The social engineer is a fraudster, a prankster, and an academic. They are sales people, psychologists, socialites, politicians and thieves. But in the security space, they are known as attackers who breach security systems by manipulating people, not only machines. And by melding human psychology with technological prowess, they throw traditional security structures into chaos.
The social engineer may rip off an individual with a simple scam, or defraud a multi-million dollar organisation with relative ease. That’s because to the social engineer, an organisation is not a unified defensive machine, but a collection of individuals with different levels of awareness, gullibility and privilege.
Even as far back as 2004, analyst firm Gartner had called social engineering the most significant threat of the decade.
In 2010, a local security tester demonstrated how susceptible organisations are to social engineering attacks when he conned a staffer at one of the world’s most recognisable beverage companies into handing him the keys to the castle. Wayne, a penetration tester from Sydney firm Securus Global, donned a well-worn disguise as a time-poor auditor as he dialled the company’s IT helpdesk. He knew staff there would have access to the sensitive information he sought.
Wayne the auditor held a higher position than the helpdesk operator who, after a bit of schmoozing and a few jokes over the phone, bent over backwards to give him details of the company’s operating systems and web browsers, its anti-virus solution, radio frequency identification software and telephony platform. Lucky for the company, Wayne was competing in the DEFCON 18 social engineering capture the flag competition, overseen by the FBI. But he could have been anyone.
Others haven’t been as lucky. The most prolific social engineering attack vector is phishing, which hooks innumerable victims each year. Users are just as likely to click phishing links in the office as at home, a fact that led to high-profile breaches at security giant RSA, marketing firm Epsilon, Mitsubishi Heavy Industries and the Oak Ridge National Laboratory. In many breaches, social engineers had sent staff at the organisations crafted emails with malicious attachments that, when executed, provided access into corporate networks.
News of the breaches and a series of large coordinated phishing campaigns targeting chemical and defence industries have increased demand for phishing penetration tests. Companies can test their vulnerability to phishing by using services such as PhishMe.com, which delivers fake targeted phishing emails to staff and measures how many of them open would-be malicious content. “Phishing tests provide valuable insight if they are run after security awareness training,” Nick Ellsmore, veteran pen tester and head of business development at StratSec, says. “It provides a measurement from which to gauge whether training has sunk in.”
Companies undergoing social engineering tests should brace themselves for some scary results. One StratSec pen tester who masqueraded as a rogue employee with access to a segregated network breached security controls and stumbled on company merger plans, known only to top executives. “We couldn’t put it in the report, because the guys who would read it had no idea about the merger,” Ellsmore says. Over four days, the tester hauled in sensitive product source code, domain account passwords, router credentials, hardware schematics, and control of the BlackBerry Enterprise Server and CCTV system.
Securus Global managing director Drazen Drazic had similar success during a social engineering test that is one of his company’s most notable. A large company had conducted a sweeping security review ahead of tender contracts worth more than $20 million and requested an engineer walk through its Australian office and attempt to obtain access to restricted areas. “I was able to waltz into the offices, past reception, find an empty office, plug in my own computer and download hacking tools which were used to attack and own the internal systems and data,” Drazic says.
He walked around the office chatting to staff, and entered the server room while being watched by the IT staff without challenge. He had pretty much free rein to bring a corporate to its knees in the space of a few hours. The company baulked at the results and overhauled security, including running regular sweeps of the boardroom for listening bugs ahead of sensitive business meetings.
Bang for buck
Australian penetration testing firms have seen a rise in demand for their customised and targeted social engineering tests, but the volume is still low compared to technical penetration tests. Drazic says his company runs its multi-faceted ‘Red Cell’ social engineering tests and training about once a month for typically large companies with Australian offices. Other penetration testers report similar figures, with social engineering accounting for less than half of all tests.
Once the tests are completed, clients are trained to defend against real world attacks. “In our experience, if done right, businesses do improve. We stay close with them and in all cases clients we have worked with have been very keen to expand upon the work.” Drazic says testers should mimic how “smart criminals” operate, and have intimate knowledge of previous data breaches that resulted from social engineering attacks. “Any monkey can make a phone call and try to get a password.”
But Ellsmore warns there are sometimes better ways to spend security budgets to get bang for buck, namely in understanding the information perimeter of the business, testing the security of applications, and testing and training staff. He notes that few organisations could prevent staff from stealing data and that the threat of a physical social engineering intrusion is low. “Is someone walking through the office a likely compromise? No, and there should be video footage of an intruder. There are many more lower-risk avenues of attack to look into.”
Tools of the trade
The social engineer isn’t a whimsical liar, but a methodical analyst. Both penetration testers and malicious attackers research a target organisation using public information including staff Facebook profiles, scans of IT infrastructure and documents left in rubbish bins.
HackLabs director Chris Gatford recently proved how lucrative humble dumpster diving could be when, on a job, he gave the receptionist of a Sydney business a friendly wave as he wheeled a bin full of sensitive documents out of the executive’s office and into an adjacent hotel. In the apartment, Gatford sifted through the bin of documents marked for shredding and pulled out usernames and passwords, staff salaries and a spreadsheet listing critical systems. “They were owned,” he says.
Gatford wasn’t simply handed the bin. On his journey to the executive’s office, Gatford swiped an unattended staff badge and used a publicly-known duplication method to clone the card and assign it sufficient privileges to enter restricted areas.
Open source tools including Maltego are used by attackers and penetration testers to map the relationships between pieces of public information. They could reveal, for example, that a target’s phone number or email address was published on motorcycle websites. This data builds a so-called pretext, the background information that social engineers use to con targets more effectively. The information is often used to craft targeted phishing emails or as a conversation topic to build rapport.
The aim of the pretext is to make a target feel comfortable and familiar and to ease the elicitation of information. It is a tactic used by many professionals including sales staff, doctors, lawyers and clairvoyants, and allows social engineers to use a fictitious persona – like Wayne the auditor – that best fits the scenario.
This article first appeared in SC Magazine's March print edition.