Social engineering is an attack that requires human interaction, persuading employees of the target company to act, such as opening a malicious document, or providing authentication credentials.
While the social engineering delivery method is usually assumed to be email, many other channels such as SMS messages, calls, or social media may be used in the assessment. During the test, spearphishing attacks are preferred, where a user’s personal information and position in the company are used to enhance a pretexting scenario, improving the success rate.
Usually, social engineering attacks are carried as a part of an adversary simulation assessment.
Social engineering assessments are very different between customers, but we use a repeatable and reliable structure for our tests. The step-by-step approach ensures consistency in key areas while being flexible enough to account for different attack environments and scenarios.
During the initial stage of the social engineering assessment, a list of potential targets is created, detailing phone numbers, names, emails, positions in the company, and any available additional info. Also, a list of applications and services suitable for cloning to use in phishing attacks is developed. The company’s infrastructure is researched to learn about used phishing countermeasures, antivirus programs, and potential vulnerabilities in the infrastructure that require social engineering to exploit.
Utilizing the knowledge gained at the previous stage, attack scenarios are developed. Preparing an attack scenario requires creating unique email templates, malicious payloads, phishing websites, and call scenarios. The attack infrastructure is set up to support various listeners, file transfer services, email servers, and phishing backend. Each scenario is then thoroughly tested on a virtual infrastructure emulating the customer’s security setup. For onsite assessments, payloads and exploitation devices are created and tested.
Using the target lists and specified attack scenarios, the attacks are carried out with the appropriate emails and voice calls. For onsite assessments, a series of tests are started, including ‘baiting’ with infected USB drives, setting up onsite wireless Evil Twin attacks, delivering Keystroke Injection attacks via prepared devices, and more.
If the social engineering test is carried out as a part of an adversary simulation, initial access is used to obtain persistent access to the network to carry out further attacks.
After the social engineering test is complete, we create a report that outlines both the executive summary and assessment-specific details. We also provide remediation steps and training recommendations for any vulnerability we exploit.
Once the report is reviewed, a debrief meeting is scheduled to answer any questions and elaborate on the details in the social engineering report.
Infrastructure penetration testing focuses on the security of both the application environment and the supporting infrastructure, including third-party services and applications. The testing is performed with a combination of manual and automated techniques, tailored for the specific environment.
Tenendo specialists discovered an unattended staging environment and leveraged its vulnerabilities for sensitive information disclosure. This information was later reused in an attack against the main application, that allowed us access to the payment API on behalf of other customers of our Client.
Adversary simulation assessments allow to completely emulate the actions of a malicious individual and trigger proper security team response.
