Social Engineering Reconnaissance Mapping


Social Engineering Reconnaissance Mapping is a specialized, proactive phase of cybersecurity intelligence gathering in which an attacker systematically identifies, collects, and organizes information about an organization and its employees to understand the human vulnerabilities that can be exploited. The goal is to create a detailed "social map" or profile of the target environment to inform a highly customized social engineering attack, such as spear-phishing or pretexting.

Key Mapping Objectives

This process moves beyond general network scanning and focuses intently on the human element, seeking specific data points that reveal trust relationships, authority, and behavioral patterns.

  1. Organizational Chart and Authority Mapping: Identifying key roles, reporting structures, and names of high-value individuals (executives, finance, IT administrators). The attacker maps who has access to sensitive information and who possesses the authority to bypass standard procedures.

  2. Trust and Relationship Mapping: Determining who reports to whom, who is new to the company, or who is trusted by senior management. This allows the attacker to select the most believable "pretext" or forged identity (e.g., impersonating a trusted colleague from a different department).

  3. Digital Footprint Profiling: Collecting PII, contact details, personal aliases, and professional history from public sources (like LinkedIn, corporate websites, news articles, and social media). This data is used to craft highly personalized and convincing communication.

  4. Technology and Procedure Mapping: Identifying the specific software, tools, and vendors used by employees (often found in job postings or public professional discussions), as well as common internal terminology, which makes fraudulent communications seem legitimate.

  5. Behavioral and Emotional Trigger Mapping: Gathering information on personal interests, travel schedules, recent company news, or internal events that can be used to elicit an emotional reaction (urgency, helpfulness, or fear) to ensure the target complies with the attack's demands.

Defense Against Mapping

Defense against this type of reconnaissance involves controlling the outflow of information. This includes implementing strict policies on what employees can share on professional networking sites, using generic titles in public directories, and continuously monitoring the open and deep web to discover and remove exposed personal and organizational PII proactively.

ThreatNG is highly effective at neutralizing the threat posed by Social Engineering Reconnaissance Mapping because it is purpose-built to execute the same intelligence-gathering process an attacker would use, thereby exposing the organization's human vulnerabilities first. ThreatNG enables the organization to proactively discover, map, and remediate the exposed PII and relationship data that attackers use to craft convincing social engineering attacks.

ThreatNG's Role in Social Engineering Reconnaissance Defense

External Discovery

ThreatNG performs purely external, unauthenticated discovery with no connectors, mimicking the passive reconnaissance an attacker uses to build the "social map" without detection.

  • Example of ThreatNG Helping: The discovery process uncovers all Archived Web Pages. An attacker maps the organizational structure by finding old employee directories or press releases on archived pages that contain Email Addresses and User Names. ThreatNG identifies this historical PII first, enabling its removal from public indexes and frustrating the attacker's initial reconnaissance efforts.

External Assessment

ThreatNG quantifies the risk associated with human-centric information exposure, guiding the defense team on where to break the reconnaissance map.

  • BEC & Phishing Susceptibility Security Rating (A-F): This rating is driven by findings across Compromised Credentials (Dark Web Presence), Email Format Guessability, and Domain Name Permutations.

    • Example in Detail: ThreatNG confirms through its Email Intelligence module that the organization has high Email Format Guessability. An attacker combines a publicly known employee's name (found via social media mapping) with this format (e.g., first.last@company.com) to generate a list of valid corporate email addresses. The resulting poor rating flags this specific exposure, which is what enables large-scale spear-phishing.

  • Data Leak Susceptibility Security Rating (A-F): This rating is heavily influenced by Compromised Credentials.

    • Example in Detail: ThreatNG's assessment finds that a key executive's credentials have been leaked and are present in its Compromised Credentials intelligence. An attacker could use this proof of compromise as the basis for a highly believable pretext (e.g., "I'm locked out, here's my old password, please help me") in a social engineering call to the IT service desk. The poor rating mandates an immediate change to credentials and a security review.

Reporting

ThreatNG's reporting ensures that human-centric risks, often overlooked, are clearly communicated and prioritized.

  • MITRE ATT&CK Mapping: ThreatNG automatically translates human exposure findings (like leaked PII or exposed ports) into a strategic narrative that correlates them with the Initial Access technique, showing security leaders exactly how an adversary would use the collected reconnaissance data to gain a foothold.

  • Prioritized Reports: These reports flag high-risk exposures, such as exposed Private IPs or NHI Email Exposure, as critical, guiding remediation efforts to break the links in the reconnaissance map.

Continuous Monitoring

Continuous Monitoring of the external attack surface ensures that the organization is immediately alerted to new, unexpected exposures of human data, preventing the attacker from completing a current reconnaissance map.

  • Example of ThreatNG Helping: A new employee inadvertently posts a photo of a whiteboard to social media, exposing the names and personal aliases of a project team. Continuous monitoring detects this new social footprint, allowing the security team to act immediately to remove the image and prevent the data from being used to map internal project relationships.

Investigation Modules

ThreatNG's specialized modules provide the necessary tools to trace and neutralize the specific data used for social engineering reconnaissance mapping.

  • Social Media / Username Exposure: This conducts a Passive Reconnaissance scan for usernames across a wide range of social media and high-risk forums, including LinkedIn, Facebook, and GitHub.

    • Example in Detail: An analyst uses this module to search for a developer's common alias and finds it active on a technical forum and on GitHub. This confirms the person's identity and professional role, which an attacker would use to launch a technical spear-phishing attack.

  • LinkedIn Discovery: This module identifies the employees who are most susceptible to social engineering attacks.

    • Example in Detail: By identifying these susceptible employees, the organization can target them for mandatory security awareness training, which directly mitigates the risk identified in the reconnaissance mapping phase.

  • Email Intelligence: This module provides insights on Format Predictions and Harvested Emails.

    • Example in Detail: The module confirms that the target organization uses a predictable email structure. This is a key piece of information for the reconnaissance map, as it enables the attacker to generate a list of valid email addresses from a handful of known names. ThreatNG provides this intelligence to the defense team so they can increase awareness around spear-phishing.
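The Email Format Guessability check described in the External Assessment example and in the Email Intelligence module above can be reproduced on a small scale from the defender's side: given name/address pairs harvested from the organization's own public sources, infer the dominant local-part convention and flag it as predictable when one convention explains most of the sample. This Python example is added here and is not ThreatNG's code; the pattern labels, the 80% threshold, the minimum sample size and the sample records are all assumptions.

```python
import re
import unicodedata
from collections import Counter

# Candidate local-part conventions, keyed by label; each builds a local part from a normalized (first, last) pair.
PATTERNS = {
    "first.last": lambda f, l: f"{f}.{l}",
    "firstlast": lambda f, l: f"{f}{l}",
    "flast": lambda f, l: f"{f[0]}{l}",
    "f.last": lambda f, l: f"{f[0]}.{l}",
    "last.first": lambda f, l: f"{l}.{f}",
}

def normalize(name):
    """Fold accents, lowercase, keep a-z only: "Núñez" -> "nunez", "O'Brien" -> "obrien"."""
    folded = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z]", "", folded.lower())

def infer_email_format(samples):
    """samples: (first, last, email) triples harvested from public sources.
    Returns the dominant convention, the share of usable samples it explains, and the usable count."""
    hits, total = Counter(), 0
    for first, last, email in samples:
        local, _, domain = email.strip().lower().partition("@")
        f, l = normalize(first), normalize(last)
        if not (f and l and local and domain):
            continue  # unusable record: missing name part or malformed address
        total += 1
        for label, build in PATTERNS.items():
            if build(f, l) == local:
                hits[label] += 1
    if total == 0:
        return {"pattern": None, "coverage": 0.0, "total": 0}
    label, count = hits.most_common(1)[0] if hits else (None, 0)
    return {"pattern": label, "coverage": count / total, "total": total}

def is_guessable(samples, min_samples=3, threshold=0.8):
    """True when one convention explains at least `threshold` of enough samples (assumed cutoffs)."""
    result = infer_email_format(samples)
    return result["total"] >= min_samples and result["coverage"] >= threshold

# Constructed sample data (not real people or a real organization).
SAMPLES = [
    ("Alice", "Smith", "alice.smith@example.com"),
    ("Bob", "O'Brien", "bob.obrien@example.com"),
    ("Carla", "Núñez", "carla.nunez@example.com"),
    ("Dan", "Lee", "dlee@example.com"),           # outlier, e.g. a legacy account
    ("Eve", "Adams", " Eve.Adams@Example.com "),  # casing and whitespace tolerated
]
```

A result like `{"pattern": "first.last", "coverage": 0.8, "total": 5}` is the kind of finding that drives the rating: once the convention is known, every name harvested elsewhere becomes a valid address.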

Intelligence Repositories (DarCache)

The intelligence repositories provide the real-world evidence and threat context needed to prioritize the highest-risk human vulnerabilities.

  • Compromised Credentials (DarCache Rupture): This repository is the definitive source for confirming if an employee's identity has been successfully compromised, which is the ultimate goal of reconnaissance mapping.

  • Dark Web (DarCache Dark Web): This monitors for organizational mentions and associated ransomware events.

    • Example of ThreatNG Helping: ThreatNG discovers chatter on a dark web forum where an actor mentions having a list of the organization's NHI Emails and a plan to target the recruiting department (human target) for an attack. This provides an early warning of a social engineering reconnaissance effort.

Complementary Solutions

ThreatNG's high-fidelity intelligence on human exposures creates a powerful signal for automating defenses in other platforms.

  • Cooperation with Security Awareness Training Platforms: When ThreatNG's Compromised Credentials module detects a surge in leaked employee passwords (Identity Contamination), this metric can be sent to a complementary Security Awareness Training Platform. This integration automatically enrolls the affected employees in a targeted course on password reuse and spear-phishing recognition, directly mitigating the risks found during reconnaissance mapping.

  • Cooperation with IAM Solutions: Findings from the LinkedIn Discovery module that identify high-risk, susceptible employees can be pushed to an Identity and Access Management (IAM) solution. The IAM system can then be configured to automatically enforce stricter access controls, such as mandatory Multi-Factor Authentication (MFA) and geographical access restrictions, for the accounts of those high-risk individuals, protecting them from the identity compromise risks identified during the reconnaissance mapping phase.
