Social Engineering Adds Depth to Red Team Exercises

When Alethe Denis conducts a social engineering attack as part of a red team exercise, the Bishop Fox security consultant often presents the targets with the exact email template that her team intends to use — such as a dress-code missive from human resources — and yet the attack almost always succeeds.

"They've literally seen the email template, and I've highlighted the fact in my training that HR-based pretexts are extremely common and incredibly successful — 'Here's an example of a dress-code e-mail template,'" she says. "And they go, 'Yes, yes, yes.' And then on the day that I send the campaign, at least one person clicks."

Pretext attacks and phishing have taken off as attackers have come to rely on them as an effective approach to compromising businesses, with about one in every six attacks including a social engineering component, according to Verizon's recently released "2023 Data Breach Investigations Report" (DBIR). For that reason, social engineering has also become a necessary part of red team exercises and penetration tests, and more providers are expanding their service offerings. Bishop Fox, for example, announced on June 28 that the firm had expanded its red team offerings to include social engineering attack emulation, more in-depth reporting on human-focused attacks, and the ability for customers to "ride along" to both learn from and oversee any exercises.

The goal is not only to show the potential threat that the social engineering vector poses for initial access, but to highlight how companies can react effectively following a successful attack, Denis says.

"We don't rely simply on testing humans when we're conducting social engineering," she says. "Our goal is to understand the weaknesses and then make recommendations that would allow the organization to put technical controls in place to prevent phishing and social engineering."

The shift is another way that today's red team engagements and penetration testing differ from those of a decade ago. Consultants are more focused on emulating the attackers, not just outfoxing the defenders and finding the easiest way to a business' crown jewels. In addition, penetration testing is more integrated with other security tools, such as those used by security operations centers and application security teams. And because more companies have grown accustomed to crowdsourcing, penetration-testing services now offer more frequent engagements.

Understanding the Impact of Social Engineering

By including social engineering in a penetration-testing engagement, companies gain the opportunity to learn about specific weak points in their training and environments, such as lax security protocols and a lack of security awareness among employees, says Chris Scott, managing partner at Unit 42 at Palo Alto Networks.

"These tests are more than just seeing if an attack could succeed, but also to discover how it could succeed within your environment," he says. "Social engineering is part of the early phases of an attack, and being able to detect and respond to these attacks is key to limiting their impact."

Attackers continue to gather more passive intelligence on their targets, prior to an attack, according to experts. While a penetration test can help you discover easily exploitable vulnerabilities, focusing on social engineering tactics will make it that much harder for an attacker to succeed, says Andrew Obadiaru, chief information security officer at crowdsourced pen-testing service Cobalt.

"Threat actors understand what motivates people to enter their credentials, reply to an email, or click a link," he says. "Mitigating endpoint security, such as social engineering, is important because it shows how people react to urgent situations and whether or not they are willing to disclose personal or intellectual information."

Purple Is the New Black

The ultimate reason to add social engineering to a red team exercise or penetration-testing engagement is to allow companies to uncover the unexpected ways that an attacker could parlay a simple email message into a significant compromise. Conducting tabletop exercises internally has its limits, says Erich Kron, a technical evangelist at security awareness firm KnowBe4.

"Testing yourself for vulnerabilities is a lot like grading your own homework, so it is important to have an outside view and approach to finding vulnerabilities in your organization," he says.

Thus, the "purple team" approach — where penetration testers, or red teams, work with the internal security team, or blue team — is critical, Kron adds.

"A penetration test that provides the organization with a list of vulnerabilities is far less useful than coordinating with the defensive team so they understand the vulnerabilities and how to mitigate them," he says.

Overall, companies need to make sure that their security operations can respond in the right way to a successful social engineering attack and find ways to prevent the initial compromise. Putting rules in the browser that prevent people from visiting newly registered domains and rolling out multifactor authentication are two good ways for businesses to harden their IT environments against social engineering, Bishop Fox's Denis says.

"Regimented, compliance-driven phishing exercises are great to support training efforts and security awareness training to help individuals identify when they're being manipulated," she says. "But while they're great for training purposes, they should not be relied upon for protection of the organization against social engineering."