This curriculum spans the design, execution, and governance of social engineering assessments at the scale of an enterprise-wide, multi-phase red team program. It covers legal compliance, operational security, and organizational change management at a level of rigor comparable to an ongoing internal adversary simulation program.
Module 1: Defining the Scope and Boundaries of Social Engineering Assessments
- Determine whether phishing simulations will target all employees or be limited to specific departments based on risk profiles.
- Obtain signed engagement letters that explicitly exclude blackmail, coercion, or unauthorized data exfiltration.
- Define which communication channels (email, phone, SMS, social media) are in scope and document approval for each.
- Establish rules for pretexting depth, including whether impersonating executives or external vendors is permitted.
- Coordinate with legal counsel to ensure compliance with wiretapping and privacy laws in multi-jurisdictional environments.
- Document thresholds for aborting engagements if psychological distress or escalation to law enforcement is likely.
Module 2: Designing Realistic Attack Scenarios with Measurable Outcomes
- Select lures based on current organizational events (e.g., mergers, payroll changes) to increase pretext credibility.
- Develop tiered email templates that escalate from generic spam to spear-phishing with harvested employee data.
- Integrate time-based triggers, such as simulating urgent requests during peak workloads or vacation periods.
- Embed tracking mechanisms in payloads to log open rates, link clicks, and attachment executions, without collecting any data beyond those interaction events.
- Define success metrics per scenario, such as click-through rate versus credential submission rate.
- Map scenarios to MITRE ATT&CK techniques (e.g., T1566, T1614) for alignment with broader red team reporting.
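An added example (not part of the original curriculum) of the per-scenario metrics this module calls for: it turns a constructed campaign event log into a recipient-deduplicated funnel (sent, opened, clicked, submitted) plus the report rate, and tags each scenario with the ATT&CK technique the program assigned to it. Scenario names, recipient tokens, the event vocabulary and the scenario-to-technique map are all assumptions made for illustration.

```python
"""Per-scenario funnel metrics for a phishing simulation campaign (added example)."""
from collections import defaultdict

# Ordered funnel: reaching a later stage implies the earlier ones for that recipient,
# which matters because "opened" pixels are often blocked while the click still lands.
FUNNEL = ("sent", "opened", "clicked", "submitted")

# Constructed event log: (scenario, recipient token, event). Tokens are opaque ids
# issued by the assessment lead, never names or email addresses.
SAMPLE_EVENTS = [
    ("payroll-update", "r01", "sent"), ("payroll-update", "r01", "opened"),
    ("payroll-update", "r01", "clicked"), ("payroll-update", "r01", "submitted"),
    ("payroll-update", "r02", "sent"), ("payroll-update", "r02", "opened"),
    ("payroll-update", "r02", "reported"),
    ("payroll-update", "r03", "sent"), ("payroll-update", "r03", "clicked"),
    ("payroll-update", "r04", "sent"),
    ("it-alert", "r01", "sent"), ("it-alert", "r01", "opened"), ("it-alert", "r01", "reported"),
    ("it-alert", "r02", "sent"), ("it-alert", "r02", "clicked"), ("it-alert", "r02", "submitted"),
    ("it-alert", "r05", "sent"), ("it-alert", "r05", "reported"),
]

# Assumed mapping from scenario to the ATT&CK technique the page cites (T1566, Phishing).
SCENARIO_TECHNIQUE = {"payroll-update": "T1566", "it-alert": "T1566"}


def scenario_metrics(events, technique_map=SCENARIO_TECHNIQUE):
    """Return {scenario: metrics}, counting each recipient at most once per stage."""
    per_recipient = defaultdict(set)  # (scenario, recipient) -> set of observed events
    for scenario, recipient, event in events:
        per_recipient[(scenario, recipient)].add(event)

    counts = defaultdict(lambda: defaultdict(int))  # scenario -> stage -> recipients
    for (scenario, _recipient), observed in per_recipient.items():
        # Backfill: the deepest funnel stage reached implies every earlier stage.
        deepest = max((FUNNEL.index(e) for e in observed if e in FUNNEL), default=-1)
        for stage in FUNNEL[: deepest + 1]:
            counts[scenario][stage] += 1
        if "reported" in observed:
            counts[scenario]["reported"] += 1

    metrics = {}
    for scenario, c in counts.items():
        sent = c["sent"]
        if sent == 0:  # events without a matching send are a logging defect, not a result
            continue
        metrics[scenario] = {
            "technique": technique_map.get(scenario, "unmapped"),
            "sent": sent,
            "open_rate": c["opened"] / sent,
            "click_rate": c["clicked"] / sent,
            "submission_rate": c["submitted"] / sent,
            # Share of clickers who submitted: separates lure appeal from landing-page credibility.
            "submit_given_click": c["submitted"] / c["clicked"] if c["clicked"] else 0.0,
            # Reporting is the behaviour awareness programs actually want to grow.
            "report_rate": c["reported"] / sent,
        }
    return metrics


if __name__ == "__main__":
    for name, m in scenario_metrics(SAMPLE_EVENTS).items():
        print(name, m)
```

Keeping click rate and submission rate separate, as the module asks, is what makes the `submit_given_click` ratio meaningful: a scenario with a high click rate but low submission rate points at the lure, while the reverse points at the credential page.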
Module 3: Gaining and Managing Stakeholder Approvals
Module 4: Executing Phishing and Vishing Campaigns with Operational Security
- Use isolated infrastructure with non-attributable domains and IPs to prevent blacklisting of corporate assets.
- Rotate sender addresses and spoof display names in line with the agreed goals for email security bypass testing.
- Conduct vishing calls using VoIP numbers that mask geographic origin and avoid toll-free or traceable lines.
- Log call durations, the caller's assessed confidence level, and the information disclosed; do not record audio, so as to comply with privacy laws.
- Implement real-time monitoring to halt campaigns if phishing URLs are indexed by search engines.
- Ensure payload delivery mechanisms (e.g., macro-laden documents) do not trigger widespread EDR alerts that disrupt operations.
Module 5: Physical and Digital Pretexting Techniques
- Plan tailgating attempts during shift changes or high-traffic periods to exploit natural access patterns.
- Develop fake badges and uniforms consistent with facility service providers, avoiding known vendor designs.
- Use USB drops with autorun disabled but named to entice manual execution (e.g., "Q4-Bonus-Details.exe").
- Coordinate rogue Wi-Fi access points with SSIDs mimicking corporate or guest networks near public areas.
- Test helpdesk response to password reset requests using partial employee data to assess verification rigor.
- Measure dwell time for planted devices and track access to decoy files to assess insider monitoring effectiveness.
Module 6: Data Handling, Reporting, and Attribution Controls
- Aggregate results using pseudonymized identifiers to prevent linking individuals in reports without authorization.
- Store captured credentials in encrypted containers with time-limited access for assessment leads only.
- Exclude personally identifiable information from dashboards shared with department managers.
- Attribute successful compromises to roles or teams rather than individuals unless required for remediation.
- Generate executive summaries that emphasize systemic gaps over individual failures to support policy change.
- Define data retention periods and destruction procedures for logs, recordings, and test artifacts.
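An added example (not the curriculum's own tooling) of the data-handling controls in this module: raw results are pseudonymized with a keyed hash held by the assessment leads, aggregated to team level for manager dashboards, and teams too small to hide an individual are merged or withheld entirely; a small helper decides when an artifact has passed its retention period. The pepper, directory, result set, minimum group size and 90-day retention period are constructed placeholders.

```python
"""Pseudonymized, team-level reporting of phishing results (added example)."""
import hashlib
import hmac
from collections import defaultdict
from datetime import date, timedelta

# Constructed placeholder. In practice this secret lives only with the assessment
# leads; rotating it between programs breaks linkage of tokens across campaigns.
PEPPER = b"assessment-lead-secret-placeholder"

# Constructed directory (email -> team); stays inside the assessment team's store.
DIRECTORY = {
    "a.alpha@example.invalid": "finance",
    "b.beta@example.invalid": "finance",
    "c.gamma@example.invalid": "finance",
    "d.delta@example.invalid": "exec-assistants",
    "e.eps@example.invalid": "engineering",
    "f.zeta@example.invalid": "engineering",
    "g.eta@example.invalid": "engineering",
}

# Constructed raw results: (email, submitted credentials?)
RAW_RESULTS = [
    ("a.alpha@example.invalid", True),
    ("b.beta@example.invalid", False),
    ("c.gamma@example.invalid", True),
    ("d.delta@example.invalid", True),
    ("e.eps@example.invalid", False),
    ("f.zeta@example.invalid", False),
    ("g.eta@example.invalid", True),
]

MIN_GROUP = 3  # a rate over fewer people than this effectively names them


def pseudonymize(email, pepper=PEPPER):
    """Keyed hash: a plain SHA-256 of an email can be reversed by hashing the staff list."""
    return hmac.new(pepper, email.strip().lower().encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymized_records(results, directory=DIRECTORY, pepper=PEPPER):
    """Replace emails with tokens; this is the form kept for the retention period."""
    return [(pseudonymize(e, pepper), directory[e], submitted) for e, submitted in results]


def team_dashboard(records, min_group=MIN_GROUP):
    """Aggregate to team level with no PII; merge small teams, withhold them if still small."""
    totals = defaultdict(lambda: [0, 0])  # team -> [tested, submitted]
    for _token, team, submitted in records:
        totals[team][0] += 1
        totals[team][1] += int(submitted)
    merged = defaultdict(lambda: [0, 0])
    for team, (n, s) in totals.items():
        key = team if n >= min_group else "other"
        merged[key][0] += n
        merged[key][1] += s
    # If the merged remainder still identifies someone, publish nothing for it.
    if "other" in merged and merged["other"][0] < min_group:
        del merged["other"]
    return {t: {"tested": n, "submission_rate": s / n} for t, (n, s) in merged.items()}


def past_retention(created_iso, today_iso, retention_days=90):
    """True when an artifact created on created_iso is due for destruction."""
    age = date.fromisoformat(today_iso) - date.fromisoformat(created_iso)
    return age > timedelta(days=retention_days)


if __name__ == "__main__":
    print(team_dashboard(pseudonymized_records(RAW_RESULTS)))
```

The withholding step is the part practitioners most often miss: merging a one-person team into "other" does nothing if "other" still contains only that person, so the dashboard drops the bucket rather than leak a rate of 0% or 100% for a single employee.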
Module 7: Integrating Findings into Security Awareness and Controls
- Align training refresh cycles with campaign timelines to measure behavior change over consecutive tests.
- Customize follow-up training modules based on which lures were most effective (e.g., gift card scams, IT alerts).
- Recommend technical controls such as URL rewriting, attachment sandboxing, or call verification workflows.
- Advocate for role-based filtering rules for high-risk groups like finance or executive assistants.
- Propose adjustments to email gateway policies based on observed bypass techniques.
- Facilitate tabletop exercises using actual campaign data to improve incident response coordination.
Module 8: Maintaining Program Maturity and Avoiding Attack Pattern Saturation
- Rotate attack vectors quarterly to prevent employees from recognizing recurring templates or domains.
- Track historical campaign data to avoid repeating the same pretext within 12 months for the same group.
- Introduce novel delivery methods (e.g., QR code phishing, collaboration tool messages) as communication platforms evolve.
- Measure baseline improvement trends and adjust difficulty so that the failure rate does not fall below a minimum of 10–15%, keeping the exercise relevant.
- Conduct adversarial reviews of past campaigns to identify detection gaps in logging or monitoring tools.
- Update threat models annually to reflect changes in attacker TTPs observed in industry intelligence feeds.
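An added example (not part of the original curriculum) of the saturation controls in this module: given a constructed campaign history, it flags a planned campaign that would reuse a pretext for the same group within 12 months or repeat the group's most recent delivery vector, and compares the group's recent failure rates with the 10–15% floor the module sets. The history, group and pretext names, and the three-campaign window are assumptions; the recommendation labels are this example's own.

```python
"""Pretext-reuse and failure-rate band checks for campaign planning (added example)."""
from datetime import date, timedelta

# Constructed history, one record per past campaign. failure_rate is the share of
# tested recipients who took the unsafe action; dates are ISO strings.
HISTORY = [
    {"group": "finance", "vector": "email", "pretext": "payroll-update", "date": "2024-02-12", "failure_rate": 0.22},
    {"group": "finance", "vector": "sms", "pretext": "gift-card", "date": "2024-05-20", "failure_rate": 0.17},
    {"group": "finance", "vector": "email", "pretext": "it-alert", "date": "2024-08-14", "failure_rate": 0.12},
    {"group": "engineering", "vector": "email", "pretext": "payroll-update", "date": "2023-09-05", "failure_rate": 0.09},
]


def _as_date(iso):
    return date.fromisoformat(iso)


def pretext_conflicts(history, planned, today_iso, lookback_days=365):
    """Return the reasons a planned campaign would repeat recent history for its group."""
    reasons = []
    cutoff = _as_date(today_iso) - timedelta(days=lookback_days)
    same_group = [h for h in history if h["group"] == planned["group"]]
    for h in same_group:
        if h["pretext"] == planned["pretext"] and _as_date(h["date"]) >= cutoff:
            reasons.append(f"pretext '{h['pretext']}' already used on {h['date']}")
    # ISO date strings sort chronologically, so max() picks the latest campaign.
    latest = max(same_group, key=lambda h: h["date"], default=None)
    if latest is not None and latest["vector"] == planned["vector"]:
        reasons.append(f"vector '{latest['vector']}' was used in the most recent campaign ({latest['date']})")
    return reasons


def difficulty_adjustment(history, group, low=0.10, high=0.15, window=3):
    """Compare the mean of the group's last `window` failure rates with the target band."""
    ordered = sorted((h for h in history if h["group"] == group), key=lambda h: h["date"])
    rates = [h["failure_rate"] for h in ordered][-window:]
    if not rates:
        return "no-data"
    mean = sum(rates) / len(rates)
    if mean < low:
        return "raise-difficulty"   # lures are being recognised; results no longer discriminate
    if mean > high:
        return "remediate-first"    # the module sets a floor, not a ceiling: fix controls/training
    return "hold"


if __name__ == "__main__":
    plan = {"group": "finance", "vector": "email", "pretext": "payroll-update"}
    print(pretext_conflicts(HISTORY, plan, "2024-11-01"))
    print(difficulty_adjustment(HISTORY, "finance"))
```

Note the asymmetry in `difficulty_adjustment`: the module asks for a minimum failure rate, so falling below the band triggers harder scenarios, while exceeding it is treated as a finding for training and controls rather than a reason to make the lures easier.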