aDvanced sOcial enGineering And vulNerability Assesment Framework

The DOGANA project focuses on the impact and the remediation of the human factor in security, which is one of the most demanding challenges of today’s security and for which no widely accepted and stable solutions currently exist.
As an example of this type of complexity, the 2015 DEFCON conference organised the sixth edition of a social engineering simulated contest, namely the SECTF (Social Engineering Capture The Flag) contest. The report issued on how the contest was organised and analysing its results contains extremely interesting conclusions, relevant on the one hand to focus the problem that DOGANA is addressing and on the other hand to underline the importance of the problem.

One of the most necessary aspects of security is the social engineering risk assessment and penetration test. When a proper risk assessment is conducted by professionals who truly understand social engineering, real-world vulnerabilities are identified. Leaked information, social media accounts, and other vulnerable aspects of the company are discovered, catalogued, and reported. Potential attack vectors are presented and mitigations are discussed.
A social engineering penetration test increases the intensity and scrutiny; attack vectors are not simply reported, but executed to test a company’s defences. The results are then used to develop awareness training and can truly enhance a company’s ability to be prepared for these types of attacks.

According to the Threat Landscape since 2015 , Targeted Attacks (TAs) are the strategy of choice during the initial phases of infiltration, and their generated revenue is usually ten times higher than that of normal attacks. Therefore, the predominant scenario today is rapidly evolving from indiscriminate massive data breaches or attacks to highly targeted breaches with severe impact on the victims’ businesses. As a direct consequence of this evolution it is today accepted that the measurement of the real impact of incidents in terms of the costs needed for full recovery proves to be quite a challenging task .

The aim of DOGANA is exactly this: to fill the gap and develop a reliable and stable social engineering penetration test framework that is also legally and ethically compliant with the European laws .
DOGANA will fill this gap by pursing three main goals:
1. Raise end-user awareness for social engineering attacks by providing adequate techniques
2. Provide comprehensive risk assessment for companies (including the tool chain needed)
3. Create a legal reference framework to allow compliant risk assessment
The project is implemented by a consortium of 18 partners, from 11 different countries, including users, technology providers of whom 3 are major world-wide cyber-security solutions market leaders as well as legal and psychological expertise. An extensive field trial plan enables the testing of the DOGANA platform with six users (4 partners and 2 supporting users) operating in the critical areas transport, safety, and public authorities. DOGANA has also created a unique consortium with a world-wide scope and a strong market presence.

As reported in the Description of Work document, during its first year the project concentrated its scientific efforts in giving a stable and updated definition of the base concepts. All these concepts have been developed by the deliverables *.1 of the founding work packages: WP2, WP3, WP4, WP5. In particular, the following base topics have been investigated:
• A precise definition of the modern social engineering, its area of application and its effectiveness.
• A detailed analysis of the current status of the existing tools existing on the internet, that can be used to perform SDVA-like penetration tests.
• A theoretic framework of how the attacks are actually created and which competences are needed.
• The ethical and legal challenges of performing SDVAs.

The above mentioned topics embody most of the scientific research performed in DOGANA during the first year integrating the knowledge of the whole consortium. The result is a stable and extensive picture of today’s SE, its role in cybercrime and the ethical and legal challenges ahead. The documents also benefit from the coordination with the CyberROAD project , to the definition of whose roadmap some partners of DOGANA participated (namely: CEF, CNIT, PROPRS, HMOD, Demokritos).
The ground foundations posed by the above mentioned deliverables are used to consistently develop the architecture and design guidelines and the details of all the components of the framework.
The influence of the focus on Legal and Ethics challenges on the work performed during the 1st year
One of the characteristics of DOGANA is that it embodies the ethical and legal constraints since the early stages of the project, thanks to two dedicated WPs and a specific task within the management WP. In practice, this means that DOGANA wants to ensure that the architecture and design guidelines reflect, from the start, the full range of ethical and legal constraints. This has had a major influence on the 1st year of the project, and in particular, has led to the consortium anticipating work to avoid misalignments between the technical stakeholders and the legal and ethical ones.

Summing up the scientific results of the DOGANA project during the 1st year, the most relevant points are:
1. a complete view of the SE, its trends, role in cybercrime and cyberterrorism
2. a compact theoretic model of the human attack vector and a framework to create attacks
3. a complete dissertation of the legal and ethical requirements and constraints
4. a survey of the existing tools landscape and the definition of the gaps to create the DOGANA framework
5. a definition of the awareness founding principles that will be explored in DOGANA.

In some situations, the deliverable produced actually anticipated trends which became a reality after the release of the deliverable: for instance, the multi-staged social engineering attacks spotted a few months after the release of the delivery of the study on “The role of social engineering 2.0 in the evolution of attacks”.

DOGANA project will now enter a crucial phase for reaching its goals. The next step, after defining the common background regarding SE, will be the design and development of a holistic framework able to measure and mitigate social-driven vulnerabilities. We identified two risks in this phase:
1. Not correctly implement the ethical and legal constraints: as described above, we managed this risk with the strong involvement of the ethical and legal committee in the early stages of the work and the anticipation of work. Moreover, we created dedicated cross-competence working groups composed by technicians and ethical and legal committee members in order to fully implement an agile process.
2. Risk of developing most of the framework from scratch. The task 3.1 identified an extreme heterogeneity of tools covering the different phases of the DOGANA framework, some areas are well covered while others are less. The consortium, in order to reduce the risk of increasing the development effort, is creating a modular and flexible architecture based on the integration of plugins in all the phases. The aim is to create a robust DOGANA backbone that can be extended by a contributors’ community.