Social engineering refers to any technique used by a threat actor that focuses on people and process, rather than on technology. The objective of a social engineering attack typically includes manipulating people into divulging confidential information or performing an activity that benefits the attacker, preferably without those people realizing. It is a common requirement of information security programs to replicate the threat of social engineering attacks through regular penetration tests.
Benefits of social engineering testing
People are often more susceptible to compromise, compared to technology, as they represent a direct entry point into a target network. Consequently, threat actors often find success when targeting people and processes. In the meantime, it’s common for organisations to focus on securing their technology. While technology is very important, it doesn’t represent the entire attack surface of a given organisation. Including social engineering tests in an information security programme gives more complete assurance against real-world threats.
A successful social engineering testing programme has well-defined objectives and covers several approaches. These include remote techniques that leverage email, text message, phone call and even post. For complete coverage, in-person techniques that achieve physical access should also be conducted. When all these approaches are included in a social engineering test, a true picture of strengths and weaknesses, as they relate to people, begins to emerge.
Benefits of social engineering tests include:
- Identify vulnerabilities relating to attacks that leverage people and process.
- Understand the likely impact of an attacker that uses social engineering.
- Gain insight into what people and process defences are currently working well.
- Get assurance that includes consideration of real-world threats such as phishing.
Organisations that include social engineering threats in their assurance programme tend to receive greater insights into their overall information security posture. It is becoming increasingly common for assurance programmes to require that people and process are thoroughly tested on a regular basis, because that’s what attackers are targeting too.
In the past, it was common for attackers to focus on Internet-facing infrastructure for their attacks. Technology was generally not well defended and focusing on it was low risk and high reward for most attacker objectives. Times have changed. Technology is typically better defended, and attackers are finding more success when targeting people and process. This shift has occurred, but many organisations have failed to keep their threat model up to date.
Did you know:
- Social engineering attacks were responsible for the theft of over $5 billion worldwide during a recent three-year period.
- 55% of all emails are spam.
- 97% of all attacks use some form of social engineering.
It’s clear that social engineering is a real-world threat. The impact and likelihood of such an attack succeeding against an organisation typically needs to be understood. A social engineering test hands that knowledge to an enterprise and helps feed into a robust cyber security strategy.
About the Service
Social engineering attacks are commonplace and take various forms.
- Phishing – Anyone who has used email has almost certainly received a phishing attack at some point. These are email-based solicitations designed to entice a person into doing something for an attacker, e.g. installing malware, capturing credentials, wiring money, etc. More targeted forms of this attack are known as spear phishing. This variant typically involves a targeted pretext: the target person is researched, and a convincing-looking phishing email is crafted for that person specifically. More targeted emails have a higher chance of success from the attacker’s perspective, but they do take more time, effort and skill to craft.
- Vishing – This is the voice variant of phishing and it happens over the phone. There is typically a strong pretext for the call. It is common for a savvy attacker to collect individual pieces of information across multiple calls. Individually, each piece of information is low value and attempting to get it is unlikely to raise suspicion. Collectively, the information becomes much more valuable and can be used to execute a social engineering attack with high impact.
- Baiting – This is where a user is enticed to do something for the attacker based on bait. For example, a USB stick could be left in a parking lot with the hope that a target person will pick it up and plug it into their laptop. The stick could be of high value and contain interesting-looking files, which are really malware. A more targeted version of this could be using snail mail to post something to a target person, perhaps with a pretext of it being a prize (nice packaging goes a long way) or having been sent from someone they know.
- Tailgating – This is one of many forms of physical social engineering. Physical social engineering often has the objective of introducing something malicious to a building, such as malware, or removing something valuable, such as sensitive paperwork. Tailgating is the act of waiting for an authorised person to access a restricted area and following them through closely before the restriction (e.g. a door) re-engages.
There are many other types of social engineering, and these are designed to give a flavour of what attackers typically do.
A social engineering test will use one or more techniques like those described in order to test the protections provided not only by technology, but also by people and process. There must be clear objectives and rules of engagement, and it must be carried out by a reputable firm that understands risk reduction and is familiar with local laws.
At Nettitude, we have a dedicated team of social engineers who always practise and constantly refine their craft. We work with some of the largest organisations in the world and pride ourselves on being able to target people in production environments, physical and digital, in a way that is compliant with local laws and minimises risk to the target people and their organisation.
Our service is very bespoke. We don’t just send a few template-based emails in, tell you the click-through rates, and call it a day. Rather, we work with you from the very beginning to understand your threat model. From there, we design a test that will assess your people, process and technology. We work with you to define strict rules of engagement and well-defined objectives, and we adapt our methodology and output to meet your requirements.
We effectively and safely conduct reconnaissance against our targets, and we build attacks that meet specified objectives. For example, it may be appropriate to conduct a credential harvesting attack in one scenario, while in another we may attempt to gain command and control over an employee laptop, all via social engineering. For more advanced requirements, we can even laterally move through the network after obtaining an initial foothold, and attempt to act on a more advanced objective such as access to a central database, source code, etc.
We generally recommend a white box methodology if you’ve never had a social engineering penetration test before. This allows us to assess your technology first and give you a matrix of the success of different attacks vs different parts of your defensive technology. You then know what’s possible in theory. With that out of the way, we put the theory into practice and use known weaknesses against people. It is unwise to think of people, process and technology as unrelated, and by using this approach you get a sense of security posture over the three as a whole. This type of approach typically gives more thorough assurance levels.
For organisations that are more concerned with what a particular threat actor could likely do without any prior or inside knowledge, a black box approach can be more appropriate. This may give you less information at the end of the engagement, but it will more closely replicate an outside threat.
At Nettitude, we take all of this and more into account. We ensure that you get a robust, safe, efficient and effective social engineering test; the output of which you can bring back to your organisation and make important decisions with.
We are CREST accredited as an organisation, and each one of our employees is highly certified. The certifications we believe are most relevant to social engineering are shown below. Most of these require a rigorous practical demonstration of skill to obtain.
- CREST CCT – We have many testers with the Infrastructure and the Application variant of this certificate; some even hold both. It is a more specialised and advanced certificate compared to the CREST CRT. For your social engineering test, the Infrastructure variant is more relevant.
- CREST CCSAS – We have several testers that hold the CREST Certified Simulated Attack Specialist certification. Testers must hold the CCT Infrastructure certificate to even attempt this exam, and as with all CREST certificates, it expires after three years to ensure skill currency.
- CREST CCSAM – We have several testers that hold the CREST Certified Simulated Attack Manager certification. This is an advanced certification that ensures simulated attacks such as social engineering are run in a safe and controlled manner, are respectful of your people, and are compliant with the law.
- Offensive Security OSCP – Obtaining the OSCP requires the successful completion of a 24-hour practical exam that assesses a broad range of penetration testing skill. Testers with this can really think like an attacker.
- Offensive Security OSCE – Obtaining the OSCE requires the successful completion of a 48-hour practical exam that assesses a more specialised set of skills, including binary exploitation.
This is not an exhaustive list of our certifications – that would take up a lot more space!
As we often get asked many questions about social engineering attacks, we have compiled and answered the most frequently asked ones below.
- What is your lead time for a social engineering test?
We have a team of expert social engineering testers and they are always in demand. We match internal training and recruitment with external demand as efficiently as possible. Our aim is to be able to commence social engineering tests within two weeks. Where there’s urgency, we can usually do what it takes to meet your deadlines.
- How long does a social engineering test take?
This depends on the objectives of the engagement as well as the methodology chosen. We can typically provide value starting from four days of service, but it often takes longer. We will discuss your organisation’s specific circumstances and requirements before proposing a bespoke social engineering proposal.
- What is your social engineering methodology?
Our social engineering methodology varies depending on the requirements of the test. To give you an idea of the typical stages, our approach typically starts with open source intelligence (OSINT) gathering. We will do all that we can to find out about your people, process and technology. From there we identify appropriate targets and develop an appropriate set of attacks. If, for example, it’s spear phishing, we’re likely to create a custom pretext targeting a specific individual identified during the OSINT phase. The actual payload of the attack will vary depending on objectives: it might be a credential harvesting attack, malware delivery, etc. Post exploitation will depend on the rules of engagement.
- How will I find out the results of my test?
We are communicative and consultative. During the engagement, we’ll periodically update you with the findings so far, both positive and negative. Where we identify critical severity flaws, we will let you know via telephone immediately, and follow up in writing. At the end of the engagement, you’ll receive a summary of all findings. By the time you receive your in-depth reports a few days later, you’ll have no surprises: we communicate as we go. After delivery of the reports, we’re more than happy to give you technical and executive level debriefs. Finally, you have full access to our team of social engineering specialists after the engagement has completed. We’re here to answer any security questions you may have into the future.