Social Engineering Testing

The process of obtaining information from others under false pretenses is, in essence, manipulation. Any attempt to gain entry to a site using a bogus pretext is called penetration. Both processes are a form of what is commonly known as ‘social engineering’. They are based upon the building of an inappropriate trust relationship with individuals and can be used against those within an organization.

Social engineering attacks are either dispersed or direct. Dispersed attacks – also known as ‘mosaic’ attacks – are those in which one or more people pose as a co-worker, new employee, delivery person or workman, for example, and collect information from different sources over an extended period.

A directed attack is generally aimed at a specific individual within an organization who has access to valuable information. The social engineer will pose as a business contact at a conference, for example, and may spend some time building a close relationship with the targeted individual before using the trust established to access information.

Whether the attack is dispersed or direct, attackers prepare well, learning about an organization’s structure and language in advance. Common approaches include:

  • Taking advantage of an employee’s poor use of the internet to introduce malware.
  • Using information unwittingly provided by individuals on the internet, particularly on social media.
  • Exploiting freely available information on organizational websites, such as details of security, personnel, and physical access.

A social engineering attack typically proceeds in three stages:

  • Acquiring information (company website, social media, surveillance, exploiting the natural tendency of people to assist others, email).
  • Establishing a relationship (making a connection, building a relationship on a false pretext).
  • Exploitation (manipulating others, exploiting personal vulnerabilities or weaknesses in organizational security).

Our Approach

1. Information gathering

This is a critical phase that often determines the success of the rest of the social engineering campaign. Even when basic information such as names and email addresses is provided, more in-depth research on the organization and its departments can be critical to the success of the engagement.

2. Design pretext scenarios

During this phase, after client and employee enumeration, pretext scenarios are defined and implemented to falsely impersonate authority so that the target trusts the sender and discloses sensitive information. This information can then be used for malicious attacks. Specific emails are designed to lure targets into opening them, clicking links, responding, or downloading attachments.

3. Engagement

Using the designed pretexting scenarios, we engage with the target audience to assess their security awareness, the actions they take, and the information they disclose. Depending on the outcome, additional pretexting can be tailored to build trust further and obtain more sensitive information.

4. Reporting

After the assessment, the test results are aggregated and a social engineering report is provided, outlining both an executive summary and detailed findings. Remediation and training guides are also provided to help resolve the issues identified.
Once the report has been reviewed, a debrief meeting can be scheduled to walk through the details and answer any questions.

Discuss How We Can Assist You?