Over the years, social engineering attacks have become a reality for all companies, regardless of their sector of activity or size.
Beyond the technical vulnerabilities that are often exploited to gain unauthorised access to data and systems, the favourite entry point for attackers remains the employees of a company, most often via phishing attacks.
According to a study on the impact of phishing attacks: in 2021, 22% of reported data breaches would have originated from a phishing email. Furthermore, the Ponemon Institute’s 2021 Cost of a Data Breach report found that the average cost of a data breach is approximately $150 per compromised record, for a total cost of $3.86 million per breach. In addition, a single spear phishing attack is estimated to cost around $1.6 million.
In view of the disastrous financial consequences for companies that suffer these attacks, this critical component of system security, the human factor, must not be overlooked. CIOs, CISOs and CTOs must therefore take up the subject and increase risk awareness among all employees, by carrying out social engineering audits, because cybersecurity is everyone’s business.
What is a social engineering audit?
For a cybersecurity team, it is often more difficult to change human behaviour than to implement technical protections, which are nevertheless essential. However, it is much easier for novice or experienced attackers to exploit human vulnerabilities than to carry out sophisticated ‘technical’ attacks on information systems.
Making employees aware of the risks of fraudulent emails, apparently legitimate (via identity theft), which may contain links or attachments with malware, etc. is therefore essential to effectively prevent attacks. Training, team meetings, information campaigns and cybersecurity policies, which are also essential, serve this purpose. However, the most suitable solution remains the social engineering audit.
A social engineering audit consists of evaluating the behaviour of a company’s employees when facing cyberattacks. In practice, it involves testing their reactions to different types of attacks (phishing, vishing, SMShing, physical intrusions, etc.), in order to measure their level of vigilance and to verify compliance with best security practices.
Moreover, this type of audit maximises the sharing of knowledge and the transfer of skills on the measures to be implemented and the postures to adopt to defend against common attacks and more sophisticated threats. Indeed, knowing and understanding the potential consequences of a successful attack is significant, especially for those who have taken the bait. In fact, they become more vigilant against any similar threat.
Finally, a social engineering audit can be tailored to different objectives and organisations, depending on the specific risks identified. But before returning to this central issue, a few details on the main social engineering attacks.
What are the main social engineering attacks?
It would be possible to write a whole article dedicated to social engineering attacks. On this point, this one does not aim to be exhaustive. The objective here is to give a rather complete overview before presenting, without omitting anything, all the steps to carry out a social engineering campaign.
Phishing and spear phishing attacks
Probably the best known, the most fearsome and the most used: attacks via phishing and spear phishing emails.
Indeed, a distinction can be made between “standard” phishing and spear phishing. A phishing attack usually targets a large number of people, unlike spear phishing, which only targets a small sample, or even a specific person, and usually with more elaborate scenarios.
In both cases, the attacker’s objectives are clear: to deceive the vigilance of at least one employee in order to encourage him/her to click on a link, to download an attachment or to share sensitive information. The aim here is to take advantage of a lack of knowledge of risks or a lack of compliance with security procedures to gain access to company data or systems.
To this end, the most effective phishing and spear phishing attacks:
- Rely on one or more identity theft(s) (people and brand).
- Gathering information from a company’s website, social networks and other publications before launching an attack (known as “reconnaissance” in cyber jargon) is very useful for an attacker. Indeed, having information of all kinds on people in key positions (to spoof their identity), knowing the internal processes and validation chains, or, even better, having architecture documents (to build a credible scenario), etc., optimises the chances of success of an attack.
- Buying a domain name as close as possible to that of the target company, such as social-enginering.com instead of social-engineering.com. This is a very common practice, which makes it easier to reinforce the credibility of a request or demand by email and thus to abuse the credulity of the targeted people.
- Include links or attachments.
- Redirecting to an interface clone (usually an authentication page) to request a password reset or an application clone (to request any type of information such as bank details) through a seemingly credible link further increases the chances of a successful attack.
- Designing malware or ransomware to be executed on a workstation following the download of an attachment allows an attacker to easily achieve his goals: paralyse a company’s information system (for ransom demand), or simply obtain access.
- Are based on human psychological springs. Indeed, with great social skills, and only a sprinkling of technical skills, one can carry out the most significant cyberattacks.
We said the most effective ones, but very often the most basic scenarios also have successful results. Indeed, why do elaborate scenarios, when you can just talk about a new holiday policy, a salary increase campaign or simply offer a competition with a guaranteed iPhone. These scenarios still work too often. That’s why it’s essential to improve employees’ awareness of social engineering attacks.
Vishing attacks (voice phishing or phone attacks)
Vishing attacks are carried out through phone calls. Here, social skills, especially relational skills, are required. Indeed, the attacker contacts a target person orally to obtain information or to request the completion of a specific action (payment of an invoice, collection of information in the context of a recon – passwords, other data, etc.).
Indeed, vishing attacks do not usually target large numbers of people. However, with significant human resources on the attackers’ side, it is possible to launch fraudulent call campaigns targeting a single company.
Another characteristic of vishing attacks, especially the more elaborate and formidable ones, is that they are based on phone number spoofing. Most of the time, the calls seem to come from a key contact in the vertical (a manager) or horizontal (a colleague) hierarchy or from a referenced supplier. This increases the credibility of a specific request and therefore the chances of a successful attack.
SMShing attacks (phishing via SMS)
SMShing attacks are similar to phishing attacks, the only difference being that they are performed using SMS.
Physical intrusions are more rare. Indeed, they are less common given the effort they require from an attacker. Nevertheless, they remain particularly effective.
In this case, an attacker has to gain “physical” access to the premises of a company. To do this, he can pose as a legitimate visitor (customer, candidate, service provider, supplier, craftsman, etc.) with the aim of accessing the internal network through a Wi-Fi Guest, an unlocked workstation or an Ethernet socket for example.
In addition, the theft of a machine, equipment, workstation, confidential documents or access to a server room can serve as a motivation for a physical intrusion.
Physical intrusion can also be based on the deposit of booby-trapped devices in the company, such as USB sticks containing malware. Most of the time, this type of attack does not require access to the target company’s premises, as the bait can be deposited in strategic locations (parking lots, doorways, etc.).
How to carry out a social engineering audit?
Conducting a social engineering audit involves several essential stages of preparation. From risk analysis to target definition and choice of approach, we will explain all the elements to be taken into consideration in order to build and execute attack scenarios tailored to your needs.
Analyse the social engineering risks inherent in your business and organisation
The first step in running a social engineering campaign is to identify the main risks and threats associated with the company’s activity or organisation.
This analysis must above all take into account the sector of activity, the processes and critical resources, which are essential for the proper conduct of the company’s operations. Then, considering all these aspects, it will be a matter of identifying all the risks that could harm the objectives of confidentiality, integrity, availability and traceability, the mantra of any cybersecurity manager.
Thus, depending on the sector and the type of organisation, a company may face different social engineering threats:
- Embezzlement of funds
- Unauthorised access to the information system
- Taking control of machines or applications
- Access to sensitive data and documents
- Paralysis of the information system and the business operation
This risk analysis will facilitate the definition of the targets of social engineering tests (all employees or only a sample), the choice of approach (black box or grey box) and the techniques and attack scenarios (vishing, attempts to trigger a fraudulent transfer, phishing, sending malware, interface clones, etc.).
Define the targets of social engineering tests
Usually, a social engineering audit covers all the employees of a company. However, some persons or groups of employees, given their functions and roles in the information system, may be the focus. Indeed, some risks involve all employees:
- Access to the information system: the objective from an attacker’s point of view will be to find a way in, through at least one person. To do this, the most common strategy is to target all staff with phishing attacks via the sending of malware or the use of interface clones.
- Information system paralysis: In this case, usually via phishing attacks, an attacker only needs one person to execute a malware to achieve his or her goals.
However, other risks concern more specific staff groups:
- Embezzlement: here, an attacker’s strategy will be to target authorised persons, in most cases the accounting-finance function, to obtain payment of a fraudulent invoice for example. In this case, vishing coupled with phishing attacks often do the trick.
- Access to sensitive data and documents: for an attacker, obtaining some sensitive information (architecture documents, financial data, etc.) implies targeting people in key positions (general management, CFO, CIO). To do this, the most common attacks are also phishing, vishing and, for the most “diehard” attackers, physical intrusion.
Defining the target(s) of a social engineering audit is a crucial step: should the behaviour of all employees, a group of employees or just one person be evaluated when faced with certain attacks?
In order to test different attack techniques, as well as more elaborate scenarios, it is recommended to target specific groups, although it is also possible to proceed by sampling, considering the scale of the issues. Thus, the approach chosen for the social engineering audit (simulating an external attack – black box – or the internal threat – grey box) will facilitate the definition of targets, the choice of techniques and the design of attack scenarios.
Carry out a black box or grey box social engineering audit
A social engineering audit can be carried out using two approaches: black box or grey box.
In black box, the team in charge of the audit will only rely on open source information about the targeted company to build the attack scenarios because it is about simulating an external threat.
This approach is based on a thorough reconnaissance phase, allowing the gathering of all types of information about the company: size of the workforce, organisational chart (people in key positions), contact information (emails, phone numbers), location, etc. A good reconnaissance also includes researching information on the software and applications used, IP addresses, technologies and components of the information system infrastructure.
In grey box, the team in charge of carrying out the audit will have access to a higher level of information to design the attack scenarios. In fact, here it is a matter of simulating any type of threat, including those originating from an employee or former employee of the company.
In this case, the scenarios are generally more elaborate. And even if this approach is far from the reality of social engineering attacks, it nevertheless allows a better awareness of all staff groups.
Indeed, a grey box audit involves gathering information from the audit contractor, at least if the testing is outsourced to a third party: list of names, functions and contact details, internal details of how some teams operate, precise information about internal tools and technologies used, etc.
Thus, the choice between a black box or grey box approach still depends on the objectives and risks inherent to the company’s activity:
- To be as close as possible to a real attack or to raise awareness of the most common threats, a black-box audit will be more suitable.
- To ensure that all staff are exposed to social engineering tests with various scenarios, a grey box audit will be more appropriate.
- For companies with a high turnover, it is also more appropriate to choose a grey box approach.
Design and execute attack scenarios
A key phase of the social engineering audit is the design of the attack scenarios. It will result from the risks identified, the targets defined and the approach chosen for the tests. Let’s look at all these stages again with some additional information and tips for creating scenarios adapted to the challenges and risks identified.
External attack simulation in black box
In the context of a black box audit, the objective will be to identify the most critical flaws in order to make an individual or a group of employees aware of the most common social engineering risks.
To this end, the design of a credible attack scenario is necessary. Here, the team in charge of the social engineering audit, in the shoes of an external attacker, generally constructs scenarios based on interactions with a person external to the company (an avatar created from scratch: a job seeker, service provider, prospect, etc.). Indeed, in this case, identity theft from company employees is more difficult (but not impossible) given the “supposed” low level of knowledge of the organisation during an external attack.
Insider threat assessment in grey box
In the context of a grey box audit, the objective will be to make all or some of the employees aware of different types of threats.
To that end, more sophisticated attack scenarios are required. Standard scenarios can also be designed to assess the risks. Here, the audit team, in the role of an insider attacker or accomplice – and therefore with a high level of information – usually builds very elaborate scenarios, related to internal news or based on reliable identity theft.
Choice of attack techniques
The choice of attack techniques usually depends on the chosen scenarios or the objective of the social engineering audit, if it includes exposing the targets to various attacks.
Phishing attacks are the most common and should be the first choice. To enhance credibility and increase the chances of success, spear phishing, with links to interface clones or malware attachments, should be strongly considered.
However, in order to assess all risks and to raise awareness of external threats accordingly, vishing attacks can be carried out. In addition, given the organisation of the company and the criticality of some processes or resources, physical intrusion techniques should be considered.
Insourcing or outsourcing the audit
There are SaaS applications available to configure and launch phishing campaigns. These tools rely on different features to manage the sending of emails, to track opens and clicks on links or downloads of attachments. Implementing this type of social engineering campaign management tool is therefore one option, using a company specialised in offensive security is another.
How to exploit the results of a social engineering audit?
Any social engineering audit, beyond the success or failure of the attacks, must provide indicators on the behaviour of the targeted employees at a given moment, to measure the evolution over time and to implement appropriate measures.
What are the key indicators following a phishing campaign?
- Emails opening: This indicator is not very reliable because reading an email is not a risk if no other action is taken afterwards.
- Clicks on a link or attachment: This indicator is reliable and provides very important information to take into consideration. Even if the user does not enter his/her credentials or execute a file, a click is still a risky behaviour that must be addressed by an appropriate prevention measure.
- Risky action (entering credentials or executing a payload): This indicator is the key data. It is evidence of a critical or important flaw and therefore of a lack of risk awareness of those who have taken the bait. It is in fact the most important indicator in a social engineering audit.
- Attack reporting: This indicator is also one of the most important because it provides information on the ability of users to share information about their success in identifying an attack without having fallen into the trap or not, which in any case helps to protect the company. Indeed, the more the targeted individuals report attacks, the more they participate in the spread of a cybersecurity culture within their company.
Furthermore, it is particularly recommended to combine the reporting indicator with the risky action indicator, because a person who is the victim of an attack but gives the alert enables the company to react quickly and effectively.
Performing a social engineering audit with Vaadata, a company specialised in offensive security
As mentioned before, there are tools available to carry out phishing campaigns, based on pre-built scenarios that can be adapted to the needs and specificities of a company. However, a more realistic approach is to hire a company specialised in offensive security to perform a social engineering audit.
On the one hand, this allows not only for a more accurate assessment of the external threat (for black box testing), but also for a better awareness of different groups of employees (for a grey box campaign) through targeted attacks. On the other hand, the pentesters’ experience allows them to create scenarios adapted to any type of business sector and company organisation.
Furthermore, on a technical level, the pentesters rely on their skills as “ethical” attackers to autonomously build credible scenarios integrating polished interface clones or sophisticated malware.
Finally, a full report is produced following a social engineering audit. This valuable deliverable can be used to present the anonymised results of a campaign and highlight organisational weaknesses or prevention and awareness needs.
Contact us for any question related to a social engineering audit project. We will discuss your needs and propose an intervention adapted to your sector and organisational issues.