
Professional Services and Product Brochure

Prepared for Public Distribution

Physical Penetration Services

Physical penetration testing aims to highlight the areas of an organisation that a malicious attacker could target. A combination of telephone scams, phishing emails and login credential harvesting is used to discover weaknesses in an existing security policy or in the day-to-day operation of a business. This information is later used in person to gain access, replicating a real physical attack on your building.

The assessment discovers these gaps before a criminal can exploit them. An experienced, trained consultant combines attack vectors into a tailored attack, based on the defined scope of works, that culminates in an assessment conducted inside your organisation.

Different scenarios can be created to test access to a secure area, to test the effectiveness of security or to analyse your organisation's resilience to terrorism. Typical penetration tests include:

• Gaining access to a private section of a high street bank and planting small remote access tools.
• Bypassing traffic security to park an unchecked car at a security-sensitive event.
• Gaining access to a company's head office, accessing workstations and planting remote audio/video equipment.

CTF – Capture The Flag Style Engagements

"Object Orientated Penetration testing is the way forward"

Companies can assign a 'flag', or target, within their organisation and our social engineering assessment will try to gain access to it. The client specifies what kinds of attack are in scope and has the option to exclude potentially damaging activities such as lock picking or direct employee interaction.

This style of testing works well if you are concerned about someone gaining access to a sensitive area, a specific computer or something of financial value.

• You're always in control – potential concerns are discussed and defined at the scoping stage.
• Define an area, computer, task, person or building – the list is endless!
• Complex scenarios are used, with prior planning and knowledge of your organisation.
• Ideal for measuring counter-terrorism security controls.

Consultant Led Red Team Engagement

A team of two or more consultants will physically try to gain access to your building, office or place of interest. On-site physical access is tested using methods agreed with you. Lock picking, wireless network attacks, tailgating, impersonation and complex scenarios may be used as agreed.

• Pretexting, elicitation, diversion theft and complex fraud strategies are used.
• Replicated staff identification.
• On-site access systems tested.
• Rogue network access – can we plant a dropbox, can we exfiltrate data?
• Removal of assets.

Where this differs dramatically from CTF style engagements is that a red team engagement actively looks for weaknesses. We are not told what to look for; we tell you what we can do.

No two assessments are the same and our priority is meeting the requirements of our clients. You will be in total control at every step of this offensive testing method. We know how to do this without error or disturbance to your working environment. We normally attend your building dressed in formal wear – not military camouflage!

Company Reconnaissance

'Recon' is normally the first stage of a complex targeted attack: it is used to gain knowledge of your business, gathering as much information as possible in order to exploit weaknesses in security. This assessment analyses your company in the same way, so that we can identify areas of concern and advise on realistic defensive measures. We do this by covering basic details such as company location and publicly available financial information, and by monitoring staff social media to discover 'ghost' staff and people posing as staff in the wild. This information can then be used to gain access to buildings or financial controls, or to commit a further act. In the assessment scenario, reconnaissance is vital to support realistic phishing simulations and physical penetration testing.

At The AntiSocial Engineer we use methods such as OSINT (Open Source Intelligence), on-site inspection, enhanced due diligence and corporate monitoring to gather the maximum amount of information. To see how this testing might look for your organisation, please review our blog posts on this topic:

Bask in the glory of the bin
Everybody on the floor, this is a data breach

OSINT - Open Source Intelligence

Social engineers can discover details such as company location, supplier information, document metadata, staff lists, email addresses, internal security measures and staff identification. We go further and develop unique data sets: we hunt through paper records, we use publicly obtainable paywalled data sets and we monitor your company over time to build up a portfolio of information. Attackers work slowly to compile useful information, and in the same way we work to understand everything there is to know about the target company.
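One concrete way a staff list and a single email address combine into something more useful is shown below. This is an added illustration, not code from The AntiSocial Engineer's toolset: given names scraped from a public staff page and one address seen in document metadata, it infers the organisation's address convention and applies it to every name. The names, the domain and the observed address are constructed placeholders.

```python
import re

# Constructed sample data for this example (not from the brochure): names
# taken from a public staff list, plus one address observed in document
# metadata. The domain and names are placeholders.
STAFF_LIST = ["Alice Smith", "Bob Jones", "Carol Ann White", "Dan O'Brien"]
OBSERVED_ADDRESS = "a.smith@example.com"

# Common corporate local-part conventions, keyed by a descriptive name.
PATTERNS = {
    "first.last": lambda f, l: f"{f}.{l}",
    "first_last": lambda f, l: f"{f}_{l}",
    "firstlast":  lambda f, l: f"{f}{l}",
    "f.last":     lambda f, l: f"{f[0]}.{l}",
    "flast":      lambda f, l: f"{f[0]}{l}",
    "first.l":    lambda f, l: f"{f}.{l[0]}",
    "lastf":      lambda f, l: f"{l}{f[0]}",
    "first":      lambda f, l: f,
}


def split_name(full_name):
    """Return (first, last) lower-cased with non-letters stripped.
    Middle names are ignored; "Dan O'Brien" becomes ('dan', 'obrien')."""
    parts = full_name.lower().split()
    clean = lambda s: re.sub(r"[^a-z]", "", s)
    return clean(parts[0]), clean(parts[-1])


def infer_pattern(observed, staff):
    """Find which convention, applied to any staff name, reproduces the
    observed address. Returns (pattern_name, domain) or (None, domain)."""
    local, domain = observed.lower().split("@", 1)
    for pattern_name, build in PATTERNS.items():
        for name in staff:
            if build(*split_name(name)) == local:
                return pattern_name, domain
    return None, domain


def generate_candidates(staff, pattern_name, domain):
    """Apply the inferred convention to every name on the staff list."""
    build = PATTERNS[pattern_name]
    return sorted({f"{build(*split_name(n))}@{domain}" for n in staff})


def demo():
    """Infer the convention from the one observed address, then expand it."""
    pattern, domain = infer_pattern(OBSERVED_ADDRESS, STAFF_LIST)
    if pattern is None:
        return []
    return generate_candidates(STAFF_LIST, pattern, domain)


if __name__ == "__main__":
    for address in demo():
        print(address)
```

The generated addresses are candidates, not confirmed accounts: in a real engagement they would be verified (for example against the mail server's response behaviour, within the agreed scope) before being used in a phishing or SMShing pretext.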

On Site Inspection

Physically being on site gives us a much richer supply of information: suppliers and clients can be noted visiting, vehicle registrations can be observed and physical access controls can be investigated. On-site inspections are normally carried out before penetration testing, because the information gathered can then be used in full, contributing to Realistic Phishing Simulations and On-Site Physical Penetration Testing.

Enhanced Due Diligence and Corporate Monitoring

Our enhanced due diligence and corporate monitoring gives us access to over 600 million global records, covering:
• Proprietary information on one million Politically Exposed Persons (PEPs), including adverse media data
• Proprietary sanctions data, updated every 30 minutes
• Over four million records on high-risk individuals and organisations, growing by 25-40k profiles per month
• Corporate registry data
• ID data

This gives us the ability to:
• Monitor the 'dark web' for employee credentials being offered for sale
• Compile detailed portfolios of company information – your own business, a competitor or a due diligence target
• Monitor and alert when key staff members are discussed online
• Screen potential business partners for fraudulent transactions

Telephone Attacks

Social engineers will frequently target people verbally over the phone. This faceless exchange can be the perfect way to obtain information or to instruct an employee to do something. Testing and training your organisation will not only stop social engineering from causing harm, it will harden all aspects of your telephony. Telephone attacks, or 'vishing' calls, are just one of the ways people will look to exploit your organisation; increasingly, mobile phones are being targeted with 'SMShing'. The assessment report we provide can be used to highlight training effectiveness and to monitor your company's procedures, giving you the advantage in a real-life attack.

The AntiSocial Engineer has pioneered work in the field of telephone attacks, including SMShing. We invite you to look at our blog posts covering these forms of testing in depth:

Sim Swap Fraud – Porting your digital life in minutes
Introducing SMShing Assessments
iMessage Preview Problems
Abusing automated call handlers

Vishing

Our vishing assessments focus on human interaction, which can be combined with other technical methods to really engage the employee in a well-constructed pretext. With the added layer of reassurance that comes from talking to a real person, an employee is more likely to comply with the demands of an attacker and provide the crucial details needed for information gathering. Undergoing this assessment gives you the ability to test the effectiveness of staff training and to see clearly what kind of information is obtainable over the phone. These assessments prove most useful when used in conjunction with other kinds of social engineering assessment, such as on-site Physical Penetration Testing or Realistic Phishing Simulations.

War-Dialing / Phreaking

War-dialing is the technique of using a program to automatically dial a list of telephone numbers, usually every number in a block or local area code, to search for computers, bulletin board systems and fax machines. This is normally a technical issue that staff awareness won't help with. Large companies often use blocks of consecutive phone numbers: if, for example, 0300 111111 and 0300 111130 are both revealed, we can start to look at the numbers in between. Normally fax machines are revealed, along with the telephone numbers of different departments.

Using tools designed for this purpose, we record and analyse the response to each call, feeding the lines answered by a person into further manual vishing campaigns.
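The block-expansion step described above, as an added example that is not the brochure's own tooling: from the two publicly seen numbers it derives the candidate range, keeps only numbers inside a block the client has confirmed owning (a range inferred from two numbers may include lines that belong to another organisation), and sorts a dialler's results into technical findings and vishing targets. The approved block and the results CSV are constructed for the example; nothing is dialled.

```python
import csv
import io
import re

# Constructed sample: two numbers found in public material (the brochure's
# own 0300 example) and an assumed client-approved block. The results are a
# made-up war-dialer CSV; no real numbers were dialled.
KNOWN_NUMBERS = ["0300 111111", "0300 111130"]
APPROVED_BLOCKS = [("0300111100", "0300111199")]  # assumption: agreed at scoping

SAMPLE_RESULTS = """\
number,result
0300111111,voice
0300111112,fax
0300111113,no_answer
0300111117,modem
0300111120,voice
0300111125,ivr
0300111130,voice
"""


def digits(number):
    """Strip spaces and punctuation so numbers compare as digit strings."""
    return re.sub(r"\D", "", number)


def infer_range(known):
    """Lowest and highest known number, as equal-width digit strings."""
    d = sorted(digits(n) for n in known)
    if len({len(x) for x in d}) != 1:
        raise ValueError("known numbers differ in length; not one block")
    return d[0], d[-1]


def expand_range(lo, hi):
    """Every number between lo and hi inclusive, preserving leading zeros."""
    width = len(lo)
    return [str(n).zfill(width) for n in range(int(lo), int(hi) + 1)]


def in_scope(number, blocks):
    """Only dial numbers the client has confirmed it owns."""
    return any(int(lo) <= int(number) <= int(hi) for lo, hi in blocks)


def build_dial_list(known, blocks):
    """Return (numbers to dial, numbers held back for client review)."""
    lo, hi = infer_range(known)
    candidates = expand_range(lo, hi)
    dial = [n for n in candidates if in_scope(n, blocks)]
    held = [n for n in candidates if not in_scope(n, blocks)]
    return dial, held


def summarise(results_csv):
    """Group dialler results by outcome for the report."""
    groups = {}
    for row in csv.DictReader(io.StringIO(results_csv)):
        groups.setdefault(row["result"], []).append(row["number"])
    return groups


def vishing_targets(groups):
    """Lines answered by a person or an IVR feed the manual vishing stage;
    fax and modem lines are technical findings instead."""
    return sorted(groups.get("voice", []) + groups.get("ivr", []))


if __name__ == "__main__":
    dial, held = build_dial_list(KNOWN_NUMBERS, APPROVED_BLOCKS)
    print(f"{len(dial)} numbers to dial, {len(held)} held for review")
    print("vishing targets:", vishing_targets(summarise(SAMPLE_RESULTS)))
```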

SMShing

SMShing is a common attack method used in the wild to target companies, sending targeted text messages to staff mobile phones. These messages can be generic or a more focused 'spear' type message, depending on how much information the attacker already has.

The sender ID of an SMS can be set to a custom name, resulting in an alarming situation where any message can be made to appear to come from colleagues, managers, company names or network providers – the list of possibilities is endless.

In a real-life SMS attack a click-through link is usually provided in the message, which can give those with malicious intent browser and device information, IP addresses and locations. If you are then directed to a portal, passwords can also be obtained. A pop-up box can also be presented on your mobile to request your iCloud password.

Very few businesses include SMShing assessments in their testing habits, yet they would be hugely beneficial to any company wanting to defend against these attacks and to identify vulnerabilities and staff training needs.

The AntiSocial Engineer has pioneered SMShing assessments. We invite you to look at our blog posts covering these forms of testing in depth:

Introducing SMShing Assessments
iMessage Preview Problems

We are the only company in the UK to offer a full SMShing campaign: by combining consultant-managed campaigns with our carrier-level contacts we can offer you a truly unique service.

Product benefits:
• Bulk text messages can be sent – covering 1 member of staff to 1 million.
• Custom sender ID – we can mask the sender with a custom name or number.
• Full data analytics – every text message traced, every click and time saved.
• Guide users to reply with information, to click a link or even to navigate to a custom login portal that will harvest credentials, right from their mobile phone in seconds.
• Secure data – your staff data is in good hands every step of the way. We work directly with the nation's safest SMS centres and have a face-to-face data transfer procedure.

Every assessment is completed with a report detailing all information, including: delivery confirmation (delivered/pending/failed), the times and dates when text messages were sent and delivered, country locations, a breakdown of technical data and full remediation recommendations. This SMShing assessment report can be used to highlight training effectiveness and to monitor your company's procedures, giving you the advantage in a real-life attack.
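The per-message tracing and click analytics described on this page need a link that identifies the recipient without exposing their number, and that cannot be guessed or counted up to find other recipients' links. The following is an added example of one way to do that, not The AntiSocial Engineer's platform code: each link carries a per-campaign HMAC of the recipient's internal ID, and an access log from the tracking host is parsed to attribute clicks and compute the click rate. The base URL, log line layout, recipient IDs and log lines are all constructed assumptions.

```python
import base64
import hashlib
import hmac
import re
import secrets


class Campaign:
    """Per-recipient click tracking. The token is an HMAC of the recipient's
    internal ID under a per-campaign key, so the link carries no phone
    number or name and tokens cannot be enumerated."""

    def __init__(self, name, base_url, key=None):
        self.name = name
        self.base_url = base_url.rstrip("/")
        self.key = key or secrets.token_bytes(32)
        self.recipients = {}   # token -> recipient id

    def token_for(self, recipient_id):
        msg = f"{self.name}:{recipient_id}".encode()
        mac = hmac.new(self.key, msg, hashlib.sha256).digest()
        token = base64.urlsafe_b64encode(mac[:12]).decode().rstrip("=")
        self.recipients[token] = recipient_id
        return token

    def link_for(self, recipient_id):
        return f"{self.base_url}/t/{self.token_for(recipient_id)}"

    def attribute(self, token):
        return self.recipients.get(token)


# Assumed access-log layout of the tracking host: ISO timestamp, client IP,
# quoted request line, quoted user agent.
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) "GET /t/(?P<token>[A-Za-z0-9_-]+)[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_clicks(campaign, log_text):
    """Attribute each hit to a recipient. Unknown tokens are kept separately:
    they indicate scanning or a link forwarded outside the campaign."""
    clicks, unknown = [], []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        who = campaign.attribute(m["token"])
        rec = {"recipient": who, "ip": m["ip"], "ua": m["ua"], "ts": m["ts"]}
        (clicks if who else unknown).append(rec)
    return clicks, unknown


def click_rate(campaign, clicks):
    """(distinct recipients who clicked, recipients messaged, ratio)."""
    sent = len(set(campaign.recipients.values()))
    clicked = {c["recipient"] for c in clicks}
    return len(clicked), sent, (len(clicked) / sent if sent else 0.0)


def demo():
    """Fixed key so the run is reproducible; real campaigns use a random one."""
    camp = Campaign("q1-smishing", "https://portal.example", key=b"\x01" * 32)
    staff = ["emp-001", "emp-002", "emp-003"]
    links = {s: camp.link_for(s) for s in staff}
    t1, t2 = (links[s].rsplit("/", 1)[1] for s in ("emp-001", "emp-002"))
    # Constructed log lines: one recipient clicks twice, one once, one never,
    # plus a guessed token. IPs are documentation ranges.
    ua_ios = "Mozilla/5.0 (iPhone; CPU iPhone OS 17_2 like Mac OS X)"
    log = "\n".join([
        f'2024-03-01T09:14:02Z 203.0.113.7 "GET /t/{t1} HTTP/1.1" "{ua_ios}"',
        f'2024-03-01T09:15:40Z 203.0.113.7 "GET /t/{t1} HTTP/1.1" "{ua_ios}"',
        f'2024-03-01T09:20:11Z 198.51.100.9 "GET /t/{t2} HTTP/1.1" "Mozilla/5.0 (Linux; Android 14)"',
        '2024-03-01T10:02:55Z 192.0.2.44 "GET /t/AAAAAAAAAAAAAAAA HTTP/1.1" "curl/8.4.0"',
    ])
    clicks, unknown = parse_clicks(camp, log)
    return click_rate(camp, clicks), len(unknown)


if __name__ == "__main__":
    (clicked, sent, rate), unknown = demo()
    print(f"{clicked}/{sent} recipients clicked ({rate:.0%}); {unknown} unknown token(s)")
```

The token-to-recipient map is the sensitive artefact here: it is what links a click to a named member of staff, so it belongs with the rest of the staff data under the same handling procedure, not in the web tier.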

Phishing Campaigns and PaaS

Phishing is the act of sending an email designed to exploit someone. It can be a simple email designed to provoke a response, or it can be more complex, guiding people to malicious login portals that capture credentials or distribute malware. All it can take is one click on a link, or the disclosure of one set of valid employee credentials, to bring an organisation into crisis.

The AntiSocial Engineer will baseline an organisation, giving you analytics on just how resilient your company is to phishing attacks. The statistics revealed by this kind of testing can be aligned with targeted training within the organisation. We work with you to provide every aspect of a phishing campaign; we test aggressively, but you are in control!

Blog posts covering some insightful phishing information:

How to nearly buy Google.com for £8

Realistic Simulated Phishing Attack

Assessing who is susceptible to these techniques, and who requires training, can be managed over a period of time in a simulation of a real phishing attack campaign. Full real-time analytics are used within our assessments to report which users have logged on to a cloned portal or clicked on a link inside an email. Our consultant-led phishing campaigns are renowned for their impact analysis.

Product benefits:

• Externally facing login portals cloned

• Credentials harvested and reported on

• Several levels of Phishing email simulations.

• Can be combined with other kinds of Social Engineering assessments.

• A focus on user training and staff induction programs.

• Increased training available to VIP and key personnel within an organisation

We can also adapt our testing style to focus on click rate statistics and employee benchmarking. A real attack is significantly different from user testing, so it is essential to gather further information before commissioning work.

PaaS - Phishing as a Service

PaaS brings a high-quality phishing service to your business and can be scaled out in plans suitable for your testing needs. A one-off setup fee is charged per organisation, per year, after which unlimited phishing assessments can be conducted free of charge on a DIY basis.

Unlike our consultant-led Realistic Simulated Phishing Attacks, PaaS is a semi-DIY solution offering you the chance to meaningfully test your staff on a regular, cost-efficient basis.

• Full phishing portal setup
• Unlimited* phishing emails (fair use applied: <250,000 P/A)
• Includes 5 company-bespoke designs for phishing emails
• Includes 3 company-bespoke phishing portals
• Individual VPS that has been hardened and is regularly tested
• Full documentation and support
• 3 domain names of your choice (not exceeding £50 P/A)

Incident Management

The perception of a breach can be very different, especially from an outsider looking in. Our incident response team can provide a confidential and objective view of an incident, with advice and guidance on the best way to analyse and respond to a breach so as to protect the organisation and the individuals involved. The AntiSocial Engineer can help smooth these troubles and even make it a positive experience for your customers. With experience of working closely with organisations in times of need, we can offer more than advice: we can be there on hand during the toughest times.

Let us help you when you need help the most.
● Analysis of phishing emails
● Post-breach advice and incident response
● Piecing together a phishing campaign from recorded data to see the impact it has had
● Media and press release guidance
● Negative media suppression

We can also advise on breach reporting, ensuring a breach event doesn't become a media spectacle. Your customers deserve to know – we will ensure this is done right. Contact us, and don't 'TalkTalk' your data breach, as seen in the blog posts below:

Social Engineering & TalkTalk
TalkTalk, one year later
Sage UK Payroll Data Breach
How to Handle A Data Breach
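The phishing description earlier in this brochure and the "Analysis of phishing emails" service above both turn on the same checks an analyst makes first: do the Reply-To and Return-Path belong to the sender's domain, and does each link go where its visible text says it goes. The following is an added example of those checks (not The AntiSocial Engineer's own analysis tooling) over a constructed sample message that uses documentation domains and IP ranges; the finding codes are this example's own.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (documentation domains and IPs), not a real
# phish received by anyone.
SAMPLE_EML = """\
From: IT Helpdesk <helpdesk@example.com>
Reply-To: helpdesk@example-support.co
Return-Path: <bounce@mailer.example-support.co>
To: alice@example.com
Subject: Password expiry notice
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your password expires today. Sign in to keep access:</p>
<p><a href="http://198.51.100.23/owa/login">https://mail.example.com/owa</a></p>
<p>Or use the portal: <a href="https://xn--exmple-cua.com/login">example.com</a></p>
</body></html>
"""

IP_LITERAL = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
# Visible anchor text that itself looks like a URL or bare hostname.
LOOKS_LIKE_HOST = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/:].*)?$", re.I)


class _Anchors(HTMLParser):
    """Collect (href, visible text) for every <a> in the HTML body."""
    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def _same_org(host, base):
    return host == base or host.endswith("." + base)


def _domain_of(header_value):
    return parseaddr(str(header_value))[1].rsplit("@", 1)[-1].lower()


def analyse(raw):
    """Return a list of (code, detail) findings for a raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    from_dom = _domain_of(msg["From"])
    for hdr in ("Reply-To", "Return-Path"):
        if msg[hdr]:
            dom = _domain_of(msg[hdr])
            if not _same_org(dom, from_dom):
                findings.append(("header-mismatch", f"{hdr} is {dom}, From is {from_dom}"))

    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return findings
    parser = _Anchors()
    parser.feed(body.get_content())

    for href, text in parser.anchors:
        url = urlparse(href)
        host = (url.hostname or "").lower()
        if url.scheme == "http":
            findings.append(("plain-http", href))
        if IP_LITERAL.match(host):
            findings.append(("ip-literal-host", href))
        if any(label.startswith("xn--") for label in host.split(".")):
            findings.append(("punycode-host", href))
        shown = LOOKS_LIKE_HOST.match(text)
        if shown and shown.group(1).lower() != host:
            findings.append(("display-mismatch", f"shows {shown.group(1)}, goes to {host}"))
    return findings


if __name__ == "__main__":
    for code, detail in analyse(SAMPLE_EML):
        print(f"{code:17} {detail}")
```

None of these findings proves a message is malicious on its own (mailing-list services legitimately set a different Return-Path, for instance), which is why the brochure pairs the analysis with the recorded campaign data rather than relying on header heuristics alone.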

Consultancy

Our consultancy provides support and information to enable your business to adopt new and improved security measures. The AntiSocial Engineer Limited can offer specialised consultancy services and report on events that are affecting your organisation; using our knowledge can decrease the likelihood of a data breach or financial loss.

Our consultancy service can profile the attackers, analyse their motives and gain a greater understanding of the attack. This can then be used to focus ongoing work. Our consultants can share the knowledge gained from driving change within large FTSE companies.

Vulnerability Scanning, Web App Testing

Vulnerability Scanning

An important part of defending your organisation is keeping up to date with new vulnerabilities. To keep you at the forefront of this constantly changing landscape, The AntiSocial Engineer Limited can help you gain a clearer picture of your organisation's weaknesses through regular vulnerability scanning. Monthly reports can be prepared and delivered securely, giving you a much-needed overview. Manual verification of every fault discovered eliminates false positives and avoids unneeded concern, fear, uncertainty and doubt: if we email you at 3am, you can be confident that further action is warranted. Our vulnerability scanning can include OSINT reconnaissance to search for your registered IP addresses and domains; we combine this data into your scope for you to review.
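Combining OSINT finds into a scan scope is where authorisation matters most: an address or hostname that reconnaissance attributes to the client is not necessarily one the client owns or has agreed to have scanned. The following is an added example (not The AntiSocial Engineer's scanning platform) of the merge-and-review step: discovered assets are deduplicated, matched against the networks and domains approved at scoping, and anything outside that scope is held back for the client to review. The scope, the discovered assets and their sources are constructed; addresses are documentation ranges.

```python
import ipaddress

# Constructed data: the client-approved scope from the scoping call and the
# assets an OSINT pass turned up, each with the source that produced it.
APPROVED_SCOPE = {
    "networks": ["203.0.113.0/24", "2001:db8::/32"],
    "domains": ["example.com"],
}
DISCOVERED = [
    ("203.0.113.10", "dns"), ("203.0.113.10", "certificate-transparency"),
    ("198.51.100.5", "dns"), ("www.example.com", "search"),
    ("mail.example.com", "mx-record"), ("example.com.evil.test", "search"),
    ("2001:db8::1", "dns"), ("EXAMPLE.COM", "whois"),
]


def _is_ip(asset):
    try:
        ipaddress.ip_address(asset)
        return True
    except ValueError:
        return False


def in_scope(asset, scope):
    """IPs must fall inside an approved network; hostnames must equal an
    approved domain or be a proper subdomain of one. A plain substring
    check would wrongly accept example.com.evil.test."""
    asset = asset.strip().lower()
    if _is_ip(asset):
        ip = ipaddress.ip_address(asset)
        return any(ip in ipaddress.ip_network(n, strict=False)
                   for n in scope["networks"])
    return any(asset == d or asset.endswith("." + d) for d in scope["domains"])


def build_scan_scope(discovered, scope):
    """Deduplicate OSINT finds (keeping every source that reported each one)
    and split them into targets we may scan and assets needing client review."""
    seen, targets, review = {}, [], []
    for asset, source in discovered:
        seen.setdefault(asset.strip().lower(), set()).add(source)
    for key in sorted(seen):
        entry = {"asset": key, "sources": sorted(seen[key])}
        (targets if in_scope(key, scope) else review).append(entry)
    return targets, review


if __name__ == "__main__":
    targets, review = build_scan_scope(DISCOVERED, APPROVED_SCOPE)
    print("scan targets:", [t["asset"] for t in targets])
    print("for client review:", [r["asset"] for r in review])
```

Nothing in the review list is scanned until the client confirms ownership and adds it to the agreed scope; that confirmation, not the reconnaissance, is what authorises the scan.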

Web Application Testing

Our service is delivered by world-class security consultants and provides you with a thorough analysis of your entire network from an attacker's perspective. Tests are carried out from both the authenticated and unauthenticated perspective, evaluating the site's security posture against both valid users who aim to escalate their privileges and unauthorised users, identifying not only vulnerabilities and exploits but the key aspects of the web application that are crucial to you.

Reports are hand-written and include an executive summary, a more in-depth technical summary, and a table of the applications tested with the total number of vulnerabilities identified at each severity level, with hand-written remediation advice. The methodology we adopt is based on the OSSTMM and OWASP testing methodologies, to ensure all attack vectors are covered.

Specialist Training

The AntiSocial Engineer Limited offers training that aims to teach employees right from wrong. Training and user awareness are the best prevention against social engineering attacks. Increasing user knowledge improves employees' confidence in spotting these malicious attempts in a 'business as usual' environment. Help your staff take hold of the security of your organisation and grow stronger together as a result.

• Teach staff to defend against inbound calls
• Reduce your organisation's click rate
• Educate C-level company executives to help develop a security culture
• Public informational seminars
• Test staff with training portals
• Interactive classroom-based learning, with additional advanced content available for senior employees

Security Culture Development

Employees of all levels and sectors will actively work to secure the organisation from the inside out, using all they can in their allocated roles to work together to secure it.
• Heads of IT are praised for finding vulnerabilities, and their superiors act on the issues presented to them.
• Employees are trained and made aware of risks, which drives further staff education – not because they have to, but because they are logical, caring people.
• Staff report incidents without hesitation, knowing that fast reports benefit the business and that they will be trained further in response – not disciplined.

We can work with your business to train staff of all levels, from CEO to new starters! We encourage organic cyber security culture development.

Click Rate Reduction

Whilst security is almost always multifaceted, sometimes your organisation is set one simple task – get the click rate down!

Working from employee testing, we assess your organisation's 'click rate'. This benchmark lets us analyse just how many people would click the link in an email; we can then work on getting it down and keep improving on it. Training can be supplied in many formats: 1-2-1 sessions, teacher and class, online assessment and literature. Bespoke solutions are tailored to fit your business and educate your staff in the best ways possible. After training we believe in retesting to monitor training effectiveness.
• Combines effectively with 'Professional Services - Phishing'
• Always the best training medium for your employees

Classroom Based Learning

Personal and interactive training for employees, with in-depth information about the different attack vectors used by those with malicious intent and how to recognise the signs of an attack on the organisation. The training sessions cover topics such as what employees need to look out for in their email inbox and text messages, how to report any suspected malicious activity, and how to raise awareness and focus on social engineering within their teams to create a strong insider defence. We can also offer one-to-one classroom-based learning to make the advanced training more understandable and engaging.

E-Learning Training Portals

We provide online cyber security awareness campaigns that teach employees how to safeguard data and protect business-critical information, specialising in developing and delivering security training in a fun and entertaining way that engages the user and results in a true culture change within the workforce.

Teaming with Bob's Business, one of the UK's most successful e-learning content providers, we provide a fresh, modern take on cyber security training and compliance. There are no complicated textbooks or unnecessary technical explanations: their narrative-based approach is designed to create memorable scenarios that you and your colleagues can relate to and learn from.

The illustrative animation style has proven to create natural long-term behavioural change for our clients as they simulate reality in work-related scenarios, making them more relatable to everyone.

Product Benefits
● Employees will be able to detect and mitigate security risks effectively
● Managed service ensures minimal input is required from the client
● Compliance with industry standards is made easy with modular content, written in line with best practice guidance outlined in industry standards
● Advanced and automated reporting features allow you to track completion for compliance reporting purposes
● Modular approach ensures that learners can complete the modules at their own pace

To discuss any further information or to start implementing these structures into your business, please contact us today!