Sociotechnical Tests
The purpose of social engineering testing is to verify the real level of threats related to the possibility of penetrating an organization and gaining unauthorized access to data or carrying out criminal activities.
Social engineering tests
- Social engineering tests are implemented using a “black box” approach,
- The reconnaissance will cover the basics of the organization’s workforce and network security, as well as physical security,
- A reconnaissance approach will be used, based on which penetration scenarios will be developed and approved by the organization, and then executed with minimal knowledge of them on the part of the organization,
- The social engineering tests conducted will further verify how the organization and its employees respond,
- The project’s pricing assumes the execution of 5 or selected social engineering test scenarios,
- Penetration testing scenarios will take advantage of the organization’s specific operating context and include the following techniques, among others:
  - Crafted emails directed at stealing credentials (spear phishing),
  - Crafting a web application/website of a company similar to the one exposed on the Internet and sending email information to employees to steal data,
  - Installing dedicated malware on employees’ computers,
  - Exploiting potential vulnerabilities in the organization’s IT infrastructure,
  - Physical security workarounds using vulnerabilities identified during reconnaissance and social engineering techniques (e.g., impersonating an employee).
- The result of the work in this area will be a description of the developed test scenarios with information on the outcome of their implementation.
Service Description:
Implemented in a “black box” approach, our tests focus on reconnaissance and development of penetration scenarios, minimizing the organization’s knowledge of the activities carried out. We verify the organization’s response to a variety of techniques, such as spear phishing, crafted web applications, malware installation, exploitation of infrastructure vulnerabilities and physical security bypass.
Penetration testing scenarios will take advantage of the organization’s specific operating context and include the following techniques, among others:
- Spoofed emails directed at stealing credentials (spear phishing) – This scenario will be based on sending a malicious attachment in an email that, when opened, will attempt to perform operations to collect user data, remotely perform operations, bypass installed anti-virus software, increase user privileges,
- Crafting a web application/website of a company similar to the one exposed on the Internet and sending email information to employees to steal data – This scenario will be based on sending an email to users with an attached link to log in to a potentially similar application in the company (web mail, HR portal, or other with the ability for users to log in).
Under this scenario, the following steps will be performed:
- Gathering information about the company, employees, infrastructure, applications. The database of information will be used to create an email list of employees to whom emails will be sent, domains to be used, application names, and attack scenarios,
- Create a list of employees and applications to be used for the email campaign (the list will be sent to the client for confirmation),
- Based on the collected database of information, at least 3 scenarios will be developed with a proposal of domain names and web applications to be used for spear phishing attacks (the list and scenarios will be approved by the Client),
- A complete list of employees, scenarios and applications will be sent to the Client for approval. The start and end date of the attack scenario will be determined (the Client will state whether the SOC team will be informed – Blue Team – Red Team exercise).
- Exploit potential vulnerabilities in the organization’s IT infrastructure – This scenario will involve scanning the internal infrastructure network and exploiting detected vulnerabilities in the company’s internal network to extend the attack and privileges to other servers/services, or applications.
- This scenario will include the following steps, similar to penetration testing of a company’s internal infrastructure:
  - Step 1 – Data collection
    - Attempts to gather as much publicly available information on IT infrastructure as possible,
    - Identifying shared services by scanning TCP/UDP ports, along with attempting to obtain information about installed software versions using fingerprinting and banner grabbing techniques,
  - Step 2 – Vulnerability identification
    - Vulnerability scanning using automated tools,
    - Manual identification of vulnerabilities by checking the collected information about the versions of software installed on the tested devices against public databases (e.g. Bugtraq, CERT, OSVDB),
  - Step 3 – Vulnerability analysis
    - Analysis to verify and eliminate potential false positives and identify critical vulnerabilities, which we will keep your employees informed about,
    - Attempting to find software code that exploits a particular vulnerability, known as an exploit.
  - Step 4 – Extend permissions and attacks to other systems and applications in the company’s internal infrastructure.
- Physical security workarounds using vulnerabilities identified during reconnaissance and social engineering techniques (e.g., impersonating an employee).
- During this type of testing, activities will be carried out to verify that the technical and organizational safeguards implemented are effectively designed, and that the Company’s security personnel or employees follow defined procedures.
- The first element of the work will be, for each facility, a reconnaissance to gather as much information as possible about each facility, the personnel employed there, the security mechanisms and procedures used.
- The activities carried out will simulate the actions of real criminals who are planning to carry out physical security breaches.
- Based on the reconnaissance, action scenarios will be refined and finally approved by the Company.
- We will then proceed with the implementation of each scenario, recording all actions and describing them in detail in the report.
- We assume that various types of physical security mechanisms have been implemented at the Company’s locations, the effectiveness of which needs to be verified – such as:
  - burglar alarm system,
  - CCTV system,
  - access control system,
  - alarm monitoring system,
  - fire protection system.
- Due to the fact that the activation of some of these systems may result in the intervention of third parties including the uniformed services, which may have legal and financial consequences, test scenarios in this area will require very careful arrangements and confirmations from the Company.
- During the work, both simple tests to verify the effectiveness of security features (e.g., moving around the protected building to see if the CCTV operator pays attention) and technically complex tests (e.g., copying access control cards, using cards other than the Company’s, etc.) will be carried out.
- A key consideration for these tests is to limit their impact on the Company’s business continuity.
- The work will be carried out based on our accumulated knowledge of social engineering techniques and on the premise that humans, as social beings, are inherently susceptible to manipulation because they want to:
  - be seen as friendly and helpful,
  - avoid problematic situations.
- During the work, we will use the following recognized psychological rules used by leading fraudsters whose actions have been described in the literature:
  - authority,
  - liking and affection,
  - commitment and consistency,
  - unavailability,
  - reciprocity,
  - contrast,
  - social proof of equity.
Customer benefits:
Customers get an in-depth analysis of their resilience to social engineering attacks, allowing them to effectively secure their organizations against real digital threats.
For whom it is intended:
This service is ideal for organizations looking to verify their security in a socio-technical context to improve overall data security.
Application examples:
Our tests can be used in a variety of corporate environments where it is important to protect against social engineering methods of attack.
Contact:
Contact us to discover how our end-to-end IT solutions can revolutionize your business, increasing security and efficiency in every situation.