Auditing Social Engineering: A Practical Approach

Have you heard it said, “Attackers don’t break into a network, they log in?” In reality, they do both.

Bad actors still exploit vulnerabilities found on public facing devices of course. However, that’s almost never the easiest way to gain access to a protected network. That’s because security implementations such as FIDO2, Multi-Factor Authentication (MFA), longer password requirements, cloud technologies, managed devices, encryption, smarter firewalls, endpoint protection, and overall security intelligence and practices have evolved. As a result, it requires a certain level of technical know-how and brazenness for bad actors to execute these exploits.

Further, in many cases when these types of exploits are discovered they are patched and so are only available for a limited time. Social engineering, however, can’t really be patched. It is a much less technical method of gaining initial access and thus provides a lower barrier of entry. Naturally, because of this lessened barrier, the volume of bad actors that try their hand at it has increased, which in turn increases the number of attacks.

There are tools now available to anyone that make it much more cost-effective to either automate or semi-automate some types of social engineering attacks.

According to Verizon’s 2023 Data Breach Investigation Report (DBIR), Phishing and Pretexting continue to be the primary method of social engineering with over 50% of social engineering attacks using pretexting. Of those surveyed, 84% said their companies experienced at least one successful phishing attack while over half, 54%, had faced three or more successful attacks. A simple search of “2023 Social Engineering Hacks and Breaches” and one doesn’t have to look very far to see examples of successful social engineering attacks. In 2023, we saw the effects of this with the MGM hack.

Forbes, referencing VX-Underground, reports that ransomware Group ALPHV utilized voice phishing or “vishing” to great effect and caused severe disruption, financial risk and potential ongoing reputation damage in 2023, reportedly all with a 10-minute phone call.

The US Federal Bureau of Investigation’s (FBI) Internet Crime Complaint Center (IC3) illustrates the damage social engineering attacks do in terms of phishing, including variants, and Business Email Compromise (BEC). Notice the difference in the number of complaints reported vs. the financial damage. Over the five-year period there is a total of 1,112,195 received attacks but financial losses of $10,335,924,697. A few successful social engineering attacks can cost outsized losses. These numbers do not include other forms of social engineering such as romance or lottery scams.

(Note, the IC3 statistic represent complaints received. It’s highly probable these are very low numbers in both terms of actual attacks and money lost as many people do not report. Other sources report that social engineering attacks are in the hundreds of millions).

Another reason making social engineering attractive is its versatility of application. Know that social engineering isn’t just limited to BEC, phishing, vishing, smishing and so forth. Already a cellular customer lost $17,000 due to a successful social engineering attack that involved the bad actor simply walking inside a store under the pretense of being the actual customer and having a new phone activated, and then taking over her texting-based MFA in a SIM-swap.

As an auditor, you’ll want to do everything you can to provide the best assurance possible to your clients. Even though social engineering is likely a subsection within a larger audit, you’ll add more value by diving deep in this part of the audit.

Now, let’s look at auditing social engineering from a practical approach. This is through the lens of people, processes and technical controls. With that in mind, here are some specific activities for which you should be able to obtain evidence or documentation.

People

Role based training – simply checking for generic, general anti-social engineering or anti-phishing training – doesn’t cut it in today’s environment. Bad actors research their targets using publicly available information such as social media, search engines and corporate websites. Accounts Payable may be targeted for “aging reports” while IT support staff may be asked to reset a password for an imposter. An HR staff member could be phished to change direct deposit information that would deposit an unaware employee’s next check into a fraudulent account, or a recruiter could be working with a bad actor unknowingly.

Guiding Questions (People):

1. Do you provide specific social engineering training to employees based on their roles?
2. Which roles receive training for their specific roles? HR | IT | Accounts Payable | Customer Service Representatives | Administrative Assistants are examples.
3. In what form? Newsletters, phishing simulations, webinars, meetings?
4. Is the phishing simulation the same for all or is it customized for different departments?
5. How often do these newsletters, phishing simulations or other trainings occur?

Processes

Processes are the procedures that people should know how to do or reference if they encounter a suspected social engineering attack.

Guiding Questions (Processes):

1. Do employees know how to report a suspected phishing email?
2. What actions would an employee perform if a USB stick was found lying on the floor of the company or just outside the door? Does guidance exist for this in the organization?
3. What is the process of resetting passwords for different roles? Can IT Support Desk reset the password for an IT administrator? What if an executive calls in to have their password reset – how is that handled?
4. Do IT administrators have separate, elevated accounts when performing admin tasks? Their primary account, much like for other employees, should not have admin rights to prevent accidental execution of malicious files.
5. How does the security team analyze phishing, smishing or vishing? On a segmented network? A sandbox? Virtual machine?

Technical

Technical controls will help prevent social engineering attacks from either reaching the target employee in the first place or attempt to prevent a malicious action from occurring once it has. For example, an employee opens a malicious email attachment, or inserts an unknown malicious USB storage disk but does not have administrator rights, and the attack could not properly execute.

Guiding Questions (Technical):

1. Is endpoint protection in place to mitigate damage from the source asset should a malicious file execute?
2. Is web filtering/content in place to block suspicious or bad domains, should someone click a malicious URL? Is there an alerting system in place if a potentially malicious link is clicked?
3. Least privilege: Are “administrator rights” removed from users and computers from those that don’t require it to prevent someone from downloading a malicious file from phishing and executing it?
4. Does the company have any automated anti-spam and quarantine controls in place?
5. What about look-a-like domains? Has the company purchased them to protect itself? For example, a company called yellowbankfirst.com may be interested in purchasing or protecting against .biz .info. .tv .us .org .net, etc. and may consider purchasing domains such as yel1com or yell0wbankfirst.com or even yellowbarnkfirst.com to head off the purchasing domains by a bad actor and being used in social engineering attacks.

Keep in mind bad actors who employ social engineering as a method of attack will use creative tactics. They aren’t bound by scope or rules like we are. When defining your scope, consider this: auditors must also be creative when performing social engineering audits. Put yourself in the place of a bad actor and think about what you would do to break into this company using social engineering.

About the author: Ricky Hamilton CISA, CRISC, CCSK, Lean Six Sigma is a practicing Senior Information Security Analyst with a wide range of experience in IT Infrastructure, Information Security, Auditing and Process Improvement. He has a keen interest in the psychology of cybersecurity, in particular social engineering and enjoys mentoring others looking to break into the profession. You can find him over on the Engage Information and Cybersecurity community or connect with him on LinkedIn: http://www.linkedin.com/in/ricky-hamilton/