Social engineering

A fox at the edge of a farmyard at dusk, still, watching. A gate stands open. A light is on. Somewhere inside, a door is being held by someone who never questioned the uniform. The fox has not moved yet. It does not need to.

Technical controls have a reasonably well-defined threat model. Social engineering does not, because the attack surface is every person in the organisation who answers a phone, opens an email, holds a door, or clicks a link while eating lunch.

The techniques here span physical presence, digital lures, and credential theft, and they share one structural advantage: they mostly exploit behaviour that is, in any other context, entirely reasonable.

The legend you build before you walk in the door
In person, uninvited
The lure, the line, and the hook
Getting past the login page
Step-by-step attack runbooks

Social engineering¶