The best cybersecurity defenses still share one common weakness — human error. Knowing this, bad actors often exploit your employees' fragility via social engineering. With social engineering testing, though, companies are able to test their people's susceptibility to persuasion or manipulation.
Your people are the lifeblood of your organization, but while they are busy generating revenue and helping your company compete, they can be susceptible to mistakes. There are three common approaches in a social engineering campaign:
Also known as "people hacking" social engineering attacks see those with ill intent using the phone, email, or in-person appeals to steal passwords or confidential data, install malware, damage the company's reputation, or profit illegally.
Only about 3% of malware aims to exploit a technical flaw. The other 97% uses social engineering.
The number one rule of social engineering testing is "keep it quiet." Don't tell anyone you don't need to tell. Why? The fewer people know about the testing the better, says RedTeam Security consultant and social engineering expert Marco Cardacci.
If someone sends out a memo in advance saying "we'll be doing social engineering testing soon!" it puts people on their guard. That's not an accurate test!
This rule doesn't mean that no one should know about the test. One CIO deciding to test everyone, and not letting one else know, could cause problems too. Throughout the process, it helps to be "super-communicative."
The social engineering team will want to discuss objectives with the client's selected few in-the-know. The goal of a kickoff meeting is to determine what assets and data are deemed most valuable and what the client is afraid of happening. This helps the security team tailor their efforts to get the most valuable information for you. Give the testers as much information as possible.
"The more transparency the better," Cardacci says.
Ideally a client hasn't been attacked before and is just worried about what they are trying to keep safe, Cardacci saya. But, when there has been a previous attack, it helps to know that too. The testers can try to mimic what has happened already to ensure that the people know what to do differently and that the procedures and policies will be effective under a new attack. Or, if there are specific types of attack common in your industry, it helps to communicate that to the testing team as well so they can work up their pretexts appropriately.
It's also really useful to provide the testing team with a list of targeted personnel's email and phone information. After all, the security team can find all this information using open source intelligence, but it saves the client time and money to offer it upfront. As Cardacci puts it, "the question is not if we can find it, it's how long it takes us to find it."
Typically the client will also approve the modes of attack in advance. On the day of the testing, someone should be monitoring what's going on (e.g. how many exploits are opened, number of email clicks). Ultimately, it's important that someone aware of the testing be available at all times during the testing — yes, even at 1 a.m. Things can get a little sticky with police or security if the team trying physical pretexting gets caught and the client isn't picking up the phone!
Companies at different levels of maturity will already have some people, processes, and procedures in place to react to social engineering attacks. For instance, a security operations team may have an established protocol for pushing a malicious exploit into a sandbox (a secure space where it can't damage the network or systems, but the team can further test what the exploit is meant to do or how far it will go, perhaps even reporting it to the FBI).
Or, after the first person reports a phishing email, there would a plan already to take the link in the email and block anyone on the network from being able to access that webpage. Plus, a plan to send an alert could go out company-wide to tell everyone an attack attempt has been thwarted.
That's obviously much better than seeing staff forwarding the phishing email around the office and everyone clicking on the link! Those users might go into a website phishing for credentials and go to a site that stores their username and passwords for later use or enable an attachment that when opened allows the attacker to access and control the users' computer.
A good testing team is going to have a high success rate for compromising clients. That's not all bad for you. After all, their report should set you up for follow-up discussions, training, and help your organization develop or strengthen its future social engineering strategy from a place of awareness.
RedTeam Security has extensive experience in social engineering testing. Business Insider embedded with us during a social engineering engagement and published a major story on it. Company founder Jeremiah Talamantes is the author of The Social Engineer's Playbook: A Practical Guide to Pretexting.
We want to apply our expertise to help strengthen your organization's security. Contact us by clicking the button below and schedule your social engineering testing today.