Highlight the role of social engineering in offensive strategies. Discuss techniques like phishing, pretexting, and baiting, and how attackers exploit human psychology to gain unauthorized access. Share insights on training and awareness programs to bolster human defenses against such tactics.
AI Generated Summary
This CXO panel discussion at VULNCON 2025 explored “The Human Element: Social Engineering in Offensive Security.” Moderated by Divakar Prayaga, the panel featured Rex Pushparaj (Founder & CEO, Rex Cyber Solutions), Navdeep Aggarwal (Product Security Leader, GE Healthcare), and Anant Shrivastava (Founder & Chief Researcher, Cyfinoid Research).
Panelists
- Rex Pushparaj: Founder & CEO at Rex Cyber Solutions, with extensive experience in offensive security engagements and red teaming
- Navdeep Aggarwal: Product Security Leader at GE Healthcare, with 12-15 years of experience, including managing security for HR functions and healthcare security
- Anant Shrivastava: Founder & Chief Researcher at Cyfinoid Research, specializing in supply chain security, hacking, and development
- Divakar Prayaga (Moderator): Cyber Executive Leader, Startup Mentor & Advisor, background in building cyber defense centers
Key Themes
1. Real-World Social Engineering Attacks
- Supply chain rerouting attack: Adversaries compromised a supply chain company and rerouted an entire consignment intended for South Africa — they activated compromised accounts only during approval moments, then went dormant, making detection extremely difficult
- CCTV and Wi-Fi surveillance: In a Singapore case, attackers sat outside a company compound, accessed their Wi-Fi and CCTV cameras, observed keystrokes and OTP entries for over a month, resulting in $1 million in losses
- Modern social engineering connects people and infrastructure — attackers target both simultaneously rather than just one
2. Healthcare Industry Vulnerabilities
- Healthcare environments are uniquely vulnerable because the primary focus is always patient health — everyone in the ecosystem (patient, family, staff) is under stress and willing to share information without questioning
- Hospitals collect excessive data (Aadhaar, PAN, phone numbers) even for simple OPD visits, building databases that can be exploited
- Attackers can send phishing messages disguised as diagnostic reports via WhatsApp — since patients are already expecting reports, they click without hesitation
- Healthcare social engineering exploits the urgency and trust inherent in medical situations
3. Evolving Attacker Techniques
- Attackers adapt to newer systems faster than defenders — AI-generated profile pictures on Instagram, better-crafted phishing messages with no spelling mistakes or structural errors
- India-specific: Attackers compromise servers of legitimate organizations to use their alphanumeric SMS sender IDs and message templates, making phishing SMS appear authentic
- GitHub and VS Code supply chain attacks: Simply cloning a malicious repository or opening a VS Code project and trusting the author can lead to complete compromise — access to AWS credentials, home directories, and more
- Default corporate passwords (variations of “welcome@123”) remain unchanged for decades, making new employee impersonation trivially easy
4. Cultural Factors in Social Engineering
- India’s trust-based culture makes social engineering significantly more successful compared to other regions
- Indians tend to trust people more with data than with money — personal information is freely shared at photocopy shops, delivery services, etc.
- Saying “no” is culturally difficult — people need to understand that respecting privacy doesn’t mean distrusting the other person
- Contrast with European culture where individuals are far more guarded about sharing personal information
5. HR, Finance, and Sales as Primary Targets
- HR departments hold both PHI (Protected Health Information) and PI (Personal Information) — financial data of every employee including the CEO, and sometimes medical records
- Organizations invest in securing revenue-generating products but neglect protecting HR despite it holding the crown jewels
- HR’s role inherently demands receiving external communications — they cannot flag every external email as suspicious
- Sales teams have even fewer limitations — anyone can approach them as a customer, vendor, or partner
- Executive assistants (PAs) are high-value targets — they have access to C-suite banking details, transaction authority, and confidential conversations
6. CXO Targeting — The New Normal
- Five to seven years ago, reaching a CEO or CXO was extremely difficult
- Today, CXOs must be publicly presentable for brand identity — their information is readily available on LinkedIn, conference websites, and social media
- This makes them easy targets for social engineering, from fake conference invitations to impersonation attacks
7. Defensive Measures and Technology Solutions
- Behavioral pattern analysis: Profile normal user behavior over months — if an HR person opens PowerShell (abnormal behavior), the account gets locked automatically
- Outgoing connection firewalls: Tools like Little Snitch (Mac) or OpenSnitch (Linux) that alert users when an application makes unexpected external connections
- Maker-checker processes and role-based access control as outcomes of deliberate process mapping and categorization
- Anomaly detection helps identify when users deviate from expected behavior patterns
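As an added illustration of the behavioral-baseline idea above (example code written for this summary, not something the panel or any vendor presented): it learns which processes each user and each role normally runs from constructed sample events, then grades new events as ok, review or lock. All user names, roles and process lists are made up.

```python
# Added example: a minimal per-user / per-role process baseline with the
# "HR user opens PowerShell -> lock the account" rule from the panel discussion.
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample events: (user, role, process_name). The first list stands
# in for months of observed normal activity; the second is a new batch to grade.
BASELINE_EVENTS = [
    ("priya", "hr", "outlook.exe"), ("priya", "hr", "excel.exe"), ("priya", "hr", "chrome.exe"),
    ("ravi", "dev", "code.exe"), ("ravi", "dev", "powershell.exe"), ("ravi", "dev", "git.exe"),
]
NEW_EVENTS = [
    ("priya", "hr", "excel.exe"),
    ("priya", "hr", "powershell.exe"),   # never seen for this user or this role
    ("ravi", "dev", "powershell.exe"),   # routine for a developer
    ("asha", "hr", "outlook.exe"),       # unknown user, but usual for the role
]

def build_baseline(events):
    """Learn which processes each user, and each role, has been seen running."""
    per_user: Dict[str, Set[str]] = defaultdict(set)
    per_role: Dict[str, Set[str]] = defaultdict(set)
    for user, role, proc in events:
        per_user[user].add(proc)
        per_role[role].add(proc)
    return per_user, per_role

def classify(event, per_user, per_role) -> str:
    """Grade one new event.
    ok     : process already in this user's own history
    review : new for this user, but normal for peers in the same role
    lock   : unseen for both the user and the whole role (automatic lock)
    """
    user, role, proc = event
    if proc in per_user.get(user, set()):
        return "ok"
    if proc in per_role.get(role, set()):
        return "review"
    return "lock"

def evaluate(new_events, baseline_events=BASELINE_EVENTS) -> List[Tuple[str, str, str]]:
    """Return (user, process, verdict) for every new event."""
    per_user, per_role = build_baseline(baseline_events)
    return [(u, p, classify((u, r, p), per_user, per_role)) for u, r, p in new_events]

if __name__ == "__main__":
    for user, proc, verdict in evaluate(NEW_EVENTS):
        print(f"{user:6} {proc:16} -> {verdict}")
```

The role-level baseline is what keeps a new hire or a user with a thin history from being locked out for doing what their peers do every day.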
8. Rewarding Good Security Behavior
- Organizations should reward employees who spot phishing rather than only punishing those who fall for it
- Example: A point-based system where every valid phishing email reported earns one point, with quarterly scoreboards and tangible rewards (cash, goodies)
- This transforms phishing detection from a problem into an opportunity — employees become eager to spot suspicious emails
- Over time, over-reporters self-correct — similar to bug bounty hunters fine-tuning their approach to maximize reward for effort
9. Pretexting and Baiting Techniques
- Pretexting: Creating believable scenarios — e.g., posing as a job seeker sharing GitHub links to HR (doubly effective at organizations with referral bonuses, where employees are incentivized to engage)
- Baiting: Playing on emotions, particularly ego — criticizing someone’s work role or product to provoke a reaction; using dating scams (honey traps) where victims are lured to premium cafes and stuck with inflated bills
- Ego-based attacks are highly effective — when someone’s professional competence or work is questioned, defensive reactions override security awareness
10. Red Teaming Ethics and Boundaries
- Reconnaissance starts with privacy and cookie policies — these reveal an organization’s security maturity before any technical testing begins
- Full-privilege red teaming without consolidated scope definition is dangerous — organizations need to clearly define areas to be tested
- Red teamers operate in the defender’s playground — one mistake by an attacker or one alert defender can break the entire attack chain
11. Brand Monitoring vs. Offensive Security
- Large enterprises: Should invest in both red teaming and brand monitoring for comprehensive resilience testing
- Startups: Web-based brand monitoring tools are a more practical starting point; red teaming requires having security baselines in place first
- No red teaming firm offers insurance or 100% coverage guarantees — all reports include disclaimers about point-in-time assessment
12. Insider Threats and the CISO’s Role
- The case of a North Korean operative hired by a European company highlighted failures in background verification processes
- Insider threats are among the most severe ways to damage an organization — regardless of level, a malicious insider will make a dent
- CISO may not be directly responsible for a hiring failure, but is accountable for preparing the organization against insider threats
- Clear delineation between responsibility and accountability across the organization is essential
Key Takeaways
- Social engineering remains unsolved by technology — technologists have collectively failed to provide a technical solution to this fundamentally human problem
- Modern attackers connect people and infrastructure — targeting both simultaneously in highly targeted, patient operations
- Cultural awareness is critical — trust-based cultures are more susceptible, and awareness programs must address this at a grassroots level
- Role-specific security training is essential — generic compliance-driven training is ineffective; HR, developers, sales, and CXOs each face unique attack vectors
- Reward good security behavior — transform phishing detection from a burden into an incentive-driven activity
- Supply chain attacks through development tools (GitHub, VS Code) represent a growing and underappreciated threat vector
- Start with fundamentals — get baselines, policies, and role-based access right before investing in advanced red teaming
- The eighth layer of the OSI model is the human — and it remains the weakest link in the security chain
- Every organization must clearly define who is responsible and who is accountable for security outcomes
- One alert defender can break an entire attack chain — invest in making the human element the strongest link, not just acknowledging it as the weakest