This blog outlines Triaxiom Security’s social engineering methodology, which guides our engineers during these types of engagements. Social engineering engagements are designed to target and take advantage of the human element to gain access to your network. During the engagement, a variety of methods are used to get an employee to click on something they shouldn’t, provide their credentials to an unknown individual or website, or divulge information that may assist an attacker in breaching your network. The goal for the engineer performing this assessment is to gain information that may assist in future attacks, gather valid user credentials, or gain a foothold on the internal network. The sections below outline the standards, tools, and processes that Triaxiom Security’s engineers follow while completing this assessment.
Triaxiom Security’s social engineering methodology is based on the following industry standards:
- Technical Guide to Information Security Testing and Assessment (NIST 800-115)
- The Penetration Testing Execution Standard (PTES)
- Payment Card Industry (PCI) Penetration Testing Guidance
The lead engineer for any social engineering engagement shall, at a minimum, meet the following requirements:
- Have a minimum of 5 years of experience in Information Security.
- Hold the Offensive Security Certified Professional (OSCP) certification.
- Hold the Certified Information Systems Security Professional (CISSP) certification and be in good standing.
- Have completed all social engineering training requirements and been formally approved.
Sample of Tools Used
Although our social engineering methodology cannot list every tool we may use, the following is a sample of the tools that may be used during social engineering:
- Social Engineering Toolkit
- theHarvester
- Spoofcard
- Netcat
- Metasploit Framework
- Maltego
- PowerShell Empire
- Veil-Evasion
- Recon-ng
- BloodHound
- Custom Scripts
- Google Hacking Database (GHDB)
Our social engineering methodology can be broken into 3 primary stages, each with several steps: pre-engagement, active assessment, and reporting.
Stage 1: Pre-Engagement
1. Gather Scoping Information
After initiating the project, scoping and target information will be collected from the client. In the case of social engineering, this information includes the targets (names, email addresses, phone numbers, departments, physical locations) and the compromise goals that help us focus our attacks. It is also possible to perform a zero-knowledge social engineering engagement, in which the test team discovers the targets on its own using the open-source intelligence it is able to gather.
2. Review Rules of Engagement
This process will involve a brief meeting with the client to review and acknowledge the rules of engagement, confirm project scope and testing timeline, identify specific testing objectives, document any testing limitations or restrictions, and answer any questions related to the project.
Stage 2: Active Assessment
1. Reconnaissance
Once the test has officially begun, a start notification will be sent to the client. The first phase is open-source intelligence gathering, which includes a review of publicly available information and resources. The goal of this phase is to identify any information that may help during the following phases of testing: email addresses, usernames, phone numbers, information about the company that lets us pose as insiders, job titles, organization charts, third parties you work with, specific technology in use, and so on. Additionally, this step includes searching for sensitive information that should not be publicly available, such as internal communications, salary information, or other potentially harmful disclosures.
Tools may include: Recon-ng, Maltego, Google Hacking, Custom Scripts
2. Threat Modeling
For this assessment, the threat modeling phase serves to evaluate the types of threats you are most likely to encounter, based on the information we find during the reconnaissance stage. Our attacks are designed to emulate the real-world methods attackers are using, based on recent data breaches and threat intelligence. Additionally, our attacks typically scale in sophistication throughout the assessment: Triaxiom starts with a very sophisticated attack that is unlikely to be detected, then progressively reduces the sophistication with the goal of discovering where your threshold of detection lies.
By default, Triaxiom will include three styles of campaign as part of a social engineering engagement. The first will be “vishing,” or phone-based social engineering. The second will be a spear phishing campaign that leverages emails targeted at specific individuals. The final campaign is a bulk phishing campaign that will be a more generic email campaign sent to a large batch of employees, in the hopes that some will be compromised.
During the threat modeling stage of the assessment, the engineering team will develop all three campaigns so they can be deployed quickly during the attack phase, lowering the chance of detection. This may include purchasing domains and designing websites that impersonate a trusted resource, developing backdoors to bypass antivirus, and creating email templates.
Tools may include: Social Engineering Toolkit, Custom Scripts, Veil-Evasion
3. Vulnerability Analysis
The vulnerability analysis phase of a social engineering engagement entails delivering the campaign and seeing whether the victim falls for it. For phone calls, this is straightforward, as Triaxiom is on the phone with the victim during delivery. For email-based phishing attacks, Triaxiom uses hidden tracking images and unique links to determine how many targets opened the email, clicked the link, entered their password, and so on. This allows us to track whether an employee fell for the lure even if our backdoor or exploit did not work because of technical controls in place. This data is used to provide statistics in the final report.
Tools may include: Spoofcard, Email Provider, Metasploit Framework, Custom Scripts
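The tracking described above is usually implemented by giving every recipient a unique token that is embedded in both the hidden image URL and the lure link, so each hit on the phishing server can be mapped back to one employee. The following is an added illustration, not Triaxiom’s tooling or any named product: tokens are derived with HMAC so that a curious recipient cannot guess another target’s URL, and the funnel counts unique recipients per stage. Two practical caveats are built in: mail clients frequently block remote images, so a click or credential submission without a pixel hit still counts as “opened”; and mail gateways or link scanners may fetch the same URL several times, so repeated hits from one token are not double counted. All hostnames, recipients, and log lines are constructed for the example.

```python
"""Per-recipient tracking tokens and funnel statistics for a phishing campaign.
Added example (not Triaxiom's tooling); recipients, host and log lines are constructed.
"""
import hashlib
import hmac

# Funnel stages in order. Reaching a later stage implies the earlier ones
# (you cannot submit credentials on a page you never clicked through to).
STAGES = ("sent", "opened", "clicked", "submitted")
RANK = {s: i for i, s in enumerate(STAGES)}


def make_token(campaign_key: bytes, recipient: str) -> str:
    """Derive an unguessable per-recipient token (HMAC-SHA256, truncated).
    Keyed derivation means a target who inspects their own link cannot
    enumerate or forge another target's token, yet the engineer can still
    regenerate the mapping from the campaign key and the target list."""
    mac = hmac.new(campaign_key, recipient.strip().lower().encode(), hashlib.sha256)
    return mac.hexdigest()[:20]


def build_campaign(campaign_key: bytes, recipients, base_url="https://lure.example.invalid"):
    """Return {token: {recipient, pixel, link}}; pixel and link go into the email."""
    campaign = {}
    for r in recipients:
        t = make_token(campaign_key, r)
        campaign[t] = {
            "recipient": r,
            "pixel": f"{base_url}/i/{t}.gif",  # hidden 1x1 image  -> 'opened'
            "link": f"{base_url}/l/{t}",       # lure link (GET)   -> 'clicked'
        }                                      # fake portal (POST) -> 'submitted'
    return campaign


def parse_hits(log_lines):
    """Parse constructed access-log lines of the form 'time method path'
    into (token, stage) pairs. Anything else is ignored."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue
        _, method, path = parts
        if method == "GET" and path.startswith("/i/") and path.endswith(".gif"):
            hits.append((path[3:-4], "opened"))
        elif method == "GET" and path.startswith("/l/"):
            hits.append((path[3:], "clicked"))
        elif method == "POST" and path.startswith("/l/"):
            hits.append((path[3:], "submitted"))
    return hits


def funnel(campaign, hits):
    """Count unique recipients that reached each stage.
    Returns (counts_by_stage, furthest_stage_by_recipient)."""
    furthest = {}
    for token, stage in hits:
        if token not in campaign:           # unknown or forged token: drop it
            continue
        if RANK[stage] > RANK[furthest.get(token, "sent")]:
            furthest[token] = stage         # keep only the deepest stage per target
    counts = {s: 0 for s in STAGES}
    counts["sent"] = len(campaign)
    for stage in furthest.values():
        for s in STAGES[1 : RANK[stage] + 1]:   # roll a click up into 'opened', etc.
            counts[s] += 1
    return counts, {campaign[t]["recipient"]: s for t, s in furthest.items()}


# --- constructed demo data ---------------------------------------------------
CAMPAIGN_KEY = b"constructed-demo-key-rotate-per-engagement"
RECIPIENTS = ["alice@example.invalid", "bob@example.invalid",
              "carol@example.invalid", "dave@example.invalid"]
CAMPAIGN = build_campaign(CAMPAIGN_KEY, RECIPIENTS)
_T = {r: make_token(CAMPAIGN_KEY, r) for r in RECIPIENTS}
SAMPLE_LOG = [
    f"10:00:01 GET /i/{_T['alice@example.invalid']}.gif",  # alice loaded the image
    f"10:00:02 GET /l/{_T['alice@example.invalid']}",      # alice's link fetched ...
    f"10:00:02 GET /l/{_T['alice@example.invalid']}",      # ... twice (e.g. a link scanner)
    f"10:05:00 GET /l/{_T['bob@example.invalid']}",        # bob clicked, images blocked
    f"10:05:30 POST /l/{_T['bob@example.invalid']}",       # bob typed credentials
    f"10:06:00 GET /i/{_T['carol@example.invalid']}.gif",  # carol only opened
    "10:07:00 GET /l/deadbeefdeadbeefdead",                # forged token, ignored
]


def run_demo():
    return funnel(CAMPAIGN, parse_hits(SAMPLE_LOG))


if __name__ == "__main__":
    counts, per_recipient = run_demo()
    print(counts)          # sent 4, opened 3, clicked 2, submitted 1
    print(per_recipient)
```

The de-duplication only prevents double counting; it does not tell a scanner’s prefetch apart from a real click, which is why a practitioner also records user agent and source address per hit and treats GET-only clicks that arrive seconds after sending with suspicion.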
4. Exploitation
The exploitation part of social engineering is incorporated into each campaign and is developed during the threat modeling stage of the test. Depending on the campaign, the exploit may be a credential harvester on a fake login portal that captures employee passwords as they log in, a backdoor that calls back to a Triaxiom-controlled server, or simply information the engineer is able to elicit from the employee. Based on the tracking information the engineer receives during the vulnerability analysis phase, the campaigns may need to be adjusted to be more effective. For example, the backdoor may need further obfuscation to bypass your particular antivirus product.
Tools may include: Metasploit Framework, Veil-Evasion
5. Post Exploitation
After successful exploitation, the engineer’s primary goal is to quantify the risk a successful compromise presents to your organization. Now that an employee has divulged information or clicked on a link, what can an attacker do? If the employee entered their password into a fake portal, can the engineer reuse that password to log in to the VPN, their email, or a SharePoint site? For backdoors that executed, the engineer will take screenshots of the desktop, attempt to locate and exfiltrate sensitive data, and attempt to pivot to other portions of the internal network. Throughout, the engineer aims to elevate privileges and gain access to sensitive information in order to quantify the risk to your organization.
Tools may include: Metasploit Framework, BloodHound, PowerShell Empire
Stage 3: Reporting
1. Reporting
After completing the active portion of the assessment, Triaxiom will formally document the findings. The output generally includes an executive-level report and a technical findings report. The executive-level report is written for management consumption and includes a high-level overview of assessment activities, scope, the most critical or thematic issues discovered, overall risk scoring, organizational security strengths, and applicable screenshots. The technical findings report lists every vulnerability individually, with details on how to recreate the issue, an explanation of its risk, recommended remediation actions, and helpful reference links.
2. Quality Assurance
All assessments go through a rigorous technical and editorial quality assurance phase. This may also include follow-ups with the client to confirm or deny environment details, as appropriate.
3. Presentation
The final activity in any assessment is a presentation of all documentation to the client. Triaxiom will walk the client through the information provided, make any updates needed, and address questions regarding the assessment output. Following this activity, we’ll provide new revisions of the documentation and schedule any formal retesting, if applicable.