Manipulating the Mind: The Strategy and Practice of Social Engineering
TL;DR: This blog explores the intricacies of social engineering, examines its various forms, and describes how adversaries set, define, and achieve objectives by leveraging social engineering tactics and strategies.
Advice is also offered to defenders as to how they can prepare organizations to defend against social-style attacks and guard against these using a blend of human and technical defensive strategies.
In the realm of information security, social engineering is the sophisticated art of manipulating people into divulging confidential information or performing actions that benefit the attacker. As seasoned social engineers and red team penetration testers, the Bishop Fox Red Team has honed its skills in the subtle yet powerful techniques that can unravel the most robust security protocols.
This article will cover the intricacies of social engineering, explore its various forms, and describe how adversaries set, define, and achieve objectives leveraging social engineering tactics and strategies. We will also offer advice to defenders as to how they can prepare organizations to defend against social-style attacks and guard against these using a blend of human and technical defensive strategies.
What is Social Engineering?
In the context of cybersecurity, social engineering is focused on leveraging human psychology and behavioral tendencies to elicit information, influence humans to take actions on behalf of attackers and ultimately to breach security systems. The primary tactics include:
- Email Phishing: Crafting deceptive emails to extract information or credentials, or to compromise the victim’s systems.
- Voice Phishing (Vishing): Using phone calls to gather intelligence or gain system access under the guise of legitimate inquiries.
- Text Message or SMS Phishing (Smishing): Deploying SMS messages to lure victims into revealing sensitive information or clicking malicious links.
- Impersonation or Pretexting: Pretending to be someone else, often during physical engagements, to infiltrate a system or facility.
Setting Social Engineering Objectives
When Bishop Fox conducts Red Team engagements that include social engineering in scope, defining clear objectives is crucial. Typically, these goals are twofold: raising security awareness and identifying gaps in security policies and procedures. Specific targets (such as obtaining sensitive or proprietary information, obtaining user credentials, or gaining remote access) guide the approach and tactics the security consultants use during the campaign.
These goals are typically discussed with the client and set by the Red Team before the project kick-off; the Red Team then designs an attack path to that trophy or objective. The path may take a variety of routes, and it may take several attempts and a number of distinct social engineering vectors to accomplish.
This type of engagement more closely emulates a real-world scenario, although in a more condensed timeframe: Red Team engagements are timeboxed to the scope of a project, whereas real-world attackers have no such limiting factor.
Defining Social Engineering Targets
A successful social engineering engagement starts with well-defined targets. Security consultants often request:
- A client-provided list of names, roles, departments, and contact information.
- Clarification on out-of-scope targets to ensure ethical boundaries are respected.
When such lists aren’t available, consultants conduct their own reconnaissance, leveraging platforms like LinkedIn and sales lead generation tools to gather necessary contact details.
This can create ethical challenges for consultants, because clients cannot authorize security companies to test employee-owned devices and accounts. If consultants are tasked with sourcing all contact information for the targeted employees in order to replicate a ‘no knowledge’ style attack, the engagement takes additional time and cost. It may also require a further validation phase by the client to ensure that the consultants do not use personally owned employee phone numbers, email addresses, social media accounts, or other personal methods of contact, as these are generally considered out of scope for ethical reasons.
Most clients elect instead to take advantage of the cost savings and time efficiency of providing a list of intended recipients for the social engineering campaigns along with approved methods of contact, such as company-issued email addresses and company-owned mobile phone numbers. This also allows for more targeted campaigns that test specific job functions within the client organization, producing a better outcome and more robust reporting from the assessment.
Creating Social Engineering Scenarios
Scenarios are crafted narratives designed to exploit human tendencies. These often employ influence tactics like authority—impersonating a superior to compel compliance—and scarcity, which prompts urgent actions like responding to an imminent password expiration.
Common scenarios include:
- Suspicious Email Log-in Attempts: Fake alerts about login attempts direct users to counterfeit webpages to steal credentials.
- Expiring Passwords: Phony prompts for password changes intercept credentials and gain account access.
- IT Help Desk Credential Resets: Impersonating employees to request password resets, claiming lost or compromised work phones.
- Remote Access: Pretending to be IT support to gain remote access to employee workstations.
Social Engineering Tools
Successful campaigns employ a mix of public and proprietary tools:
- Phishing Frameworks: Tools like GoPhish, Lucy, Modlishka, and evilginx2 can help consultants to create convincing phishing campaigns.
- Reconnaissance Tools: Skrapp.io, LinkedIn Scrapper, and SalesIntel RevDriver assist in gathering target information, crucial for vishing or smishing efforts.
Enhancing the legitimacy of attacks involves innovative and advanced techniques such as:
- Exploiting Microsoft Teams: Using Teams’ external communication features to create credible, malicious chats.
- Reconnoitering the External Attack Surface: Identifying login pages for SaaS applications and other services through subdomain discovery.
- Leveraging Domain Weaknesses: Analyzing domain configurations for weaknesses that facilitate email spoofing and registering lookalike domains.
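Defenders can run the same domain-configuration review on their own mail domains before an adversary does. The following is an added example, not Bishop Fox code: it evaluates SPF and DMARC TXT records for the weaknesses that make spoofing easy. The domains and records are constructed samples, and `sample_lookup` stands in for a real DNS TXT query.

```python
# Added example (not Bishop Fox code): defender-side review of SPF/DMARC posture.
# SAMPLE_TXT holds constructed TXT records for hypothetical domains; in production,
# replace sample_lookup with a function that performs a real DNS TXT query.
SAMPLE_TXT = {
    # hypothetical domain: SPF softfail only, and no DMARC record at all
    "weak.example": ["v=spf1 include:_spf.mail.example ~all"],
    # hypothetical domain: SPF hardfail plus an enforcing DMARC policy
    "strong.example": ["v=spf1 include:_spf.mail.example -all"],
    "_dmarc.strong.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@strong.example"],
}

def sample_lookup(name: str) -> list[str]:
    """Stand-in for a DNS TXT query, answered from the constructed records above."""
    return SAMPLE_TXT.get(name, [])

def assess_spoofability(domain: str, txt_lookup=sample_lookup) -> list[str]:
    """Return findings that make spoofing `domain` easier; an empty list means none found."""
    findings = []
    spf = [r for r in txt_lookup(domain) if r.lower().startswith("v=spf1")]
    if not spf:
        findings.append("no SPF record")
    else:
        # The 'all' mechanism (with its qualifier) decides the fate of unlisted senders.
        all_mech = next((t for t in spf[0].split() if t.lower().lstrip("+-~?") == "all"), "")
        if all_mech in ("+all", "all", "?all"):
            findings.append(f"SPF accepts any sender ({all_mech})")
        elif all_mech == "~all":
            findings.append("SPF softfail only (~all); enforcement depends on DMARC")
    dmarc = [r for r in txt_lookup("_dmarc." + domain) if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        findings.append("no DMARC record: receivers will deliver spoofed mail")
    else:
        tags = dict(kv.strip().split("=", 1) for kv in dmarc[0].split(";") if "=" in kv)
        if tags.get("p", "none").strip().lower() == "none":
            findings.append("DMARC p=none: monitoring only, no enforcement")
    return findings
```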
A few real-world examples include:
- Microsoft Teams Attack: Compromising an account and impersonating a high-level manager to extract MFA codes.
- Vishing the IT Help Desk: Using phone-based deception to masquerade as an employee and obtain MFA codes to gain system access.
- Email and Vishing Combo: Combining email and phone tactics to deceive the staff of an organization to click on malicious links using rapport building and pretexting.
- Executive Impersonation: Attempting to gain an executive’s password by impersonating them in a high-stakes scenario.
- Ransomware via Vishing: Gathering information from LinkedIn to impersonate a privileged IT staff member and deploy ransomware.
Measuring Success as Red Teamers
Success ranges from a single phishing click to compromise of an entire company network, depending on the goal of the red team engagement. The ultimate goal, however, is to identify and mitigate security vulnerabilities. Key lessons include:
- Educating, Not Punishing: Security assessments should aim to improve policies and training, not blame employees.
- Continuous Awareness: Regular training, especially for new hires, is critical, as human error is often the weakest link.
- Beyond MFA: Multi-factor authentication alone isn’t foolproof; physical security tokens like YubiKeys and Universal Second Factor (U2F) authentication offer stronger protection.
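The difference behind the last lesson is origin binding: a one-time code is valid wherever the victim types it, while a U2F/FIDO assertion is signed over the relying-party ID that the browser observed, so an assertion produced on a lookalike page fails at the real site. The toy model below is an added example, not Bishop Fox code; it uses an HMAC over a per-RP derived key as a stand-in for the real device's per-RP ECDSA key pair, and `login.example.com` / `login-example.com` are hypothetical domains.

```python
import hashlib, hmac, secrets, struct

# Added example (not Bishop Fox code). Toy model of why a relayed MFA code works for an
# attacker while a U2F/FIDO assertion does not: the code carries no notion of where it was
# typed; the assertion is bound to the relying-party ID the browser actually saw.

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1). Nothing in the code identifies the site it was typed into."""
    mac = hmac.new(secret, struct.pack(">Q", unix_time // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"

def totp_relay_succeeds(secret: bytes, unix_time: int) -> bool:
    """Victim types the code on a lookalike page; attacker relays it to the real site in time."""
    relayed_code = totp(secret, unix_time)          # captured on the lookalike page
    return relayed_code == totp(secret, unix_time)  # real site computes the same code: accepted

class ToyAuthenticator:
    """Stand-in for a U2F key: one key per relying-party ID, every signature covers that ID.
    HMAC with a per-RP derived key replaces the real device's per-RP ECDSA key pair (toy)."""
    def __init__(self):
        self.master = secrets.token_bytes(32)
    def _key(self, rp_id: str) -> bytes:
        return hmac.new(self.master, rp_id.encode(), hashlib.sha256).digest()
    def register(self, rp_id: str) -> bytes:
        return self._key(rp_id)                     # real device: hands the RP a public key
    def sign(self, rp_id: str, challenge: bytes) -> bytes:
        return hmac.new(self._key(rp_id), rp_id.encode() + challenge, hashlib.sha256).digest()

def rp_verify(registered_key: bytes, rp_id: str, challenge: bytes, assertion: bytes) -> bool:
    """The real relying party checks the assertion against its own ID and challenge."""
    expected = hmac.new(registered_key, rp_id.encode() + challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion)

def u2f_login_succeeds(origin_seen_by_browser: str, real_rp: str = "login.example.com") -> bool:
    """The browser, not the page, supplies rp_id from the origin it is actually on."""
    key = ToyAuthenticator()
    registered = key.register(real_rp)
    challenge = secrets.token_bytes(32)             # issued by the real RP, relayed if phished
    assertion = key.sign(origin_seen_by_browser, challenge)
    return rp_verify(registered, real_rp, challenge, assertion)
```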
Conclusion
Understanding the methods and tools of social engineering is vital for enhancing security awareness and identifying vulnerabilities. Regular training, robust security measures, and a proactive approach can significantly mitigate the risks posed by these sophisticated attacks.
The best defense for any organization is the layering of physical, human, technical, tool-based, and policy-enforced controls to minimize any risk that could be fatal for an organization.
Testing is crucial to provide reassurance that an organization is prepared to defend against a social engineering attack. It is also difficult to identify your own vulnerabilities: security teams often make assumptions and have too much inside knowledge to provide a truly unbiased and accurate test of an organization’s defensive strategy, detections, alerting, and response during a suspected incident.
Failing during an assessment is always the best-case outcome, as it gives the organization a chance to mitigate the vulnerabilities and reduce risk before a malicious attacker exploits them.
For a deeper dive into our social engineering methodologies, explore Bishop Fox’s comprehensive approach to security engagements.