Chris Pritchard - The Basics of Social Engineering
Speaker: Chris Pritchard, Security Consultant specializing in Critical National Infrastructure
Background: Extensive experience testing ICS, rail, air, maritime, utility sectors, and nuclear sites
Key Focus: Practical social engineering techniques for gaining access to highly secure facilities including casinos, airports, and CNI
Chris Pritchard shares his experience conducting security tests on some of the most secure facilities in the industry, including critical national infrastructure (CNI), airports, and casinos. His approach focuses on practical, accessible techniques rather than complex psychological theories.
Use Google, Street View, company websites, and social media to understand company culture, dress code, and operational patterns. This builds the foundation for believable pretexts.
Visit the target location and walk around it. Look for weaknesses while being aware that there will be witnesses. Common areas to assess include back entrances, smoking areas, and shared offices.
Spend hours in communal reception areas with a laptop, observing staff behavior, dress codes, busy times, and security procedures.
"Most security is built around people coming in the front entrance - it's not built around people coming in the back entrance." Rear entrances are often less monitored and have weaker physical controls.
"I bought a vape machine just so I can go and stand in a smoking shed and build rapport with people... then walk back into the building with them because you're part of them." Smoking areas are natural social entry points.
In high-rise buildings, identify the specific floor and office. Use communal reception areas for extended observation without raising suspicion.
Note badge colors, lanyard types, metal attachments, and wearing styles. Build a collection of authentic-looking accessories.
"Fit that pretext around what you know... I often pretend I'm an IT network engineer because I know that stuff. If people challenge me, I know how to talk IT network stuff." Choosing a role you already understand reduces cognitive load when challenged.
"If you surround a story in part truth, it becomes believable - not just to you but to the person you're telling it to." Blend factual elements with the fabricated narrative.
"Get your outfit... if you're going to pretend to be an alarm engineer, dress like an alarm engineer." Match the observed dress code from reconnaissance.
"Bring some props because again props help you reinforce that idea you should be there." For example, a laptop for an IT engineer or a toolbox for maintenance staff.
Look for poorly designed barriers with gaps, low heights, or weak construction. Many gates are "pathetic" and can be stepped over, under, or around.
Identify security office positioning - they often focus on front entrances while side and rear approaches remain unmonitored.
"Put a laptop bag directly behind someone and trick the system into thinking there is someone still there." Blocks gate sensors to enable tailgating without detection.
Tailgate during busy periods for social entry. Use quiet times for physical bypass attempts at secondary entrances.
"Keep calm because you have this massive adrenaline buzz... if you have that adrenaline buzz you kind of give yourself away." Recognize and control physiological responses.
"Hiding in a toilet is brilliant... a colleague has actually printed out a laminated 'out of order' sign." Use restrooms for regrouping and adrenaline recovery.
Identify which exits are push-button controlled and which require a swipe card. Plan escape routes and alternative exit methods before beginning operations.
"Think about that target and how you're gonna get from where you are now... to where that thing potentially is." Maintain objective focus amid environmental complexity.
"Don't be afraid to ask for help... 'Hi I'm from the other office and my badge doesn't work on this particular door, would you mind helping me in?'" Simple, direct requests often succeed.
"Engage in polite conversation... don't make them your best friend." Normal workplace interactions build authenticity without over-engagement.
Identify and interact with powerful individuals. "Talking to somebody in power like that builds acceptance... everybody around thought that I should be there because I was talking to this lady of power."
"If I say 'don't think about pink elephants' - everyone starts thinking about pink elephants... If I said 'don't worry I'm not here to hack the network' - what's the first thing that person is going to be thinking?" Frame statements positively.
"We all have this inner voice building all these bad and negative things... don't listen to it." Recognize fear-based thinking and maintain operational focus.
"Tell yourself you're acting and it makes it okay-ish." Use professional mindset techniques to manage personal ethics during authorized testing.
Instead of "I'm not here to hack," use "I'm here to make your internet faster." Positive framing creates cooperation rather than suspicion.
"SE is exhausting... the adrenaline ups and downs and crashes, pretending to be somebody else for an entire day is absolutely exhausting." Plan for recovery time after operations.
Consider tactical placement of authorization letters. "If I get stopped by police with guns and I have a letter in my jacket pocket... that's probably not a good place to put it." Think through emergency scenarios.
"You're gonna fail at some point - don't worry, treat it as practice." Build resilience through iterative learning and experience.