Assess end users’ awareness of coercion attacks with social engineering assessments.
End users are a common target for malicious threat actors. Organizations spend considerable time and money securing their technical assets; however, end users are often the weakest link in a security program because they can be manipulated through social engineering.
Social Engineering (SE) Assessments use real-world scenarios and tactics to demonstrate how aware end users are of coercion attacks. These engagements also highlight areas where organizational security policies and technical controls can be strengthened, or used more effectively, to detect and prevent SE attacks.
Train your people to be wary of malicious actors by exposing them to realistic coercion attacks under controlled conditions.
Phishing Engagements are one of the most common types of social engineering (SE) assessments. These projects simulate threat actors who email personnel in an attempt to gather information, gain control of endpoints, or otherwise obtain unauthorized access to systems and data. Phishing engagements can be tailored to the needs of the organization: a remote SE engagement can range from simply measuring how many recipients click a phishing URL, to capturing submitted credentials, to attempting to establish command and control of end user systems.
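The click-measurement option described above, shown as an added example that is not part of Rotas' material: a short Python script that issues one unguessable token per recipient, builds that recipient's tracking URL, and then attributes requests in a web-server access log back to recipients. The landing host, recipient names, token table and log lines are all constructed for illustration. Two practitioner details are worth noting: the URL carries an opaque token rather than the email address, and requests whose token is not in the table (mail-security scanners and sandboxes routinely fetch links) are counted as noise rather than as clicks. Credential submissions are recorded only as an event; no password is stored.

```python
"""Attribute phishing-simulation clicks and credential submissions to recipients.

Example code added to illustrate the 'measure clicks' option; it is not Rotas'
tooling. Hostname, recipients, tokens and log lines below are constructed.
"""
import re
import secrets
from collections import Counter

BASE_URL = "https://portal-update.example.test"  # assumed landing host for the exercise


def issue_tokens(recipients, token_bytes=16):
    """Map each recipient to a random, unguessable URL token; returns {token: recipient}."""
    tokens = {}
    for recipient in recipients:
        tok = secrets.token_urlsafe(token_bytes)
        while tok in tokens:  # collisions are vanishingly unlikely; keep the mapping one-to-one
            tok = secrets.token_urlsafe(token_bytes)
        tokens[tok] = recipient
    return tokens


def tracking_url(token):
    """Per-recipient link placed in the phishing email (token only, never the address)."""
    return f"{BASE_URL}/t/{token}"


# Combined-format access log line: ip ident user [ts] "METHOD path proto" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
CLICK_PATH_RE = re.compile(r"^/t/(?P<token>[A-Za-z0-9_-]+)/?$")
SUBMIT_PATH_RE = re.compile(r"^/t/(?P<token>[A-Za-z0-9_-]+)/login$")


def summarise(log_lines, tokens):
    """Return ({recipient: 'none'|'clicked'|'submitted'}, count of requests with no valid token)."""
    outcome = {recipient: "none" for recipient in tokens.values()}
    noise = 0
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        hit = CLICK_PATH_RE.match(m["path"]) or SUBMIT_PATH_RE.match(m["path"])
        if not hit or hit["token"] not in tokens:
            noise += 1  # scanners, sandboxes, guessed paths: not attributable to a person
            continue
        recipient = tokens[hit["token"]]
        if m["path"].endswith("/login") and m["method"] == "POST":
            outcome[recipient] = "submitted"  # event only; the form data is never logged here
        elif outcome[recipient] == "none":
            outcome[recipient] = "clicked"  # repeat clicks by one recipient count once
    return outcome, noise


def rates(outcome):
    """Click and submission rates over all recipients (a submitter necessarily clicked)."""
    n = len(outcome)
    c = Counter(outcome.values())
    clicked = c["clicked"] + c["submitted"]
    return {
        "recipients": n,
        "clicked": clicked,
        "submitted": c["submitted"],
        "click_rate": clicked / n if n else 0.0,
        "submit_rate": c["submitted"] / n if n else 0.0,
    }


# Constructed sample: a fixed token table and a few access-log lines.
SAMPLE_TOKENS = {"k3Jq9x": "alice", "Pz7wL0": "bob", "m2Vb8t": "carol", "Qr4nS1": "dave"}
SAMPLE_LOG = [
    '203.0.113.10 - - [12/Mar/2024:09:01:12 +0000] "GET /t/k3Jq9x HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [12/Mar/2024:09:01:40 +0000] "POST /t/k3Jq9x/login HTTP/1.1" 302 0 '
    '"https://portal-update.example.test/t/k3Jq9x" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Mar/2024:09:03:05 +0000] "GET /t/Pz7wL0 HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Mar/2024:09:03:06 +0000] "GET /t/Pz7wL0 HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
    '192.0.2.33 - - [12/Mar/2024:09:00:01 +0000] "GET /t/ZZZZZZ HTTP/1.1" 404 0 "-" "mail-scanner/1.0"',
    '192.0.2.34 - - [12/Mar/2024:09:00:02 +0000] "GET /robots.txt HTTP/1.1" 404 0 "-" "curl/8.0"',
]

if __name__ == "__main__":
    result, unattributed = summarise(SAMPLE_LOG, SAMPLE_TOKENS)
    print(result)          # alice submitted, bob clicked (once), carol and dave did nothing
    print(unattributed)    # 2 requests without a valid token
    print(rates(result))
```

In a real engagement the token table is the only link between a person and their result; keep it access-controlled and destroy it when the report is delivered, since the findings are meant to drive training rather than single out individuals.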
Rotas can also use voice calls, SMS text messages, or voicemails as the attack vector. Phone-based coercion attacks often catch people off guard. We use the same techniques that have contributed to some of the largest data breaches in history: open source intelligence (OSINT) gathered from social media, caller ID spoofing, and voice-changing applications. All of these can be used to try to convince end users to reset passwords, or to disclose information that leads to an initial foothold.
Onsite SE engagements assess personnel’s awareness when interacting in person with unauthorized individuals. The goal is typically to gain unauthorized access to facilities, systems, and data by actively engaging personnel. These engagements differ from physical penetration testing in that the assessor actively attempts to coerce personnel into performing an action, rather than relying on defeating physical controls alone. Example scenarios include impersonating service personnel or employees, scheduling meetings to gain access to facilities, or otherwise persuading personnel to grant access to buildings, systems, or data.
These engagements are useful for verifying that visitor access procedures are followed, and for gauging whether personnel recognize suspicious persons and are willing to report them.
Rotas can use media drops or media mailing campaigns to test security controls and user behavior. Rotas may prepare CDs/DVDs or USB thumb drives designed to connect back to a Rotas-controlled environment when the content on the media is opened. The media is customized from research on the target to provide a believable scenario. Rotas consultants leave this media in strategically chosen public areas to determine whether an employee will pick it up and insert it into an internal computer.
In media mailing attacks, the command and control software is disguised using various file formats and/or executable programs. For example, a mailed USB mouse could carry malicious data on an embedded thumb drive or in the device hardware itself. Alternatively, a package could be mailed with media containing “software updates”, or information and presentations for an upcoming conference. The mailed packages are custom built from research on the target, and may include flyers instructing users to scan QR codes or follow other instructions, all in an effort to gain initial access.