Social Engineering Solutions by DeepSeas RED
July 1, 2023
What is social engineering, and why is it important to use solutions from DeepSeas RED?
Social engineering is a cyber security attack that uses deception through social engagement to convince your team to hand over confidential information. To catch a cyber criminal, you must think like one. As part of social engineering testing with DeepSeas RED, our cyber security experts act as cyber criminals to assess your people, processes, and procedures, attempting to breach your safeguards and obtain company information via email phishing, telephone vishing, SMS smishing, or on-site physical attempts.
What types of social engineering solutions does DeepSeas RED offer?
Physical social engineering
A physical social engineering engagement evaluates the effectiveness of your internal training and communication. This is accomplished by testing whether employees follow procedures for admitting visitors and for questioning unknown persons on the premises or in the building. Once access is gained, specified goals are pursued, and evidence of your organization’s security vulnerabilities is gathered in real time. This evidence could include sensitive information left in the open, workstations left logged on, and non-adherence to clean desk policies.
Our tests for breaching physical safeguards can also include access card cloning, baiting, and tailgating. The goal of our physical social engineering assessment is to simulate an attack by a real-life malicious actor attempting to breach vulnerabilities in physical security to ultimately gain confidential information that could damage the company or its clients.
The DeepSeas RED crew offers a multitiered email phishing solution. At the most basic level, a customized email is created for your team, and our crew works with you to ensure it passes through your organization’s email filters so that the test measures your people rather than your technology. A more robust option also tests your organization’s email filters and antivirus protection. The email pretexts are company-specific and can be either broadly relevant to all staff or spear-phishing emails targeted at specific individual roles. Every tier tests your team’s ability to identify a phishing email and how well the procedures for reporting phishing emails are followed.
Voice-based phishing, commonly called vishing, is a form of social engineering that uses the telephone as the attack platform to elicit sensitive information from an individual or to influence their actions. Vishing provides a more personal touch than text message phishing (smishing) or email phishing, making it an effective attack vector for bad actors to target businesses and obtain sensitive information, including:
- Email addresses
- Physical addresses
- Leadership contact details
- Employee contact information
- Social security numbers
- Administrative credentials
- User credentials
- Specific technology or systems used by the organization
- Company organizational chart
- Direct phone numbers
- Employee IDs
Simulating vishing attacks is an effective way to assess current vulnerabilities and gives your organization an accurate idea of how employees would stand up against real-world threats. Vishing simulations also provide detailed reporting on test performance by department and by individual employee. This information can help create actionable next steps for training and awareness initiatives to combat vishing attacks.
Smishing is a form of phishing that uses SMS text messages to trick people into giving away sensitive information or clicking on a malicious link. The messages often appear to come from a trusted source, such as a bank or government agency. They may ask the recipient to provide personal information or to click on a link to resolve a problem, access an account, or claim a prize. Note that smishing campaigns target company-owned devices only, unless your organization’s policy explicitly states that this type of testing on employees’ personal devices is acceptable.
For a simulated smishing campaign to be successful, several preconditions must first exist within the target organization.
- The organization should have a policy that outlines acceptable use of bring-your-own-device (BYOD) and/or corporate phones for company purposes.
- The organization should use a platform that leverages those devices for SMS notifications, communication, or verification. One example would be multi-factor authentication (MFA) verification codes, notices, and alerts sent by an application.
- The organization should have a valid business case for initiating smishing (SMS) campaigns.
A strong defense against SMS phishing attacks can only be established through comprehensive cyber security awareness training and consistent smishing simulation. The DeepSeas RED smishing attack simulation helps your organization assess real-world risk against these types of social engineering attacks and gauge the progress and improvement of employees through repeated awareness and testing.
What are the benefits of the DeepSeas RED methodology?
When security rules are broken, cyber criminals gain access to your sensitive information. Social engineering testing assesses employees’ adoption of and adherence to the security policies and practices you have put in place. DeepSeas RED social engineering testing solutions give you and your organization the deep truth about how easy it would be for an attacker to convince your employees to break security rules. With testing solutions from DeepSeas, you will know firsthand how well your security training and procedures are working for your company.
We start with threat modeling, which identifies what information a criminal would need and which part of the organization they would target to obtain it. After the appropriate reconnaissance, our crew creates a pretext (a scenario) to use in executing the “attack,” scripts it, and carries it out as necessary. If an initial attempt is unsuccessful, our “attackers” may try again using a different pretext or script, or they may target a different individual.
What are the outcomes of social engineering testing with DeepSeas RED?
Each social engineering testing engagement concludes with a detailed, actionable report to help improve the overall security posture of your organization. This information provides a roadmap of next steps to reduce risk. Any follow-up engagement allows our social engineers to measure improvements in security and training against the earlier results.