How to conduct a social engineering penetration test

Types of social engineering attacks

Malicious attackers use a variety of social engineering attacks to steal data from employees and third parties. Common types of social engineering attacks include the following:

• Phishing. Attackers indiscriminately contact users via email, text message, phone call or voice call through a web application to trick them into revealing credentials and secrets.
• Spear phishing. A more targeted phishing attack, spear phishing involves malicious actors personalizing correspondence to a particular employee to gain access to credentials, accounts, etc.
• Pretexting. Attackers create a fake but urgent-sounding scenario -- for example, pretend there's an emergency or they're a company executive -- to get people to provide personal or company information and access.
• Tailgating or piggybacking. Attackers physically follow employees closely into restricted areas they would otherwise not be allowed to access -- for example, someone following an employee through an area that requires an access key.
• Scareware. Cybercriminals trick employees into visiting malicious websites, purchasing or downloading malicious software, or even just believing they are infected with malware, whether they are or not.

How to prepare a social engineering assessment

The first step is to assemble a team to execute the pen test. Members might include internal employees, but the team could also benefit from external third-party support -- for example, from ethical hackers or pen testing services.

Depending on how in-depth the assessment is, consider setting up or using a red team and blue team. The red team focuses on where vulnerabilities might exist, while the blue team identifies how well defenses mitigate an attack, as well as how to improve defenses.

Next, determine the scope of the social engineering pen test. For example, should it focus on internal, people-based vulnerabilities, such as phishing attacks, or include external situations involving unauthorized access into a building or individual user systems?

As part of this step, identify the prospective attack vectors to examine:

• Unauthorized system access.
• Delivery of suspicious attachments on email messages.
• Use of phone calls to obtain personal information.
• Unauthorized persons getting access to buildings or floors.

Also, determine how to examine the identified attack vectors:

• Electronic pen testing to identify suspicious code.
• Cameras that monitor activity at building or floor access points.
• Data captured by firewalls and intrusion detection and intrusion prevention systems.
• Software, such as secure email and web gateways, that examines email and other messages for suspicious code.
• Antimalware, antiphishing, antivirus and antiransomware software that identify possible attacks.

Next, design assessment attacks that simulate a social engineering breach. Determine if the attacks will be active or passive. An active attack might involve a member of the team, or perhaps an external third party, interacting with employees and persuading them to provide information they might not normally release. Active attacks also include various ethical hacking activities. A passive attack might involve the results of security camera surveillance or suspicious data captured by pen test software.

Finally, prepare an assessment plan that includes the following activities:

• Discovery and examination of suspicious data captured by security software.
• Ethical hacking that further identifies attack vectors.
• Visual recordings of building access points and office work areas.
• Reports of observations by team members moving around the building.
• Data analysis of events and their characteristics.
• Development of actions to prevent future events.
• Identification of specific ongoing activities to monitor systems for possible attacks.
• Definition of ongoing activities -- for example, training, awareness and software patching.
• Compilation of findings and recommendations into a report.
• Presentation of the report to key parties and stakeholders.
• Follow-up activities identified from the assessment.

How to execute a social engineering assessment

Take the following steps to perform a social engineering pen test:

1. Schedule the assessment. Schedule the assessment attacks at various times during a one- to two-week period to minimize suspicion. If senior management is among the assessment attack victims, it might not be appropriate to announce the assessment. Conversely, it might be useful to release an announcement that obliquely references the assessment -- for example, identifying it as a review of security practices.
2. Conduct the assessment. Consider establishing policies or procedures that govern an assessment -- for example, ensuring no information is volunteered about the test, using prepared responses to people asking questions and issuing regular updates to senior management.
3. Discover, capture and analyze data. As data is discovered and captured from the assessment attacks, carefully examine each event, and determine its origin, how it was discovered, how it bypassed security measures, how it progressed, what impact it made and how it was resolved.
4. Report on findings and recommendations. Compile results of the assessment into a report that presents the findings and recommended actions to fix vulnerabilities. Schedule a meeting to present assessment findings and recommendations to senior management. Share results with key IT employees and others.
5. Post-assessment activities. Use the social engineering pen test results to launch initiatives, such as regular employee training on security; greater diligence monitoring physical and electronic security systems; weekly IT security team meetings; security patches that are consistently applied and tested; and establishment of a formal, companywide security program.

Paul Kirvan is an independent consultant, IT auditor, technical writer, editor and educator. He has more than 25 years of experience in business continuity, disaster recovery, security, enterprise risk management, telecom and IT auditing.