Stef, my contact at OrangeCon, asked me to put together a rough agenda for my two training days ahead of time. Not an easy task, because the training is getting a major upgrade and I am still in the middle of the writing process. On the other hand, it is of course useful to tell potentially interested people a bit about what they can actually expect. So, especially for those who are still in doubt, and those who cannot wait to be there: The Program (in English).
Day one: Setting the scene
During this day we will first cover some essentials. After all, there are a lot of misconceptions about this topic, leading to unwanted situations such as declaring social engineering “out of scope” when planning a pen-test. Showing you what it is actually about will not only strengthen your understanding but also help you better inform decision makers of the importance of this often overlooked security risk. First we’ll look at what social engineering is, what it is not, and how it relates to other subjects in human factor security. This includes looking at victim and perpetrator profiles, motivations and methods, but also a dissection of the act of lying. Next we will delve into the different forms we can observe, such as CEO fraud, romance scams and (s)extortion, but also some ways to use social engineering with good intentions. Lastly we will cover defense and see how to prevent, detect and respond to a social engineering attack. This module will likely overflow into the next day. Also during the first day we will introduce our interactive game that is played throughout the entire course.
Day two: Mostly offensive
During day two we will recap and start where we left off the previous day. We will likely finish the defense module before the first coffee break. After that we start looking at offensive social engineering as used by pentesters and criminals alike. We will explore the social engineering kill-chain consisting of target investigation, preparation, introduction, execution and exit, looking at all stages in great detail, again illustrated by some juicy ‘war stories’. After some small assignments we will discuss the various aspects to improve your understanding of the process. The goal here is to give you the correct mindset to create a working pretext and improve it until there is a high likelihood of success. For those who would like to, we will also offer a chance to practice acting and stress management: valuable skills when you end up in “the field”. Lastly we will also discuss some techniques that can never be used in ethical application, not even in testing scenarios. Although you should always exclude these from your pretext, you will want to discuss them or write about them in your report, as it is something your client should be aware of and take countermeasures against.