Testing for Lapses in User Education
While necessary for any security program, technical assessments alone are an incomplete simulation of a real world cyberattack. Technology does not exist in a vacuum – people are the central component of any company process, and are often the primary gateway to sensitive data and processes.
White Knight Labs offers a range of expert-driven social engineering assessments s for organizations looking to test their employees and associated security policies. Whether traditional email phishing testing, vishing (voice calls) engagements, or on-site assessments and attempting access into the physical building, we have trained social engineers at the ready.
What is Social Engineering?
Social engineering is a deceptive attack where an attacker attempts to persuade users into performing an action, such as providing a password or clicking a link.
While social engineering is typically assumed to be delivered via phishing emails, these attacks can come in many forms, including phone calls, SMS messages, social media, and even personal interactions. Oftentimes these pretext techniques are enhanced using personalized information on the target – users are more likely to engage an email which refers to some information about them specifically. This critical research phase is what differentiates simple automated phishing tools and professional social engineering.
Why Get a Social Engineering Assessment?
Social engineering assessments are a major aspect of many real-world cyberattacks. From highly targeted spearphishing engagements to vishing support calls, hackers use a range of attacks aimed at employees to gain unauthorized access.
White’s phishing engagements go far beyond the automated tools found in many comparison services, providing highly targeted, sophisticated scenarios for each client. Using research on both the client organization and its employees, our security experts create sophisticated campaigns which ensure the best assessment of user education.
Vishing (Voice Call) Assessments
Vishing attacks utilize voice phone calls to similarly coax a user into performing an unauthorized access, such as providing sensitive information or downloading an untrusted file. While these attacks are less common in the wild, vishing can be more effective when the attacker can establish an immediate, personal connection with the target users.
While less well-known than email or phone social engineering, White Knight Security’s on-site assessments utilize specialized security professionals to perform engagements in person. Specific techniques include ‘baiting’ the area with infected USB drives, tailgaiting employees through locked doors, and creating fake company badges to gain access to sensitive areas.
Similar to technical assessments, White Knight Security Labs utilizes a structured series of steps in a social engineering assessment for structured, repeatable assessments. This step-by-step format ensures consistency in key areas, while providing flexibility in the specific pretext and scenarios created. This customization helps ensure a successful, effective engagement.
1 – Information Gathering
Reconnaissance is the start to any social engineering assessment. While often neglected in many commercial services, information gathering is a critical phase and often determines the success of the rest of the social engineering campaign.
While many clients offer to provide basic employee data, we recommend starting with no information at all. This ‘black box’ approach better replicates the research process of live attacks and provides useful intelligence on the information which can be found online – value which is missed when that information is provided.
2 – Create Pretext Scenarios and Payloads
Once full enumeration of the client organization – and its employees – has been completed, focus turns to the pretext scenarios and payloads for the social engineers.
These details should answer the following questions:
- Pretext scenarios – Which will raise interest / reduce concern?
- Source information – Which domains/phone numbers are needed?
- Validity – What else can be done to improve pretext legitimacy?
- Payloads – What’s the target information/access to obtain?
3 – Engage Targets
Using the specified tactics and pretext, White Knight Security Labs’ assessors begin engaging specified employees with the appropriate emails or phone calls. For on-site assessments, a series of tests are started, including tailgating users and ‘baiting’ with USB drives left in parking lots or other common areas. For advanced engagements – which can incorporate social media or SMS to build rapport – the first of multiple interaction stages begins.
4 – Reporting and Debrief
After completing the social engineering assessment and aggregating results, the social engineering report is written, outlining both an executive summary and specific engagement details. Remediation steps and training guidance is also providing, directing the client in resolving the training and policy issues identified.
Once the client’s team has reviewed the closeout report, a debrief meeting is scheduled, walking through the details and answering any questions.
5 – (Optional) Employee Education
As an optional addition to the standard assessment, White Knight Security Labs provides user training session for client employees. Whether hosted in a recorded online webinar or an in-house training session, provide quality security awareness training – by the same experts who performed the original engagement!