
We regularly conduct social engineering penetration tests for our clients.
Our pentesters (security experts) have tried various techniques, scenarios and pretexts.
We have learned lessons from this experience, and our clients have shared what they learned too. We are now sharing those lessons with you.
Before starting, let’s remember what social engineering is:
Social engineering consists of manipulating people to obtain sensitive information or to make them take actions that could lead to a security incident.
Most of the time, people don’t notice they have been manipulated, or when they do, it is too late: the information has been given, the access has been obtained, etc.
Social engineering attacks exploit the workings of human behaviour to reach the attackers’ goals, which can be various:
To be effective, scenarios are tailored to each specific context. Social engineering attacks challenge the security awareness of teams through realistic scenarios, using various techniques and tricks.
Harder to spot than a supposed inheritance or a lottery win, current phishing appears to come from a colleague within the company, from a trusted supplier, etc.

One current trend is to create a fake e-mail exchange history between members of the company and then send it to a third employee. This email can either directly ask for an action (e.g. “Please pay this invoice asap”) or arouse curiosity with a document (“Information about annual bonus”) that contains malware.
➔ From our clients’ perspective: Phishing can take multiple forms and is now harder to spot than before. Teams have to remain suspicious of anything that deviates from the procedures.
The danger of phishing attacks is often underestimated: they can be very effective at gaining further access to the IT system or at collecting confidential information.
➔ From our ethical hackers’ perspective: Most employees don’t fall for phishing emails, but one person is enough to make the attack a success. This article gives you the keys to detect suspicious emails.
Similar to phishing, the scenarios of phone attacks are adapted to each situation. The only limit to these attacks is the creativity of the attackers.
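As an added illustration (not code from the original article), here is a small Python triage check for the fabricated-thread phishing described above: it flags a colleague-style display name on an external address, a Reply-To that diverges from the visible sender, and a body full of quoted “history” on a message that carries none of the threading headers a genuine reply would. The internal domain and the sample message are constructed assumptions.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Hypothetical internal mail domain; replace with your organisation's own.
INTERNAL_DOMAIN = "example.com"

# Lines that typically open a quoted earlier message inside a reply body.
QUOTE_MARKERS = re.compile(r"^(?:From:|-----Original Message-----|On .+ wrote:)", re.M)


def assess(raw: bytes, internal_domain: str = INTERNAL_DOMAIN) -> list[str]:
    """Return reasons the message looks like a forged internal thread (empty = none found)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    _, reply_to = parseaddr(msg.get("Reply-To", ""))

    # 1. A colleague-style display name on an address outside the company.
    if name and from_domain and from_domain != internal_domain:
        findings.append(f"external sender {addr} shown as '{name}'")
    # 2. Reply-To quietly redirects answers away from the visible sender.
    if reply_to and reply_to.lower() != addr.lower():
        findings.append(f"Reply-To {reply_to} differs from From {addr}")
    # 3. Quoted "history" in the body, but none of the threading headers a real reply carries.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    quoted = len(QUOTE_MARKERS.findall(text))
    if quoted and not (msg.get("In-Reply-To") or msg.get("References")):
        findings.append(f"{quoted} quoted message(s) but no In-Reply-To/References header")
    return findings


# Constructed sample: a fabricated "RE: RE:" thread pushing an urgent payment.
SAMPLE = b"""\
From: "Alice Martin" <alice.martin@example-co.net>
Reply-To: payments@example-co.net
Subject: RE: RE: Invoice 4471

Bob, as agreed below, please pay this invoice asap.

-----Original Message-----
From: Carol Dupont <carol.dupont@example.com>

Alice, fine by me, Bob can release the payment.
"""
```

Running `assess(SAMPLE)` on the constructed message returns three findings; a genuine internal reply with an In-Reply-To header returns none.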

A classic attack is calling employees while impersonating someone from the IT team. The attacker explains that, due to the rollout of a more secure connection service in the company, they need the employee’s current password to create the new account, otherwise the employee won’t be able to access the service anymore [an important service for the target].
➔ From our clients’ perspective: In order to prevent vishing, people must remember to never give sensitive information over the phone. In case of a suspicious phone call, it is recommended to ask to call the person back in 2 minutes, or to ask for details that confirm who is on the line.
➔ From our ethical hackers’ perspective: Vishing makes it possible to collect sensitive information, as most people don’t dare to say “No” to assertive questions. Vishing also prepares targets to receive a suspicious email that they would not have opened otherwise, because a call builds trust.
The techniques of social engineering are more effective when combined. To raise staff awareness, it is worthwhile to run training sessions with realistic scenarios that combine different social engineering techniques, in order to strengthen the attack and make detection harder.
After having collected information about a company, a relevant scenario could be:
➔ From our clients’ perspective: Preventing elaborate social engineering attacks requires strong collaboration between everyone in a company (management, team leaders and all staff). It is also important to create a no-fear culture so that people dare to say when they have been tricked. This is the number 1 condition for allowing the company to respond quickly to a security incident.
➔ From our ethical hackers’ perspective: As companies’ information systems become more secure, social engineering becomes more attractive to attackers. Some attacks are almost impossible to detect unless staff receive regular awareness campaigns to keep their reflexes sharp and to know the latest threat trends.
Social engineering penetration testing can be adapted to different objectives, different types of companies, and different organisational specificities.
In addition to measuring risk, this type of audit doubles as security awareness training for the company’s employees: seeing the concrete ‘consequences’ of attacks that worked is striking. Most people will not fall into the same traps when they face similar threats again, because the psychological impact is much stronger than with traditional risk training.