Training Security Professionals in Social Engineering with OSINT and Sieve

• Main Author: Meyers, Jared James
• Format: Others
• Published: BYU ScholarsArchive 2018
• Subjects: social engineering; open source intelligence; ethics; IEEE; ACM; red team; cyber kill chain; cyber security; Science and Technology Studies
• Online Access: https://scholarsarchive.byu.edu/etd/6863; https://scholarsarchive.byu.edu/cgi/viewcontent.cgi?article=7863&context=etd

This research attempts to create a novel process, Social Engineering Vulnerability Evaluation, SiEVE, to use open source data and open source intelligence (OSINT) to perform efficient and effectiveness spear phishing attacks. It is designed for use by "œred teams" and students learning to conduct a penetration test of an organization, using the vector of their workforce. The SiEVE process includes the stages of identifying targets, profiling the targets, and creating spear phishing attacks for the targets. The contributions of this research include the following: (1) The SiEVE process itself was developed using an iterative process to identify and fix initial shortcomings; (2) Each stage of the final version of the SiEVE process was evaluated in an experiment that compared performance of students using SiEVE against performance of those not using SiEVE in order to test effectiveness of the SiEVE process in a learning environment; Specifically, the study showed that those using the SiEVE process (a) did not identify more targets, (b) did identify more information about targets, and (c) did lead to more effective spear phishing attacks. The findings, limitations, and future work are discussed in order to provide next steps in developing formalized processes for red teams and students learning penetration testing.