The question of whether social engineering should be part of penetration testing is often asked, and it is not an easy one to answer.
Here at CYBRI we recommend tackling the challenges of user education and awareness of social engineering attacks with a multifaceted approach.
Every organization should conduct regular phishing exercises outside of pen testing.
During a pen test, or red team engagement, a more thorough and targeted social engineering campaign should take place.
Why do hackers use social engineering?
Before diving deeper into social engineering pen testing, it is important to understand why hackers use social engineering.
Social engineering is one of the most effective ways of bypassing defenses.
This can be technical, like a phishing email carrying malware, or non-technical, like piggybacking (tailgating) an employee.
Piggybacking is where an attacker follows an employee closely enough to bypass entry controls, for example by catching the door before it closes fully or by having the employee hold it open.
Most commonly we see phishing emails as the main and most effective vector into an organization. Firewalls that are set up correctly are difficult to get through, but getting an employee to click a link in a fake email is not.
The attackers will spend time researching their targets to create custom emails to ensure their efficacy.
What is social engineering penetration testing?
Social engineering penetration testing is where a pen test includes a social engineering component or pen testers are tasked with a specific social engineering project.
This differs from the routine social engineering testing a company may already do, namely phishing tests. The focus is a much more tailored attack, to best gauge an APT's ability to get in.
The pen testers or red teamers will create a small, focused campaign that targets just a few users.
This includes research into those users and their roles, who they are connected to, and what they are interested in. The campaign then aims to steal credentials, sneak in a malicious payload, or obtain sensitive data.
It may also include phone calls, USB drops, or other forms of social engineering combined for maximum effectiveness.
Depending on the engagement, it may be conducted as part of the full pen test, where it can give the testers a way in or more data to work with.