Should Social Engineering Be In-Scope For An External Pentest?
The short answer is yes; social engineering should be included in the scope of any serious external penetration test. A test of an organization's network perimeter that leaves out social engineering ignores the most common way real attackers actually get in. That said, when defining the scope of an external penetration test there are some social engineering parameters that should be agreed on up front. In this article we will explore the benefits and drawbacks of social engineering during an external pentest and how to best include this tactic in your scope.
A Traditional And Evolving Tactic
Social engineering is a mix of psychology and technology used to gain trust or otherwise trick, entice, or compel someone to take action or reveal information. This tactic can be performed through means as low-tech as a conversation up to cutting-edge AI-generated calls or elaborate fake websites. While it is one of the oldest tricks, it is still used with great success today and is often the initial access to an organization’s network.
One famous example includes David Kennedy’s demonstration during a CNN interview where he compromised an organization in two minutes with a phone call to their help desk. Many companies that are security-minded have policies in place to help prevent such occurrences, but there is a broad range of methods, and an attacker only has to get lucky one time.
As technology advances, even well-trained employees may find it difficult to distinguish between legitimate requests and a scam. Early in 2024, scammers used generative AI to deepfake a video call and imitate a company's CFO convincingly enough to trick a finance worker into transferring $25 million to accounts the scammers controlled.
As these attacks increase in sophistication, testing security policy and the training of frontline staff becomes even more important.
What Should Social Engineering During A Pentest Look Like?
Using a standard TCM Security pentest as an example, before the engagement begins, permission is explicitly obtained, and the scope sets the parameters of the social engineering that will take place. Considerations such as which employees can be targeted and which methods will be used are agreed on in the rules of engagement. Many of the tactics for gathering intelligence and the methods used for creating fraudulent correspondence are not specialized and are available to anyone, but using them effectively is a talent.
What Are The Methods Used?
The average person does not really understand 1) how much of their personal data is exposed to anyone with a web browser and 2) how effectively that data can be used to manipulate them in some fashion. Some companies maintain strict policies concerning what information an employee can share concerning their professional life, but personal social media accounts and other online presences can provide enough information for a clever OSINT analyst to leverage into a potential breach.
OSINT (Open Source Intelligence)
The first step in a modern-day social engineering campaign is gathering open-source intelligence. Testers use public information published by the individuals themselves on social media, forums, public profiles, and other channels to develop a dossier. With this information the tester is able to make much more focused password guesses (a pet's name plus a birth year beats a generic wordlist), craft personalized phishing emails, or otherwise manipulate a user into taking some action.
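To make the "focused password guesses" concrete, here is an added example (not TCM Security's tooling) that turns a small dossier of public facts into a short, targeted candidate list. The dossier contents, the suffix list and the mutation rules are assumptions chosen for illustration; a real engagement would tune them to the target and to the password policy observed, and would only ever use the list against accounts in scope.

```python
"""Generate targeted password guesses from an OSINT dossier.

Added example, not TCM Security's code. The dossier below is constructed
and the mutation rules (case, leet, suffix, year) are assumptions that
reflect common user habits. Use only against accounts you are authorized
to test.
"""
from itertools import product

# Constructed sample dossier: facts of the kind a tester pulls from social
# media, public profiles and company pages.
DOSSIER = {
    "first": "Jane",
    "last": "Doe",
    "company": "Acme",
    "pet": "Biscuit",
    "team": "Panthers",          # sports team from a public profile
    "years": ["1985", "2019"],   # birth year, wedding/child year
}

# Generic tails people bolt on to satisfy complexity rules.
SUFFIXES = ["", "!", "1", "123", "!1", "2024", "2024!"]
LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})


def base_words(dossier):
    """Seed words: each fact on its own plus a few simple combinations."""
    words = [dossier["first"], dossier["last"], dossier["company"],
             dossier["pet"], dossier["team"]]
    words.append(dossier["first"] + dossier["last"])   # JaneDoe
    words.append(dossier["pet"] + dossier["first"][0])  # BiscuitJ
    return words


def mutate(word):
    """Case and leet variants of a single seed word (sorted for determinism)."""
    variants = {word, word.lower(), word.capitalize(), word.upper()}
    variants.add(word.lower().translate(LEET))
    variants.add(word.capitalize().translate(LEET))
    return sorted(variants)


def candidates(dossier, suffixes=SUFFIXES, min_len=8):
    """Ordered, de-duplicated guesses that meet a minimum length.

    Years from the dossier are appended alongside the generic suffixes,
    since people commonly pad a known word with a meaningful year.
    Guesses shorter than min_len are dropped because most policies
    would reject them anyway, which keeps the list small.
    """
    tails = list(suffixes) + dossier["years"] + [y + "!" for y in dossier["years"]]
    seen = set()
    out = []
    for word, tail in product(base_words(dossier), tails):
        for variant in mutate(word):
            guess = variant + tail
            if len(guess) >= min_len and guess not in seen:
                seen.add(guess)
                out.append(guess)
    return out


if __name__ == "__main__":
    guesses = candidates(DOSSIER)
    print(f"{len(guesses)} candidates, e.g.: {guesses[:10]}")
```

A list this size is meant for a careful, lockout-aware password spray (a handful of guesses per account per lockout window), not a brute force; the value is that each guess is informed by something the target has already said about themselves in public.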
“Phishing” for Information
Phishing generally refers to a fraudulent communication that attempts to evoke some reaction from the recipient. This can include emails (phishing), phone calls (vishing), text messages (smishing), etc., designed to persuade someone to click a link, open a document, visit a website, or take some other action. Some scammers are genuine experts at playing on the full range of human emotions, urgency and fear of authority above all, to compel their victims to act. The goal is to make the target "act without thinking," and it works far more often than it should.
The Benefits Of In-Scope Social Engineering
The purpose of a penetration test is usually two-fold: achieve or maintain compliance and secure an organization against data breaches. Depending on the level of security an organization has implemented, various methods for penetrating the external network defenses may prove successful, but both attackers and testers usually open with some social engineering. Here are a few reasons why social engineering should be included in the scope of a pentest.
Real World Assessment
While zero-day exploits and unpublished vulnerabilities steal a lot of the spotlight when it comes to breaches, the majority of successful attacks (68% of breaches in the most recent year's industry breach reporting) involve a human element such as a phished credential or a social engineering call. A penetration test is usually viewed as an assessment of the high-tech defenses of an organization, but those defenses can be bypassed entirely by open-source research and a well-crafted email with a malicious link. An engagement without some social engineering is arguably not providing the best representation of a real-world threat.
Efficacy of Policy And Training
Social engineering can be mitigated through some technical controls such as MFA (Multi-Factor Authentication) or tighter email filters, but no control is perfect. MFA based on one-time codes or push prompts can still be defeated by a real-time phishing proxy that relays the victim's session, so phishing-resistant methods such as FIDO2 security keys close more of the gap, and in some environments even basic controls may be difficult or impossible to implement or enforce. The best line of defense is reinforcing the weakest point in the system, people, with policy (guidelines and playbooks) and training (information and experience). Having professionals spend some time probing an organization's strength of policy and training by employing social engineering can expose, and thereby reduce, the widest avenue used by attackers.
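As an added illustration of what the "tighter email filters" mentioned above actually check, and of the display-name and lookalike-domain tricks the phishing section describes, here is a small classifier over constructed message headers. It is example code, not TCM Security's product or any real mail gateway's logic; the organization domain, the executive list, the sample messages and the edit-distance threshold are all assumptions.

```python
"""Flag inbound mail that impersonates a known executive or the org's domain.

Added example, not TCM Security's code. ORG_DOMAIN, EXECUTIVES and the
sample messages are constructed; the distance threshold and homoglyph
table are assumptions. Three checks are shown: display-name
impersonation, lookalike sender domain, and Reply-To domain mismatch.
"""
import re
from email.utils import parseaddr

ORG_DOMAIN = "acme-corp.com"  # assumed organization domain
# Executives an attacker would most plausibly impersonate, keyed by
# display name with everything but letters stripped.
EXECUTIVES = {"janedoe": "jane.doe@acme-corp.com"}

# Characters commonly swapped in to fool the eye.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "@": "a", "$": "s"})


def levenshtein(a, b):
    """Edit distance between two strings (plain dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize_domain(domain):
    """Undo common visual substitutions so acme-c0rp and acrne-corp compare equal."""
    return domain.lower().translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def lookalike(domain, org_domain=ORG_DOMAIN, max_distance=2):
    """True for domains that imitate org_domain but are not it or a subdomain of it."""
    domain = domain.lower()
    if domain == org_domain or domain.endswith("." + org_domain):
        return False                      # the real domain or a legitimate subdomain
    norm = normalize_domain(domain)
    if norm == org_domain:
        return True                       # differs only by homoglyphs
    if levenshtein(norm, org_domain) <= max_distance:
        return True                       # typosquat: acme-corp.co, acmecorp.com
    org_label = org_domain.split(".")[0]
    return org_label in norm              # acme-corp.com.evil.net, acme-corp-secure.com


def classify(msg, org_domain=ORG_DOMAIN, executives=EXECUTIVES):
    """Return the list of reasons a message looks like impersonation (empty if clean)."""
    reasons = []
    name, addr = parseaddr(msg["from"])
    domain = addr.rpartition("@")[2].lower()
    key = re.sub(r"[^a-z]", "", name.lower())
    if key in executives and addr.lower() != executives[key]:
        reasons.append("display name matches an executive but the address does not")
    if lookalike(domain, org_domain):
        reasons.append(f"sender domain {domain} resembles {org_domain}")
    reply_to = msg.get("reply_to")
    if reply_to:
        reply_domain = parseaddr(reply_to)[1].rpartition("@")[2].lower()
        if reply_domain != domain:
            reasons.append(f"reply-to domain {reply_domain} differs from sender domain")
    return reasons


# Constructed sample headers, not captured traffic.
SAMPLE_MESSAGES = [
    {"from": "Jane Doe <jane.doe@acme-corp.com>"},
    {"from": "Jane Doe <jane.doe.ceo@gmail.com>"},
    {"from": "IT Helpdesk <support@acme-c0rp.com>"},
    {"from": "Jane Doe <jane.doe@acme-corp.com.evil.net>"},
    {"from": "Accounts Payable <ap@acme-corp.com>", "reply_to": "ap@acme-corp-billing.com"},
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(msg["from"], "->", classify(msg) or "clean")
```

The From header itself can be forged, so a check like this belongs behind SPF, DKIM and DMARC enforcement rather than in place of it; its job is to catch the lookalike and display-name abuse that passes authentication because the attacker registered the imitation domain legitimately.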
The Pitfalls Of In-Scope Social Engineering
It is difficult to make a case for no social engineering whatsoever, as it is such a common attack vector. A better perspective would be “how much” social engineering should be pursued during an engagement. Here are a few things to keep in mind when defining the scope of a pentest.
Tester Rabbit Hole
This is a problem that a well-scoped engagement (such as those provided by TCM Security) would solve, but if a tester is given little guidance by an organization, they could spend an inordinate amount of time researching employees looking for the easy way into a network. For a typical five-day engagement, one day should be sufficient for social engineering, depending on the size of the organization.
Use Of Specialized Talent
While social engineering is an important aspect of an engagement, the mitigation efforts essentially boil down to policy and training. There are other methods of attack that require specialized technical knowledge to leverage, such as misconfigured settings, default passwords on forgotten machines connected to the network, or insecure web applications, and a tester can find these and make remediation suggestions. While time should be devoted to OSINT to best represent an attack, there should be a balanced approach to the methods and tactics used.
Additional Employee Stress
There are various levels of targeting, from a broad shotgun spread of generic emails sent to an entire organization (phishing) to a tailored email or phone call to a specific employee from a well-informed "client" or "associate" (spear phishing, or targeted vishing when done by phone). It is important that the targets and degree of targeting be established before the test and that employees learn from the experience without feeling punished. People are still the last line of defense, and an informed person with a positive testing experience is a better defender.
Next Steps
An external pentest can be eye-opening for some organizations that have never experienced the ease with which a network can be breached through relatively low-tech means. In some cases the passwords that guard their information may already be sitting in public breach dumps (14 billion leaked credentials and counting) without them even knowing. But once policies are updated, training conducted, and proper technical controls have been put in place, the organization is on a much better footing to defend its network.
If you are considering a professional external network penetration test where social engineering is handled with tact and professionalism, TCM Security will deliver.
If you are looking for quality training in social engineering techniques, our Practical Phishing Campaigns course offers techniques taught by TCM’s Red Team Lead, Aaron Wilson.
About the Author: Josh Daniels
Josh is an avid storyteller and writer who loves learning about the behind-the-scenes of the digital world we live in. While his professional experience is in content marketing, Josh began pursuing a career in cybersecurity in 2022, earning a Security+ certification along with other training from industry professionals and a lifelong-learner attitude.
When he is not writing, Josh enjoys outdoor adventures with his family, watching movies, reading, and an unofficial (unpaid) side gig as a Game Master Consultant for several friends who play tabletop RPGs. At TCM, Josh has found a home where his passion for storytelling and cybersecurity meet.
“Once men turned their thinking over to machines in the hope that this would set them free. But that only permitted other men with machines to enslave them.”
– Frank Herbert
About TCM Security
TCM Security is a veteran-owned, cybersecurity services and education company founded in Charlotte, NC. Our services division has the mission of protecting people, sensitive data, and systems. With decades of combined experience, thousands of hours of practice, and core values from our time in service, we use our skill set to secure your environment. The TCM Security Academy is an educational platform dedicated to providing affordable, top-notch cybersecurity training to our individual students and corporate clients including both self-paced and instructor-led online courses as well as custom training solutions. We also provide several vendor-agnostic, practical hands-on certification exams to ensure proven job-ready skills to prospective employers.
Pentest Services: https://tcm-sec.com/our-services/
Contact Us: sales@tcm-sec.com