Social Engineering Testing Services
Delivered through our Managed Detection and Response (MDR) program, our team of specialists tests your company's exposure, both physically and digitally, to the Tactics, Techniques and Procedures (TTPs) of current real-world threat actors, and evaluates how susceptible your employees are to those tactics and how closely they follow your information security policies.
Our social engineering services let your business test its information security policies in practice, together with your employees' adherence to them. Failure points are identified quickly, so staff can be re-educated before an actual breach occurs. During an onsite engagement, CAT will also use various techniques to gain physical access and obtain records, files and/or equipment that may contain confidential information.
What Is Social Engineering?
Social engineering is an attack vector that relies heavily on human interaction and often involves manipulating people into breaking normal security procedures and best practices in order to gain access to systems, networks or physical locations, or for financial gain.
Threat actors use social engineering techniques to conceal their true identities and motives, and may present themselves as a trusted individual or information source. Their objective is to influence, manipulate or trick individuals into divulging privileged, confidential or sensitive information, or into granting access to an organisation's systems or premises.
Tailored Social Engineering Techniques
CAT has devised elaborate and convincing social engineering techniques that emulate the current Tactics, Techniques and Procedures (TTPs) used by genuine threat actors. Our tailored social engineering services are designed to raise awareness while thoroughly assessing how well your systems and personnel detect and respond to targeted physical and digital attacks. They test your staff's awareness of and susceptibility to such attacks while assessing your company's defences, help identify potential data leaks, highlight weaknesses in human behaviour and enhance employee cyber awareness. Delivered as part of our MDR services, CAT will identify any failure points and recommend refresher training for staff to mitigate future breaches. The results provide valuable insight into how effective your company's policies and procedures are at mitigating social engineering threats.
Physical Engagement
Our onsite engagements typically include any of the following:
- Physical Location Breaching (walking into the building or office and testing whether the receptionist can be engineered into leaving the front desk unattended with a workstation unlocked, etc.).
- Employee Impersonation (IT provider, New Hire, Auditor etc.).
- Trusted Authority (attempting to gain access to premises pretending to deliver goods, impersonating fire inspectors, business repair person, pest control etc.).
- Physical honey-traps (USB Keys – planted to lure employees to run payloads).
- Old-fashioned dumpster diving (recovering discarded documents and media).
Onsite Engagements Can Test For The Following Vulnerabilities:
- Proper Disposal of Sensitive Data
- Privacy Policy Awareness and Implementation
- Institution Policy Adherence
- Violation Reporting
- Access Privileges
- Sensitive Area Security
- Device/System Compromise
- Technical Preventive and Detective Controls
Digital Engagement
Our digital engagements typically include any of the following:
- Remote Social Engineering – manipulation of the organisation by telephone or email in an attempt to get employees to divulge user names, passwords, customer NPPI (Non-Public Personal Information) or other confidential information.
- Pretext Calling (e.g. calling employees, Call Centre, Help Desk Teams to gain company or client information that can then be used to steal sensitive information at a later stage).
- Spear-phishing (pretending to be a colleague, client or supplier in an email to elicit sensitive information, carry out a financial transaction or open an infected file).
- Caller ID Spoofing (causing the telephone network to display a caller the recipient knows, trusts or recognises, then following up with a spoofed email requesting sensitive or confidential information).
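The spear-phishing and spoofing items above all rely on the recipient trusting an apparent sender. The following added example (not code from the original page or from CAT) shows the header checks a practitioner can run to surface those pretexts: a colleague's display name on an outside address, a lookalike domain built from typos or homoglyphs, a Reply-To pointing elsewhere, and mail claiming the organisation's own domain without a DMARC pass. The domains, staff names and sample messages are constructed for illustration, and the edit-distance threshold is a heuristic that needs tuning for short domain names.

```python
"""Heuristic spear-phishing indicators from message headers (added example)."""
from email import message_from_string
from email.utils import parseaddr
from typing import List, Optional

# Constructed: the organisation's own domain and domains of trusted suppliers/clients.
TRUSTED_DOMAINS = {"example.com", "supplier-example.net"}
# Constructed: staff whose names a pretext is likely to borrow (finance, IT helpdesk ...).
PROTECTED_NAMES = {"alice finance", "bob it helpdesk"}

# Characters commonly swapped into lookalike domains, folded back to their ASCII model.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalise_domain(domain: str) -> str:
    """Fold digit and letter-pair homoglyphs so 'exarnple.com' compares equal to 'example.com'."""
    return domain.lower().replace("rn", "m").replace("vv", "w").translate(HOMOGLYPHS)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str) -> Optional[str]:
    """Return the trusted domain this one imitates, or None if it is trusted or unrelated."""
    if domain in TRUSTED_DOMAINS:
        return None
    norm = normalise_domain(domain)
    for trusted in TRUSTED_DOMAINS:
        t = normalise_domain(trusted)
        if norm == t or edit_distance(norm, t) <= 2:
            return trusted
        if norm.split(".")[0] == t.split(".")[0]:  # same registered name, different TLD
            return trusted
    return None


def impersonation_indicators(raw_message: str) -> List[str]:
    """Return human-readable findings for a raw RFC 5322 message; empty list if clean."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    reply_domain = reply_addr.rpartition("@")[2].lower()
    findings = []

    # 1. A protected colleague's display name on an address outside the organisation.
    if from_name.strip().lower() in PROTECTED_NAMES and from_domain not in TRUSTED_DOMAINS:
        findings.append(f"display-name impersonation: '{from_name}' from {from_domain}")

    # 2. Sending domain imitates a trusted one (homoglyph, typo or TLD swap).
    target = lookalike_of(from_domain)
    if target:
        findings.append(f"lookalike domain: {from_domain} resembles {target}")

    # 3. Replies are routed somewhere other than the apparent sender.
    if reply_domain and reply_domain != from_domain:
        findings.append(f"reply-to mismatch: {from_domain} -> {reply_domain}")

    # 4. Claims our own domain but the receiving MTA recorded no DMARC pass (header-From spoof).
    auth = msg.get("Authentication-Results", "").lower()
    if from_domain in TRUSTED_DOMAINS and "dmarc=pass" not in auth:
        findings.append(f"unauthenticated mail claiming {from_domain}")
    return findings


# Constructed sample messages: one legitimate, three pretexts.
LEGIT = """From: Alice Finance <alice@example.com>
To: bob@example.com
Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass
Subject: Q3 figures

Attached as discussed."""

CEO_FRAUD = """From: Alice Finance <alice.finance@gmail-example.invalid>
Reply-To: payments@exarnple.com
To: bob@example.com
Subject: Urgent wire transfer

Please process the attached invoice today."""

SUPPLIER_SPOOF = """From: Accounts <accounts@supp1ier-example.net>
To: bob@example.com
Subject: Updated bank details

Our bank details have changed, see attached."""

HEADER_SPOOF = """From: Alice Finance <alice@example.com>
Reply-To: alice.finance@mail-drop.invalid
To: bob@example.com
Subject: Gift cards

Buy five gift cards and send me the codes."""

if __name__ == "__main__":
    for label, sample in [("legit", LEGIT), ("ceo fraud", CEO_FRAUD),
                          ("supplier spoof", SUPPLIER_SPOOF), ("header spoof", HEADER_SPOOF)]:
        print(label, "->", impersonation_indicators(sample) or "no indicators")
```

The fourth check depends on the receiving mail server stamping an Authentication-Results header; if it does not, that check will fire on every internal message and should be disabled or moved to the gateway.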
Digital Engagements May Include Tests For The Following:
- Privacy Policy Awareness and Implementation
- Institution Policy Adherence
- Violation Reporting
- Access Privileges
- Privacy Filtering
- Technical Preventive and Detective Controls