Social engineering pentest

web_platform

A social engineering pentest tests the reflexes of a company’s staff when faced with cyber-attacks (phishing, clones, malwares, impersonation, etc.).

picto_cible

Aim of a social engineering pentest

Social engineering consists in manipulating people to obtain sensitive information or to perform actions that could lead to a security incident. It is a formidable method of attack which makes it possible to evade technical protective measures that are nevertheless robust.

The aim of a social engineering audit is twofold: to evaluate the employees’ reflexes, to know the company’s degree of vulnerability, and to make its staff aware of this type of attack, by means of concrete situations that can make an impression on them.

The specific objectives of this type of audit are to be defined before the audit:

  • What are the main risks for the company? (threat modelling)
  • Is there a preference for a black box approach (external attacker) or a grey box approach (internal attacker or attacker helped by an accomplice)
  • In the case of a grey box audit: Who in the company has access to such information or such a privilege? What are the categories of staff who are the most at risk?
  • In all cases: are there specific restrictions for the audit? (methods of attacks or categories of scenarios to be excluded)

Contact us

Stages of a social engineering audit

The first stage consists in defining the objectives of the audit: identifying risks, choosing targets and conditions. All the conditions can be set according to the client's preferences concerning: the degree of information given to the pentesters, the right to monitor scenarios, the languages used, sending instructive messages following the attacks, the level of reporting, etc.

In the case of a black box audit, no information is provided to pentesters, and they conduct the audit independently without informing the client of the details of the attacks. In the case of a grey box audit, it is necessary to plan time to exchange information on the company, to validate the attack scenarios built by the pentesters, and even to feed back information on the progress of the audit gradually as the attacks are carried out.

The audit itself is based on a series of well-defined stages: reconnaissance, creation of attack scenarios, execution of attack scenarios, and reporting.

The social engineering pentest can include instructive messages to make the targets aware of the ways to elude the attacks of which they were victims, or they may be supplemented by a tailor-made training course.

Ask for a quotation

Social engineering techniques

There is an enormous range of social engineering techniques. Attacks can be carried out by e-mail (phishing), telephone or physical intrusion. They are generally based on a set of different techniques combining IT and relational skills: phishing and spear phishing, clones of interfaces, malware, malicious devices, impersonation, spoofing of phone numbers, manipulation and persuasion, dumpster diving, etc.

Phishing and spear-phishing tests

Phishing is the most common type of attack. It is both simple to implement and potentially very effective.

It is an attack via e-mail, which can be sent to a large number of people (phishing) or to a much smaller number of targets (spear phishing). Phishing e-mails usually contain links that redirect the recipient to fake web pages (clones) or malware that can be sent as an attachment or as a link to a download platform.

In order to be credible, the most sophisticated phishing e-mails are personalized by various means: a situation that is realistic for the targets of the e-mail, impersonation in order to pretend to be a trusted person, a phone call accompanying the e-mail to reinforce the legitimate appearance of a request, etc.

A social engineering audit can include various phishing scenarios, of increasing difficulty, to train employees to detect increasingly sophisticated threats.

Vishing tests

Vishing (voice phishing) is the telephone equivalent of phishing. This type of attack does not usually target a large number of people, but it can provide sensitive information that victims would not have normally agreed to communicate by e-mail (for example: passwords).

The basic principle is to establish a relationship of trust, through conversation. This requires the attacker to have capacities for listening, argumentation and persuasion. The most sophisticated attacks rely on impersonation as well as spoofing of the telephone number of the person that the attacker claims to be.

A social engineering audit may include vishing to complement phishing attacks. This makes employees aware of other types of threats that are more insidious and more difficult to detect. Phishing and vishing attacks are major threats because they can be carried out by a large number of attackers since they do not need to physically visit the premises of the targeted company.

hp_consulting_security

Physical penetration tests

Physical intrusion is an even more sophisticated form of attack, by an attacker who is willing to spend more time and take more risks to target a company.

In this type of attack, the principle is to intrude into the company by posing as a legitimate visitor, such as a technician, a service provider, an employee, etc. The attacker can then seek to obtain confidential information by various means: theft of machines, connection to the in-house network, distribution of USB keys infected by malware, manipulation of employees, access to a server room, etc.

In a security audit, physical penetration tests can be used to evaluate physical access systems, control procedures, information barriers, and employees’ reflexes when they are faced with an unknown person.

Staff awareness

The value of an engineering audit lies in the fact that it makes an impression on staff in order to raise their awareness of the risks. Presenting the results of real attacks, with statistics on the behaviour of staff members and the concrete impact of “successful” attacks, is the best way to remove the doubts of the people who are most reluctant to accept the security procedures.

During a social engineering audit, the awareness objective can be achieved by several levers:

  • Presentation of the results of the audit to the people concerned
  • Sending explanatory messages gradually as the audit progresses, in order to increase the transfer of knowledge concerning the risks
  • Post-audit training to make staff aware of the specific issues identified during the security audit
  • Vaadata's experience shows that awareness is more effective when employees are informed that an audit will take place (without further details) for the purposes of training, because the tests are then better accepted by those who are victims.

Key numbers

83%

83% of infosec professionals said they experienced phishing attacks in 2018, and 64% experienced spear phishing.
2019. State of the Phish. Proofpoint. (p. 10).

33%

33% of breaches included Social attacks.
2019 Data Breach Investigations Report. Verizon. (p. 5).

48%

48% of all advanced email attacks involved brand impersonation this quarter.
Q3 2019. Email Fraud and Identity Deception Trends. Agari. (p. 17).

Our range of pentests

We cover a wide technical scope, with specific tests for each type of target. The exact area to which the pentest is applied is to be defined directly according to your security priorities, or after a reconnaissance audit phase for identifying the parts that are most at risk from the viewpoint of an attacker.

Contact us