Recognize manipulation early on

Social Engineering Assessments

Professional industrial espionage often involves physical attacks or insiders, even if the target is in cyber space. Nevertheless, this attack vector is frequently underestimated.


 

500+ customers place their trust in us – from startups to large companies

 

Question

Could attackers break into a (high) security area? Could they sabotage production or steal company secrets? How do employees behave during such social engineering attacks?

 

Approach

We define the threat scenario, develop attack routes that focus on employees, and carry out the attacks on site. However, the target to be reached may well be access to IT resources.

 

Result

You receive detailed documentation of the attacks, including the vulnerabilities identified and a benchmark against the industry standard, along with a lot of security awareness in the management presentation.

Social engineering: attacks via unexpected paths


Many companies focus on protecting themselves against attacks from cyber space by securing their systems, setting up security monitoring and sensitizing their employees to phishing e-mails.

However, attackers can also take unexpected paths, depending on their motivation and capabilities: on site, it is easy for an attacker to obtain internal information, and if things get complicated, they can simply ask.

Manipulating people by using psychological tricks is called social engineering. We scout your location and observe the corporate culture. We cleverly change disguises and identities, gain access by tailgating or lock picking, and distribute infected USB sticks. Posing as IT employees, we distribute new keyboards with keyloggers or directly ask for the password, always with a plausible reason, of course. Since our social engineers are also good hackers, we use the information gained on site to abuse your IT, issue our own access authorizations or register additional visitors.

Over the past 20 years, we've stolen prototypes via social engineering, penetrated sealed-off research areas, planted bugs in the CEO's office, or smuggled dummy bombs into high-security data centers. All on behalf of customers, always on the good side of the force.

Benefits of social engineering assessments

Top management awareness

The results of a social engineering assessment are very well suited to sensitize top management to the topic of security, because the risks are very tangible and generate a high level of personal concern. If your CEO sees his or her own target agreement in the management presentation, security becomes a top priority. That's a promise!

Measuring your physical security

You get a very realistic impression of whether your physical security measures are effective and how your employees react to manipulation attempts. We use a combination of hacking and social engineering to uncover flaws in access processes that were thought to be secure and provide many recommendations for optimization.

Convergence of disciplines

Social engineering assessments very often create a change of perspective, away from IT security in one corner and physical security in the other, toward an interlocked, holistic approach to information security, today also called cyber security. This often results in a constructive networking of these two important security disciplines.

Procedure and background information

Approach and content

Success factors


Good preparation is crucial to a successful assessment. One small mistake and the situation can get out of control, or our cover is blown and we have to abort. Then we would have invested a lot of time and effort for little gain in knowledge.

That is why we prepare the assessment thoroughly together with you:

  • We define goals that are challenging yet realistic and that generate concern. This increases the acceptance of the measures derived.
  • The circle of those informed must be well considered; the situation must not escalate, nor must there be too many insiders.
  • Clearly defined rules and boundaries are also important. You remain in control throughout the assessment and are informed of our steps at all times. You can define 'no gos' and stop individual actions.
  • We respect ethical principles: attacks on an interpersonal level are an absolute no-no for us, as is personal exposure of individual participants.

     

The phases of social engineering


Preparation

  • Meeting to agree on the scope
  • Kick-off meeting
     

Execution

  • Workshop to define objectives and rules of the game
  • Information research (HUMINT, OSINT, on-site inspection)
  • Attack planning and preparation
  • Execution of the attack using physical attacks, social engineering and, if necessary, hacking
  • Regular status meetings
     

Evaluation

  • Clear documentation of the attack path
  • Replay workshop with the project team
  • Management presentation
A look into our toolbox

Social engineering
  • Spear-Phishing
  • Voice Phishing Calls (Vishing)
  • Fake identity cards
  • Disguises
  • Infiltration of employees (via job applications)
  • Tailgating
  • ...

 

Physical tools
  • Lock Picking
  • Keylogger
  • Bugs
  • Dropbox with mobile internet (remote access/exfiltration)
  • Screen Grabber
  • Prepared USB sticks
  • ...

Do you want to know how well you are equipped against a "visit" by us?

Let's get to know each other in a web meeting and talk about your objectives.
