Social Engineering – Targeting the Human Weakness

DTS has conducted more than 50 social engineering simulations over the last couple of years and the results are incredible. The level of cyber security awareness amongst employees varies widely across different industries. On average, more than 60% of users fall for the bait by clicking on a link in a highly crafted email from our covert operations team. This demonstrates not only a lack of employee engagement in training and awareness of the most commonly used cyber security threats, but also that employees are unable to tell the good from the bad. The core benefits of running a social engineering simulation are to:

  • Simulate a social engineering attack on elements of your organization
  • Gauge the effectiveness of information security awareness training
  • Improve the resilience of your organization to social engineering and phishing attacks

The majority of recent high-profile cyber-attacks against top-tier organizations have been successful because they have breached the perimeter through targeted social engineering attacks, otherwise known as ‘spear phishing’.

These attacks identify the contact details of potentially vulnerable people within the organization and use a specially targeted attack vector which is likely to result in the execution of malicious code. Typically, this involves crafting an email that would be of interest to the victim and that incorporates embedded malware, either in the email itself or as an attachment.

Once the code has been executed, it uses network architecture weaknesses to establish command and control connections with the attacker, who can then commence attacks on internal network resources. It is then generally straightforward to identify accessible stores of internal information assets (given that access will have been gained with the credentials of the compromised user) and export them over the internet using protocols that are usually benign and innocuous, such as web connections over encrypted channels, to bypass security controls.

Other attack vectors often include phone calls to staff, usually under the guise of IT personnel or a senior member of staff, attempting to entice them into performing a task that would also have adverse consequences for the organization’s information security.

A defense-in-depth strategy for the protection of information assets should include all elements of security controls, including physical, procedural and technical. As such, it is essential that personnel within the organization are adequately briefed on information security awareness, how to identify and report potentially malicious emails and the inherent risks associated with opening them.

A social engineering simulation by DTS will effectively identify an organization’s susceptibility to social engineering attacks, whether delivered via email, instant messaging, telephone calls or face-to-face within the client’s premises. As part of the assessment, we can use open source intelligence gathering to attempt to identify people within the organization or target a specific team or function that the client determines should be the subject of the investigation.

We will then systematically target those individuals with a bespoke attack which we believe (in co-ordination with the client) has the highest probability of success. All attempts will incorporate a means to measure the success and may also determine whether it would be possible to breach the architecture and establish outbound command and control connections.

The output of the exercise will establish the effectiveness of information security awareness within the organization, provide statistics on successful and unsuccessful attempts, detail whether it was possible to compromise the perimeter, and provide a detailed set of issues alongside pragmatic remedial activities that can be used to make improvements.


Our covert testing team at DTS has undergone training from third party agencies to develop social skills and structure these types of assessments. This, combined with the personal attributes that enable them to convincingly assume the roles they adopt and their experience in Information Security, makes them an ideal team for this type of exercise. Some of the tests conducted during this assessment are as follows:

  • Telephone Impersonation
  • Email Phishing
  • Onsite Impersonation
  • Clean Desktop Testing
  • Suspicious Activity Testing
  • Dumpster Diving and Shred Testing
  • Tailgating
  • Piggybacking
  • Reverse Social Engineering
  • Shoulder Surfing
  • Remote Access VPN Account Compromise

Contact us to learn more about Social Engineering
