Bishop Fox expands social engineering adversarial emulation services

Bishop Fox has expanded its social engineering testing services, which are an integral part of the company’s Red Team portfolio. In contrast to narrow and rudimentary security awareness solutions, Bishop Fox’s services emulate complex, multistage and multilayer adversarial attack behavior, provide in-depth results and actionable guidance for organisational improvement, and offer a unique ability for internal teams to participate in “ride along” observation of the process — from Open Source Intelligence (OSINT) and pre-text development, to attack execution.

The 2022 World Economic Forum’s Global Risks Report estimates 95% of all cyberattacks involve human error. Compounding the concern, Gartner cites that while 90% of cybersecurity functions have a user security awareness program, 69% of employees admit to intentionally bypassing their organisation’s guidance.

The issue is exacerbated by the fact that awareness programs – from “lunch and learns” and training materials, to automated phishing campaigns – not only miss the mark but fail to adequately educate organisations about their largest exposures or provide evidence of downstream impact to inform security programs at large. This is why a recent study conducted by the Ponemon Institute placed social engineering as the #2 reason enterprises are investing in broader offensive security assessments and robust Red Team engagements, second only to ransomware.

“Too many organisations are trying to throw technology at something that isn’t exclusively a technology problem,” said Alethe Denis, senior security consultant for Bishop Fox.

“You can contain software and data in a virtual machine, but you can’t contain a user in an office. The universe of technology, functional tasks, and on/offline interactions in which individual employees engage, each represent either a potential point of intelligence or compromise – and that doesn’t even account for intentional acts. That’s why cookie-cutter security awareness programs, largely designed to satisfy lowest-common-denominator and compliance requirements, fail. Getting into the context of a particular attack is not as effective as getting into the mind of the attacker. Our expanded team and testing options provide the most comprehensive view of how attackers see your employees and truly assess your vulnerability,” Denis continued.

On a positive note, the recent Ponemon report also finds that enterprises are aware of the risk, with nearly two-thirds already deploying Red Teams in some capacity, and more than half planning to increase that investment over the next 12-24 months.

Since social engineering is arguably the most impactful and weakest link in security programs, Bishop Fox designed their new services to expose every aspect and angle of attack tactics, techniques and procedures to users and security teams. This ensures full understanding of both what is possible and what is probable. The services and activities are tightly integrated with other Red Team activities to provide a complete environmental view of risk and exposure – and to prioritise the most urgent needs to address.

The new social engineering services include:

• Social engineering adversary emulation: Activities are flexible and crafted to each organisation’s unique context and environment, including logistics, user targeting/OSINT, pretext/payload development, and more. Then a multi-vector attack is simulated, including, email, enterprise chat, phone, and physical attack vectors to provide a more accurate assessment of exposure and resilience to a skilled adversary.
• Reporting of human vulnerabilities: In-depth, post engagement reporting demonstrably improves user awareness and security culture. Reports provide detailed breakdowns of attack narratives and actions, defensive performance, and results against target objectives. They also include a complete stakeholder walkthrough of findings and recommendations for program improvement.
• Security team “ride along”: Internal practitioners have the ability to observe and monitor the full attack process and effects as they play out – with the ability to adjust activities to make sure they are effective, but also sensitive to a proper workforce balance. This gives practitioners valuable insight into attacker methods to strengthen their own skills and knowledge.

“An attacker will look for and exploit any opportunity presented to them, and an endless amount of industry data and evidence underscores the rampant opportunity presented by a disparate and unsuspecting employee population,” said Trevin Edgeworth, Red Team practice lead at Bishop Fox.

“Red Teaming without a strong and comprehensive social engineering component leaves a massive blind spot and increases exposure for an organisation. Bishop Fox has seen a surge of more than 60% annually for its Red Team services over the past three years, indicating that organisations understand the value of an offensive mindset and perspective. Offering this new service is critical for us to answer the need and demonstrably improve organisational security posture,” Edgeworth concluded.