A social engineer’s methodology to test a client’s physical security consists of multiple phases, including data collection, reconnaissance, remote attacks (optional), pretext creation, execution, and report creation. Some clients will choose to provide some information to the social engineer to reduce the amount of data collection that is needed and ultimately reduce costs, i.e., dress codes, the approximate location of a target within a building, front desk procedures, company policy information, or things like everyone is remote on Friday.
Once an assessment is scheduled, a social engineer will review the client’s website and other publicly available data. The purpose of this process is to develop an initial opinion of the challenge to expect when attempting to compromise the facility’s physical security. Some clients also want a spot check of the first steps the engineer will take, along with an explanation of common risks. The steps for performing a physical, social engineering assessment also depend on whether the client is receiving its first physical assessment or is already in the process of honing its policies and procedures through regular assessments.
Open-source intelligence (OSINT) is a crucial part of the process for gathering data on a client. The types of OSINT that are most valuable in social engineering include building images, company officer names, paid services, DNS records, and NMAP data. Social media platforms and search engines are indispensable tools for discovering information about a company that automated search programs will miss. For example, tools like Spiderfoot have large data sets, but it requires a manual search to compile an employee list from LinkedIn.
Social engineers must also perform reconnaissance before attempting to enter a building for the first time. This step typically involves covertly surveilling the facility to identify traffic patterns, dress codes, vendors that visit the location, where employees may prop doors open, and assessing front desk procedures. Reconnaissance may include monitoring of the facility's Wi-Fi network, provided a sufficiently strong signal is available from a discrete location. A walk around the building’s perimeter may reveal a break in the fence that the engineer can use to access the site, often for dumpster diving.
Occasionally, a social engineer performs remote attacks to obtain confidential information about a building—especially an email phishing, spear phishing, and telephone vishing - or to assist in developing their pretext. Attackers are moving away from email and towards phone calls as a means of obtaining sensitive information due to the common perception that a call is sufficient to authenticate someone. RedTeam Security uses attacks that include phishing emails and vishing to receive information from staff members and convince them to perform actions that compromise security.
These techniques usually provide beneficial results, such as access to Exchange accounts and third-party software. Obtaining access to a SharePoint account used to onboard new employees is particularly useful for getting acquainted with the company.
Using the information collected, the social engineer will develop multiple pretexts to attempt to accomplish the goal set with the client. These may include things like posing as a client to attempt to obtain a refund without proper documentation, trying to gain access to a building through an open door by spending time in an outdoor break area, posing as a vendor, or attempting to tailgate. These pretexts will be shared with and approved by the client contacts. The social engineer will also gather the props needed to support the pretext (access badge that does not work, appropriate costume, etc.)
Once on-site, the social engineer will put the pretext into action. While on-site, they may gain additional information while talking to employees or observing other details previously unknown to the social engineer and use this information to move forward to accomplish their objectives. The social engineer will attempt to take photos, videos, or other evidence to be presented in a report to the client. Lastly, the social engineer will try to leave the premises safely.
Creating a comprehensive report is a critical part of the engagement. It provides the client with the details of the process, the information gathered, the results and observations of the social engineer, any photos taken, and any recommendations. This will create a plan for improving training, updating procedures, and making any structural changes.