The Social-Engineer Framework defines social engineering as "any act that influences a person to take any action that may or may not be in their best interest".
A social engineer could be a:
Scammer who sends out phishing emails asking you to reveal your banking details or to transfer money to foreign accounts.
Penetration tester who is trying to gain access to the company by pretending to be an elevator technician.
Spy who takes on different identities in order to infiltrate an organization.
Salesperson who is using human emotions to influence sales.
In a typical social engineering engagement, an attacker uses social skills to obtain or compromise an organization’s assets.
With companies transitioning back from remote to in-person work, teams will need to be mindful of the changing threats their organization faces and how social engineers will try to exploit this opportunity. You can equip your team to detect and respond to the interactions where social engineers thrive by regularly conducting your own social engineering exercises.
To help prepare your team for its next exercise, we’ve recapped the four phases that define a social engineering engagement.
Phase One: Reconnaissance
Social engineering reconnaissance involves collecting the necessary information to plan and execute the engagement. The more information a social engineer can collect, the better prepared they are for later stages of the engagement, as they’ll be able to act more naturally. The information collected during this phase forms a foundation for success during the rest of the exercise.
The goals need to be kept in mind so that relevant information can be collected effectively. Collecting and analyzing irrelevant information will hinder the success of the exercise.
Information gathering can be roughly categorized into three methods:
Technical sources make use of technical tools. This includes phone calls, online searches, social networks, websites, and watering holes.
A relevant concept here is Open Source Intelligence (OSINT). This refers broadly to any information or knowledge that can be obtained from openly available sources, e.g., Google Search or Street View, government databases for building structures, etc.
The U.S. Intelligence Community book by Jeffrey T. Richelson divides OSINT sources into six different categories: media, internet, public government data, professional and academic publications, commercial data, and grey literature. It’s important for an organization to consider widely-accessible information that could expose vulnerabilities.
If the exercise is going to be partly conducted onsite, it is imperative to familiarize yourself with that environment.
Some questions to bear in mind while doing physical reconnaissance:
What are the employees wearing?
What are the normal office hours?
What sort of jargon do the employees use?
Which third-party services are they using?
Where are the main access points to your client's buildings?
The typical social engineering exercise is tightly intertwined with the rest of the security evaluation. Therefore, it makes sense to also bear in mind the physical security aspects in the physical reconnaissance phase. For example, consider what sort of doors and security mechanisms the target has in place.
While conducting physical reconnaissance, you should be careful not to arouse the suspicion of the security staff, as this may compromise the later steps of the exercise.
Dumpster diving means collecting relevant information or knowledge from the organization's trash. Sometimes everything you need for a successful backstory or entry is already contained in the documents you find in the trash.
Phase Two: Engagement
During this phase, the social engineer interacts with the target to build a rapport and gain enough access or knowledge to move forward with the exercise.
There are several methods of engagement developed over the years. Some of these methods are executed remotely.
A large number of emails sent to the employees of a company that, when opened, seek to infect the device or retrieve credentials.
A targeted email sent to a specific person with privileged access that seeks to infect a system or retrieve credentials.
A telephone call used to gain access or information, often combined with Caller ID spoofing.
SMiShing is using SMS text messaging for social engineering. The sender ID may be spoofed.
Impersonation is acting in person with a thoroughly crafted pretext. It is important to carefully think through all of the aspects of the pretext, such as name, date of birth, origin, education, hobbies, etc.
Remote methods provide less feedback on the target's emotions and are more difficult in terms of reading people. Physical proximity provides more social cues, but also demands better social skills and keeping one’s composure throughout the exercise.
Phase Three: Exploitation
Assuming the reconnaissance and engagement steps have been successful, you have access to the organization. During this phase, the goal you set is achieved. This could be extracting some information or getting access to a specific room or machine. Keep in mind that this goal needs to be agreed upon before the engagement begins.
Phase Four: Closure
If the goal is achieved in the exploitation phase, the interactions need to be closed down without arousing any suspicion. The objective is to end the engagement without being noticed by the target, so it is important to end the interactions as naturally as possible.
Being able to detect incidents that happened in the past is an important part of any organization's security posture. Therefore, this aspect needs to be examined as well.
Using this framework, you can create a working structure for your own social engineering exercise. Now is an especially important time to try this at your organization. More and more offices are returning to in-person work for the first time in over a year, and it’s possible your team has forgotten some of the security practices that traditionally safeguarded the organization before. Conducting your own social engineering exercise can help you identify points of vulnerability in your organization, educate your employees on warning signs, and prepare your team to defend against social engineering threats.