Social Engineering Penetration Testing: Attacks, Methods, & Steps
PurpleSec is a veteran owned & led cyber security company specializing in penetration testing and vulnerability management.


There are many different methods for performing penetration testing, which evaluates the security posture of a company, but in this article, we are going to focus on one: social engineering.

Social engineering penetration testing focuses on people and processes and the vulnerabilities associated with them. These pen tests typically consist of an ethical hacker conducting the social engineering attacks a person could face during the course of their work, such as phishing, USB drops, or impersonation. The goal of the test is to identify weaknesses in a person, group of people, or process and report them with a clear path to remediation.

In this article, we will discuss what a social engineering attack is, why companies should perform these tests, common methods used to deploy social engineering attacks, and how to perform a social engineering penetration test.

In this article, you will learn more about:

  1. What Are Social Engineering Attacks?
  2. Why Should You Perform A Social Engineering Test?
  3. Methods Used To Perform Social Engineering Attacks
  4. Steps To Performing A Social Engineering Penetration Test

  • Step 1: Test Planning And Scoping
  • Step 2: Attack Vector Identification
  • Step 3: Penetration Attempts
  • Step 4: Reporting



What Are Social Engineering Attacks?

Social engineering attacks come in a variety of forms, but the most common are phishing, vishing, smishing, impersonation, dumpster diving, USB drops, and tailgating.

Phishing

Phishing is a method that occurs via email and attempts to trick the user into giving up sensitive information or opening a malicious file that can infect their machine.

Vishing

Vishing is similar to phishing but occurs via phone calls. These phone calls attempt to trick the user into giving up sensitive information.

Smishing

Smishing is similar to phishing but occurs via SMS text messages. These text messages have the same intent as phishing.

Impersonation

Impersonation is a method where the attacker attempts to fool a person into believing they are someone else.

For example, an attacker could impersonate an executive with the goal of convincing employees to provide financial payments to fictitious vendors or to grant access to confidential information.

An impersonation attack could also target a user with the goal of gaining access to their account. This could be accomplished by calling the help desk as that user and requesting a password reset, which succeeds whenever the administrator does not verify the caller's identity.

Another example of this attack would be pretending to be a delivery person. In some cases, delivery personnel have few restrictions and can gain access to secure areas without question.

Dumpster Diving

Dumpster diving is a method where an attacker goes through not only trash but other items in plain sight, such as sticky notes and calendars, to gain useful information about a person or organization.

USB Drops

USB drops is a method that uses malicious USB drives left in common areas throughout a workspace. The drives typically contain software that, when the drive is plugged in, installs malicious software that can provide a backdoor into a system or copy out files with common document extensions.

Tailgating

Tailgating is a method that is used to bypass physical security measures. You typically see this method used in locations that require a person to scan a key fob to gain entrance.

In this type of attack, the attacker will follow closely behind an employee and enter the room when they scan their key fob and open the door.

Why Should You Perform A Social Engineering Test?

Users are commonly referred to as the “weakest link” when it comes to security, yet they are still routinely granted more permissions than their jobs require.

So it only makes sense to pen test those users. These pen tests show who within a company is susceptible to the attacks previously discussed, and more.

Social engineering pen tests are typically done in a hybrid fashion combining on-site and off-site tests.

On-site Tests

On-site tests are used to test the physical security of a building and the policies in place, such as a clean desk policy.

The typical methods of attack you would use for an on-site test are:

  • Impersonation
  • Dumpster Diving
  • USB drops
  • Tailgating

Off-site Tests

Off-site tests are used to test users’ security awareness during their normal day. During this type of test, the pen tester will research the company and use information that is publicly available to test the company.

These tests are conducted remotely and commonly consist of the following attacks:

  • Vishing
  • Phishing
  • Smishing

Methods Used To Perform Social Engineering Attacks

There are three main phases in performing a social engineering attack: information gathering, victim selection, and engagement with victims.

Information Gathering

Before testing a target, you need to become familiar with them. To do this, you need to collect as much publicly available information about the target as possible.

It doesn’t make sense to test a target with medical phishing attacks when the target is a financial company.

You can gain information about a target in numerous ways, but the most common social engineering methods are active and passive reconnaissance and open-source intelligence (OSINT).

Active reconnaissance

Active reconnaissance is an attempt to gain information about a target while interacting with it. This could be as direct as calling the target and impersonating someone else to gain information, or as technical as port scanning the target's systems. Either way, the interaction can be noticed and logged by the target.

Passive Reconnaissance

When an attacker is conducting passive reconnaissance, they often turn to popular social media sites like Facebook or LinkedIn. This is a great way to quickly gain general information about the target in search of an attack vector.

For example, an attacker could use the information about a planned vacation posted on Facebook to know when you’ll be out of town. Once gone, they could search your home for ways to access the company’s network.

Besides being free, one of the main advantages of passive reconnaissance is that the attacker does not have to interact with the target to collect information, thereby reducing the risk of being detected.

Open-Source Intelligence (OSINT)

Open-source intelligence (OSINT) refers to the type of data that has been collected, not to how it was collected.

OSINT data is data that has been collected from publicly available sources and is therefore deemed “open”.

Thinking back to passive reconnaissance, passive describes the method by which the data was collected, and OSINT describes the type of data that was collected.
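One piece of OSINT that almost every off-site test needs is the target's email address convention, because the names harvested from LinkedIn are useless for phishing until they can be turned into addresses. The script below is an added example, not code from the original article: it infers the convention from a single address seen in a public source (a press release, a conference bio) and applies it to a harvested name list. The domain, the known address and the names are constructed for illustration, and the list of conventions is an assumption drawn from common corporate patterns.

```python
"""Infer a target organisation's e-mail address convention from one known
address and apply it to names gathered through passive reconnaissance.

Added example, not part of the original article.  The company domain, the
employee names and the known address below are constructed for illustration.
"""
import re
import unicodedata

# Common corporate local-part conventions (an assumed list).  {f} = first
# initial, {first} = first name, {l} = last initial, {last} = last name.
FORMATS = {
    "first.last": "{first}.{last}",
    "first_last": "{first}_{last}",
    "firstlast": "{first}{last}",
    "flast": "{f}{last}",
    "firstl": "{first}{l}",
    "lastf": "{last}{f}",
    "last.first": "{last}.{first}",
    "first": "{first}",
}

# Constructed sample data: a press release gave us one address, LinkedIn
# gave us the rest of the names.
DOMAIN = "example.com"
KNOWN = ("Jane Doe", "jane.doe@example.com")
HARVESTED_NAMES = ["Zoë Müller", "Li Wei", "Mary-Jane O'Neil"]


def normalise(part: str) -> str:
    """Lower-case a name part and strip accents, apostrophes and hyphens,
    which is what most mail systems do when they build local parts."""
    ascii_part = unicodedata.normalize("NFKD", part).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z]", "", ascii_part.lower())


def render(fmt: str, full_name: str) -> str:
    """Build the local part for full_name under convention fmt."""
    parts = full_name.split()
    first, last = normalise(parts[0]), normalise(parts[-1])
    return FORMATS[fmt].format(f=first[:1], first=first, l=last[:1], last=last)


def infer_formats(known_name: str, known_email: str) -> list[str]:
    """Return every convention that reproduces the known address.  More
    than one match means the sample is ambiguous; confirm with a second
    known address before committing to a target list."""
    local = known_email.split("@", 1)[0].lower()
    return [fmt for fmt in FORMATS if render(fmt, known_name) == local]


def build_target_list(names, domain: str, fmt: str) -> list[str]:
    """Apply one convention to a list of harvested names."""
    return [f"{render(fmt, name)}@{domain}" for name in names]


def run_example() -> tuple[list[str], list[str]]:
    """Infer the convention from KNOWN and, if it is unambiguous, expand
    HARVESTED_NAMES into addresses."""
    fmts = infer_formats(*KNOWN)
    targets = build_target_list(HARVESTED_NAMES, DOMAIN, fmts[0]) if len(fmts) == 1 else []
    return fmts, targets


if __name__ == "__main__":
    formats, targets = run_example()
    print("candidate conventions:", formats)
    for address in targets:
        print(address)
```

Two practitioner notes. First, the function returns every convention that fits rather than the first one, because a single sample can match more than one pattern; treat a multi-match result as "need another sample", not as a coin flip. Second, resist the urge to validate the generated addresses by sending anything or querying the target's mail server during this phase: that is active reconnaissance, it is logged, and it belongs to a later step of the test.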

Victim Selection

In order to perform a successful test, you need to select your “victims” carefully. You will want to choose victims, or groups of victims, who are most likely to be tricked.

These typically consist of:

  • Employees who are less aware
  • Mistreated employees
  • Recently fired employees (note that former employees fall outside an authorized test unless the scope explicitly includes them)

You may be wondering how you would identify employees in each of these categories. Websites like Glassdoor are an excellent source.

Glassdoor allows current and former employees to review the company and leave comments about their experience, pay, and benefits.

From these reviews, you can easily identify people who may be less aware and more willing to share information about the company.

You would be surprised how money can influence an employee’s loyalty, especially if they feel they are underpaid or undervalued.

Engagement With Victims

This is the step where you will begin engaging with your victims. Once you have identified your victims, begin planning out the methods of attack that will work best against each person or group of people.

To plan accordingly, you may need to do more targeted active and passive reconnaissance.

Again, the goal here is to collect as much data about people as possible without triggering any alarms. You do not want to tip your hand and reveal to the person that an attack or test might be looming.
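Once the engagement is live, every click and every submitted form has to be attributed to a person and rolled up by group, or the report cannot say who is susceptible. The script below is an added example, not code from the original article: it gives each target a unique link token, parses web-server access logs from the phishing landing page, and counts sent, clicked and submitted per department. The target names, tokens and log lines are constructed for illustration, the landing page path `/login` is an assumption, and the log lines follow the common Apache/nginx "combined" format.

```python
"""Attribute phishing-simulation results to individuals and departments
from web-server access logs.

Added example, not part of the original article.  The target list, the
tokens and the log lines below are constructed for illustration; the log
lines follow the common Apache/nginx "combined" format and the landing
page path /login is assumed.
"""
import re
import secrets
from collections import Counter

# Constructed target list with fixed tokens so the example is repeatable.
# In a real engagement use assign_tokens() below and guard the mapping:
# it is the only thing that ties a token back to a person.
TOKENS = {
    "tok-alice": ("Alice", "Finance"),
    "tok-bob": ("Bob", "Finance"),
    "tok-carol": ("Carol", "IT"),
}

# Constructed access-log excerpt.  The 203.0.113.7 entries are a security
# scanner probing the landing page; they carry no valid token.
LOG_LINES = [
    '10.0.0.5 - - [12/Mar/2024:09:14:02 +0000] "GET /login?t=tok-alice HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [12/Mar/2024:09:14:30 +0000] "POST /login?t=tok-alice HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [12/Mar/2024:09:20:11 +0000] "GET /login?t=tok-bob HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Mar/2024:09:21:00 +0000] "GET /login?t=unknown HTTP/1.1" 200 512 "-" "curl/8.0"',
    '203.0.113.7 - - [12/Mar/2024:09:21:01 +0000] "GET /wp-login.php HTTP/1.1" 404 0 "-" "curl/8.0"',
    'garbage line that is not a request',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TOKEN_RE = re.compile(r"[?&]t=([A-Za-z0-9_-]+)")


def assign_tokens(targets):
    """Map an unguessable token to each (name, department) target.  Tokens,
    not source IPs, are what make attribution reliable: corporate egress
    NAT and VPNs put many people behind one address."""
    return {secrets.token_urlsafe(12): target for target in targets}


def parse_hits(log_lines, tokens):
    """Return (clicked, submitted) sets of tokens.  Only the fact that a
    form was posted is recorded; the credentials themselves must never be
    logged or stored by the test harness."""
    clicked, submitted = set(), set()
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # not a request line we understand
        tok = TOKEN_RE.search(m["path"])
        if not tok or tok.group(1) not in tokens:
            continue                      # scanners, stale links, typos
        if not m["path"].startswith("/login"):
            continue                      # only the landing page counts
        if m["method"] == "GET":
            clicked.add(tok.group(1))
        elif m["method"] == "POST":
            submitted.add(tok.group(1))
            clicked.add(tok.group(1))     # a POST implies the link was followed
    return clicked, submitted


def summarise(tokens, clicked, submitted):
    """Roll results up by department for the report."""
    sent = Counter(dept for _, dept in tokens.values())
    click = Counter(tokens[t][1] for t in clicked)
    sub = Counter(tokens[t][1] for t in submitted)
    return {d: {"sent": sent[d], "clicked": click[d], "submitted": sub[d]} for d in sent}


def run_example():
    """Score the constructed log excerpt against the constructed targets."""
    clicked, submitted = parse_hits(LOG_LINES, TOKENS)
    return summarise(TOKENS, clicked, submitted)


if __name__ == "__main__":
    for dept, row in run_example().items():
        print(f"{dept}: sent={row['sent']} clicked={row['clicked']} submitted={row['submitted']}")
```

Two design choices worth keeping when you adapt this: requests without a known token are dropped rather than counted, because security tooling and curious admins will hit the landing page and would otherwise inflate the click rate; and the token-to-person mapping is the sensitive artifact of the engagement, so it should be stored separately from the logs and destroyed, or handed over under the agreed reporting terms, when the test ends.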


