🎭 What Social Engineering Testing Is & How it Enhances Regular Penetration Testing

At work, you probably have received suspicious emails requesting sensitive information. You may have even taken a call from someone pretending to be technical support from your company and smartly hung up.

While you successfully dodged these scams and fraud attempts, did it ever occur to you that it could have been a cybersecurity firm—not a malicious actor—behind the exploits? In the cybersecurity industry, analysts use these tactics and others in social engineering tests. Social engineering uses deception to manipulate or convince people to divulge personal information, company data, access to systems, or anything else that might be useful to a malicious actor.

Social engineering can be tense, high-stakes work. For a behind-the-scenes look, check out our recent blog post, A Day in the Life of an Ethical Hacker. The post highlights just how far a skilled social engineer will go to obtain unauthorized access or to secure useful information. The utility of both can be self-evident.

For example, a malicious actor might use banking or credit card information to siphon funds from corporate accounts. Malicious actors may use other pieces of information as leverage. For instance, an exploit could yield embarrassing, confidential, or proprietary information that a malicious actor could then use as leverage for a ransomware attack. Finally, some useful information may seem trivial on the surface, like knowing the type of HR software that a company uses. But even something as seemingly innocuous as this could prove useful in a social engineering attack (more on this later).

For now, know that companies hire cybersecurity firms to conduct social engineering tests to reveal deficiencies in technical controls, employee training, policies, and procedures. A technical control could be something like an email control blocker, such as Mimecast URL Filtering, or multifactor authentication (MFA), an essential security feature that you can learn about in our blog post, Why MFA is Important (And How Hackers Bypass It). During a social engineering test, a cybersecurity analyst may attempt to send an inert web threat to an employee to determine whether URL filtering will block it, thwarting a phishing attack.

Assessing the adequacy of training and policies involves testing end-user awareness—an essential component of cybersecurity. End-user awareness is how well-trained employees are at detecting and eliminating fraud and cybercrime attempts. For these portions of a social engineering test, cybersecurity analysts will pose as malicious actors and use common social engineering tactics on employees. To get a sense of just how critical end-user awareness is, and how it factors into the pentesting process, read our recent blog post: The Difference Between Vulnerability Scanning vs. Pentesting and What Makes Pentesting So Important.

But before we delve further into social engineering tactics, it’s worth underscoring the value of social engineering testing. It’s often the easiest and fastest way to identify information that a malicious actor could use, such as proprietary information or data, protected employee information, access to financial accounts, and legal records, among others. With this information, a malicious actor could extort or ransom the organization, costing the company millions and damaging its reputation.

These types of attacks are common. Recently a group named Lapsus$ socially engineered companies such as Microsoft and Okta, allegedly obtained source code for specific programs, and leaked customer data. This group used techniques such as calling an organization’s help desk to reset a user’s credentials or spamming a target with MFA prompts until the user accepted.

Breaches of that size and/or severity can have disastrous consequences. In addition to dollars and data lost, along with reputational damage, there can be legal repercussions for data breaches in regulated industries, such as healthcare and the financial sector. To learn more about some current and proposed cybersecurity regulations, read our recent blog post, What the SEC May Have in Store for Cybersecurity.

Fortunately, social engineering testing can help avoid the financial, legal, and reputational consequences of a breach. To better understand how, let’s explore how a social engineering test works, step by step.

Penetration testing without social engineering testing provides an incomplete assessment of Defense in Depth (DiD). Using the Swiss Cheese graphic above as an example, a penetration test will assess a company’s processes and technical defenses. Without social engineering testing included, a penetration test will not test a company’s personnel, who are equally critical in threat defense.

Furthermore, a penetration test with social engineering is iterative. Just like a determined malicious actor, if GoVanguard Security can’t breach a company using one social engineering tactic, we’ll try another. We will systematically hunt for customer and employee login portals to exploit, create email signature blocks that mimic company branding for phishing messages, or even impersonate key company executives using details we’ve gleaned from the web.

Additionally, information gleaned from one social engineering campaign can inform another. For example, if we can obtain credentials and infiltrate an organization, we can use whatever we discover after infiltration to launch additional exploits, just like a malicious actor would.

Even if the stolen employee credentials don’t grant access to confidential information, they may lead to useful information. We might learn which human resource tools a company uses, such as Gusto, QuickBooks, or Hubstaff. With this information, we could launch a spear-phishing attack against the company’s HR department. Or, discovering that a company’s accounting department uses tools such as Divvy, Budgyt, or Expensya could lead to a successful spear-fishing campaign against that department.

With more details in hand, we can be more precise in our social engineering tactics. For example, if we obtained credentials for accounting software, a phishing attack using this information to target the entire company likely wouldn’t be as successful as a spear-phishing attack targeting just the accounting department.

A better approach would be to target the CFO with a spear-phishing attack by calling the CFO and posing as a representative from one of the accounting software vendors. We could even pair this vishing attack with a spear-phishing email to enhance credibility. We might even spoof the login portal for the accounting software to obtain more confidential information. To continue the accounting software example, we might spoof an email from the vendor and send it to the CFO with a malicious payload attached. The attachment could be a spreadsheet, PDF, or even a Word document that, when opened, could spawn malware on the target’s workstation.

Of course, a legitimate cybersecurity firm would never use a payload that could damage a workstation or network. Instead, we use canary tokens or other harmless verification payloads. Canary tokens are safe and can be sent in the same forms as malware, such as PDFs, Word documents, and Excel files. The canary token informs us when the attachment is opened simultaneously alerting us that if the sender were a malicious actor, the target would have been affected. The other harmless verification payloads are generally in the form of executables and are used for testing purposes to avoid damaging users’ workstations.

All these social engineering tactics, when combined with penetration testing in a coordinated manner, provide a more accurate assessment of DiD. Ignoring the human element of end-user awareness leaves an entire attack vector unexplored and potentially vulnerable.

In short, companies that perform penetration testing in conjunction with social engineering testing can take greater confidence in their DiD and overall cybersecurity posture. By assessing your people as well as your processes and technologies, social engineering testing combined with penetration testing ensures that an organization has the proper training, procedures, and controls in place to protect itself from actual malicious actors.

These social engineering campaigns also detail the steps an organization must take to ensure that their external attack surface is secure and that their employees are adequately versed in identifying and reacting to social engineering attacks. While social engineering is only a test, the outcome has real-world consequences.