Bishop Fox Expands Social Engineering Adversarial Emulation Services
PHOENIX, AZ – June 28, 2023 – Bishop Fox, the leading authority in offensive security, today announced an expansion of its Social Engineering testing services, which are an integral part of the company’s comprehensive Red Team portfolio. In contrast to narrow and rudimentary security awareness solutions, Bishop Fox’s services emulate complex, multistage and multilayer adversarial attack behavior, provide in-depth results and actionable guidance for organizational improvement, and offer a unique ability for internal teams to participate in “ride along” observation of the process — from Open Source Intelligence (OSINT) and pre-text development, to attack execution.
The 2022 World Economic Forum’s Global Risks Report estimates 95% of all cyberattacks involve human error. Compounding the concern, Gartner cites that while 90% of cybersecurity functions have a user security awareness program, 69% of employees admit to intentionally bypassing their organization’s guidance. The issue is exacerbated by the fact that awareness programs – from “lunch and learns” and training materials, to automated phishing campaigns – not only miss the mark but fail to adequately educate organizations about their largest exposures or provide evidence of downstream impact to inform security programs at large. This is why a recent study conducted by the Ponemon Institute placed Social Engineering as the #2 reason enterprises are investing in broader offensive security assessments and robust Red Team engagements, second only to ransomware.
“Too many organizations are trying to throw technology at something that isn’t exclusively a technology problem,” said Alethe Denis, senior security consultant for Bishop Fox. “You can contain software and data in a virtual machine, but you can’t contain a user in an office. The universe of technology, functional tasks, and on/offline interactions in which individual employees engage, each represent either a potential point of intelligence or compromise – and that doesn’t even account for intentional acts. That’s why cookie-cutter security awareness programs, largely designed to satisfy lowest-common-denominator and compliance requirements, fail. Getting into the context of a particular attack is not as effective as getting into the mind of the attacker. Our expanded team and testing options provide the most comprehensive view of how attackers view your employees and truly assess your vulnerability.”
On a positive note, the recent Ponemon report also finds that enterprises are aware of the risk, with nearly two-thirds already deploying Red Teams in some capacity, and more than half planning to increase that investment over the next 12-24 months.
Since Social Engineering is arguably the most impactful and weakest link in security programs, Bishop Fox designed their new services to expose every aspect and angle of attack tactics, techniques and procedures to users and security teams. This ensures full understanding of both what is possible and what is probable. The services and activities are tightly integrated with other Red Team activities to provide a complete environmental view of risk and exposure – and to prioritize the most urgent needs to address.
The new Social Engineering services include:
- True Social Engineering Adversary Emulation: Activities are flexible and crafted to each organization’s unique context and environment, including logistics, user targeting/OSINT, pretext/payload development, and more. Then a multi-vector attack is simulated, including email, enterprise chat, phone, and physical attack vectors, to provide a more accurate assessment of exposure and resilience to a skilled adversary.
- Full Reporting of Human Vulnerabilities: In-depth, post-engagement reporting demonstrably improves user awareness and security culture. Reports provide detailed breakdowns of attack narratives and actions, defensive performance, and results against target objectives. They also include a complete stakeholder walkthrough of findings and recommendations for program improvement.
- Security Team “Ride Along”: Internal practitioners have the ability to observe and monitor the full attack process and effects as they play out – with the ability to adjust activities to make sure they are effective, but also sensitive to a proper workforce balance. This gives practitioners valuable insight into attacker methods to strengthen their own skills and knowledge.
“An attacker will look for and exploit any opportunity presented to them, and an endless amount of industry data and evidence underscores the rampant opportunity presented by a disparate and unsuspecting employee population,” said Trevin Edgeworth, Red Team practice lead at Bishop Fox. “Red Teaming without a strong and comprehensive Social Engineering component leaves a massive blind spot and increases exposure for an organization. Bishop Fox has seen a surge of more than 60% annually for its Red Team services over the past three years, indicating that organizations understand the value of an offensive mindset and perspective. Offering this new service is critical for us to answer the need and demonstrably improve organizational security posture.”
Bishop Fox’s Red Team portfolio offers a modular approach to testing both individual and inter-related elements of an enterprise attack surface. The company offers advanced attack emulation and readiness exercises designed to measure the efficacy of security teams and their ability to respond to attackers before sensitive systems and data are compromised. With the largest and most diverse private sector team of offensive security specialists, Bishop Fox assimilates a broad range of specialists for each engagement. Assessors have extensive knowledge of their targets and conduct thorough testing with a state-of-the-art arsenal of open source and privately developed security tools. The company follows industry best practices and proprietary methodologies that exceed even the most stringent frameworks and regulatory requirements, enabling more thorough and effective communication of attack readiness to senior business leadership to drive strategic security decision making.
About Bishop Fox
Bishop Fox is the leading authority in offensive security, providing solutions ranging from continuous penetration testing, red teaming, and attack surface management to product, cloud, and application security assessments. We’ve worked with more than 25% of the Fortune 100, half of the Fortune 10, eight of the top 10 global technology companies, and all of the top global media companies to improve their security. Our Cosmos platform, service innovation, and culture of excellence continue to gather accolades from industry award programs including Fast Company, Inc., SC Media, and others, and our offerings are consistently ranked as “world class” in customer experience surveys. We’ve been actively contributing to and supporting the security community for almost two decades and have published more than 16 open-source tools and 50 security advisories in the last five years. Learn more at bishopfox.com or follow us on Twitter.