If you’ve read our previous blog, you may be aware of what social engineering penetration testing is. But if you haven’t, we advise that you give a quick read to that blog here.
There are three main methods used to perform a social engineering attack including information gathering, victim selection, and engagement with victims.
In order to test a target, it is important to become familiar with it. For this, you require collecting all the possible information about the target. There are multiple ways to collect and the most commonly used are active & passive reconnaissance and open-source intelligence (OSINT).
- Active reconnaissance
In this method, the attacker gains information about a target while engaging with it. This could be via a call and impersonating to be someone else or subtly through port scans.
- Passive Reconnaissance
Passive reconnaissance takes place via social media platforms such as LinkedIn or Facebook. It is an effective way to gain quick and genuine information about the target.
For instance, if an individual has made a Facebook post regarding a vacation he/she is planning, the attacker could use this information. And once the individual is out of town, the attacker could search their home to get access to the company’s network.
An advantage of passive reconnaissance is that it does not require direct interaction with the target and thereby reduces the risk of getting detected. You will learn this method in detail when you pursue the certified ethical hacker course.
- Open-Source Intelligence (OSINT)
The type of data that is collected by the attacker is known as Open-Source Intelligence. It is the data that is publically available and is ‘open’. Now, you may be wondering that it’s the same as passive reconnaissance. But no, the difference here is – passive reconnaissance is the method that is used to collect data and OSINT is the exact type of data that is collected.
Selection of Victims
In order to perform a successful test, you need to select your “victims” carefully. You will want to choose victims, or groups of victims, that are easily tricked.
For ensuring a successful test, it is essential to select the ‘victims’ carefully. It could either be a single victim or a group of victims. It is easy to trick people who fall in the following categories:
- Less Aware Employees
- Mistreated or ill-treated employees
- Employees who were fired recently
If you’re thinking about how you can identify such employees, then the answer is simple. There are many websites that take reviews from existing and past employees. Such sites are an amazing source for the attacker as they can get exact information about their experience and pay.
Engagement with the Victims
The last method where in the attacker finally starts engaging with the victims. After identifying the victims, the attacker starts planning the method of attack that will be beneficial against that person or team of people.
The goal here is to gather as much information as possible without giving an idea to the person/people about why you’re doing this.
Steps to Perform a Social Engineering Penetration Test
There are four major steps to perform a certified ethical hacker course, let’s talk about each of them one by one:-
Step 1: Test Planning and Scoping
This is the most crucial step during the social engineering penetration test. In this step, you recognize the scope of the test and how it will be conducted.
Since this is the very first step, it requires a meeting between the professional performing the test and the management. An essential point to remember here is that you need to ensure that the number of people attending this meeting should be as minimum as possible. The more the people, the higher is the risk of information related to the test getting leaked.
The objective of the meeting is to get permission to perform the test and make the management aware of how you’re going to conduct the entire procedure.
Step 2: Attack Vector Identification
After scoping out the test, you must have a well-defined contract stating what and who you are permitted to test. The tester needs to identify all the methods that he/she will be using during the test.
Different methods should be used for different groups and users. For instance:
- The security personnel will be tested through impersonation tests. Here, the tester will impersonate as a delivery guy attempting to make a delivery to an IT employee. Another way that can be used for security personnel is Tailgating where the tester will closely monitor the employees entering the building while a large volume of people are entering.
- An IT employee will be tested by utilizing an impersonation test. Here, the tester will request a password reset for an employee and impersonate as an employee from the accounts department.
- Accounting personnel will be tested via a phishing test. In this test, the tester will send a phishing email as the CEO of the company and request past month’s expense report for review purposes.
Stating examples like the ones mentioned above gives the management a clear understanding of what you’re going to do. Every test can also be scored on the basis of the response you attain. Scoring always helps in determining the success rate of the penetration test.
Each test can be scored based on how well the users respond and will help with the overall final score of the penetration test.
Step 3: Number of Penetration Attempts
This step involves executing the tests that you planned in the previous step. A point to remember here is documentation. These documents will serve as evidence in the report later on.
Evidence can be in the form of:
- Phone Call Recordings: These are vital evidence as there is no other way to prove that the attack happened and the user shared important information.
- Phishing Emails: As you know this type of social engineering test involves sending emails. Keeping these emails as proof allows the attacker to later prove how far a user goes before giving up sensitive information.
In addition to the evidence, the test also needs to include – the beginning and end time for each test, name of the employee being tested and name of the person conducting the test.
Step 4: Reporting
The reporting step of a pen test is where you bring all of the results in together. While writing the report remember who your audience is.
Bringing all the outcomes together in a single report is called reported. You must create the report while keeping your audience in mind. The audience is generally the senior management. In the report, the tester needs to mention the concerns that lead to these tests as well as the vulnerabilities you came across during the test.
Along with that, you must share some recommendations on mitigating the vulnerabilities. A report generally contains the following points:-
- A summary
- A list of all the technical risks
- Impact of the vulnerabilities
- Options Available for all the vulnerabilities identified
- Conclusion of the penetration test
- Elimination of vulnerabilities
Social engineering penetration tests are an exceptional way for a company to test its security. Either the internal auditing team or an external team of experts that specialize in this area can perform these tests.
To get more details related to pen tests, get in touch with us. If you wish to build your career as a Penetration Tester, we suggest you take a look at our Penetration Tester Career Path Program and enroll in it.