A social engineering pentest tests the reflexes of a company's staff when faced with cyber-attacks (phishing, cloned web pages, malware, impersonation, etc.).
Social engineering consists of manipulating people to obtain sensitive information or to make them perform actions that could lead to a security incident. It is a formidable method of attack because it bypasses technical protective measures, even robust ones, by targeting the people behind them.
The aim of a social engineering audit is twofold: to evaluate the employees' reflexes, and thereby measure the company's degree of vulnerability, and to make staff aware of this type of attack through concrete situations that leave a lasting impression.
The specific objectives of this type of audit are defined before the audit begins:
The first stage consists of defining the objectives of the audit: identifying the risks, and choosing the targets and conditions. All the conditions can be set according to the client's preferences: the amount of information given to the pentesters, the right to monitor scenarios, the languages used, whether instructive messages are sent after the attacks, the level of reporting, etc.
In a black box audit, no information is provided to the pentesters, who conduct the audit independently without informing the client of the details of the attacks. In a grey box audit, time must be planned to exchange information on the company, to validate the attack scenarios built by the pentesters, and possibly to report on the progress of the audit as the attacks are carried out.
The audit itself is based on a series of well-defined stages: reconnaissance, creation of attack scenarios, execution of attack scenarios, and reporting.
The social engineering pentest can include instructive messages that show the targets how to avoid the attacks of which they were victims, and it may be supplemented by a tailor-made training course.
There is an enormous range of social engineering techniques. Attacks can be carried out by e-mail (phishing), telephone or physical intrusion. They are generally based on a set of different techniques combining IT and relational skills: phishing and spear phishing, clones of interfaces, malware, malicious devices, impersonation, spoofing of phone numbers, manipulation and persuasion, dumpster diving, etc.
Phishing is the most common type of attack. It is both simple to implement and potentially very effective.
It is an attack via e-mail, which can be sent to a large number of people (phishing) or to a much smaller number of targets (spear phishing). Phishing e-mails usually contain links that redirect the recipient to fake web pages (clones) or malware that can be sent as an attachment or as a link to a download platform.
In order to be credible, the most sophisticated phishing e-mails are personalized by various means: a situation that is realistic for the targets of the e-mail, impersonation in order to pretend to be a trusted person, a phone call accompanying the e-mail to reinforce the legitimate appearance of a request, etc.
A social engineering audit can include various phishing scenarios, of increasing difficulty, to train employees to detect increasingly sophisticated threats.
Vishing (voice phishing) is the telephone equivalent of phishing. This type of attack does not usually target a large number of people, but it can yield sensitive information that victims would not normally have agreed to communicate by e-mail (for example: passwords).
The basic principle is to establish a relationship of trust through conversation. This requires the attacker to have listening, argumentation and persuasion skills. The most sophisticated attacks rely on impersonation combined with spoofing of the telephone number of the person the attacker claims to be.
A social engineering audit may include vishing to complement phishing attacks. This makes employees aware of other types of threats that are more insidious and more difficult to detect. Phishing and vishing attacks are major threats because they can be carried out by a large number of attackers since they do not need to physically visit the premises of the targeted company.
Physical intrusion is an even more sophisticated form of attack, by an attacker who is willing to spend more time and take more risks to target a company.
In this type of attack, the principle is to enter the company's premises by posing as a legitimate visitor, such as a technician, a service provider or an employee. The attacker can then seek to obtain confidential information by various means: theft of machines, connection to the in-house network, distribution of malware-infected USB keys, manipulation of employees, access to a server room, etc.
In a security audit, physical penetration tests can be used to evaluate physical access systems, control procedures, information barriers, and employees’ reflexes when they are faced with an unknown person.
The value of a social engineering audit lies in the impression it makes on staff, which raises their awareness of the risks. Presenting the results of real attacks, with statistics on the behaviour of staff members and the concrete impact of "successful" attacks, is the best way to remove the doubts of the people who are most reluctant to accept security procedures.
During a social engineering audit, the awareness objective can be achieved by several levers:
Vaadata's experience shows that awareness-raising is more effective when employees are informed beforehand that an audit will take place (without further details) for training purposes, because the tests are then better accepted by those who fall victim to them.
83% of infosec professionals said they experienced phishing attacks in 2018, and 64% experienced spear phishing.
Source: 2019 State of the Phish, Proofpoint, p. 10.
33% of breaches included social attacks.
Source: 2019 Data Breach Investigations Report, Verizon, p. 5.
48% of all advanced email attacks involved brand impersonation this quarter.
Source: Q3 2019 Email Fraud and Identity Deception Trends, Agari, p. 17.
Our range of pentests
We cover a wide technical scope, with specific tests for each type of target. The exact scope of the pentest is defined either directly according to your security priorities, or after a reconnaissance phase that identifies the parts most at risk from an attacker's point of view.