24 May 2024

The art of deception: social engineering in red teaming

This blog explores the critical role of social engineering in cybersecurity, highlighting how it exploits human vulnerabilities to bypass technical defences. It explains the difference between traditional penetration testing and Red Team exercises, emphasizing that Red Teams provide more realistic simulations by considering the full attack chain. The blog underscores the importance of security awareness training and robust defences to counter these sophisticated social engineering tactics.

In the world of cybersecurity, people are often the weakest link in the chain of digital defences. Social engineering targets people, manipulating individuals into divulging confidential information or performing actions that compromise security. For red teams trying to establish a foothold on your network, social engineering is a crucial tool in their arsenal. It allows them to demonstrate how threat actors can bypass technical safeguards through human manipulation, emphasising the need for security awareness training and robust technological defences for endpoints.

Traditional penetration testing often incorporates social engineering. But, while a regular pen tester might ‘shoot for the stars’, aiming to escalate their privilege as highly as possible in a limited timeframe, Red Team exercises provide more in-depth and realistic simulations. Beyond the metrics of ‘who clicked what’, there’s a plethora of objectives that an adversary might pursue once they have gained a foothold on your systems.

Considering and planning ‘what comes next' is exactly what separates Red Team engagements from traditional penetration testing. By considering the full context of the attack chain that a threat actor might pursue over a prolonged period, the social engineering techniques used by Red Teams demonstrate greater realism.

Modern social engineering

Social engineering isn’t all about opening dodgy emails pertaining to what you’ve been doing when you thought your webcam was turned off. Although delivering payloads via email continues to bear fruit for many adversaries, there is a plethora of defensive technologies to help prevent malicious emails from arriving or from wreaking havoc if a user tries to open them.

Red Teams (and the threat actors they imitate) don’t just rely on basic techniques to compromise systems; gone are the days of including a macro in an Office document and waiting patiently for pwnage to ensue.

Sophisticated approaches increasingly rely on more direct interaction with potential victims, with protracted exchanges over longer periods of time. There may be many more steps required to ‘hook’ a victim. Attackers will directly converse with potential victims, who might even be aware of the attacker’s malintent but are coerced into action, or in some cases are partially or even fully complicit.

Once a foothold has been established, adversaries can act cautiously, not always moving directly to the conventional objectives that people might expect, such as administrative access or public-facing server defacement. For this reason, the social engineering techniques used by attackers (and Red Teams) will be chosen both for their stealthiness and effectiveness in the broader attack chain.

Common social engineering techniques used by red teams

Red teams mimic the tactics, techniques, and procedures (TTPs) of real-world attackers as best as possible within the constraints of being ethical. By using social engineering, we can uncover potential vulnerabilities that might not be apparent through automated testing or traditional security assessments.

Red teams employ a variety of social engineering techniques to test an organisation's defences, including:

  • Phishing: Sending emails that appear to be from reputable sources to induce individuals to reveal personal information, such as usernames, passwords and credit card numbers. Captured credentials on sites you don’t control could be re-used on ones you do, or have some basic similarity that an attacker can identify to better inform password-guessing attacks.
  • Spear Phishing: A more targeted form of phishing where the attacker customises the message to fit the victim, often using information gathered from social media or other sources. Captured personal information can be used to add legitimacy to later requests; for example, we might call posing as a representative from the target’s bank and confirm some specific details such as their date of birth and a few recent purchases. Spear phishing isn’t an alternative to regular phishing; it could be a follow-up, with a more targeted approach based on information you have already obtained about the individual. It is worth noting that the targets for spear phishing aren’t always high-profile personnel at the target organisation.
  • Vishing (Voice Phishing): Using the telephone system to scam the user into surrendering private information. I’ve worked on Red Teams where we set up help-desks consisting of trained help-desk staff who talk to targets trying to persuade them to perform actions or reveal information that we might want.
  • Smishing (SMS Phishing): Using text messages to interact with users and achieve a similar effect to what we might try to achieve with voice communication. Although called Smishing you might use other messaging technologies besides SMS, like WhatsApp or iMessage.
  • Physical Security: Social engineering isn't limited to digital interactions. Red teams can test physical security measures by attempting to gain unauthorised access to restricted areas through identifying unprotected entry points or tailgating (following an employee through an open door into a secure area). Entry points can be physical locations such as server rooms, but many organisations also expose network entry points, for example network connection ports or even public areas where the organisation’s wireless internet is accessible (to which attackers can log in with credentials captured using other social engineering tactics).

Common manipulation techniques

Ethical penetration testing and Red Teaming stop short of any ‘threats’ against a group of users or anything that might be considered extortion. However, when attempting to manipulate users into giving information, the following techniques are the most common:

  • Pretexting: Creating a fabricated scenario to persuade a victim to divulge information or perform an action. This could involve impersonating a co-worker, IT support or a figure of authority.
  • Baiting: Offering something enticing to the victim in exchange for login credentials or confidential information. Or, as my kids say, FOMO (Fear Of Missing Out)! This has to remain ethical, and typically we can’t expense bribes! Baiting is more likely to subtly influence any risk-versus-reward deliberations made by the target, encouraging them to act without questioning the situation more thoroughly.
  • Quid Pro Quo: Offering a benefit in exchange for information. This could be as simple as providing free IT assistance in return for login credentials. This might be used to have a user ‘sign-up’ to a service in the hope they may use credentials similar to those used for other services.

Best practices for defending against social engineering

Organisations can take several steps to protect themselves against social engineering attacks:

  • Comprehensive Training: Regular, interactive security awareness training can help employees recognise and respond to social engineering tactics.
  • Simulated Attacks: Conducting simulated social engineering attacks can help test the effectiveness of training and identify areas for improvement.
  • Clear Reporting Procedures: Employees should know how to report suspected social engineering attempts quickly and easily. These reports should be monitored by defensive teams to identify any spikes that might indicate a targeted campaign is underway.
  • Multi-Factor Authentication (MFA): Implementing MFA can add an extra layer of security, even if credentials are compromised. Protect against the enrolment of MFA devices by an unauthorised third party.
  • Least Privilege Principle: Limiting user access rights to only what is needed for their job role can minimise the damage from a successful attack. Even if you trust your user community, any code running under their login is generally able to do everything that they can do.
  • Regular Audits and Reviews: Continuous evaluation of policies and procedures ensures that defences remain effective against evolving social engineering tactics. Your defences, policies and procedures should update in line with changes to your IT estate that might present new targets for attackers, as well as with the techniques they are likely to use.
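The "Clear Reporting Procedures" point above asks defensive teams to watch user phishing reports for spikes that suggest a targeted campaign. The following script is an added example, not tooling from the blog or its authors: it parses constructed report records (the line format, the sender domain and subject grouping, and the 30-minute/3-report thresholds are all assumptions for illustration) and raises an alert when several people report near-identical messages from the same sender domain inside a short window.

```python
"""Cluster user-submitted phishing reports and flag campaign-like bursts.

Added illustration only; the report line format is an assumption:
    <ISO timestamp> <reporting user> <reported sender> '<subject>'
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: four staff report the same lure within 15 minutes,
# plus two unrelated one-off reports that should not trigger an alert.
SAMPLE_REPORTS = [
    "2024-05-20T08:02:11Z alice@example.org it-support@helpdesk-example.test 'Action required: password expiry'",
    "2024-05-20T08:05:40Z bob@example.org it-support@helpdesk-example.test 'ACTION REQUIRED - Password expiry!'",
    "2024-05-20T08:09:03Z carol@example.org it-support@helpdesk-example.test 'Action Required: password expiry'",
    "2024-05-20T08:14:27Z dave@example.org it-support@helpdesk-example.test 'action required password expiry'",
    "2024-05-20T11:30:00Z erin@example.org newsletter@vendor.example.net 'Weekly product update'",
    "2024-05-21T09:00:00Z frank@example.org billing@another-vendor.example 'Invoice 4471'",
]

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+'(.*)'$")


def parse_report(line):
    """Turn one report line into a dict; raise on lines that do not match."""
    match = LINE_RE.match(line.strip())
    if not match:
        raise ValueError(f"unparseable report: {line!r}")
    ts, reporter, sender, subject = match.groups()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "reporter": reporter,
        "sender": sender.lower(),
        "subject": subject,
    }


def normalise_subject(subject):
    """Collapse case and punctuation so small lure variations cluster together."""
    return " ".join(re.findall(r"[a-z0-9]+", subject.lower()))


def detect_campaigns(lines, window=timedelta(minutes=30), threshold=3):
    """Group reports by (sender domain, normalised subject) and alert on any
    group with at least `threshold` reports inside a sliding `window`."""
    groups = defaultdict(list)
    for line in lines:
        report = parse_report(line)
        domain = report["sender"].split("@")[-1]
        groups[(domain, normalise_subject(report["subject"]))].append(report)

    alerts = []
    for (domain, subject), reports in groups.items():
        reports.sort(key=lambda r: r["ts"])
        best = (0, 0, 0)  # (count, start index, end index) of the densest window
        start = 0
        for end in range(len(reports)):
            # Advance the window start until the span fits inside `window`
            while reports[end]["ts"] - reports[start]["ts"] > window:
                start += 1
            count = end - start + 1
            if count > best[0]:
                best = (count, start, end)
        count, start, end = best
        if count >= threshold:
            burst = reports[start:end + 1]
            alerts.append({
                "sender_domain": domain,
                "subject": subject,
                "count": count,
                "first_seen": burst[0]["ts"],
                "last_seen": burst[-1]["ts"],
                "reporters": sorted({r["reporter"] for r in burst}),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_campaigns(SAMPLE_REPORTS):
        print(f"possible campaign from {alert['sender_domain']}: "
              f"{alert['count']} reports of '{alert['subject']}' "
              f"between {alert['first_seen']} and {alert['last_seen']} "
              f"({', '.join(alert['reporters'])})")
```

The subject normalisation is what makes the clustering useful in practice: real campaigns vary capitalisation and punctuation between recipients, and an exact-match grouping would split one lure into several under-threshold groups. The thresholds are deliberately low for the sample; in a live deployment they would be tuned against the organisation's normal report volume.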

Conclusion

Social engineering will always be an effective method for attackers. In part, this is because it relies on the psychology of influence and manipulation. Social engineering attacks rely on using credibility, authority, social proof, time pressure, and the threat of negative (and sometimes positive) consequences, to encourage what Daniel Kahneman calls System 1 thinking – near instantaneous decision-making without considering the long-term consequences. Slow and effortful questioning of the situation, as well as of the possible risks and consequences of a user’s action (System 2 thinking), is the approach promoted by awareness training.

However, the problem of social engineering can be tackled not just by increasing people’s awareness, but also with better processes and technology. Regular audits and reviews, as well as clear reporting procedures are examples of effective processes that will help stifle social engineering attacks. Meanwhile, implementing the principle of least privilege and MFA will provide an additional layer of defence. Using just one method to defend against social engineering attacks will only be fractionally as effective as building a multi-layered defence. However, building a multi-layered defence will help secure your organisation against a range of attack types, not just the increasingly convincing dodgy emails.

Get in touch to find out more about how Red Team exercises can help identify gaps in your security.