This reads like it is more from a physical penetration testing perspective, which is less about "social engineering" and more about 1) knowing what you are doing and having overt confidence and 2) being a responsible adult.
The first you are best served by learning trades and developing skills. I became a locksmith, trained as a private investigator, hung out on subreddits related to trades and skills to learn insider lingo, read books and watched YouTube channels dedicated to relevant job functions. Basically you can spend 3 days practicing mentalism and faking confidence to try and convince a facilities manager you are a vending machine repair person, or you can spend 3 days learning the basics of vending machine repair.
The latter is applicable to all red team/pen testing engagements. Think long and hard about what you are about to do at every step and how it will impact your client and your ability to continue working both on this engagement and in the industry in general. You should go in being prepared to "lose" and accepting that as a desirable outcome - you'll win more often than not but it isn't a bad thing when the client has good security.
Yes, seems very specific to seeing if someone can get into the building; most social engineering attacks are remote, like bullying someone into providing login credentials by pretending to be a Very Important Exec who needs that info now.
Yep, being able to talk the lingo really helps you BS when challenged. And you're spot on that being able to project the confidence that you are there because you need to be there is critical.
In Christchurch, New Zealand, after the 2011 earthquake, there were a lot of officials from insurance companies, government departments etc. inspecting properties.
And the criminal elements quickly cottoned onto the fact that if you wore a hi-viz and carried a clipboard or iPad, and could talk about foundation subsidence with a moderate level of confidence, you could case and/or burgle houses with ease while multiple potential witnesses just ignored you because hey, hi-viz and an iPad, obviously there on earthquake related issues, right?
I think there is a slight tension here between what you can ethically test and what an attacker is likely to do. I've worked for a company where armed forces stormed one of the offices and made the workers perform certain actions at gunpoint. A good security audit should be able to find out which people have unfettered access to systems, and should be able to report on how to prevent that access being abused.
But, as the post says, you can't really simulate blackmailing a staff member into committing a crime.
I'm reminded of this bizarre story about an "active shooter drill" which ended up traumatising staff and getting the "trainer" arrested.
If your threat model includes "armed forces storming our office" it seems like you should just tell the people in that office that you're running a drill, and that they're to help out the red team to the same extent that a more cowardly version of them would if they were held at gunpoint.
Outside of military / national security, or if your agreement with your employer stipulates that you would give up your life before corporate secrets (and you are compensated accordingly), it's not reasonable to characterize cooperating at gunpoint as "cowardly".
I agree, I still think it's a reasonable word to include in the instructions though.
What you don't want is them holding back how much they co-operate with the red team in the drill because they think that's how they would act, or they'd like others to think that's how they would act. Even if it is how they would act, you'd presumably like to know that your security measures would still work even if someone else was in their positions. But also, it's pretty obvious that no-one (or very very few people) know how they'd really act in that sort of situation.
I thought (edit: And still think, but acknowledge that it is not yet a well thought out plan) putting that word in was a nice short form way of achieving that goal, though in a real drill you'd want to communicate a whole lot more about that than the 3 words I used. And probably also communicate that were this to happen in a non-drill form, that you don't expect them to resist.
Incidentally, it's hard for me to imagine that there are many organizations outside of the military / national security that include armed invasion of their offices in their threat model, though I suppose some multinational corporations might.
I can see the engineering appeal in this idea: testing beyond the expected operational envelope will tell you which parts of the process break first.
As for applicability, every now and then you hear a disturbing story of some office being raided by the police / anti-corruption force - this is not unrealistic if you're e.g. a news agency in a country whose government doesn't always respect the freedom of press.
Spending four paragraphs justifying how well a word communicates something when you could just replace it with the phrase “to simulate not brown-nosing (I would die for this job)”.
You know the saying "I didn't have time to write a short letter, so I wrote a long one instead" (Mark Twain, maybe). Ya, that's what I did, your version is just better.
I think GP meant "tell employees that there's going to be a drill with men carrying fake weapons, act as if you were too terrified to defend yourself".
Er, definitely no fake weapons either, that seems like a massive unneeded risk and stress factor. Tell them that there is a drill and they're supposed to work with the red team to the same extent that someone might if being coerced with guns. They're not actually on the red team since they aren't working as trusted team members, but they are also helping the red team/not working against them. It's more like they're part of the environment and their job is to help run the simulation.
The adversary for the red team is the rest of the company that isn't being occupied, not the office that they did "occupy".
> where armed forces stormed one of the offices and made the workers perform certain actions at gunpoint.
Either the workers weren’t supposed to have enough knowledge to perform those actions or they were expected to have suicide pills hidden in their mouths.