Read not to contradict and confute; nor to believe and take for granted; nor to find talk and discourse; but to weigh and consider.
What's the one thing persistence needs to exist?
It's a goal.
Persistence needs a pursuit. It could be argued that it also needs curiosity as its momentum, although I can concede there are exceptions to that rule—not all persistence is fueled by curiosity. Some forms of persistence rely on dogged beliefs and unwavering prejudice or narrow-mindedness. For instance, malicious attackers do not use curiosity as a tool. Instead, they team their persistence up with malevolent intent and peddle their beliefs that way. These two things—curiosity and persistence—don't always go hand in hand, but the combination is vital for the mindset we are seeking.
Curiosity itself is a driving force of progress within an attack scenario, but it will not pay off without persistence. There's also another point that can't go unmentioned here: you will have nothing to persist in if you cannot take in information and leverage even the most ordinary information properly. If you jump on the wrong pieces of information and try to use them persistently to your advantage, the operation will misfire early on. This is where another cognitive skill intersects: mental agility. There are two times it is pertinent. One is when you've leveraged good information against a target or environment but still end up with a less-than-adequate result and need to pivot quickly. The other is when you've leveraged the wrong information and need to pivot quickly. I will lay out an example of each, which should help you conceptualize.
There are times when you will have gathered solid data. You will know everything about your target that you need to get in the door and on the way to achieving your objective, but something out of your control will thwart you, and you will have to pivot. Imagine lining up the perfect vishing call for a target. You have her name, number, department and position, job details and responsibilities, the times she works, and her clearance level. All you have to do is call her office and convince her to give you portal access. You finally dial the number, spoofing your number to appear as if internal to the very organization you're trying to penetrate. The ringing stops and someone picks up. But it's not your target. For one thing, the voice sounds as if it's the wrong gender. Then they introduce themselves and sure enough, the person you are talking to is not the person you were hoping for. However, they are within scope.
If it were me, imagining a proxy for my target answered, I would springboard into my new attack on the same call. I would explain the predicament through the veil of my pretext and push on, wrapping my new target into the same web and aiming for the same outcome. “Oh, I wonder if you can help—I still need my portal access reset. When I talked to her a few days ago, she said it takes a while, but I need in today!”
There's a chance this approach will work, and the odds will be far more in my favor if I am agile enough to twist the information to suit the new set of circumstances I've found myself in, in this hypothetical situation.
Of course, there are also times where you inadvertently leverage the wrong information. Imagine entering a target's workplace with the information they are enjoying time off. Let's say you were posing as maintenance, there to fix something in the target's office that they'd scheduled you for. Imagine your surprise if it turned out they were in their office at that very moment, and the receptionist was calling them to verify you were indeed supposed to be there.
Well, you would have to be agile enough to produce an issue of your own. You might enlist the help of a teammate by calling them in front of the receptionist and/or target to say you'd run into an issue. You'd have to explain it like someone confused about why you'd been sent out at the wrong time. You might even go as far as to get “new information” from your office, perhaps stating you had been scheduled by someone else at the company and had confused the situation. I'd apologize and I'd likely act quietly mortified.
I'd push this as far as I could and likely have a teammate spoof a call from a legitimate source within the company that fits the role of maintenance scheduler. Without an ounce of fear or unease, I'd ask if they still wanted me to perform the work or if they wanted to book me at a later time. If they opted for a later time, I would make sure it was within the timeframe the scope allowed and I'd go back again, trying to game the system.
Mental agility is possible with real-time interactions, like the ones laid out here. However, you cannot save an operation if you use bad information where communication is asynchronous, such as a phish. If you send a spear phish as the target's spouse's divorce lawyer only to find out they were divorced 30 years ago, you will likely not come back from that. You will have to start from scratch, keeping in mind that the target is probably a little more on edge given your previous play.
Mental agility is as much about making fresh connections between different things as it is teasing out problems and thinking on your feet to solve them in the most efficient way possible. It's taking in information and applying it to your current circumstances. There is one more thing that can't go unnoted about mental agility—it's bred by calmness. If you're too anxious, there's a good chance you will miss the opportunity to pivot well. If you are too uptight, there's a good chance you'll want to do what's been done before. AMs is less about traditional thinking and more about forward thinking.
As an ethical attacker, you will also require two more things for perfect potency: common sense and morals, both of which we will briefly cover in this chapter, too. But before we discuss that, let's look at how your curiosity can pay off in the first place.
Spoiler alert: It's through OSINT.
Curiosity is a basic element of our cognition, yet its biological function, mechanisms, and neural underpinning remain poorly understood. It is nonetheless a motivator for learning, influential in decision-making, and crucial for a functioning and prevailing attacker mindset. Moreover, for the ethical or malicious attacker, curiosity serves as a driving force in the pursuit of information and knowledge. Cultivating it is fundamental, and the best way of baiting it is to ask questions.
Curiosity, however, can be viewed on a spectrum. You may have more or less than someone else, but the amount you have doesn't preclude or facilitate your ability as an ethical attacker (EA) for obvious reasons. The most evident is that curiosity doesn't guarantee you'll find your way to useful or valuable information or that you'll know when to stop searching for information.
Lastly, there will always be someone less curious than you, and there will also always be someone more curious than you. To help foster your own curiosity, let's perform two exercises. The first will be to foster an agile curiosity, and the second will be to build an understanding of it through the AMs lens.
To cultivate curiosity, you will also have to start building on your persistence and agility. To eventually use all of them together, you must look to information. Find a news article on any company of your choosing. Identify the key bits of information and start down the mental agility course I am about to lay out. The first step is to ask yourself how you could use this information to form an objective and possibly even the beginnings of a pretext. The rub is that you can use only one article, so pick wisely.
I will start with Apple because they are my favorite company on Earth, and I want them to be secure. I would be distraught if they were attacked and they didn't have time to turn back their keyboard from butterfly to scissor-switch before the next MacBook Air comes out.
For this exercise, I typed Apple into Google and selected the News tab. I was offered many articles to choose from. I went to an NBC article by David Ingram, with the title “Facebook and Apple are in a fight. Your browsing history is in the middle.” Here's an excerpt from the article:
There are two points I care about here:
The article then goes on to say:
If I had to build a pretext out of this article, I would likely use the Electronic Frontier Foundation (EFF), founded by none other than Steve Wozniak, John Perry Barlow, Mitchell Kapor, and John Gilmore. I would build the attack around growing concern that Apple might be hedging its bets on a subscription-based Internet and information model, citing that the EFF would be willing to continue support as long as Apple could categorically state that it did not intend to profit from pseudo-privacy. An attack like this would best be served via vish (voice phishing call) and phish (email meant to gain access or, at the very least, certain details, such as that the account is active).
It could be something as simple as sending a request for comment on an article the EFF is releasing on its stance with regard to Facebook and privacy. There is no correct sequence: I could send the phish and chase a reply the next day by vish, or I could call first, portending the phish.
I might also attempt something more complex and wily, such as a notice about information that has been leaked to the EFF concerning a vulnerability in Apple's AppTrackingTransparency framework, which is a consent interface that notifies an Apple iOS user when an app requests access to their microphone, camera, or location. A call to warn them followed by the link in an email, potentially while I am still on the call, might suffice. However, in cases such as this, curiosity might kill the cat, and I might only have to send one phish and wait for the click.
Stay with the same target as before or pick a new one and write down 10 or more questions you'd like to know the answers to. The true skill of an EA at this stage is to form more questions based on the first round of answers. An experienced attacker will continue this cycle until they feel they have complete knowledge on which to mount their attack. Most of the time, it's not enough to know about the company or individual you're attacking—you must have in-depth knowledge to complement both your pretext and the facilitation of objective achievement.
There are 11 rudimentary questions I'd start with for any target I had no existing knowledge of. For this exercise, I will use Nespresso, because (a) I know little about them other than their main product is coffee, and (b) I would also hate for them to be attacked and not have enough time to put a caffeinated mocha capsule into production. So I'll give them a head start by outlining how an attack might be built up against them. Here are the questions I'd start off with when considering an in-person social engineering attack:
The answers to these would, for me, spawn the following questions:
Those questions will typically be followed by more questions, and they would start to narrow in on the pretext, which I would have started to identify with the answer to question 6 for this particular search. This process is cyclical in nature and will yield new questions with new answers that, in a massive plot twist, will end up with more questions… The one other thing that I'd like to note here is that the further you get into this process, the more you will have to rely on Google dorks and on efficiently disregarding information that is not critical for your needs.
If you are doing a night break-in, you will have to build a different pretext and look at different questions. For instance, if I were to be breaking into Nespresso headquarters at night, I would likely not show up as a vendor. My first 11 questions would differ slightly, too, with more concern placed on their security, security vendors, building layout, and shift patterns. Without listing them here, I'd likely turn up as a vendor spraying for pests overnight.
Also, the questions you first ask when building an attack rely heavily on the type of attack you expect to perform or are contracted to perform. If the client wants you to vish them, your questions will be greatly directed by the flags (the pieces of information or assets the client wants you to obtain) as well as by target numbers and other contact information. If your attack includes all vectors—vishing, phishing, and in-person—you will start to build a more intricate attack where all the vectors functionally overlap, allowing progress with every email, call, and step taken.
One other significant consideration will help you know when to stop an intensive search for information: it's when you have a solid pretext—when all the questions related to your pretext are answered—and when you have enough insight into the business's environment that it feels almost familiar to you. With this in mind, always remember that a pretext is to conceal your identity as a threat based on your objective.
A pretext is a narrative in which you are the details. Additionally, your pretext may have the air of a threat to it without it being a conscious decision, which is something people struggle with from time to time—a lawyer could be perceived as a threat, for example. A lawyer showing up in a rush for an appointment apparently no one knows about won't always portend brilliant and joyful things to come for the people within an organization. But that's not the job; the job of a pretext isn't to leave people feeling any particular way. Its job is only to protect you as a threat. So sometimes you will have to let your pretext lean on society's biases and do the heavy lifting for you. Your presence doesn't have to induce feelings of happiness from everyone you meet within the organization. It simply has to divert attention away from your true intentions as an attacker.
My last point on pretexts is only to stress that you must never actively try to scare or bully someone while in character. You will not leave any room for a teachable moment if you opt for that sort of performance. You can show up as a firefighter without telling everyone you meet they are about to burn to death.
Finally, I would be remiss if I didn't state that the questions I've listed aren't magic. They may not be the right questions for your target, but I have more often than not found them to be a good start.
Ultimately, the questions they build up to answer are “What is your objective?” and “Where is this target weakest?” Also, the first stage of this cycle takes everyone a notably different amount of time to get through. I can generally achieve this over 4 to 5 hours of rigorous searching. Some people will be much faster and some, possibly, a little slower.
Our curiosity will not pay off without persistence. We aren't talking about heroic persistence, laughing in the face of danger and defying all odds. We are leaning toward a persistence recognizable as not giving up on finding and using information against your target. Curiosity and persistence in the pursuit of knowledge mean that you are forever aiming for the Goldilocks effect—consuming information that's not too long, detailed, and complex, yet not too short, simple, and watered down. This takes some time to get perfect, and I still slip now and then. (Remember in Chapter 3, “The Attacker Mindset Framework,” I described how I went in as a satellite specialist there to renew a license and literally started to inspect the equipment on the roof. There was also a time I walked into a building pretending to be a Swedish convoy only to realize that I was in the presence of people who actually spoke Swedish (I do not). So, I was quickly escorted out.) Striking the balance of using the information you have suitably is not easy. There are times, however, where persistence is critical to a mission's progress. I found this out via a restroom cubicle in New York.
Last we left off on this story, I was pinballing in and out of turnstiles, pretending to be baffled each time my fake card didn't work in front of a security guard who was not at all moved by my pleas of running late for a very important meeting. Each time I tried a new reader and it failed to read my card and grant me access, mainly because my card was a complete dud, I looked at the security guard with a bemused look on my face.
“He is going to hit the roof!” I said, trying my card on the last turnstile reader. “I am now so late, I'm pretty much just early for next week's meeting,” I added in jovial defeat. “What should I do?” I asked as he looked me up and down. I love asking people questions like this, because it speaks right to their responsibilities, and it places an onus on them that is hard to fight. It also leaves them uneasy with the new pressure of having to decide something quite quickly with little information. Not this person, though.
“What exactly are you here for?” the guard said, staring back at me with a certain indifference to his tone.
“I am delivering the paperwork for the …” I lowered my voice, and leaned closer to him (with the glass gates separating us). “…the thing that's not going too well,” I finished, still looking at him directly. He cocked his head slightly to the side, as if he wasn't sure what I was telling him. “The merger,” I said briskly, still acting like I was sharing a secret with him.
“Oh, that,” he said quietly as if he, too, wanted to keep it a secret. Naturally, this made no sense seeing as it was across multiple media outlets. There was absolutely no poverty of information regarding this merger, but I was about to give him information that only he would know. Making people feel trusted will generally help them trust you.
“Yeah, look!” I said, unclipping my briefcase. “There's so much to be negotiated and signed that even just this will take us days to go through, but it will all get signed by Friday!” Before he could ask me more, I made the most genius move I've ever made and went with chaos as a companion. I accidentally dropped all of the paper onto the floor. On his side of course. “Oh my gosh!” I yelled in alarm. “This is not good!” I continued yelling. “Can you help me?” I said, petitioning for access from the other side.
Completely ignoring me, he said only, “Other way, please” as he now tried to ward off a group of three people walking toward the gates from stepping on the paperwork.
“No one can see those!” I said, straining my voice. “They are very confidential!”
“Oh, please don't stand on that!” I urged the passersby. As the guard turned his back on me to redirect the group, I hurdled the lower turnstile meant for access and hurriedly made my way to scoop up the papers. “I should get them back into order before I go up there. Do you mind if I just sit on those sofas there and regroup?”
“Let me see your badge,” the guard responded as he made his way to silence the now beeping gate sounding the alarm of circumvention a little obnoxiously for my liking.
“Here!” I snapped, pushing it in his hand. “I need to sort these,” I asserted, one last time.
“I have to look at this. Do you have ID on you?”
“Of course—one second,” I explained, reaching into my pocket. I handed him my ID. Thankfully we are allowed fake ones for the job—although it should be noted that they are sanctioned, and if they showed up as being used on an airline or in a traffic stop (which would be my two preferred uses), I would probably be ejected from this country. “I will just phone up to James, I am sure he can come down and sort this.” As I said it, I continued sorting the paperwork back into its proper order.
“Don't go anywhere. I will be at the desk checking into this.”
Literally the minute he turned the corner, I darted into the elevator. This move was my least brilliant idea of the operation. Of course, you needed a card to get the elevator to move so much as an inch. My saving grace was that the security guard probably wasn't at his desk to see my idiocy on CCTV. As I sat back down, though, resuming my position as a hurried lawyer, now dialing her boss, luck came rolling through the turnstile in a three-piece suit. As a six-foot, brown-haired, shiny-shoed man made his way to the elevator bank, so did I. “Yep, I am on the way up!” I said into the phone.
We stood in the elevator with me praying social norms would prevail. After what in hindsight was probably 5 seconds, but at the time felt like 3 weeks, this elevator hero said, “35 as well?”
“That's the one,” I said back as smoothly as I could.
It was not the one. It was three floors short of my intended destination. But it seemed close enough to the target and far enough from the security guard.
After some small talk, the elevator doors opened, and I was greeted by yet another set of turnstiles that I most definitely did not have a fake card for now. I let my elevator companion go ahead as I stayed back, again pretending to be on the phone. “Hey, James. I won't be long. I just have to make one call out here, and I'll be straight in … yeah, I know. I'm sorry, I will apologize profusely when I get in. See you in a few!” After correctly assuming the coast was clear, I did what any respectable female social engineer would: I sucked in my belly like I was expecting to get punched, tilted my pelvis, and slid through a rather tight gap between the turnstile and the side gate.
It wasn't ideal, but I was at least able to move about somewhat freely now. I darted 30 feet down the corridor toward a sign beckoning me with its little stick figures. The bathrooms. I took out my phone and, for the first time that day, attempted to make actual contact with someone other than my imagination. When my teammate picked up, I offered him what I thought was a fair solution to a potentially growing problem 35 stories beneath me: “You're going to have to spoof an internal number and tell that security guard I am up here and that ‘you’ will escort me down later for my badge and ID.” After a little back and forth on the details, he agreed. Now I was left with finding the solution to my newest problem: getting three stories up without a key card for the elevator.
There was one thing that would definitely help me: continued persistence.
There's generic common sense, and there's professional common sense. A good measure of both is often advantageous. However, it is something of a dual modality for an ethical attacker. Let's consider what “professional” common sense is.
Professional common sense diverges from traditional common sense only slightly; the latter dictates you use practical judgment concerning everyday matters or have a basic ability to perceive, understand, and judge—this is common to nearly all people. Professional common sense dictates that we do all of those things, but at work.
Professional common sense is essentially a collection of buzzwords that are meant to transcend personality types. Most organizations would list trustworthy, competent, respectful, courteous, dependable, cooperative, committed, approachable, accountable, steady—the list goes on and on. However, much of this is the antithesis of our jobs as attackers, right? How can we be trustworthy, competent, respectful, courteous, dependable, cooperative, and steady when our jobs boil down to being dishonest, not having a clue about our pretext's job, influencing another human for our own gain, and pivoting at any given opportunity? Well, there's another way to look at common sense: from the viewpoint of the attacker. It starts with a hard-and-fast rule: stick to the scope of the job as given by the client. You apply the rest to yourself as follows:
Finally, to compartmentalize, you have to be able to stomach the idea that, no matter what you do, you are not the only person who can do that job. There are literally backups for brain surgeons. That's not meant to make you feel lesser; it's not to say you won't do the job better or differently, but sometimes compartmentalization means isolating yourself from the project when need be.
Curiosity is a strong driving force of any attack—ethical or malicious—serving as the motor in the pursuit of information and knowledge. Persistence cannot exist without a goal. Morals are at play for the sake of the greater good, and they influence each moment in your intentions as an ethical attacker.