How can you use social engineering tactics to test the effectiveness of your security awareness program?

Security awareness programs are typically scheduled after social engineering campaigns such as phishing or vishing however they can be done beforehand as well. The programs can be taught through videos, exercises or plain slides with information. If the security awareness training is done after a campaign finished, selected staff can be enrolled perhaps users who have clicked on links or depending what the scope of the SOE campaign was allowing to prioritise which users would be most susceptible for these types of attacks.

A security awareness program is an organized effort to educate individuals within an organization about cybersecurity risks, best practices, and the importance of safeguarding sensitive information. It aims to enhance employees' understanding of potential threats, encourage responsible online behavior, and ultimately strengthen the overall security posture of the organization.

I think from the perspective of social engineering, the best technique is phishing especially the use of email. This is because, one, human trusts easily and second, most technique used by malicious actors in social engineering is phishing. This will help you have a good base on where to improve, is it the HR or the finance. It also gives you a baseline on how much level of security awareness does the employees need.

Conduct simulated phishing campaigns emulating real-world social engineering tactics to test security awareness. Craft compelling phishing emails or messages, tracking user responses and actions. Analyze click rates and engagement to identify vulnerabilities and areas for improvement in the security awareness program. Provide immediate feedback and targeted training to employees who fall victim to the simulated attacks. Regularly vary the scenarios to continually evaluate and strengthen the organization's resilience against social engineering threats.

Statistics show that the most (Initial Access, Tactic TA0001 - Enterprise) techniques used to gain a foothold include targeted spearphishing and exploiting weaknesses on public-facing web servers so this is why it's important to train your staff to recognise these types of attacks. In an analysis of 50 billion emails across 3.5 million mailboxes, Barracuda researchers uncovered nearly 30,000,000 spear-phishing emails. While these emails make up less than 0.1% of all emails sent, but they are responsible for 66% of all breaches.

As a junior in cybersecurity, I see the value of using social engineering to test a security awareness program. It offers a real-world scenario, helping to understand how employees react to common tactics like phishing or pretexting. This approach not only tests our training effectiveness but also highlights our vulnerabilities, especially in human behavior which is often the weakest link in security. It's a practical way to ensure our defenses are well-rounded, not just technically, but also in terms of employee vigilance and preparedness against deceptive tactics. Plus, it aligns with regulatory standards in some industries, making it an essential part of maintaining comprehensive security.

Social engineering assessments provide valuable insights into the human element of your security posture. Beyond technical defenses, understanding how your employees respond to social engineering attacks helps you tailor training to address specific behavioral patterns. It's not just about recognizing phishing emails; it's about instilling a mindset of skepticism and caution. Consider simulating evolving threats, such as deepfake voice calls or sophisticated pretexting scenarios, to ensure your security awareness program evolves in tandem with the dynamic landscape of cyber threats.

Il est primordial de tester et évaluer les procédures mises en place dans les organisations ainsi que le niveau de formation des collaborateurs. Une sensibilisation aux bonnes pratiques en matière de gestion des emails et de protection contre le phishing ne sera efficace que si elle est régulièrement testée. Les campagnes de ??faux phishing?? sont un bon moyen de tester le niveau de maturité des équipes et de réadapter les besoins en matière de formation/sensibilisation.

In my experience, using social engineering tactics can effectively test the robustness of a security awareness program. For instance, I’ve conducted physical security tests by impersonating an IT staff member to gauge employee vigilance. Additionally, I’ve employed voice phishing and department-specific email phishing campaigns. These real-world simulations have proven highly effective in identifying vulnerabilities and enhancing our overall security awareness.

From a penetration tester perspective, the stages such as approval, legal and even the scope and objectives are already provided and what's left is to agree on a set scenario with the client, discuss potential need of whitelisting domains (if it's for a phishing campaign). Then what's left is the technical and creative part to build the scenario e.g. create phishing content such as an email letter and a landing page.

Test your security awareness program with simulated phishing emails, phone calls, and physical security scenarios to gauge employee responses and identify areas for improvement. Ethical and clear communication is essential throughout the process.

To plan a successful social engineering test, it's essential to set clear objectives. It's important to research the organization's culture to determine which social engineering techniques will be most effective. After that, realistic scenarios and communication materials should be created. During the test, it's crucial to conduct it ethically, stay within established boundaries, and document all findings for a detailed improvement-focused report. After the test is complete, it's important to debrief with stakeholders and implement training programs based on the test results. Finally, the insights gained should be utilized to proactively enhance cybersecurity measures over time.

This step would be easy to accomplish, most platforms offer a lot of metrics, this is done through tracking in the emails. Each email has a 1 pixel image that is hidden and a unique ID and when opened this is registered in the metrics showing which user and the action. Based on the amount of emails sent/opened/clicked/submitted data a calculation is made to give you a percentage across each piece of data. The data can be also raw exported showing further information such as timestamps, user agent, IP address.

From a penetration tester perspective, this job would fall onto another person such as the account manager. They would have to discuss with the client scheduling security awareness training. Highly likely if the report for the campaign will have critical or high risk issues part of the strategic recommendation will be to get security awareness training for the staff.

Think carefully before conducting a social engineering red team exercise. Yes, it’s a common tactic for criminals — but by doing so, you’re also lying to your own employees. Assess your security controls and the “common sense” measures you’re training your employees to take. Is there a way you can make your network more resilient to social engineering attacks without deceiving your workforce? Trust is a valuable commodity, and those planning social engineering red team exercises should carefully consider the trust impact it will have on the workforce.