How to ethically conduct pen testing for social engineering

Companies are under constant attack from malicious actors seeking to exfiltrate critical business data. One popular attack vector is social engineering, which a recent report claimed plays a part in all cyber attacks.

Many companies conduct penetration tests to ensure software and networks are secure but should also use pen testing for social engineering attacks to prevent phishing, vishing, pretexting and more.

In Practical Social Engineering: A Primer for the Ethical Hacker, author Joe Gray, senior investigator at SpyCloud, covered how security professionals should conduct pen testing for social engineering and how to do so without going too far, legally or ethically.

Here, Gray explains why pen testing around social engineering interested him enough to embark on a career focused on it, as well as restrictions ethical hackers should follow and how one might begin their career in a social engineering pen tester role.

Editor's note: This transcript has been edited for length and clarity.

What interested you in pen testing specifically around social engineering?

Joe Gray: I got into social engineering specifically thanks to security podcasts, like Chris Hadnagy's. They made me aware of the concerns that involve social engineering. At the time, I was enrolled in a Ph.D. program. I was at a colloquium session to determine my problem statement for dissertation. We had to review academic journals and find our specific discipline. As I went through journals, I found a lot of focus on cryptography, zero-trust architecture and similar topics but not much on ransomware, specifically in regards to Locky. Its exploit kit used automatic phishing to propagate. From there, I started pulling resources together and ended up with my 'binder of doom' -- a three-inch binder packed with nothing but scholarly work on social engineering, phishing and vishing. That spawned my passion.

Who would benefit most from your pen testing for social engineering book?

Gray: I wrote the book with several audiences in mind. It's broken into three sections. The first section is foundational material anyone could benefit from. The second part is on how to conduct operations, which is more beneficial to pen testers. The final part of Practical Social Engineering is more for blue teams. CISOs may also be interested in the third section. In comparison to caring about how many people open an email or click an email, you can't say something's efficient without reading it. Looking at that through a set of metrics would benefit CISOs and give them something more operational to work with their incident response teams with to build better playbooks.

Click here to learn more
about Practical Social
Engineering by Joe Gray.

More on Practical Social Engineering

To get started with pen testing for social engineering, check out an excerpt of Chapter 10 of Practical Social Engineering.

What made you realize that ethical hacking meant hands off employees' personal social media and knowing where to draw a line?

Gray: Chris Hadnagy has a motto: 'Leave them feeling better for having met you.' I chose to adopt that as well. I've seen instances of companies sending out emails mentioning bonuses or layoffs that are test phishing emails. Those are companies I would not work for. I've also heard of pen testers bragging about taking it too far and targeting a personal account during a work engagement. I've run into a close situation that made me see what can go wrong. It's one of the case studies in the book. During a vishing engagement, I called a woman and was asking invasive questions. She told me something about cornbread, which hit home because of my relationship with my grandfather. It came up because her husband, who had just passed away a year ago, always crumbled up cornbread and put it into buttermilk as his favorite snack. As she was sobbing on the phone, I was like, 'OK, I've got to maintain my character as good as I can. But, at the same time, I need to make sure she's in a good psychological state.' I stopped asking invasive questions and had a chat. I made sure that she was in a good place. Afterward, I went to my practice lead and explained what had happened. I said I didn't think it was a good idea for me to do more calls that day. Sometimes, you open doors you don't expect to open, and you see things you don't expect to see. Pen testers have to be prepared to address that.

Do you think having restrictions around ethical hacking for social engineering reduces the accuracy of testing, given adversaries wouldn't do the same?

Gray: Have you ever heard of mainstream red teaming and pen testing that authorize denial-of-service ransomware or distributed denial-of-service attacks? No, but adversaries do those. We don't implement them because they could cause harm. Stopping there degrades the quality of the simulation, but at the same time, we don't do every single thing an adversary does. I'm not going to say there are no pen tests, companies or red teams that aren't doing at least small-scale denial-of-service or ransomware simulation attacks, but it's not mainstream.

Do companies ever try to get the scope of the project to exceed ethical guidelines?

Gray: I've heard of instances but have never been involved in any scoping like that. If I asked, I would respond that I will look at employees' social media accounts for open source intelligence [OSINT] to gain context to have an excuse to talk to them. However, I wouldn't share anything I found with the company. If I'm doing an OSINT engagement for an individual person, I'll share every single password I find with them -- no big deal. But, if the engagement is for a company, I tend to not share the passwords I find. I might tell them to prohibit anyone in their organization from using certain passwords, but I won't assign a password to a person. More often than not, I'll say something to the effect of: 'Here are the statistics associated with passwords: Your average password length is 8.4 characters, use[s] 2.3 typefaces and [is] reused four times.' I'll include personal email addresses for the whole reuse statistic, but I won't say who is using what because I have no way to know that the company I'm providing a report to is going to be altruistic about it. I don't know if someone's going to be an abusive supervisor and try to harm a person or log in to their personal account. Since password reuse is such a problem, that's the main reason why I try to avoid it.

Where do you recommend someone interested in a career in social engineering pen testing start in both their education and when looking for a job?

Gray: It's tricky with social engineering. If you're working for someone like Chris Hadnagy, you could start out entry level with less experience. Beyond that, you have to navigate your way into it. There's no singular path in terms of how to land an entry-level pen testing role. Every junior pen tester has probably been a system or network engineer or possibly even a [security operations center] analyst.

I recommend pen tester candidates read my book, as well as other books -- anything by Hadnagy or Dr. Robert Cialdini. Additionally, join Toastmasters to improve communication skills. Get used to having conversations with people, and learn how to strike up a conversation with someone for any reason.

Academically, take English composition 1 and 2 and technical writing, if it's offered. I would also recommend taking psychology or sociology classes. Maybe learn a foreign language, too -- knowing a foreign language might help you understand other cultures to work globally.

To be a high-efficiency social engineer, especially when it relates to phishing, understand email security protocols, like Sender Policy Framework, DomainKeys Identified Mail, and Domain-based Message Authentication reporting and conformance. This enables you to better structure emails to ensure they make it through most email filtration tools.

Reading up on threat intelligence, such as anything from the Anti-Phishing Working Group, is also helpful. You can read the phishing sections of the Verizon [Data Breach Investigations Report]. Also, take on-demand courses from Udemy, Coursera and others. Just go off and read things; maybe even find hashtags associated with social engineering, and see what the industry is talking about.