An Example Attack Scenario
To illustrate that social engineering and technical exploitation are not exclusive of each other, consider the following scenario. An attacker researches an organisation and its leaders and uses that information to draft a highly convincing phishing email. The attacker then spoofs email credentials to make it appear that the message is coming from an executive within the organisation, and sends it to employees. An employee then clicks a link within the email, which takes them to a website the attacker has set up that steals a session token stored as a cookie on the employee's machine. Session management issues in the company's portal enable this session token to be used by the attacker to access the employee's user account, bypassing passwords and multi-factor authentication. Vulnerabilities in the company's software enable the attacker to obtain remote-code execution on the company's server running the portal, e.g. through PHP injection. The attacker then uses fairly standard methods to escalate privileges, bypassing user permissions on the server. This compromised system can then be used as a proxy for attacking other systems inside the organisation, bypassing firewalls since it is already within the company's network. Many steps in this hypothetical attack are purely technical in nature, and rested on vulnerabilities that could have been addressed at a technical level. However, the step where the attacker tricked an employee into clicking on a malicious link was nonetheless a critical step in the attack process.