Why personnel attacks are an important part of any penetration test

Many IT professionals associate personnel attacks with the simple act of phishing. Yes, phishing is a part of the personnel attack but there is so much more. Let me explain why.

I typically hear “I know my users are susceptible to phishing attacks so it would be a waste of time to test them” or “I’m starting a cybersecurity awareness program in the future and I want to wait until that’s in place before I do personnel attacks”. 

 If you ask IT professionals what is the biggest risk to their security, you’ll most likely get “users” as the answer. Phishing remains the number one way organizations are compromised so why would you want to leave out such an important part of a penetration test?

Phishing services have their place. Using the dentist as an analogy  - phishing services serve as the hygiene part and personnel attacks serve as the checkup. While the goal of a phishing exercise is to test users' susceptibility to providing credentials, the question becomes, what can be done with those credentials once obtained? 

With the Covid pandemic of 2020, IT departments were tasked with providing companies a remote workforce solution quickly. In doing so, the time and effort required to provide the same level of security that the typical onsite workplace had until the pandemic was largely overlooked in the interest of companies being able to ramp up the ability to keep users working remotely. In short, the established security practices in place for an onsite workforce had largely been moved to the outside of the network. 

In real world attacks, once a user’s credentials have been obtained, an attacker will try from the outside (externally) to obtain access to the internal network. If those credentials prove successful this could allow an attacker to gain a foothold in the internal network. From that point forward an attacker will attempt to move laterally inside the network, exploiting any weakness or overlooked configurations that will allow the potential to obtain domain admin privileges from an external perspective, which is the ultimate achievement of any attacker. This tactic also has the potential to defeat any monitoring or incident response in place as the activity often resembles a legitimate user. Since the onset of Covid,  penetration tests we have performed resulted in a high success rate in breaching networks externally from personnel attacks.

What does this all mean?  By overlooking personnel attacks during your penetration test you open yourself to a blind spot that could allow compromise of your network from an external perspective, potentially become susceptible to ransomware, malware or have your harvested user  credentials sold on the dark web. If you are still not in the position to have personnel attacks performed on a company wide basis during a penetration test, consider performing an exercise where you provide credentials that would mimic a compromised user. This way you at least know what your security risks are from this type of attack.