How do you conduct a penetration test to assess the human factor of an organization's security posture?

Before starting a penetration test, it’s important to define the scope and goals of the test. This includes identifying the systems to be tested, the methods to be used, and the specific vulnerabilities to be assessed. The goals should be aligned with the organization’s overall security objectives.

- Knowing how personnel at the target organization interact with the target of the penetration test. Having clarity on how interaction happens with target systems can help a penetration tester add relevant test cases while conducting the test. - Access validation checks. As penetration testers, we often interact with people at target organizations and it is people who are responsible for providing us with relevant access to the artifacts in scope. Many times, this access can take up to several hours to be actively implemented. So, having a time buffer dedicated to validating access can help penetration testers avoid any access delays rather than immediately starting the test after a scoping call.

In my experience, understanding the target organization's internal dynamics and how their personnel engage with the systems under test is crucial. This insight allows a penetration tester to tailor test cases effectively, aligning with real-world scenarios. Additionally, validating access is pivotal. In our role, we frequently rely on individuals within the target organization to grant us necessary access to designated assets. This process can sometimes take hours to implement effectively. Allocating a buffer time specifically for access validation post-scoping discussions can preempt access delays, ensuring a smoother start to the test without unnecessary hiccups.

I've learned that defining the scope and goals of a penetration test is paramount to its success. One particular project stands out, where the client initially sought to assess their network's external perimeter but later expanded the scope to include internal assessments due to recent security incidents. By collaborating closely with the client stakeholders, we clarified the objectives, identified critical assets to target, and established ethical and legal boundaries for the test. This comprehensive scoping exercise ensured that our efforts were aligned with the organization's security objectives and provided a roadmap for conducting the test effectively. Sharing this experience underscores the importance of clear communication in PT

As a penetration tester working for a cyber security company you will likely not have to deal with getting permissions, scoping, time frame and so on. Your job will merely be to get the target list from the client, decide whether a domain name needs to be bought for the campaign, discuss with the client whether whitelisting has to be in place and lastly building a strong campaign based on your client's needs.

This involves collecting as much information as possible about the target organization and its employees. This could include information available on public websites, social media platforms, and other online sources. The goal is to understand the organization’s structure, culture, and technology, which can help identify potential vulnerabilities.

In some cases, you can use OSINT and Digital Footprint techniques to collect information from people within the organization or the organization in general, so after collection, set up a whiteboard and structure the information collected to facilitate a more in-depth investigation or direct vectors of specific attacks such as Spear-phishing or even pretexting to collect some confidential information

OSINT is one factor for consideration as is researching, modelling and executing TTPs (Tactics, Techniques and Procedures). Not all human systems (orgs) operate in the same way and different industries face difference use / abuse cases with respect to the human layer. A successful project will carefully understand the organisation, its assets, its people, its context. But it will also model / execute specific threats to that industry or the org itself. Interestingly, we see more collaboration and partnership around this now and less responsibility sitting purely in the Pen Testing group. I specifically refer to leveraging the tacit knowledge of the organisation teams themselves too. This is valuable and drives another level of quality.

Some great techniques to gather information for a Human Factor Penetration Test: - Review the Companies Website - Review the Companies Website on the wayback time machine - Google Dorking - Review Social Media Accounts - Review the 'likes' on the businesses social media profile, this will likely lead you to employees or former employees. - Look for any pictures inside the workplace. There is always valuable information in the background and this can help establish a sense of the culture within the business

To craft an effective phishing campaign, thorough Open Source Intelligence (OSINT) and organisational intelligence gathering is essential. This is especially critical for precision in spear phishing campaigns. While phishing exercises may require less time on OSINT, and mainly focusing on identifying the right person for impersonation, Red Team operations demand more extensive data collection. LinkedIn proves to be a valuable resource for professional insights, and tools like "LinkedInDumper" expedite this process.

Ensure results are accurate! It’s crucial to rule out false positives to ensure the integrity of the data. With AI content filtering, link following it’s almost impossible to definitively know using traditional safe listing. PhishingBox is the only solution on the market to date, that has a AHD (Advanced Human Detection) that fully remediates this issue. PhishingBox Advanced Human Detection uses different sources and indicators to figure out if someone clicking a link is using anti-virus or spam-protection software. AHD learns your network’s topography and system. Some obvious indicators are mouse movements, link traps, timing, and data from other sources to help accurately identify if someone clicked on the link in the email or not.

This is the part where you have to be creative. For phishing campaigns Gophish is the way to go, easy to use and open source. For Vishing or Smishing you may want to spoof your number or could even use a virtual phone number from Skype. In most phishing campaigns my results were always accurate as each campaign has its own identifier and pixel tracking so you can see when an email was opened, a link was clicked or data was submitted however when an organisation has email security such as Mimecast this could taint your results so it's best to double check this. Looking at the raw results and exclude any Microsoft IPs belonging to Mimecast for example.

Social engineering campaigns are designed to exploit the human factor in an organization’s security posture. This could involve phishing emails, pretexting calls, or physical security tests. The campaigns should be designed to mimic real-world attacks as closely as possible.

Having conducted numerous penetration tests, I've found that designing and launching social engineering campaigns is both challenging and fascinating. One memorable experience involved crafting a targeted phishing email tailored to mimic the organization's internal communications. By analyzing public information and employee behaviors, I identified a recent company-wide initiative and leveraged it to craft a convincing pretext. The success of the campaign underscored the importance of understanding the organization's culture and communication patterns when designing social engineering attacks. Sharing this experience highlights the nuanced approach required for effective social engineering campaigns.

GoPhish is a great resource to use for phsihing campaigns. Additional tips would be to consider buying expiring domain names to reduces the chances they will be blocked by mail filters and installing a Google Plugin called Single File that enables you to clone any webpage. This helps make effective landing pages.

To assess an organization's security posture, exploiting the human factor is key. Using credentials or sessions from social engineering, along with identifying weak passwords and misconfigurations, allows for a deeper penetration test. Tools like Metasploit and Nmap are instrumental in scanning and exploiting vulnerabilities, highlighting the critical need for robust security training and awareness programs. In my experience, this approach not only uncovers technical weaknesses but also emphasizes the importance of cultivating a security-minded culture. Demonstrating the real-world impact of potential breaches encourages proactive measures and strengthens overall security.

I have always preferred a social engineering test along with physical security/policy test and a general network system pentest. This will account for several factors. I like pretending and acting as several job functions. Some examples janitor, delivery person, telco guy, service guy hvac/electrical. I even test as a common consumer. I will just walk into a place to see how far I can go. I also see if I can get someone to break a policy. I will always go hard on people as they are unfortunately the weakest link.

If the social engineering campaigns are successful, the next step is to exploit the vulnerabilities identified and attempt to escalate privileges. This could involve gaining access to sensitive systems or data, or gaining physical access to secure areas.

The realm of social engineering is probably one of the most exciting with respect to pen testing currently. Specifically authentication bypass. Bypassing SSO, having a user join another tenant etc is incredibly effective but there are ways to drive ROI here too for our client. One is to use this method with a security engineering mindset and approach the efficacy of controls hot topic. Do the defensive controls in place still detect and respond to our efforts in social engineering? Does the SOC gain visibility to the simulated hacking that’s happening? What can we do to improve this? Social engineering can be beautifully paired with purple teaming to yield a greater outcome with respect to value. A very powerful combination!

Exploiting the human factor involves using social engineering to obtain credentials or exploiting vulnerabilities like weak passwords. Tools like Metasploit and Nmap can then escalate privileges, demonstrating the impact of your attacks by gaining deeper access to systems.

Document test results, mainly for gathering KPIs regarding To the people who fell for phishing Who did not interact in phishing People who reported phishing And high-ranking people who have fallen

Document and report your penetration test findings by including evidence, analysis, and suggestions for improvement in a clear, concise manner. Present actionable recommendations to stakeholders, address feedback, and provide guidance for enhancing the organization's security posture.

After the test is complete, the findings should be documented and reported to the relevant stakeholders. The report should include a detailed description of the vulnerabilities identified, the potential impact, and recommendations for remediation.

A concise report documenting each issue that was gathered through the exercise. The report should entail if and which users clicked on the URL or opened the attachment, if and which users were vulnerable to credential harvesting. Other social engineering related issues to consider reporting could be missing DNS security entries such as SPF,DKIM and DMARC or even descriptive details on social media or document metadata leaks.

Documenting and reporting penetration test findings is crucial for ensuring that stakeholders understand the scope and severity of identified vulnerabilities. One notable instance involved uncovering a critical privilege escalation flaw that could have granted unauthorized access to sensitive systems. By meticulously documenting the attack vector, including screenshots and logs, I was able to provide clear evidence of the vulnerability's existence. Additionally, I outlined actionable recommendations for remediation, emphasizing the importance of implementing robust access controls and regular security training. This experience underscored the importance of thorough reporting in driving meaningful security improvements within organizations.

It’s important to conduct penetration tests ethically and responsibly. This includes obtaining proper authorization before conducting the test, respecting the privacy and rights of individuals, and ensuring that the test does not disrupt the organization’s normal operations. Remember, the goal of a penetration test is not just to identify vulnerabilities, but to help the organization improve its security posture. This includes raising awareness of the human factor in security and promoting a culture of security within the organization. It’s important to communicate the findings in a clear, understandable manner and to provide actionable recommendations for improvement.

An example I've seen, is where a fake phishing email is generated and sent to all users and then when they click on the links within, the data is gathered to assess the level of awareness of the organisation. This can then form the basis of further education on the subject.

Continuously evaluate and update the penetration testing approach to reflect evolving threats and security trends. Incorporate feedback from previous tests to improve the effectiveness of future assessments. Ensure compliance with legal and ethical guidelines throughout the testing process, and prioritize the protection of sensitive information and individual privacy. Collaborate closely with stakeholders to foster a culture of security awareness and accountability within the organization.

Involve your client or sponsor. Put them in the white team driving seat! We have seen very powerful results from this where we take a group approach to steer the decision making in red or purple teaming that involves social and human engineering. The tacit knowledge that our clients have can be extraordinary in driving outcomes. The old model of an external doing it better is outdated. We are after results. We are looking for effectiveness as a team; not to prove how good we look at a challenge. Hacking is all about making sure we help our clients defend themselves. We need them to also thus engage and use what they know to drive a powerful outcome. Such simulations induce error and with that we are in the position to make change.

I would like to add a second perspective here based on a whole raft of client conversations of late and working the problem with them and other peers. For many orgs, beaches are now happening in areas that traditional pen testing approaches don’t necessarily reach via a scope. Examples are; 3rd and 4th party, cloud (in lieu of testing an application), OSINT (the number of oauth2 and private keys we have seen in postman!!), but most importantly; 1. Controls failure (prevent, detect and respond) 2. The human engineering and culture layer And we see these breaches or incidents at an alarming rate of increase yet the orgs do pen testing and invest heavily in cyber. Enough to make us think right? We need to carefully direct our approach.