At the 2018 conference, some of the feedback that we got was that it would be helpful to have a glossary of terms for people who may be new to social engineering and/or OSINT. So here we go!
Campaign: A specific social engineering attack against a target, from beginning to end.
Dork: A method of using specific search engine operators to find sensitive data. The Google Hacking Database is an excellent source of dorks: https://www.exploit-db.com/google-hacking-database
Lockpicking: Using specific tools that are not a key, to open a lock.
OSINT: Open Source INTelligence. Information that is freely available and does not require payment to access. LinkedIn, Facebook, Twitter and Instagram are just a few examples of OSINT sources.
Penetration Test/Pentest: Testing your company’s security posture by hiring security experts to assess the part of that posture you want to test. If you want to find out how well educated your staff is in detecting and preventing a phishing attack, you could hire penetration testers to perform a phishing campaign against your staff and then receive a report on the results.
Phishing: Using email to perform a social engineering attack. Often used to get a user to click a link, download a malicious file or give information back to the attacker.
Pretext: The story or justification used in a social engineering attack. In the Nigerian Prince email scam the pretext is that the prince needs to move money into a US bank. Some social engineers may use a pretext that they are an inspector and need access to a sensitive area inside a building.
SECTF: Social Engineering Capture the Flag. A competition that was created by social-engineer.org’s Chris Hadnagy and held each year at the Defcon conference in Las Vegas and the Derbycon conference in Louisville. Competitors are selected and given targets before the conference. The competitors will then gain as much information as they can about their target using OSINT. Then at the conference, each competitor is put in a glass booth on stage where they have 20 minutes to make phone calls to their target in an effort to gain additional pieces of information. These pieces of information are referred to as “flags”. Each flag has a point value assigned. Whichever competitor has the most points at the end of the competition wins, and has historically been issued a “black badge” to the conference. A black badge confers lifetime free admission to the conference.
Layer 8 attendees/speakers who have won:
2017 Defcon: Chris Kirsch (Layer 8 2018 Speaker)
2017 Derbycon: Joe Gray (Layer 8 2018 Speaker)
2018 Defcon: Whitney Maxwell (Layer 8 2018 Speaker)
Smishing: Phishing by text message (SMS). Attempts usually aim to get the target to click on a link.
Social engineering: Any act that influences a person to take an action that may or may not be in their best interest. (h/t Chris Hadnagy)
Spear phishing: Targeted phishing. Most phishing is done where the same message is sent to a number of people. Spear phishing is done when there is a single intended target, and the message is written with information about or for the specific target.
Vishing: Voice phishing. Usually done over the phone to get the victim to take an action or give up information.
Whaling: A social engineering attack against a high-profile or high-value target. Example: Attempts to gain access to a system with the same privilege level as a CEO or CFO, or a network administrator.