SOCIAL ENGINEERING ENGAGEMENT FRAMEWORK (SEEF)
If you are observing the social engineering landscape in terms of social engineers, documentation, and frameworks out there, you will realize the topic has, as we call it, a low maturity. Low maturity means there are no well-defined processes or defined frameworks in which professionals can apply and benchmark themselves. Today’s landscape is a little like the Wild West. There is a lot of fear, uncertainty, and doubt (FUD).
With SEEF we want to oppose this situation. As you may have seen, our motto is visible on the book cover’s badge: Docendo – Discimus. It is a Latin proverb and means: “By teaching, we learn.” This is what we want. We want to teach anyone interested in social engineering the skills to do it properly, professionally, and ethically. This is Social Engineering Engagement Framework (SEEF) — FIRST CUT. It is literally the first cut of the framework that we have pioneered and want to share.
There are many different definitions of social engineering, but none of them seemed to fit for our purpose. Therefore, we had to create our own definition of social engineering as we understand it. We feel this definition matches perfectly with what we understand about social engineering. SEEF defines social engineering as follows:
“The elicitation of information from systems, networks or human beings through methods and tools”
SEEF delivers you detailed instruction on how to execute a social engineering engagement. It incorporates risk-based engagement milestones and supports you with scoping. The framework also helps you define your attack vectors and set governance principles.
The selected chapters about the SEEF in this publication are as follows:
● Social Engineering Engagement Framework (SEEF)
● Engagement Management
● GRC++
● Intensity Levels
● Approach Selection Method (ASM)
● Attack-Vector Development (AVD)
● Interpersonal Distance: The Concept of Space
● Verbal Masking
● Experimental Content
SEEF is not finished or complete yet; it is an ongoing process. It is our goal to update the framework regularly over the following months and years with the input of all social engineers interested and willing to participate. This is where the book’s name, Social Engineering Engagement Framework (SEEF)—First Cut, has its origin: It is the first cut, literally.
The book contains newly developed methods and approaches for social engineering. It is not a repetition of well-known concepts or principles. For this, you can read Wikipedia. The knowledge in this book comes from the field based on decades of experience. The book focuses on the human part of social engineering, not on the underlying technology supporting social engineering.
Buy the book
- If you are a social engineering nerd and want to get insights on some of the latest concepts and developments in social engineering.
- If you have to integrate SE into your risk framework.
- If you are seeking advice from social engineering consultancies and you want a more robust risk framework for scoping.
- If you like us and you want to support us so that we have the funds to extend our SEEF.
- If you are a team member at one of the authors’ places of work, in order to get into their good books.
- If you are curious about social engineering.
- If you are one of the authors or you are related to them.
- If you want to become a professional social engineer.
Don’t buy the book
- If you are looking for one-to-one instructions; the book has some detailed instructions and definitions on processes, but it is not an instruction booklet.
- If you expect a totally finished and polished, politically correct publication. That’s not what this book is; it’s rough, incomplete, probably biased and edited to the best abilities of non-native English-speaking authors.
- If you are a superstar social engineer and resistant to learning or advice.
- If you are a know-it-all.
- If you have no money for books, try instead to socially engineer a copy from one of the authors.
- If you only want to complain about the authors.
- If you are a hacker; hack it somewhere or download it and then show off with it.
- If you are a publisher and you want to publish our next book; we will gift you one.
SEEF addresses different stakeholders. Not all the topics in the framework will appeal to everyone. This is the reason why we defined the three stakeholder groups. Every group has its specific interest in the framework. Whether you want to become a social engineering expert or just get yourself up to speed with the latest developments and associated risks in social engineering, you will find specific content for your needs.
The framework defines three groups of key stakeholders.
Professionals
Professionals comprise the group of individuals who have a professional interest in social engineering. This can be functions or roles requiring social engineering knowledge either for active use or for building protection against social engineering attacks. Some examples might include the following:
● Chief Information Security Officer (CISO)
● Risk Managers
● Project Managers
● Risk & Compliance Officer
● Privacy Officer
● Consultants
● Freelancers
● Hackers
Organizations
Organizations comprise the stakeholder group whose companies and other professional bodies take a vested interest in social engineering. This could be any of the following:
● Private intelligence companies
● Big 4 consulting firms
● SE companies
● International organizations
● Information-security companies
Governments
Governments include public-sector interests. These are the people who can devise, pass and enforce laws and regulations. The groups included in this stakeholder group could be the following:
● Intelligence organizations
● Military
● Universities
● Diplomatic relations
● Strategic security
● Nation-states
● Policymakers
In today’s highly complex business structures, more advanced methods for social engineering are necessary. Social engineering is a relatively new discipline that is sometimes complex, relatively unstructured and has low maturity.
Aside from a focus on the technical level and the occasional psychological recitation of facts, there is no comprehensive method or framework in place to describe the discipline of social engineering. SEEF has set out to close this gap and introduce a framework describing the factors and process of social engineering in a business/corporate context. This will improve social engineering as a discipline and make companies stronger in defining awareness campaigns and countermeasures. The framework will make social engineering engagements in the corporate world safer for the company executing the social engineering engagements and for the targets of social engineering.
Unlike in the past, social engineering has become an engineering discipline with precise tools, selected dynamic approaches and execution plans. This also makes it so damn hard to define countermeasures against SE attacks on the receiving end. You really never know where you could get hit next. But as with all things, the best chances of detection and defense (active/passive) are to stick to your own processes, raise awareness and train your staff, employees and especially your senior executives.
SEEF is a structured, experience-based, pragmatic and best-practice risk-based approach to social engineering. SEEF comprises well-defined methods, instructions, skills and definitions. SEEF offers the most comprehensive view on social engineering today and will boost you to the front of social engineering tomorrow.