to what I’ve explained to my kids regarding their guinea pigs, “each time you approach them, they’re thinking what are you, and are you going to eat me?” The human thought process isn’t too much different. The point is that if you, as the social engineer, can answer those four questions in your initial interaction, you can put the person at ease and direct the conversation from there.
To do this successfully, you need to have an understanding of several different types of communication styles presented in the book using the DISC acronym: Direct, Influencer, Supporter, Conscientious. First, you need to know yourself and your own communication style. These are not “one size fits all,” and, while there are many websites out there where you can do a self-assessment, Chris provides some suggestions on how to determine your communication style and why the assessment websites aren’t necessarily accurate. The chapter ends with a terrific example of two conflicting communication styles experienced at one of his book signings. Having an understanding of these communication styles is not only useful for social engineering but there are plenty of other uses, such as company psychology for managing people, as well.
Pretexting is largely emphasized throughout the book as an important and integral part of social engineering. This is essentially the story, and all of its associated details, that you’re trying to play out. Will you be a delivery driver? A safety inspector? Perhaps a pest control specialist? Whatever scenario you choose, which should be derived from your information gathering and open source intelligence collected on the target, you need to ensure that you have the details to go with it. If your target doesn’t normally allow delivery drivers to walk around the office, how do you intend to explain that you need to do so? In a lot of the examples of social engineering engagements presented in the book, there are plenty of times where Chris and/or his team just barely seem to squeak by (e.g., about to walk right into a security guard that already kicked them out just as an elevator door opens allowing for a quick escape). Those close encounters aside, by not having a thorough pretext, he does get caught once or twice and explains the how and the why. In discussing pretexting Chris breaks it down into six different principles, some of which include thinking through your goals, determining how far to go (with the details), and avoiding short-term memory loss.
As the book moves from pretexting into the actual interaction with people, there is some specific focus on building rapport with your target, principles of influencing others, and the difference between influence and manipulation. In discussing the ten principles of building rapport, Chris mentions using a slower rate of speech to avoid “word whiskers,” or words such as “um,” “like”, and “uh.” I want to reinforce this recommendation, because not only is it highly important for social engineering but it’s important any time you are speaking with someone. You can quickly lose credibility if you’re pausing with an “um” in every sentence. The recommendation in the book is to focus on your RSVP – rhythm, speed, volume, and pitch. Paying attention to these items can help you speak more clearly while presenting yourself in a professional manner. “Perfect practice makes perfect.” These skills take practice, lots of practice, to perfect. You can practice with friends and family or look into finding a local improvisation class offered in your area. The more you practice your communication skills, the more comfortable you’ll be during social engineering engagements.
Once you’ve started engaging with your target and building rapport, you can begin influencing the direction of the conversation or the person. Chris breaks influence down to eight separate principles. Reciprocity can be used to elicit an individual to do something for you after you’ve done something for them (e.g., I hold the first door open for you, you’ll likely open the second door for me). Authority is used to express some level of power over the target. Another principle is obligation – such as when you feel obligated to answer a question. When this principle is presented, Chris suggests a challenge to the reader. He suggests that the next time you are in a conversation and the other person asks you a question, don’t answer or acknowledge it. Instead, just stare at them. If they ask whether you’re okay or not, respond “yep” and nothing further. Generally, you’d feel obligated to answer the question so this makes it an awkward situation. As he recommends this, he then goes on to suggest that most readers are likely letting out a nervous weird laugh or smile while picturing that scenario. Yep! That was me. I couldn’t help but chuckle about this as I read it.
This reminded me of an experiment we once conducted in an interpersonal communication class. One person was to think of a topic that they are very excited about – maybe a sport, hobby, or any other interest. They were told they’d have some amount of time to explain this to the second person. The second person was to, at some time shortly into the conversation, hang their head down and seem genuinely uninterested. As you can imagine, the person talking about the topic they’re excited about could get a little upset or downright angry.
The idea presented behind influence is getting someone to want to do something you need for them to do. This is the whole “make them think it was their idea” thing. That’s the power of influence. Chris goes on to explain how this is different from manipulation, and how he prefers to stay away from manipulating targets. He explains that manipulation is just getting them to do something you want them to do. Do you see the difference? Manipulation generally leads to people feeling angry, or otherwise bad, once they find out they’ve been tricked. This is not the goal. As social engineers, we want to teach people how to identify these attacks. Manipulation doesn’t often lend itself well to being teachable.
The book then goes further into emotions and non-verbals used during communication. This was one area of particular interest to me, because I remember being taught when I was very young that folding your arms usually represented some sort of disgust, disinterest, or otherwise standoffish behavior. I disagree. Why? I am usually comfortable folding my arms while standing. It doesn’t mean that I’m not interested, or mean anything at all. Chris points this fact out and advises the reader not to use preconceived ideas as it relates to body language like this. Instead, he recommends that you create a baseline of the person as you begin communicating with them. For example, the person may twitch their leg frequently. This may be normal behavior and doesn’t necessarily indicate nervousness. However, if you ask an interesting question and the person stops twitching their leg, this is now different from the established baseline and something you should pay attention to during the conversation. The same goes for folded arms, face scratching, and other items. Don’t think about these things upon initial interaction but look for changes and deviations. As Chris puts it, “focus on the what, not the why.”
Body language and emotions, such as anger, fear, sadness, and happiness, must have your attention. You, as the social engineer, may need to adjust your approach or the conversation based on the emotion being shown by the target. It’s around this area of the book where I have a slight disagreement. Chris suggests several specific statements that may be used to elicit certain emotions or soften a person’s body language. One statement, in reference to speaking to your wife, goes like this: “Hey, honey, you look super tired. Was your day okay?” Whoa. I’ve been married a few years and one of the phrases you should never (ever) say to your wife is “you look tired.” I definitely do not recommend it. Either Chris has a very forgiving wife, or he just wants to see how many readers will try this out and report back to them after they’ve received a black eye.
The last few chapters focus on professional social engineering in penetration testing (pentesting) and recommendations on career advancement within the social engineering field. These chapters provide some excellent example scenarios and some very important topics related to social engineering. This includes everyone’s favorite thing to do – create reports. Just as with any other type of pentesting engagement, the report from a social engineering engagement is one of the, if not the most, important parts of the engagement. Chris indicates that your report needs to be professional, and it should be checked and proofread for spelling and grammar mistakes. Most importantly, the report needs to tell the client how they can fix the issues observed. If you can’t explain to your client how to address the problem, you should anticipate that they won’t be your client much longer.
Chris draws from past personal experience here about writing a report and explaining all of the cool things he was able to do. What did he forget? The client doesn’t particularly care about that. They want to know how to mitigate their risk. What can they do to improve? How can they adjust their security awareness program so that attacks from real attackers aren’t successful? This would be the difference between reporting your kewl h@cking adventures to your friends at the bar as opposed to the ROI of a paying customer.
To address this, Chris says you need a MAPP – Mitigation and Prevention Plan. Your MAPP should explain how to actually prevent the attacks and uses a four-step process: identification, actionable policies, checkups, and awareness programs. This also includes some specific advice for organizations on selecting vendors and for social engineers on working with clients. One important piece of this advice I think is worth mentioning is for the social engineer. If the customer is too difficult to work with, doesn’t have the interest in improving, or their general values, beliefs, or ideals do not align with yours, as the tester, then you need to know when to cut ties. There will, undoubtedly, be times when the best decision is to just walk away. This is often easier said than done, but it is nonetheless poignant advice.
The book concludes with recommendations on how to gain entry to a social engineering position, the types of companies worth looking at, how and where to gain further experience, and additional suggestions on becoming a professional social engineer. This is a welcome addition, as it is a natural extension of the focus of the book.
Chris Hadnagy in his book, “Social Engineering: The Science of Human Hacking,” makes it abundantly clear that he’s not looking to arm the bad guys with ideas, but properly prepare the next generation of practitioners. There’s enough involved in the field of SE now that you can most certainly specialize in just being an awesome social engineer. As he quips, there’s just too much work for him to take on by himself and wants to help train as many other people as possible to be successful social engineers, so that we, as a collective whole, can help our clients and businesses secure their organizations. To quote Chris directly, “you cannot really defend against social engineering until you know all sides of its use.”
Having been in the information security field for a while, and having conducted social engineering tests before, I always knew there was a lot more to it than what you see at the surface level. After reading this book… “Wow!” Not only do I have a bajillion (no, Word didn’t even autocorrect that) new ideas running through my head, but Chris has definitely motivated me to take a closer look at all of the science involved in social engineering.
I also want to recognize some of the other work Chris is doing in this space with his Innocent Lives Foundation, which is dedicated to saving children from predators trying to hide on the Internet. Working often with law enforcement, Chris and other volunteers use their social engineering skills to assist in fighting the bad guys directly. There are a few mentions about the organization throughout the book, but I think this is a very commendable endeavor worthy of your attention.
Chris welcomes your feedback about the book, good or bad, and you can reach him via his website at social-engineer.org or Twitter @humanhacker. I recommend going out and grabbing a copy of the book for yourself. You won’t be disappointed. I’m pretty excited about doing some further reading and study to improve my skills. I hope this review has been helpful, has piqued your interest, and answered any questions you may have about the book. I also welcome any feedback and will be watching for comments or posts in the EthicalHacker.net forums.
See for Yourself at SE Villages
Chris Hadnagy also runs Social Engineering Villages at both DEF CON and DerbyCon which each feature a Capture the Flag (CTF) Contest. Participating is a great way to get real experience without getting into any trouble. Watching the competitors as well as the speakers is also an education. So either compete with the best or learn from the best. Here’s a little extra info on each.
DEF CON SE Village
Established at DEF CON 18 the SE Village has been the one-stop shop for all things social engineering at DEF CON. From our humble beginnings with a small room and our sound proof booth to now running 4 events and the “Human Track” where all the social engineering talks are given. The SE Village is the place for not only our flag ship event, the Social-Engineer Capture The Flag (The SECTF), but also Mission SE Impossible, the SECTF4Kids and the SECTF4Teens!
DerbyCon SE Village
DerbyCon is one of our favorite places. In the past 4 years we have been the place to go for all things social engineering at Derby Con. And for the third year in a row we will be again holding an entire SE Village at DerbyCon! This will include not only the old favorite “Can you beat the polygraph?” but we will be bringing back Mission SE Impossible AND the ever popular SECTF!
Bill Varhol has been an IT professional for 15 years, with most of them in information security. He is currently a VP with AlixPartners, a management consulting firm, where he leads the security assessments team. He holds certifications from ISC2, ISACA, Offensive Security, EC-Council, GIAC, Microsoft, CompTIA, LPI, and IACRB and has a BSc in IT, MSc in Cybersecurity and Information Assurance, and is finishing an MBA in IT Management (08/18).Tags: book review career defcon derbycon hadnagy se social engineering