Two years ago, Dave Kennedy, a penetration tester, social engineering expert and contributor to the website social-engineer.com, wanted to create a tool for pen testers to simulate social engineering attacks.
With this in mind, he built the first social-engineering toolkit, a free download on the sites companion, educational resource, social-engineer.org. The attacks built into the toolkit are designed to be targeted and focused attacks against a person or organization used during a penetration test.
Kennedy, now CSO at security systems vendor Diebold, says the popularity of the toolkit has been remarkable. It is considered by many to be the standard for companies using social-engineering-based attacks as part of their pen testing. The SET, which is added to and updated frequently, is downloaded approximately one million times after each new release, according to Kennedy.
Kennedy spoke with CSO about his advice for maximizing results when using the social engineering toolkit.
Learn more about social engineering tricks and tactics
Do your research and prep work
"As simulated adversaries for companies, as pen testers, we always to run the latest and greatest and sexiest software exploits out there. But now when I do a pen test, I don't even run exploits anymore. The techniques that are built within the social engineering toolkit dont leverage exploits. They utilize legitimate ways that Java works, legitimate ways that email works, to attack a victim," said Kennedy.
But the onus is on you, said Kennedy, to do the research into the company you are pen testing, first, in order to have the best chance for success. "Focus on learning the company you're going after for the pen test and building the attack off of that. We like to look at how the company does business, their subsidiaries, and the path of least resistance. A lot of times, browsing through the company website, looking through LinkedIn are valuable ways to understand the company and its structure. We'll also pull down PDF's, Word documents, Excel spread sheets and others from the website and extract the metadata which usually tells us which version of Adobe or Word they were using and operating system that was used."
Chris Hadnagy, founder of social-engineer.com, agrees.
"Information gathering is the most important part of any engagement. I suggest spending over 50 percent of the time on information gathering," said Hadnagy. "Quality information and valid names, emails, phone number makes the engagement have a higher chance of success. Sometimes during information gathering you can uncover serious security flaws without even having to test, testing then confirms them."
Teach, don't scold
Kennedy said he advises pen testers using the kit prepare the company in advance that the success rate of the pen test is likely to be high. But even with some warning, that may not be welcome news to the organization. This can be a chance to teach them, rather than point out problems, said Kennedy.
"One thing that drives me nuts in security community is the rating of users. Somehow it is supposed to be the user that understands this stuff. But for those of us in security, it is our job to teach and not to scold. When you do these kinds of engagements, it is an education opportunity, not a "you-did-something-wrong" opportunity."
Kennedy recommends letting the organization know that when a user makes a mistake and falls for a social engineering scam, this is perfectly acceptable and happens to everybody.
"Tell them: "This is something we learn from, and here is why it was bad," and point out some things they can learn from in the future," he said.
Also assure them the likelihood of a better score in future pen tests using the kit is likely.
"Users will start to recognize these things with repetition," he said.
Embarrassing a company due to its flaws is a horrible idea, said Hadnagy.
"Any time an audit is done the results should be used as part of employee education. This can be done without embarrassment by educating the employees first at point of failure. For example, when I do phishing for my clients, I do not just include their names in the report, but when the employee clicks they are automatically sent to an education page about phishing."
Hadnagy said during the mass education an employee should not be mentioned and no jokes should be made. A tool like SET allows a tester to track who clicks and who responds, this can be beneficial because in larger organizations it can point out areas of weakness and where education can be more beneficial.
Critique your approach, not just the employees
"I think the biggest challenge for folks using the kit sometimes is understanding the concept of social engineering and how you go about attacking an organization. You really have to understand how a company ticks in order to pull off a successful social engineering attack," said Kennedy.
So, when once you've completed your pen test, look back on what worked and what might not have to not only offer information that will help the organization shore up defenses--but also to see where you yourself may have come up short on researching your company.
"A lot of failures come as the result of pen testers who haven't done the research. The folks often just have a shock and awe mentality where they go in and just see if anything sticks. That almost always guarantees failure."