Social Engineering Penetration Testing – Part I (Attack Cycle)
Social Engineering – Attack Cycle
Attack vectors are determined by the information gathered. Information about the target/victim can be inferred and assembled for several purposes: to derive potential and probable passwords, to catalog and distinguish likely responses from multiple individuals, to cultivate and refine goals, to develop relationships and become familiar and accessible to the target, and to formulate strong pretense(s).
Stabilize Rapport and Alliance
In this phase, a strong working association is established with the victim/target. The association built during this stage becomes the foundation for the attacker to leverage personal/professional information from the target. The amount of information the attacker can use to advantage is directly proportional to the quality of the alliance built. This determines to what extent the target/victim will collaborate with the attacker in achieving his/her ultimate goal.
With the information collected during the first 2 phases, and by utilizing the relationships developed, the attacker deliberately invades the target/victim. The attacker carefully sustains the association without raising any doubt, and then exploits the victim through the knowledge acquired or the access conferred.
Successful execution and the end objective(s) are achieved in this phase, and most commonly the attacker carries out his/her malicious intent without raising any immediate suspicion. It might take days or months; sometimes the target/victim may not even realize that they have been exploited by the so-called ally and that their personal or professional information is in jeopardy. Usually, attackers try their best to eliminate their digital footprints, tie up all the loose ends, and leave the target/victim with the impression that they were a well-wisher, which allows them to exploit the victim again when needed. A well-laid, successfully executed clean exit with zero trails is the ultimate goal and the culmination of the attack.