Social Engineering Enhances Red Team Exercises

In recent years, social engineering attacks and phishing attempts have become increasingly prevalent as cybercriminals recognize their effectiveness in compromising businesses. According to the Verizon Data Breach Investigations Report, approximately one in every six attacks includes a social engineering component. As a result, the Red Team industry, which focuses on testing and improving organizations’ security defenses, is expanding its services to include social engineering attack emulation.

Alethe Denis, a security consultant at Bishop Fox, explains that even when targets are aware of the email templates used in these attacks, they still often fall victim to them. Denis frequently presents her targets with the exact email templates her team intends to use during red team exercises. Despite this transparency, at least one person tends to click on the malicious links or attachments in these emails.

To address this growing threat, Bishop Fox recently announced an expansion of its red team offerings. The firm now offers social engineering attack emulation, more comprehensive reporting on human-focused attacks, and the option for customers to observe and learn from these exercises. The goal is not just to demonstrate the potential danger of social engineering attacks but also to help companies develop effective response strategies following a successful attack.

Today’s red team engagements and penetration testing differ significantly from those carried out a decade ago. Instead of solely focusing on outmaneuvering defenders and finding vulnerabilities, consultants now prioritize emulating attackers’ tactics. Additionally, penetration testing is now more integrated with other security tools and practices, such as those used by security operations centers and application security teams. Furthermore, as crowdsourcing has become more prevalent, businesses can engage in more frequent penetration testing engagements.

By including social engineering in penetration testing, companies gain valuable insights into their specific weak points. This includes identifying lax security protocols, a lack of security awareness among employees, and other vulnerabilities within their training and environments. Chris Scott, managing partner at Unit 42 at Palo Alto Networks, emphasizes that these tests go beyond assessing the potential success of an attack. They aim to discover how an attack could succeed within a company’s unique framework and, importantly, how to detect and respond to such attacks to minimize their impact.

Experts emphasize that attackers gather significant amounts of passive intelligence on their targets before launching an attack. While traditional penetration tests uncover easily exploitable vulnerabilities, testing social engineering tactics as well makes it harder for attackers to succeed. Moreover, it sheds light on how individuals react to urgent situations and whether they are willing to disclose sensitive information. Andrew Obadiaru, Chief Information Security Officer at Cobalt, stresses the importance of mitigating endpoint-level threats such as social engineering to minimize risk.

The primary objective of including social engineering in red team exercises and penetration testing engagements is to expose the unexpected ways an attacker could exploit a seemingly harmless email or message. Internal tabletop exercises have limitations, which is why Erich Kron, a technical evangelist at KnowBe4, advocates for the “purple team” approach. This involves coordination between penetration testers (the red team) and the internal security team (the blue team) to identify vulnerabilities and develop effective mitigation strategies.

Ultimately, companies need to ensure that their security operations can respond adequately to successful social engineering attacks and prevent initial compromises. Implementing browser rules that block access to newly registered domains and adopting multi-factor authentication are effective measures for strengthening an organization’s IT environment against social engineering attacks. While regimented compliance-driven phishing exercises are valuable for training and raising awareness, they should not be solely relied upon for protecting organizations from social engineering threats, according to Alethe Denis of Bishop Fox.

As social engineering attacks continue to evolve, red teams and penetration testing services are at the forefront of helping organizations detect vulnerabilities, improve their security defenses, and respond effectively to such threats. By simulating real-world attack scenarios, businesses can better understand their weaknesses and take proactive steps to safeguard their sensitive data and systems.
