Well, I'll give the truncated version, and also point out there isn't a one size fits all answer to this question. Most SE's exist to help safeguard a businesses data, whether that is making calls to a bank to ensure tellers don't give up a password, sending a phish or attempting to gain access to a physical location. Now, it doesn't HAVE to be data, I've stolen cars, deeds to homes and other tangible assets, but most jobs as a SE are going to be in the information technology sector. Long story short, if this is something that interests you, you should obviously start in that field. That can be in the form of self study, a certificate like the OSCP, taking part in hack the box, there is so many ways to get started. From there it's all about self study, having good mentors that have experience and then it's about pushing boundaries and trying new techniques and attacks.
The most important thing people usually look for when hiring into an offensive role is passion.. is this something you REALLY want? If so, what have you done on your own to show your desire to learn? Lot's of people would LOVE to simply be an SE, and those positions are available, but typically you don't get hired on without experience, and you typically wont get experience unless its as an offensive security (person).
Those are the bare bones basics, we could get into the actual psychology of things, how and why they work, but alas, that would be a VERY long post.
In the interim, some GREAT books to start you on your journey are A Burglars Guide to the City, How to Win Friends and Influence People, and anything that does a deep dive into sales and marketing. While you're at it, if you haven't watched The Social Dilemma on Netflix.. go watch it right now. I suggest these books over "Social Engineering books" because you should learn HOW and WHY manipulation techniques work as well as how to think outside of what is "normal". Businesses have spent billions on how to get people to do things they don't want to, spend money they don't have and interact with things they shouldn't. So if all this work has been done, researched, perfected and used on most of YOU daily... why not use it to learn how to use it professionally (and while you're at it, to start recognizing that same manipulation by companies)? Social Engineering isn't so much about learning how to run a con, it's about reading people, knowing the most likely outcome, playing those odds and throwing in some charisma and doing what you can (looking like you belong, having a badge, being in the right place) to gain trust without having to earn it.
Or....
I could be lying to you....
Comments