Thursday, Room 2, 13:40 - 14:40 (UTC+01)

Talk (60 min)

Social engineering pentesting: how it is done, and what you should think about

If we look at the US, we see that testing the human element is becoming more common in cyber security. In recent years, phishing exercises have increased in several organizations in Norway, and more and more people want to test the human element through physical pentests. In 2020, GoDaddy launched a phishing exercise targeting 500 employees, using a Christmas bonus as a lure. Those who failed the test were punished with an extra workload. This caught international media attention and raised the question: Is it morally sound to target people?

Over the years, pentesting humans with social engineering techniques has become increasingly important to many organizations, and rightfully so. While many focus on how a social engineering engagement is performed, fewer deal with the post-engagement process. How do we deal with the results of a social engineering engagement? How does a target feel afterward, knowing they have been duped, and who is helping them?

Taking care of those affected by social engineering engagements is pivotal in making an engagement a positive learning experience and avoiding negative outcomes. If the post-engagement process is poor and turns into a blame game, one could argue that the pentest itself was futile, as there would be no room for creating a learning environment.

A social engineering pentest puts humans to the test, not systems as in technical pentests. As a result, the people affected can feel they have failed as humans and not just failed professionally. Distress, psychological strain, and self-blame are just some of the consequences for a person who is not treated correctly in the aftermath of a pentest.

Together, we will take a deep dive into how a physical social engineering test is carried out by walking through a previous test, reviewing the tools that were used, and covering what you have to think about before and after a social engineering test.

When we want to test the human element, it is easy to make mistakes and end up with dissatisfied employees, or with a test whose results are not useful for the company. It is therefore important to evaluate what value the company wants from a social engineering test and to think about how it should be carried out.

This presentation seeks to highlight the possible pitfalls in handling the aftermath of social engineering engagements and explores various challenges, along with proposed solutions to problems that may arise. This will hopefully help companies make the right choices and ask the right questions before ordering a cyber security test of their employees.

Ragnhild "Bridget" Sageng

Ragnhild "Bridget" Sageng has several years of experience in the IT (Information Technology) industry, working with IT support, networking, and managing IT projects before moving into a career in pentesting and, further on, cyber security culture. She considers her IT experience a strength that helps her see the connections between systems and the people using them. Prior to her IT career, "Bridget" studied human psychology and healthcare, driven by her interest in understanding the human mind.

Due to her interest in both the human mind and IT security, "Bridget" specializes in social engineering and open-source intelligence (OSINT). In 2020, she won an international social engineering CTF hosted by Temple University. In 2021, "Bridget" became a Certified Social Engineering Pentest Professional (SEPP) and has since dedicated her focus to social engineering pentesting. Her hands-on experience with social engineering pentesting has prompted her to research further how to ethically handle the people affected by the tests. She has spoken on this topic at conferences such as Black Hat Europe and at the Social Engineering Community village at DEF CON, hoping to enlighten people and start a discussion on the topic within the industry.