Simulating Social Engineering Attacks
To measure social engineering vulnerabilities, security analysts can play the role of the attacker by using various tools designed to help in this endeavor.
- Baiting and phishing attack simulations are very common
  - they follow the same approach as an actual attack
- Several commercial tools are available to help organizations create and track “campaigns”
  - a campaign is designed to focus on one specific metric and runs during a defined time frame
- Most commercial tools
  - are cloud-based
  - offer sophisticated tracking and reporting capabilities
- Open-source tools
  - Social-Engineer Toolkit (SET)
    - offers many capabilities, including
      - cloning a legitimate-looking webpage (for example, a login page used to harvest credentials)
      - creating malicious attachments
  - Gophish
    - focused on providing a user-friendly graphical interface and tools for managing campaigns
Phishing Campaign
A phishing campaign tests an organization’s vulnerability to this type of social engineering attack and also measures the effectiveness of security awareness training.
- each campaign focuses on a specific theme (for example, a fake password-reset notice) and difficulty level
  - the results serve as a gauge of vulnerability (for example, the percentage of recipients who clicked the link or submitted credentials)
- campaigns typically correlate with security awareness training activity
  - one campaign is run before the training and one after, so the results can be compared
  - the goal is to demonstrate a reduction in vulnerability levels after the training is completed
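The tracking and before/after comparison described above, as an added example (this is not code from the page and not the implementation of any particular product). Phishing-simulation tools record an event whenever a recipient's unique tracking link or pixel fires; the script below takes such events, builds a per-campaign funnel (sent, opened, clicked, submitted, plus reported), and computes the relative reduction of a chosen metric between a baseline campaign and a post-training one. The campaign names, recipient names and event records are constructed for the example.

```python
"""Phishing-simulation campaign metrics from per-recipient tracking events.

Added example; not code from the page or from any specific phishing tool.
"""
from collections import defaultdict

# Funnel stages in order. A later stage implies the earlier ones even when the
# earlier event was never recorded (e.g. tracking pixel blocked, link still clicked).
STAGES = ["sent", "opened", "clicked", "submitted"]

# Constructed sample events: (campaign, recipient, event). Not real data.
EVENTS = [
    # Baseline campaign, run before the awareness training
    ("Q1-baseline", "alice", "sent"), ("Q1-baseline", "alice", "opened"),
    ("Q1-baseline", "alice", "clicked"), ("Q1-baseline", "alice", "submitted"),
    ("Q1-baseline", "bob", "sent"), ("Q1-baseline", "bob", "opened"), ("Q1-baseline", "bob", "clicked"),
    ("Q1-baseline", "carol", "sent"), ("Q1-baseline", "carol", "opened"), ("Q1-baseline", "carol", "reported"),
    ("Q1-baseline", "dave", "sent"),
    ("Q1-baseline", "erin", "sent"), ("Q1-baseline", "erin", "clicked"),  # no "opened": pixel blocked
    # Same theme and difficulty, run after the training
    ("Q2-post-training", "alice", "sent"), ("Q2-post-training", "alice", "opened"), ("Q2-post-training", "alice", "reported"),
    ("Q2-post-training", "bob", "sent"), ("Q2-post-training", "bob", "opened"), ("Q2-post-training", "bob", "clicked"),
    ("Q2-post-training", "carol", "sent"), ("Q2-post-training", "carol", "reported"),  # reported from preview
    ("Q2-post-training", "dave", "sent"), ("Q2-post-training", "dave", "opened"),
    ("Q2-post-training", "erin", "sent"), ("Q2-post-training", "erin", "opened"), ("Q2-post-training", "erin", "reported"),
]


def _per_recipient(events, campaign):
    """Group the recorded events of one campaign by recipient."""
    seen = defaultdict(set)
    for camp, recipient, event in events:
        if camp == campaign:
            seen[recipient].add(event)
    return seen


def campaign_metrics(events, campaign):
    """Return the funnel of one campaign as rates over the recipients who were sent the lure."""
    seen = _per_recipient(events, campaign)
    targets = [r for r, evs in seen.items() if "sent" in evs]
    if not targets:
        raise ValueError(f"no recipients were sent campaign {campaign!r}")

    def furthest(evs):
        # Deepest funnel stage a recipient reached; -1 if no funnel event at all
        return max((STAGES.index(e) for e in evs if e in STAGES), default=-1)

    metrics = {"sent": len(targets)}
    for depth, stage in enumerate(STAGES[1:], start=1):
        reached = sum(1 for r in targets if furthest(seen[r]) >= depth)
        metrics[f"{stage}_rate"] = reached / len(targets)
    # Reporting sits outside the funnel: a recipient can report without ever opening
    metrics["reported_rate"] = sum(1 for r in targets if "reported" in seen[r]) / len(targets)
    return metrics


def training_effect(events, before, after, metric="clicked_rate"):
    """Relative reduction of `metric` from the baseline campaign to the post-training one.

    Positive means improvement. Returns None when the baseline rate was already
    zero, because there is nothing to reduce and a ratio would be meaningless.
    """
    b = campaign_metrics(events, before)[metric]
    a = campaign_metrics(events, after)[metric]
    if b == 0:
        return None
    return (b - a) / b


if __name__ == "__main__":
    for camp in ("Q1-baseline", "Q2-post-training"):
        m = campaign_metrics(EVENTS, camp)
        print(camp, {k: (v if k == "sent" else f"{v:.0%}") for k, v in m.items()})
    effect = training_effect(EVENTS, "Q1-baseline", "Q2-post-training")
    print(f"click-rate reduction after training: {effect:.0%}")
```

Two points of the design matter when reading real campaign data: a click recorded without an open must still count as an open, otherwise recipients who block tracking pixels make the funnel look better than it is; and the report rate is tracked separately from the funnel, since a rising report rate is the clearest sign that the training changed behaviour, not just a falling click rate.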