Red team exercises against social engineering attacks
How can you take a proactive approach to your organization’s cybersecurity strategy? Scoping the threat landscape and having a solid incident response plan is a good start. But you also need to continuously seek out vulnerabilities and weaknesses to remediate or mitigate. These vulnerabilities and weaknesses aren’t just limited to systems and processes – the human factor plays a prominent part in many cybersecurity breaches.
This article examines social engineering attacks that exploit flaws in human psychology and outlines how red teaming simulations help you improve resilience against social engineering attacks.
A social engineering attack is when a threat actor manipulates individuals into taking certain actions or disclosing private information by preying on flaws in human psychology. Instead of targeting system vulnerabilities, these attacks take advantage of a target’s fear, curiosity, trust, or cognitive biases.
A common observation within cybersecurity is that the human element is the weakest link in the chain. The following statistics demonstrate the extent to which today’s opportunistic cybercriminals rely on social engineering attacks:
- The average organization gets hit by 700 social engineering attacks each year.
- Between 70 and 90 percent of data breaches involve some type of social engineering technique.
- An analysis of 2,249 security incidents involving social engineering found that almost half resulted in the disclosure of confidential or sensitive data.
While most modern social engineering attacks occur digitally, direct manipulation of targets can occur in physical environments, such as office locations. The perpetrator must be present at the target location for physical social engineering attacks to work.
How do social engineering attacks happen?
The majority of social engineering attacks involve four distinct steps:
- Reconnaissance: Social engineering attacks typically start with an information-gathering phase in which the perpetrator seeks to find out as much info as possible about a target to maximize the likelihood of success in a socially engineered attack. This step includes trawling through social media profiles, company websites, public records, and other online sources. Physical attacks might involve observing a target location to determine patterns of employees entering and leaving the office at specific times and noting their behaviors.
- Hook: This critical step marks the start of the psychological manipulation. Sometimes, the hook is as simple and quick as impersonating a person or company that the victim trusts in an email, text message, or phone call. More sophisticated attacks involve extensive steps to build a rapport with particularly high-profile targets over a long period of time.
- Exploit: The third step is where the attacker uses the engagement or rapport they’ve fostered with a target to achieve their goals. Common types of exploits include emails containing malicious attachments, requests for sensitive information, or even getting a victim to hold the door open so that the attacker gains unauthorized access to a physical location.
- Exit: The final step is where the interaction with a victim comes to an end, ideally without raising any suspicion. A smooth exit ensures that the victim doesn’t even realize an attack has taken place and that the perpetrator’s identity remains unknown.
Threat actors have many social engineering techniques at their disposal. Here are some of the most common types of social engineering attacks carried out against organizations.
Phishing is a type of cyber-attack in which a fraudster sends messages to a victim purporting to be from a reputable company or trusted person. The intention of a phishing attack is to trick the target into disclosing valuable information, such as their login details, or into taking a desired action, like opening a malicious attachment. Messages most commonly arrive via email, although certain types of phishing use text messages (smishing) or phone calls (vishing).
Baiting is a type of social engineering that appeals to victims’ curiosity. Many baiting techniques involve offering enticing digital media to a target, such as a free music or movie download, in exchange for login information or private data. Some baiting attacks focus on exploiting human curiosity via the use of physical media, such as flash drives left in parking lots or elevators. The bait is usually infected with malware, which gives the attacker access to the victim’s system or the wider IT environment.
Aside from media baiting with flash drives, a common physical social engineering attack is tailgating, where an attacker seeks entry to a restricted area without proper authentication by following closely behind an authorized person. Another physical social engineering technique is impersonating a contractor, employee, delivery driver, or another apparently trustworthy person to gain physical access to an area.
Social engineering countermeasures and mitigation strategies
Social engineering poses a significant threat to all businesses, from financial and reputational damage to data breaches and operational disruptions. By addressing the vulnerabilities that these types of attacks exploit, organizations can mitigate risk, safeguard their assets, and ensure business continuity.
- Improve employee training and awareness: defending against social engineering starts with improving employees’ ability to notice the techniques and tactics commonly deployed to trick them. Treat training and awareness as an ongoing task rather than an annual box to tick.
- Strengthen authentication: implement multifactor authentication for logins to your systems to counter the impact of phishing and other socially engineered attacks that steal employee passwords.
- Use email security tools: use email security solutions with strong email filters to catch phishing attempts and prevent them from reaching end users. Some of the latest tools employ AI algorithms to help accurately detect the signs of phishing scams.
- Simulated attacks: test your organization’s resistance to social engineering attacks using simulated attacks. Consider hiring an external red team to assist with these exercises.
A red team is a group of security professionals known as ethical hackers who mimic the tactics, techniques, and procedures of potential attackers. Their goal is to assess and improve the effectiveness of your security measures by simulating attacks to see how well your company might stand up against real-world hackers.
Red team engagements are different from penetration testing in that the latter focuses on identifying all the vulnerabilities in a specific system, application, or network. Red teaming, on the other hand, is a broader, more adversarial approach that simulates real-world attacks, deploying the same creativity and flexibility as real-world hackers do to achieve their goals.
The key elements of an effective red team engagement are:
- Clear Objectives: Before any red team exercise, define what you aim to achieve. The objectives could range from testing specific systems to evaluating staff responses to an attack or assessing overall levels of security awareness among employees.
- Realistic Attack Scenarios: Red teams should use tactics, techniques, and procedures (TTPs) that mimic the actual threat actors relevant to your organization. The closer your exercise is to the real-world threats you face, the better prepared your organization will be.
- Proper Reporting and Debriefing: After the engagement, you need a comprehensive report detailing the red team’s actions, the vulnerabilities discovered, and recommendations for improvement. A debriefing meeting is also beneficial to discuss the findings and next steps in person.
- Independence: While some companies have their own internal red teams, the best approach takes a truly outside-in view that only comes from an independent team. Ideally, this team will be very familiar with your company’s industry, regulations, and threat landscape.
Red teaming engagements are intrusive by nature. Any good red team accounts for ethical considerations in their work (they are called ethical hackers after all). One such consideration is obtaining proper consent from your company’s management and other important stakeholders. Ethical considerations must also play into cases where a company asks a red team to hack into services that the company doesn’t own, such as a public cloud environment.
Red teaming should also comply with regulatory requirements that apply to companies and industries. Certain activities may be illegal, and a breach of law can lead to legal consequences, damaging your organization’s reputation.
How Outpost24’s red teaming engagements build resilience against social engineering
Outpost24 offers businesses extensive red teaming assessments by our in-house team of skilled ethical hackers. We’ll craft custom phishing emails to target users, weaponize documents/files to pique curiosity, and even try to access your premises (with your permission) to gauge the level of social engineering awareness. Our in-depth reports produce actionable insights for your business to become more resilient against the most widespread social engineering attacks.