Social Engineering

Detect & mitigate Social Engineering attacks

Get our e-book

Social Engineering

Find out how susceptible employees are to email phishing, telephone vishing and physical attempts at getting access into areas of the office or building

Overview

Social Engineering is a technique that relies on exploiting weaknesses in human nature, rather than hardware, software, or network vulnerabilities.

RedTeam Security offers four core Social Engineering areas to test human susceptibility to persuasion and manipulation:

  • Email Phishing
  • Telephone/Text
  • Fax
  • Onsite/Physical Pretexting

RedTeam is highly skilled at conducting Social engineering tests and has publicly released tools and published a book (The Social Engineer’s Playbook: A Practical Guide to Pretexting) to improve the process. We frequently conduct these assessments for clients and have a very high success rate of compromise as well as eliciting sensitive or confidential information.

Recently, correspondents and a film crew from Business Insider / Tech Insider wrote a story on their experience as they were embedded with RedTeam Security during some of our Social Engineering engagements. Read the full story here: How hackers smooth-talked their way past the security of a power company

The Social Engineer’s Playbook: A Practical Guide to Pretexting

The Social Engineer's Playbook

Buy: Amazon.com
Pages:
200
Format: Paperback, Kindle
Author: Jeremiah Talamantes (RedTeam Security)
Publisher:
Hexcode Publishing

The Social Engineer’s Playbook was written by RedTeam Security’s founder, Jeremiah Talamantes. The Social Engineer’s Playbook is a practical guide to pretexting and a collection of social engineering pretexts for Hackers, Social Engineers and Security Analysts. Build effective social engineering plans using the techniques, tools and expert guidance in this book. Learn valuable elicitation techniques, such as: Bracketing, Artificial Ignorance, Flattery, Sounding Board and others.

MORE INFORMATION

  • Service Types
    SEE SOCIAL ENGINEERING IN ACTION

    Business Insider Rides Shotgun as RedTeam Security Hacks the Power Grid

    WATCH THE VIDEO

    Email Phishing

    Exchanges of sensitive information over email happen almost constantly, day in and day out. Yet, nearly all of these exchanges don’t go through the proper channels for authentication and authorization. RedTeam Security uses email phishing and spear phishing social engineering to target staff into visiting unknown websites, divulging sensitive information or getting them to perform an action they otherwise should not be.

    Telephone/SMS

    Much like email, exchanges of sensitive information over the phone happen at an almost constant rate. These days, the mindset that a telephone call is enough to authenticate a person is all too common. However, bad actors are moving away from email toward telephone social engineering. RedTeam Security uses telephone social engineering to target staff into divulging sensitive information or otherwise getting them to perform an action they should not be.

    Fax

    Requests for information via fax is a crucial of exchanging information and sometimes these faxes contain sensitive information. Too often these exchanges of information happen without fully authenticating or authorizing the requesting party. Fax social engineering aims to identify weaknesses in how faxes are managed and exchanged within an organization.

    Onsite/Physical

    During a physical social engineering engagement, RedTeam engages staff directly (overt) or indirectly (covert) in an effort to identify weaknesses in the way they physically handle visitors and those pretending to be employees, vendors or business partners. RedTeam consultants masquerade as vendors, new employees, business partners and even employee family members in order to entice staff into divulging sensitive information or permitting access to sensitive areas of the facility.

  • Approach

    Social Engineering

    Approach

    RedTeam Security’s social engineering service utilizes a comprehensive, risk-based approach to manually identify critical vulnerabilities in staff’s adherence to best practice and organizational policies.

    1. Information Gathering
    2. Threat Modeling
    3. Vulnerability Analysis
    4. Exploitation
    5. Post-Exploitation
    6. Reporting

    Tools

    In order to perform a comprehensive real-world assessment, RedTeam Security utilizes commercial tools, internally developed tools and the same tools that hacker use on each and every assessment. Once again, our intent is to assess systems by simulating a real-world attack and we leverage the many tools at our disposal to effectively carry out that task.

    Reporting

    We consider the reporting phase to mark the beginning of our relationship. RedTeam strives to provide the best possible customer experience and service. As a result, our report makes up only a small part of our deliverable. We provide clients with an online remediation knowledge base, dedicated remediation staff and ticketing system to close the ever important gap in the remediation process following the reporting phase.

    We exist to not only find vulnerabilities, but also to fix them.

    Remediation & Re-testing

    Simply put, our objective is to help fix vulnerabilities, not just find them. As a result, remediation re-testing is always provided at no additional cost.

  • Deliverables

    Social EngineeringDeliverable

    At RedTeam Security, we consider the Delivery / Reporting phase to be the most important and we take great care to ensure we’ve communicated the value of our service and findings thoroughly. The deliverable consists of an electronic report that includes several key components including, but not limited to: Executive Summary, Scope, Findings, Evidence, Tools and Methodology. In addition to the report, a raw file in comma-separated value (CSV) format is also provided in an effort to optimize the remediation and management of any identified findings.

    Findings are communicated in a stakeholder meeting and typically presented in-person or virtually via Webex — whichever medium is most conducive for communicating results effectively. During this time, RedTeam Security consultants will walk through the report, in detail, to ensure all findings and their corresponding description, risk rating, impact, likelihood, evidence and remediation steps are thoroughly understood. While this typically involves a single meeting, there is no limitation to that number. The key underlying message is that all information is clearly understood and that a roadmap toward remediation / mitigation is crystal clear.

    Components

    Some of the key components to our social engineering service deliverable include, but are not limited to:

    * Scope
    * Control Framework  (ie: OWASP, PCI, PTES, OSSTMM)
    * Timeline
    * Executive Summary Narrative
    * Technical Summary Narrative
    * Report Summary Graphs
    * Summary of Findings
    * Findings (Description, Business Impact, Recommendation, Evidence, References, CVSS, Risk Rating Calculation)
    * Methodology and Approach
    * Risk Rating Factors
    * Tools

  • FAQ

    Frequently Asked Questions

    Why should should I conduct a social engineering test?

    A social engineering test is a simulated attack from the perspective of a bad actor, such as a malicious hacker. The objective is to simulate a cyber security attack and attempt to uncover security vulnerabilities that might otherwise be discovered by hackers. In doing so, you would gain valuable insight into the security posture of the assets and be able to fix them before hackers are able cause serious damage by exploiting them.

    How long does it take to conduct a social engineering test?

    The overall time depends on the size and complexity of the in-scope targets. That said, most tests take anywhere from one week to four weeks, start to finish.

    How much does a social engineering test cost?

    We get this question a lot and it’s not easy to answer until some level of scoping has been performed. Our scoping process is quick, online and painless. But overall, the complexity of the operation will ultimately determine its cost. For example, when determining the work effort, we take the following into account: number of targets (email, telephone) and the number of physical locations (onsite/physical), and travel time between physical locations, if applicable.

Services Datasheet

Learn more about RedTeam Security's advanced Application, Network and Physical Penetration Testing, Social Engineering and Red Teaming services.

REQUEST

TRUSTED BY TODAY’S LEADING ORGANIZATIONS

Our Penetration Testing, Social Engineering and Red Teaming services go beyond the checkbox to help prevent data breaches

Secure Your Organization Today

Contact Sales