Book Review: Practical Social Engineering
Review of the book Practical Social Engineering by Joe Gray. First published in May 2021 by No Starch Press.
One of the important aspects of a red team engagement is social engineering (SE). It often paves the way for the initial compromise of the target organization's network (assuming the engagement does not follow an assumed-breach methodology). However, most texts on red team engagements cover this subject only briefly, so I chose social engineering as the topic for my next read. This review is of the book Practical Social Engineering by Joe Gray. It was published in June 2022 by No Starch Press.
Content Overview
This book covers how to conduct a social engineering engagement end-to-end (i.e. from scoping to reporting). It also covers certain SE tools and tactics, but it focuses more on the process aspect of SE and adapts the common penetration testing phases to it (referred to in the book as the Social Engineering process). It provides a 360-degree view of a social engineering engagement. It does not come with a lab but includes ample examples for demonstration purposes.
Book Layout
The book is divided into three parts + appendices:
The Basics - This section encompasses the first two chapters. The first chapter briefly covers various SE concepts such as Pretexting, OSINT, Phishing, Spear Phishing, Whaling etc. and psychological concepts such as Influence, Manipulation, Rapport and Dr. Robert Cialdini's six principles of persuasion (check out his book Influence: The Psychology of Persuasion, a very interesting read on psychology). The next chapter talks about the ethical considerations one should keep in mind while on a social engineering engagement: employee privacy, establishing boundaries, legal considerations, and responsible debriefing / reporting.
Offensive Social Engineering - This section encompasses chapters three to nine. It talks about how to conduct a social engineering engagement end-to-end, starting from scoping, building pretexts, preparing the toolkit and performing social engineering attacks, through to reporting and debriefing. Chapters four to six cover various tools and techniques to collect OSINT on an organization and its people. Chapters seven and eight cover setting up the infrastructure for conducting a phishing exercise and cloning the websites that will be used in it (I have also covered certain social engineering attacks in my course Red Team Adversary Emulation). Chapter nine talks about the metrics used to measure the success or failure of the engagement and how to report them.
Defending Against Social Engineering - This section encompasses chapters ten to twelve. As the section name suggests, it talks about various strategies and security controls that can be used to defend against malicious social engineering campaigns: awareness programs, reputation monitoring, incident response, email security controls (SPF, DKIM, DMARC, TLS, email filtering etc.), and identifying IOCs and producing threat intelligence that can be shared with the industry for proactive defense.
Appendices A - E - This section encompasses Appendices A - E. Appendices A, B and C provide templates for scoping, reporting and information gathering respectively. Appendices D and E provide some pretexting samples and exercises to help readers improve their social engineering skills.
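The email security controls listed under the defensive part (SPF and DMARC in particular) are the ones a reviewer checks first when assessing how exposed a domain is to spoofed phishing mail. The following is an added example, not code from the book or from the review: it grades SPF and DMARC TXT records by the settings that matter (the qualifier on SPF's "all" mechanism, and DMARC's p, pct and rua tags). The domain names and record strings are constructed placeholders, so it runs offline; a real assessment would fetch the TXT records with a DNS resolver. Treating "~all" and "p=quarantine" as weak rather than acceptable is this example's own grading choice.

```python
"""Check SPF and DMARC records for the weaknesses an email-security review looks for.

Added example, not code from the book or the review. The TXT record strings
below are constructed and the domains are placeholders; a real review would
fetch them from DNS instead of this table.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Finding:
    control: str   # "SPF" or "DMARC"
    severity: str  # "ok", "weak" or "missing"
    detail: str


def parse_dmarc_tags(record: str) -> dict:
    """Turn 'v=DMARC1; p=none; rua=...' into {'v': 'DMARC1', 'p': 'none', ...}."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_spf(record: Optional[str]) -> Finding:
    """Grade an SPF record by the qualifier on its 'all' mechanism."""
    if record is None or not record.lower().startswith("v=spf1"):
        return Finding("SPF", "missing", "no v=spf1 TXT record published")
    for term in record.split()[1:]:
        term = term.lower()
        qualifier = term[0] if term[0] in "+-~?" else "+"
        mechanism = term.lstrip("+-~?")
        if mechanism != "all":
            continue
        if qualifier == "-":
            return Finding("SPF", "ok", "-all: mail from unlisted hosts hard-fails")
        if qualifier == "~":
            return Finding("SPF", "weak", "~all: softfail only; DMARC must do the enforcing")
        if qualifier == "?":
            return Finding("SPF", "weak", "?all: neutral result, no protection")
        return Finding("SPF", "weak", "+all: any host may send as this domain")
    return Finding("SPF", "weak", "no 'all' mechanism; unlisted hosts get a neutral result")


def assess_dmarc(record: Optional[str]) -> Finding:
    """Grade a DMARC record by its policy, pct and whether reports are collected."""
    if record is None:
        return Finding("DMARC", "missing", "no _dmarc TXT record published")
    tags = parse_dmarc_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return Finding("DMARC", "missing", "record does not declare v=DMARC1")
    policy = tags.get("p", "").lower()
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    # Aggregate reports (rua) are the feed that shows who is spoofing the domain;
    # their absence is appended to the finding rather than changing its grade.
    report_note = "" if "rua" in tags else "; no rua tag, aggregate reports not collected"
    if policy == "reject" and pct >= 100:
        return Finding("DMARC", "ok", "p=reject applied to all failing mail" + report_note)
    if policy == "reject":
        return Finding("DMARC", "weak", f"p=reject applied to only {pct}% of failing mail" + report_note)
    if policy == "quarantine":
        return Finding("DMARC", "weak", "p=quarantine: spoofed mail still lands in spam folders" + report_note)
    if policy == "none":
        return Finding("DMARC", "weak", "p=none: monitoring only, spoofed mail is delivered" + report_note)
    return Finding("DMARC", "missing", f"unrecognised policy {policy!r}" + report_note)


# Constructed sample records for placeholder domains (not real DNS data).
SAMPLE_RECORDS = {
    "weak.example": {
        "spf": "v=spf1 include:_spf.mailer.example ~all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    },
    "strong.example": {
        "spf": "v=spf1 ip4:192.0.2.10 include:_spf.mailer.example -all",
        "dmarc": "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@strong.example",
    },
    "none.example": {"spf": None, "dmarc": None},
}


def assess_domain(domain: str, records: dict = SAMPLE_RECORDS) -> list:
    """Return the SPF and DMARC findings for one domain from a record table."""
    recs = records.get(domain, {})
    return [assess_spf(recs.get("spf")), assess_dmarc(recs.get("dmarc"))]


if __name__ == "__main__":
    for domain in SAMPLE_RECORDS:
        for f in assess_domain(domain):
            print(f"{domain:16} {f.control:6} {f.severity:8} {f.detail}")
```

Run it as-is to see the three constructed domains graded; to assess a real domain, replace the table lookup with TXT queries for the domain itself (SPF) and for its _dmarc subdomain (DMARC) and pass the results to the same two functions. The "rua" check matters for the threat-intelligence angle the book raises: without aggregate reports, a domain owner never sees which sources are sending mail as them.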
Salient Features
It contains a lot of metrics (such as open report distance, click to input distance, input click ratio etc.) to measure the effectiveness of a social engineering campaign. In my opinion, chapter nine is the most important chapter of this book and also what sets this book apart from other texts on the subject.
It talks about the process aspect of social engineering engagements. This is helpful for professionals who want to include social engineering in the security testing program of their organization.
The author has included samples and templates that will be helpful to those doing this for the first time.
It contains multiple case studies from real-world attacks, incidents and the author's own professional experience.
A good read for cyber security professionals at all levels.
Not so salient Features
I picked up this book expecting it to cover a lot more technical text than it does currently.
Apart from the process aspect and metrics, there's nothing unique that this book offers.
My rating 4.0 / 5.0
Join our book club on Discord and share your views on this book (or any other security book of your choice).
Other book reviews
Cyber Warfare – Truth, Tactics, and Strategies by Dr. Chase Cunningham
Practical Threat Intelligence and Data-driven threat hunting by Valentina Costa-Gazcón
Penetration Testing Azure for Ethical Hackers by David Okeyode, Karl Fosaaen
Red Team Development and Operations by Joe Vest and James Tubberville