A social engineering pentest makes it possible to assess the reflexes of a company's staff when faced with cyber-attacks (phishing, clones, malware, impersonation, etc.).
Download our white paper: Social Engineering Pentest – How To Create A Campaign?
Social engineering consists in manipulating people to obtain sensitive information or to make them perform actions that could lead to a security incident. It is a formidable method of attack because it bypasses technical protections, however solid they are.
The aim of a social engineering audit is twofold: to assess the reflexes of employees in order to find out the company’s degree of vulnerability, and to make them aware of this type of attack through concrete situations that can make an impression.
The specific objectives of this type of audit are defined before the audit starts.
The first stage consists in defining the objectives of the audit: identifying risks, choosing targets and setting conditions. All the conditions can be set according to the client's preferences: the amount of information given to the pentesters, the right to monitor scenarios, the languages used, whether instructive messages are sent after the attacks, the level of reporting, etc.
In a black box audit, no information is provided to the pentesters, and they conduct the audit independently without informing the client of the details of the attacks. In a grey box audit, time must be planned to exchange information on the company, to validate the attack scenarios built by the pentesters, and possibly to feed back information on the progress of the audit as the attacks are carried out.
The audit itself is based on a series of well-defined stages: reconnaissance, creation of attack scenarios, execution of attack scenarios, and reporting.
A social engineering pentest can include instructive messages that show the targets how they could have avoided the attacks of which they were victims, or it can be supplemented by a tailor-made training course.
There is a wide range of social engineering techniques. Attacks can be carried out by e-mail (phishing), by telephone or by physical intrusion. They generally combine IT and interpersonal skills: phishing and spear phishing, cloned interfaces, malware, malicious devices, impersonation, spoofing of phone numbers, manipulation and persuasion, dumpster diving, etc.
Phishing is the most common type of attack. It is both simple to implement and potentially very effective.
It is an e-mail-based attack: messages can be sent to a large number of people (phishing) or to a much smaller number of targets (spear phishing). Phishing e-mails usually contain links that redirect the recipient to fake web pages (clones), or malware delivered as an attachment or a download link.
The most sophisticated phishing e-mails are personalised to be credible: a situation that is realistic for the targets, impersonation of a trustworthy person, a phone call accompanying the e-mail to reinforce the legitimate appearance of the request, etc.
A social engineering audit can include different phishing scenarios of progressive difficulty in order to train employees to detect increasingly sophisticated threats.
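The fake web pages (clones) mentioned above are usually reached through a link whose visible text does not match where it actually points. As an added example that is not part of the original page, the following Python script parses a constructed HTML e-mail body, extracts every link, and flags the classic warning signs a mail filter or an employee can check: display text naming one host while the href goes to another, a target outside a set of trusted domains, and a plain http link. The sample e-mail, the trusted domain list and the look-alike host "login-exarnple.com" are all constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample e-mail body: the first link shows a trusted URL as its text
# but points to a look-alike host; the second link is honest.
SAMPLE_HTML = """<p>Please review your account at
<a href="http://login-exarnple.com/verify">https://login.example.com/verify</a>.
Documentation: <a href="https://docs.example.com/help">docs.example.com</a></p>"""

# Constructed allow-list of domains the company legitimately sends mail for.
TRUSTED_DOMAINS = {"example.com"}

# Matches a host name (optionally preceded by a scheme) inside the link text.
_HOST_IN_TEXT = re.compile(r"(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})")


class _LinkParser(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _LinkParser()
    parser.feed(html)
    return parser.links


def registrable_domain(host):
    # Naive "last two labels" rule; production code should use a public suffix list.
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def analyse_links(html, trusted):
    """Return one finding per link, with the reasons it looks suspicious (if any)."""
    findings = []
    for href, text in extract_links(html):
        parsed = urlparse(href)
        href_host = parsed.hostname or ""
        reasons = []
        # 1. The visible text names a host that differs from the real destination.
        m = _HOST_IN_TEXT.search(text)
        if m and registrable_domain(m.group(1)) != registrable_domain(href_host):
            reasons.append("display text host differs from href host")
        # 2. The destination is not one of the company's own domains.
        if registrable_domain(href_host) not in trusted:
            reasons.append("href outside trusted domains")
        # 3. Unencrypted transport on a link asking for a credential check.
        if parsed.scheme == "http":
            reasons.append("unencrypted http link")
        findings.append({"href": href, "text": text,
                         "suspicious": bool(reasons), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in analyse_links(SAMPLE_HTML, TRUSTED_DOMAINS):
        status = "SUSPICIOUS" if finding["suspicious"] else "ok"
        print(f"{status:10} {finding['href']} ({'; '.join(finding['reasons'])})")
```

In a real campaign debrief, the same checks are the ones worth teaching: hover over the link, compare the host in the text with the host in the status bar, and be wary of any login page that is not on a domain the company owns.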
Vishing (voice phishing) is the telephone equivalent of phishing. This type of attack does not usually target a large number of people, but it can yield sensitive information that victims would not normally have agreed to communicate by e-mail (for example: passwords).
The basic principle is to establish a relationship of trust through conversation. This requires the attacker to be good at listening, arguing and persuading. The most sophisticated attacks rely on impersonation combined with spoofing the phone number of the person the attacker claims to be.
A social engineering audit may include vishing to complement phishing attacks. This makes employees aware of other types of threats that are more insidious and harder to detect. Phishing and vishing are major threats because a large number of attackers can carry them out: neither requires physical access to the premises of the targeted company.
Physical intrusion is an even more sophisticated form of attack, carried out by an attacker willing to spend more time and take more risks to target a company.
In this type of attack, the principle is to enter the company's premises by posing as a legitimate visitor: technician, service provider, employee, etc. The attacker may then seek to obtain confidential information by various means: stealing machines, connecting to the internal network, distributing USB keys infected with malware, manipulating employees, accessing a server room, etc.
In a security audit, physical penetration tests can be used to evaluate physical access systems, control procedures, information barriers, and employees’ reflexes when they are faced with an unknown person.
Our white paper “Social Engineering Pentest: How to create a campaign?” outlines all the elements to consider before launching a social engineering audit.
The value of a social engineering audit lies in the fact that it makes an impression on staff and so raises their awareness of the risks. Presenting the results of real attacks, with statistics on the behaviour of staff members and the concrete impact of "successful" attacks, is the best way to remove the doubts of the people who are most reluctant to accept security procedures.
During a social engineering audit, the awareness objective can be achieved by several levers.
Vaadata's experience shows that awareness is more effective when employees are informed that an audit will take place (without further details) for training purposes, because the tests are then better accepted by those who fall victim to them.
However, it is possible to conduct audits with a strict evaluation objective, informing as few people in the company as possible so as not to bias the results.
Key numbers
- 83% of infosec professionals said they experienced phishing attacks in 2018, and 64% experienced spear phishing. (2019 State of the Phish, Proofpoint, p. 10)
- 33% of breaches included social attacks. (2019 Data Breach Investigations Report, Verizon, p. 5)
- 48% of all advanced e-mail attacks involved brand impersonation this quarter. (Q3 2019 Email Fraud and Identity Deception Trends, Agari, p. 17)
Our range of pentests
We cover a wide technical scope, with specific tests for each type of target. The exact perimeter of the pentest is defined either directly according to your security priorities, or after a reconnaissance phase that identifies the parts most at risk from an attacker's point of view.