Every year companies lose thousands and even millions of dollars due to security breaches. Because of this, corporations may spend thousands and even millions more to build up their defenses. They may upgrade company software or increase security awareness training. With all this effort though, many security executives wonder if their resources are well spent. They may also wonder if they have addressed the most worthwhile attack vectors a malicious actor may use.
The truth is the path of least resistance that most bad actors follow to infiltrate a company does not typically center around vulnerabilities in technology. Though these may play a role in an attack, it’s the vulnerabilities in people that malicious actors will often target. Unlike machines, attackers can deceive employees, making them a company’s most unpredictable asset and weakest link IF they are not trained properly.
To better understand the avenues in which a bad actor can most easily infiltrate your company by way of your employees, an assessment is needed on current security posture. At Social-Engineer LLC, we offer a service known as the Social Engineering Risk Assessment or SERA for short. In this article, we’ll discuss the benefits of the SERA, how it can help improve your company’s security posture, and how it can lead your employees to better protect themselves as well.
Building a Profile
An attacker carefully researches the staff of the target company before attempting to infiltrate it. Often, an attacker will start by isolating specific “high value targets” in the company. These may be individuals who work in departments that deal with very confidential information or internal systems. Individuals that, if compromised, could give an attacker a variety of sensitive data. These “high value targets” could be anyone from Board Members to IT Directors, even Payroll Executives.
Once the attacker isolates their High Value Targets, the intelligence gathering phase begins. By way of Open-Source Intelligence (OSINT) gathering, bad actors can build up a dossier or profile of their target. If a target has a public social media account, this can serve as a gold mine for an attacker. They can learn about staff members the target works closely with, their work schedule, or projects on which they are working. The attacker can also learn more about their personal life such as their family, living situation, and recreational preferences. They may even find home addresses or credentials found in breach data or other web directories.
At Social-Engineer, our SERA program also begins in a similar way. Once the client gives us their High Value Targets, we then launch a full OSINT investigation. Our certified social engineers scour the internet in the same way an attacker would. They carefully document and track the kind of data found and the potential risks the data poses to the company if used by bad actors. We also provide the search terms used so that our clients can replicate the OSINT gathering themselves. Once we complete the OSINT gathering and build the profiles, then the “Attack” phase begins.
Building the Attacks
Once the intelligence gathering is complete, an attacker will then strategize how to leverage the information against their target. Perhaps they discovered through OSINT that the target is working on an important project with important clients. An attacker could create a pretext that centers around the project and create a sense of urgency. Perhaps they want to inform their target that the “deadline was moved up” or “some of the clients are having second thoughts.” This urgency may create an emotional response from the target, leading to a lapse in critical thinking.
A lot of planning goes into the method an attacker will use to deliver their pretext to the target. They may send a targeted phishing email, or “spear phish,” impersonating someone that the target may know. They may also try to launch a vishing attack to speak with the target directly. In many cases, attackers use a hybrid attack, combining vishing and phishing together. This can be very effective if executed properly. By posing as an internal source the bad actor may begin the attack calling the target about an HR or IT problem. Then while on the phone call with the target, they send the phishing email. This could create a sense of legitimacy to the attacker’s pretext.
At Social-Engineer, our SERA program’s “Attack Phase” simulation is similar to that of a real-world attacker. Once our team has gathered OSINT, they then craft effective pretexts and find the best attack vector (phishing, vishing, or both) in the hopes of compromising their target. Unlike bad actors, we will never use fear tactics in any of our simulations. We will however use specific influence tactics and rapport building techniques to make the simulated attack as real as possible. We do this to leave our targets “better for having met us.” This promotes a positive atmosphere for training and education, even when an attack leads to a compromise.
End Results and Reporting
In a real-life social engineering attack, the results can often be catastrophic depending on the information the attacker obtains. If the company does not deal with the security breach properly and quickly, the damages may be irreversible. Educating high value staff after the fact won’t help. This is why it is imperative to train all staff now to be security conscious, along with safely managing one’s digital footprint.
With Social-Engineer’s SERA Program, the final report we deliver to the client outlines the results of the simulated attacks along with the intelligence used to build them. The report outlines key areas of interest. For instance, it shows how the information as found, and how a malicious attacker may use it. As mentioned before, the report will contain easy-to-follow steps to re-create the OSINT investigation, so you can see the data for yourself.
Because the internet is often a buffet of information, there may be sensitive data out in the web that your high value targets may not have been aware of. Our SERA program helps to expose some of this information, which may have been advertently or inadvertently posted. This serves as a good reminder for your high value targets to keep social media accounts private and request sensitive information be removed from online directories. It also reinforces the need for secure work practices. The SERA shows your high value employees what a very targeted social engineering attack may look like, and to never let their guard down.
Conclusion
Social-Engineer’s SERA program will undoubtedly help you to protect your organization and its high value assets. This risk assessment is in essence a human vulnerability scan. With it you can have a clear, actionable picture of your employees’ exposure and possible vulnerabilities.
With Cybersecurity Awareness Month on the horizon, it may be very worthwhile to find those vulnerabilities now. This could help in tailoring your approach to planned security initiatives based on your organization’s specific needs and areas of interest. SERA is also a fantastic addition to Cyber Security Awareness Month itself, as well. While you educate your general population with larger scale training programs and simulated vishing/phishing, you can also implement SERA to provide a much more in-depth assessment with specific high value assets at the same time. This provides a well-rounded view of your corporation’s security posture and can identify areas to improve.
At the beginning of this article, it was stated that humans can be easily deceived and can prove to be a company’s weakest link IF they are not trained properly. However, if they ARE trained properly, humans can become one of the best lines of defenses a company can have against outside threats.
Written by: Josten Peña