🎠What Social Engineering Testing Is and How it Enhances Regular Penetration Testing
Author: Dane Piazza @ Gotham Security
At work, you probably have received suspicious emails requesting sensitive information. You may have even taken a call from someone pretending to be technical support from your company and smartly hung up.
While you successfully dodged these scams and fraud attempts, did it ever occur to you that it could have been a cybersecurity firm—not a malicious actor—behind the exploits? In the cybersecurity industry, analysts use these tactics and others in social engineering tests. Social engineering uses deception to manipulate or convince people to divulge personal information, company data, access to systems, or anything else that might be useful to a malicious actor.
🔎 Inside Social Engineering
Social engineering can be tense, high-stakes work. For a behind-the-scenes look, check out our recent blog post, A Day in the Life of an Ethical Hacker. The post highlights just how far a skilled social engineer will go to obtain unauthorized access or to secure useful information. The utility of both can be self-evident.
For example, a malicious actor might use banking or credit card information to siphon funds from corporate accounts. Malicious actors may use other pieces of information as leverage. For instance, an exploit could yield embarrassing, confidential, or proprietary information that a malicious actor could then use as leverage for a ransomware attack. Finally, some useful information may seem trivial on the surface, like knowing the type of HR software that a company uses. But even something as seemingly innocuous as this could prove useful in a social engineering attack (more on this later).
For now, know that companies hire cybersecurity firms to conduct social engineering tests to reveal deficiencies in technical controls, employee training, policies, and procedures. A technical control could be something like an email control blocker, such as Mimecast URL Filtering, or multifactor authentication (MFA), an essential security feature that you can learn about in our blog post, Why MFA is Important (And How Hackers Bypass It). During a social engineering test, a cybersecurity analyst may attempt to send an inert web threat to an employee to determine whether URL filtering will block it, thwarting a phishing attack.
🔦 Testing End-User Awareness
Assessing the adequacy of training and policies involves testing end-user awareness—an essential component of cybersecurity. End-user awareness is how well-trained employees are at detecting and eliminating fraud and cybercrime attempts. For these portions of a social engineering test, cybersecurity analysts will pose as malicious actors and use common social engineering tactics on employees. To get a sense of just how critical end-user awareness is, and how it factors into the pentesting process, read our recent blog post: The Difference Between Vulnerability Scanning vs. Pentesting and What Makes Pentesting So Important.
But before we delve further into social engineering tactics, it’s worth underscoring the value of social engineering testing. It’s often the easiest and fastest way to identify information that a malicious actor could use, such as proprietary information or data, protected employee information, access to financial accounts, and legal records, among others. With this information, a malicious actor could extort or ransom the organization, costing the company millions and damaging its reputation.
These types of attacks are common. Recently a group named Lapsus$ socially engineered companies such as Microsoft and Okta, allegedly obtained source code for specific programs, and leaked customer data. This group used techniques such as calling an organization’s help desk to reset a user’s credentials or spamming a target with MFA prompts until the user accepted.
Breaches of that size and/or severity can have disastrous consequences. In addition to dollars and data lost, along with reputational damage, there can be legal repercussions for data breaches in regulated industries, such as healthcare and the financial sector. To learn more about some current and proposed cybersecurity regulations, read our recent blog post, What the SEC May Have in Store for Cybersecurity.
Fortunately, social engineering testing can help avoid the financial, legal, and reputational consequences of a breach. To better understand how, let’s explore how a social engineering test works, step by step.
- Step 1: Reconnaissance Whether it’s a cybersecurity firm conducting a social engineering test or a malicious actor attempting an exploit, the process begins the same way: with reconnaissance. Cybersecurity firms and malicious actors gather information about the external attack surface and employees. Scouting the external surface includes identifying login portals, company phone directories, and email addresses. All are potential ways into the company’s digital architecture. Reconnaissance tactics can include scouring an organization’s company LinkedIn page for employee profiles, searching the company’s website for bios, and obtaining company branding such as logos and email signature blocks. Gathering employee emails is also part of reconnaissance. Cybersecurity analysts do this using tools such as VoilaNorbert, Skrapp, and LinkedIn2Username, which generate possible matches for email address structure, such as first name, initial, last name, and the domain name. The reconnaissance process is lengthy because it shapes the scope and affects the overall success of the social engineering test. For example, some companies may want to test existing controls or the cybersecurity knowledge of their employees. Others may want campaigns that test employees’ reactions to common social engineering tactics. Reconnaissance identifies the avenues that would most likely achieve these goals.
- Step 2: Tactics The cybersecurity firm will use the information gathered from reconnaissance to determine what tactics to use in the test. Standard tactics include spear-phishing, phishing, SMS phishing, and vishing. Spear-phishing involves targeting individuals who are in high-ranking leadership roles, such as COO, CFO, or even CEO. Phishing is much more general and targets all employees via email. SMS phishing relies on text messaging or mobile messaging services, including WhatsApp and iMessage, to carry out exploits. Vishing may target all or select individuals by phone. Each test aims to achieve the same goal: Solicit confidential information, which can then be used for leverage against the target organization.
- Step 3: Attack With the attack surface mapped and the optimal tactics selected, a cybersecurity firm can launch its social engineering campaign. Acting like a real malicious actor, the cybersecurity firm will use everything it has learned to attempt to trick all or specific employees into supplying compromising data or information, or inadvertently granting access to sensitive systems.The resulting campaigns test human and technical defenses while providing insights as to what could happen if a malicious actor were to obtain confidential information. For example, let’s say that during a social engineering test, cybersecurity analysts, using a Russian IP address, obtain an employee’s username and password. This finding indicates that impossible travel controls should be implemented, which would stop a login attempt from an abnormal location. Not only does the company know how to protect itself and its employees better, but it also has peace of mind knowing that these are only tests, and no confidential information is being compromised. But what happens when a company doesn’t chain social engineering testing with penetration testing?
🧀 How To Go Above and Beyond Regular Penetration Testing
Penetration testing without social engineering testing provides an incomplete assessment of Defense in Depth (DiD). Using the Swiss Cheese graphic above as an example, a penetration test will assess a company’s processes and technical defenses. Without social engineering testing included, a penetration test will not test a company’s personnel, who are equally critical in threat defense.
Furthermore, a penetration test with social engineering is iterative. Just like a determined malicious actor, if GoVanguard Security can’t breach a company using one social engineering tactic, we’ll try another. We will systematically hunt for customer and employee login portals to exploit, create email signature blocks that mimic company branding for phishing messages, or even impersonate key company executives using details we’ve gleaned from the web.
Additionally, information gleaned from one social engineering campaign can inform another. For example, if we can obtain credentials and infiltrate an organization, we can use whatever we discover after infiltration to launch additional exploits, just like a malicious actor would.
Even if the stolen employee credentials don’t grant access to confidential information, they may lead to useful information. We might learn which human resource tools a company uses, such as Gusto, QuickBooks, or Hubstaff. With this information, we could launch a spear-phishing attack against the company’s HR department. Or, discovering that a company’s accounting department uses tools such as Divvy, Budgyt, or Expensya could lead to a successful spear-fishing campaign against that department.
With more details in hand, we can be more precise in our social engineering tactics. For example, if we obtained credentials for accounting software, a phishing attack using this information to target the entire company likely wouldn’t be as successful as a spear-phishing attack targeting just the accounting department.
A better approach would be to target the CFO with a spear-phishing attack by calling the CFO and posing as a representative from one of the accounting software vendors. We could even pair this vishing attack with a spear-phishing email to enhance credibility. We might even spoof the login portal for the accounting software to obtain more confidential information. To continue the accounting software example, we might spoof an email from the vendor and send it to the CFO with a malicious payload attached. The attachment could be a spreadsheet, PDF, or even a Word document that, when opened, could spawn malware on the target’s workstation.
Of course, a legitimate cybersecurity firm would never use a payload that could damage a workstation or network. Instead, we use canary tokens or other harmless verification payloads. Canary tokens are safe and can be sent in the same forms as malware, such as PDFs, Word documents, and Excel files. The canary token informs us when the attachment is opened simultaneously alerting us that if the sender were a malicious actor, the target would have been affected. The other harmless verification payloads are generally in the form of executables and are used for testing purposes to avoid damaging users’ workstations.
All these social engineering tactics, when combined with penetration testing in a coordinated manner, provide a more accurate assessment of DiD. Ignoring the human element of end-user awareness leaves an entire attack vector unexplored and potentially vulnerable.
⚔️ Simulated Hacking, Real-World Results
In short, companies that perform penetration testing in conjunction with social engineering testing can take greater confidence in their DiD and overall cybersecurity posture. By assessing your people as well as your processes and technologies, social engineering testing combined with penetration testing ensures that an organization has the proper training, procedures, and controls in place to protect itself from actual malicious actors.
These social engineering campaigns also detail the steps an organization must take to ensure that their external attack surface is secure and that their employees are adequately versed in identifying and reacting to social engineering attacks. While social engineering is only a test, the outcome has real-world consequences.
Copyright 2023 Enclave Regenerous. Unless otherwise stated, all of our work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. Simply put, please share it, provide attribution and if you remix it then share generously with others. The work of others that is featured on this site is always provided with attribution and is not directly monetized.
Disclaimers:
The opinions expressed here are respectively our own and do not reflect the views of our organization or anyone else unless quoted verbatim.
We try our best to provide helpful insight to folks but there is no warranty to completeness of anything we create or post here; so please be sure to always do your own research.