Vishing Drill
Service Overview
This drill uses voice-based (telephone call) social engineering techniques to elicit information about your organization’s computer systems and to influence human action, testing your organization’s human resistance against vishing threats.
Service Methodology
Pre-Engagement
The rules of engagement for testing are established during staging and initial sessions. Topics to be discussed include the following:
- Goals and objectives for the test
- Definition of scope and validation of targets
- Rules of engagement, levels of effort, and risk acceptance
- Timelines and schedules for the test
- Requirements, timelines, and milestones for reporting
- Key personnel, roles and responsibilities, and emergency planning
- Tools and techniques
After completion of all staging tasks and the initial meeting, Secureworks will send a confirmation email to ensure agreement on the above-listed items. Secureworks will assume that all targets provided are English speakers. However, the Adversary Group has multiple bilingual consultants; please get in touch if other languages are required.
Scenario Development
Secureworks will tailor the Engagement to align with Customer's needs, developing customized scenarios from a set of standard scenarios or a custom vishing pretext. In a typical scenario, Secureworks will impersonate internal staff (or a third party if appropriate), calling target users (as provided by Customer) to entice them to provide sensitive information and perform actions that circumvent Customer's cybersecurity controls and awareness training efforts. For all engagements, Secureworks works with customers to develop appropriate scenarios and test delivery mechanisms to ensure accurate execution.
Execution
Secureworks will initiate calls with target users and perform the scenarios developed. Secureworks will attempt to contact each target user a maximum of three times. Unreachable target users will be specified in the final report. All interactions with the target users will be documented in the final report. To increase the credibility of vishing calls, third-party tools enabling phone number cloning may be used.
Reporting
Secureworks will perform a thorough review and analysis of data and information that was collected during the Engagement, and will produce and deliver to Customer a final report that includes the following:
- Executive summary and recommendations
- Scenarios used
- Interactions with target users, including timestamps, names, results, and dialogs
- Pass/fail percentage for the entire Engagement
Scoping Information
Scope | Description |
---|---|
Vishing - Small | Up to 20 targets; up to 2 pretexts (one pretext will be used per target) |
Vishing - Medium | Up to 50 targets; up to 3 pretexts (one pretext will be used per target) |