
Over the years, social engineering attacks have become a reality for all companies, regardless of their sector of activity or size.
Beyond the technical vulnerabilities that are often exploited to gain unauthorised access to data and systems, the favourite entry point for attackers remains the employees of a company, most often via phishing attacks.
According to a study on the impact of phishing attacks, in 2021, 22% of reported data breaches originated from a phishing email. Furthermore, the Ponemon Institute’s 2021 Cost of a Data Breach report found that the average cost of a data breach is approximately $150 per compromised record, for a total cost of $3.86 million per breach. In addition, a single spear phishing attack is estimated to cost around $1.6 million.
In view of the disastrous financial consequences for companies that suffer these attacks, this critical component of system security, the human factor, must not be overlooked. CIOs, CISOs and CTOs must therefore take up the subject and increase risk awareness among all employees, by carrying out social engineering audits, because cybersecurity is everyone’s business.
For a cybersecurity team, it is often more difficult to change human behaviour than to implement technical protections, which are nevertheless essential. However, it is much easier for novice or experienced attackers to exploit human vulnerabilities than to carry out sophisticated ‘technical’ attacks on information systems.
Making employees aware of the risks of fraudulent emails that appear legitimate (typically by impersonating a trusted sender) and may carry malicious links or attachments is therefore essential to prevent attacks effectively. Training, team meetings, information campaigns and cybersecurity policies, which are also essential, serve this purpose. However, the most suitable solution remains the social engineering audit.
A social engineering audit consists of evaluating the behaviour of a company’s employees when facing cyberattacks. In practice, it involves testing their reactions to different types of attacks (phishing, vishing, SMShing, physical intrusions, etc.), in order to measure their level of vigilance and to verify compliance with best security practices.
Moreover, this type of audit maximises the sharing of knowledge and the transfer of skills on the measures to be implemented and the postures to adopt to defend against common attacks and more sophisticated threats. Indeed, knowing and understanding the potential consequences of a successful attack is significant, especially for those who have taken the bait. In fact, they become more vigilant against any similar threat.
Finally, a social engineering audit can be tailored to different objectives and organisations, depending on the specific risks identified. But before returning to this central issue, a few details on the main social engineering attacks.
A whole article could be devoted to social engineering attacks alone, and this one does not aim to be exhaustive on that point. The objective here is to give a reasonably complete overview before presenting, step by step, everything needed to carry out a social engineering campaign.
Probably the best known, the most fearsome and the most used: attacks via phishing and spear phishing emails.
Indeed, a distinction can be made between “standard” phishing and spear phishing. A phishing attack usually targets a large number of people, unlike spear phishing, which only targets a small sample, or even a specific person, and usually with more elaborate scenarios.
In both cases, the attacker’s objectives are clear: to deceive the vigilance of at least one employee in order to encourage him/her to click on a link, to download an attachment or to share sensitive information. The aim here is to take advantage of a lack of knowledge of risks or a lack of compliance with security procedures to gain access to company data or systems.
To this end, the most effective phishing and spear phishing attacks:
We said the most effective ones, but very often the most basic scenarios are also successful. Indeed, why build an elaborate scenario when you can simply announce a new holiday policy or a salary increase campaign, or offer a competition with a guaranteed iPhone? These scenarios still work far too often, which is why it is essential to improve employees’ awareness of social engineering attacks.
Vishing attacks are carried out through phone calls. Here, social skills, especially relational skills, are required: the attacker contacts a target person orally to obtain information or to request a specific action (payment of an invoice, disclosure of information as part of reconnaissance, such as passwords or other data, etc.).
Vishing attacks do not usually target large numbers of people. However, with significant human resources on the attackers’ side, it is possible to launch fraudulent call campaigns targeting a single company.
Another characteristic of vishing attacks, especially the more elaborate and formidable ones, is that they are based on phone number spoofing. Most of the time, the calls seem to come from a key contact in the vertical (a manager) or horizontal (a colleague) hierarchy or from a referenced supplier. This increases the credibility of a specific request and therefore the chances of a successful attack.
SMShing attacks are similar to phishing attacks, the only difference being that they are performed using SMS.
Physical intrusions are rarer, as they demand considerably more effort from an attacker. Nevertheless, they remain particularly effective.
In this case, an attacker has to gain “physical” access to the premises of a company. To do this, he can pose as a legitimate visitor (customer, candidate, service provider, supplier, tradesperson, etc.) with the aim of reaching the internal network through the guest Wi-Fi, an unlocked workstation or an Ethernet socket, for example.
In addition, the theft of a machine, equipment, workstation, confidential documents or access to a server room can serve as a motivation for a physical intrusion.
Physical intrusion can also be based on the deposit of booby-trapped devices in the company, such as USB sticks containing malware. Most of the time, this type of attack does not require access to the target company’s premises, as the bait can be deposited in strategic locations (parking lots, doorways, etc.).
Conducting a social engineering audit involves several essential stages of preparation. From risk analysis to target definition and choice of approach, we will explain all the elements to be taken into consideration in order to build and execute attack scenarios tailored to your needs.
The first step in running a social engineering campaign is to identify the main risks and threats associated with the company’s activity or organisation.
This analysis must above all take into account the sector of activity, the processes and critical resources, which are essential for the proper conduct of the company’s operations. Then, considering all these aspects, it will be a matter of identifying all the risks that could harm the objectives of confidentiality, integrity, availability and traceability, the mantra of any cybersecurity manager.
Thus, depending on the sector and the type of organisation, a company may face different social engineering threats:
This risk analysis will facilitate the definition of the targets of social engineering tests (all employees or only a sample), the choice of approach (black box or grey box) and the techniques and attack scenarios (vishing, attempts to trigger a fraudulent transfer, phishing, sending malware, interface clones, etc.).
Usually, a social engineering audit covers all the employees of a company. However, some persons or groups of employees, given their functions and roles in the information system, may be the focus. Indeed, some risks involve all employees:
However, other risks concern more specific staff groups:
Defining the target(s) of a social engineering audit is a crucial step: should the behaviour of all employees, a group of employees or just one person be evaluated when faced with certain attacks?
In order to test different attack techniques, as well as more elaborate scenarios, it is recommended to target specific groups, although it is also possible to proceed by sampling, considering the scale of the issues. Thus, the approach chosen for the social engineering audit (simulating an external attack – black box – or the internal threat – grey box) will facilitate the definition of targets, the choice of techniques and the design of attack scenarios.
A social engineering audit can be carried out using two approaches: black box or grey box.
In black box, the team in charge of the audit will only rely on open source information about the targeted company to build the attack scenarios because it is about simulating an external threat.
This approach is based on a thorough reconnaissance phase, allowing the gathering of all types of information about the company: size of the workforce, organisational chart (people in key positions), contact information (emails, phone numbers), location, etc. A good reconnaissance also includes researching information on the software and applications used, IP addresses, technologies and components of the information system infrastructure.
In grey box, the team in charge of carrying out the audit will have access to a higher level of information to design the attack scenarios. In fact, here it is a matter of simulating any type of threat, including those originating from an employee or former employee of the company.
In this case, the scenarios are generally more elaborate. And even if this approach is far from the reality of social engineering attacks, it nevertheless allows a better awareness of all staff groups.
A grey box audit therefore involves gathering information from the organisation commissioning the audit, at least when the testing is outsourced to a third party: list of names, functions and contact details, internal details of how some teams operate, precise information about internal tools and technologies used, etc.
Thus, the choice between a black box or grey box approach still depends on the objectives and risks inherent to the company’s activity:
A key phase of the social engineering audit is the design of the attack scenarios. It will result from the risks identified, the targets defined and the approach chosen for the tests. Let’s look at all these stages again with some additional information and tips for creating scenarios adapted to the challenges and risks identified.
In the context of a black box audit, the objective will be to identify the most critical flaws in order to make an individual or a group of employees aware of the most common social engineering risks.
To this end, the design of a credible attack scenario is necessary. Here, the team in charge of the social engineering audit, in the shoes of an external attacker, generally constructs scenarios based on interactions with a person external to the company (an avatar created from scratch: a job seeker, service provider, prospect, etc.). Indeed, in this case, impersonating company employees is more difficult (but not impossible) given the “supposed” low level of knowledge of the organisation during an external attack.
In the context of a grey box audit, the objective will be to make all or some of the employees aware of different types of threats.
To that end, more sophisticated attack scenarios are required, although standard scenarios can also be designed to assess the risks. Here, the audit team, in the role of an insider attacker or accomplice and therefore with a high level of information, usually builds very elaborate scenarios, related to internal news or based on convincing impersonation.
The choice of attack techniques usually depends on the chosen scenarios or the objective of the social engineering audit, if it includes exposing the targets to various attacks.
Phishing attacks are the most common and should be the first choice. To enhance credibility and increase the chances of success, spear phishing, with links to interface clones or malware attachments, should be strongly considered.
However, in order to assess all risks and to raise awareness of external threats accordingly, vishing attacks can be carried out. In addition, given the organisation of the company and the criticality of some processes or resources, physical intrusion techniques should be considered.
There are SaaS applications available to configure and launch phishing campaigns. These tools rely on different features to manage the sending of emails, to track opens and clicks on links or downloads of attachments. Implementing this type of social engineering campaign management tool is therefore one option, using a company specialised in offensive security is another.
Any social engineering audit, beyond the success or failure of the attacks, must provide indicators on the behaviour of the targeted employees at a given moment, to measure the evolution over time and to implement appropriate measures.
What are the key indicators following a phishing campaign?
Furthermore, it is particularly recommended to combine the reporting indicator with the risky action indicator, because a person who is the victim of an attack but gives the alert enables the company to react quickly and effectively.
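As an added example (not from the original article), the following Python computes these indicators from a constructed campaign event log and cross-references the risky-action indicator with the reporting indicator as recommended above; all recipient names, event types and timings are invented.

```python
# Added example: scoring a phishing-awareness campaign from a constructed event log.
# Each recipient's open, click, risky action (credential submission or attachment
# download) and report events are aggregated, then victims who raised the alert are
# separated from victims who stayed silent. Nothing here is real campaign data.
from collections import defaultdict

# Constructed sample: (recipient, event, minutes after the email was sent).
EVENTS = [
    ("alice", "opened", 3), ("alice", "clicked", 4),
    ("alice", "submitted", 5), ("alice", "reported", 9),
    ("bob", "opened", 12), ("bob", "clicked", 13),
    ("carol", "opened", 2), ("carol", "reported", 3),
    ("dave", "opened", 30), ("dave", "attachment", 31),
    ("erin", "reported", 7),   # reported from the preview pane, never opened
    # "frank" received the email but generated no events at all
]
RECIPIENTS = ["alice", "bob", "carol", "dave", "erin", "frank"]
RISKY = {"clicked", "submitted", "attachment"}

def summarise(events, recipients):
    """Return campaign-level rates plus the victim/reporter cross-reference."""
    per_user = defaultdict(dict)  # recipient -> {event: earliest time seen}
    for user, ev, t in events:
        per_user[user][ev] = min(t, per_user[user].get(ev, t))
    n = len(recipients)
    opened = sum("opened" in per_user[u] for u in recipients)
    risky_users = [u for u in recipients if RISKY & per_user[u].keys()]
    reporters = [u for u in recipients if "reported" in per_user[u]]
    # A victim who reports lets the company react; a silent victim does not.
    victims_who_reported = sorted(u for u in risky_users if u in reporters)
    silent_victims = sorted(u for u in risky_users if u not in reporters)
    # Minutes between the first risky action and the report, per reporting victim.
    delays = sorted(
        per_user[u]["reported"] - min(per_user[u][e] for e in RISKY & per_user[u].keys())
        for u in victims_who_reported)
    return {
        "recipients": n,
        "open_rate": opened / n,
        "risky_action_rate": len(risky_users) / n,
        "report_rate": len(reporters) / n,
        "victims_who_reported": victims_who_reported,
        "silent_victims": silent_victims,
        "median_report_delay_min": delays[len(delays) // 2] if delays else None,
    }

if __name__ == "__main__":
    for key, value in summarise(EVENTS, RECIPIENTS).items():
        print(f"{key}: {value}")
```

Tracking the same indicators across successive campaigns shows whether the risky-action rate falls and the report rate rises over time.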
As mentioned before, there are tools available to carry out phishing campaigns, based on pre-built scenarios that can be adapted to the needs and specificities of a company. However, a more realistic approach is to hire a company specialised in offensive security to perform a social engineering audit.
On the one hand, this allows not only for a more accurate assessment of the external threat (for black box testing), but also for a better awareness of different groups of employees (for a grey box campaign) through targeted attacks. On the other hand, the pentesters’ experience allows them to create scenarios adapted to any type of business sector and company organisation.
Furthermore, on a technical level, the pentesters rely on their skills as “ethical” attackers to autonomously build credible scenarios integrating polished interface clones or sophisticated malware.
Finally, a full report is produced following a social engineering audit. This valuable deliverable can be used to present the anonymised results of a campaign and highlight organisational weaknesses or prevention and awareness needs.
Contact us for any question related to a social engineering audit project. We will discuss your needs and propose an intervention adapted to your sector and organisational issues.