Social Engineering

Social Engineering within a company or organization occurs when someone in your company is manipulated, influenced, or deceived by hackers to gain control over their computer system.

Hackers commonly use the phone, mobile devices, email, websites, or direct contact to gain illegal access. Social Engineering differs from a traditional "con" in that it is often one of many steps in a more complex fraud scheme.

NTP performs the following exercises to promote general security awareness and “end user” security training. These attempts gather confidential information that would allow an unknown actor to commit fraud or gain unauthorized access to a system or facility.

Pretexting

Either by phone or email, an invented scenario is used to increase the chance that a potential victim will bite. Our social engineer will impersonate a person of authority and use real knowledge like date of birth, social security number, or a password in an attempt to get even more information.

In one scenario, our team makes random calls to the target company’s employees as a “service provider” or help desk technician to offer help/support for an issue that would require system access.

Email Phishing

We conduct a target email phishing campaign simulating a real-world attack. Our email campaigns are crafted with steganography and are designed to convince a user to respond, click a link, or download malicious payload. In this exercise, we leverage an automated email delivery system that keeps statistics on all aspects of the effort.

Spear Phishing

This email attack is smaller and more targeted, focusing on a particular person or organization to get their sensitive data. A spear phishing attack requires research on the target and has a specific personalized component designed to make the target do something against their own interest. Again, the open rate and CTR is tracked and addressed with the target.

Water-Holing

For this form of hacking, we gather information about a targeted group of individuals to find out what websites they are regularly visiting, then test those websites for vulnerabilities. Over time, individuals in the targeted group will get infected, and we gain access to the secure system.

Baiting

For baiting, we leave a USB flash drive laying around and label it something interesting, like “Promotions Approved,” and see who opens it (or who turns it in). Once the device is used, a malicious file is downloaded, and the victim’s computer is infected, allowing us to take over the network.

Quid Pro Quo

This form of deception provides a benefit to the victim in exchange for their information. Often, we’ll impersonate IT support and call everyone working to say we have a problem with a quick fix and ask them to disable something that happens to be a key security component. Those who fall for it get malware/ ransomware installed on their machine.

Tailgating/Human Compliance

This method is used to gain access to a building or other protected area, bypassing security to gather confidential or proprietary data. We commonly pose as a vendor, service provider, or in some other official capacity.

Here are a couple of examples of how we have used and continue to use this type of exercise:

• NTP was successful in gaining access to a company computer and took a full image of the hard drive.
• An NTP specialist posed as a repair person and was escorted by a company's employee and introduced to another employee for the purpose of troubleshooting a printing problem. We had full network access, as well as remote access to the network printer.
• We gained access to a secure facility by mingling with the cleaning crew after hours. NTP gained access to a secure data center where we were assisted by company employees to take photos of labeled assets.