Chapter 4

Short and Long Game Attack Strategies

Gavin Watson, Senior Security Engineer, RandomStorm Limited

There is a significant difference between the techniques and methodologies used by attackers who have ample time and resources and those used by penetration testers working to strict timeframes. These two types of techniques identify very different vulnerabilities in the client’s security controls. The challenges are how to provide value to the client in a strict timeframe when only short-term techniques can be employed, and how to help the client defend against long-term techniques that can’t realistically be simulated. This chapter not only discusses these issues in detail, but also provides practical advice for overcoming them.

Keywords

Short-term attack strategies; long-term attack strategies; fake social media profiles; information elicitation; extended phishing attacks; targeting partner companies; long-term surveillance

Information in this chapter

• Short-term attack strategies

• Targeting the right areas

• Using the allotted time effectively

• Common short game scenarios

• Long-term attack strategies

• Expanding on initial reconnaissance

• Fake social media profiles

• Information elicitation

• Extended phishing attacks

• Gaining inside help

• Working at the target company

• Targeting partner companies

• Long-term surveillance

Introduction

In Chapter 3 the reader was taken through some of the most common social engineering techniques.

Choosing which technique and general strategy to use can often depend on how much time is available for an attack. Generally speaking, real-world attacks are performed over an extended period of time. Attackers carefully plan their approach, employing techniques over a number of weeks, months or even years. A social engineering assessment performed by security consultants, on the other hand, often has a very strict time frame. This limited amount of time often restricts the approach, which techniques can be employed and to what extent they can be performed.

The most appropriate strategies to employ when only a limited amount of time and resources are available will be discussed. Additionally, the most effective approaches to time management and ensuring value are covered, including some of the most common “short game” attack scenarios.

This chapter will then discuss the “long game” attack strategies and techniques. These will include subjects such as fake social media profiles, extended phishing attacks and long-term surveillance to name just a few.

Short-term attack strategies

“Short game” strategies revolve around strict testing parameters, often defined by budget constraints (if an assessment is being carried out on behalf of a client) or by other practical considerations (such as a target only being available for a limited amount of time). Strategies of this kind are most commonly associated with professional social engineering assessments, whereby consultants attempt to provide as much value as possible for the client over just a few days. Providing true value for the client is the most significant challenge for security companies. By “value” we mean that the client’s main deliverable, the report, can be used to actually improve security and make a real, measurable difference. If a technical infrastructure assessment were performed, the client would expect a thorough report of the identified vulnerabilities in order of severity; social engineering assessments should be no different.

If the consultants were to take the approach of real-world attackers, but were limited to just a few days, then the report may contain little more than evidence gathered from public resources, because real-world attackers would dedicate many months to researching the target. This in itself could be very interesting to the client, as they may have no idea what potentially sensitive information is available on their company and their staff members. However, it may not address the most significant risk to the company. Therefore, there is an opportunity to provide much greater value for the client by addressing the real risks and making the most of the time available.

Targeting the right areas

An unfortunate side effect of limited time frames is for inexperienced security consultants to “smash and grab.” They will neglect threat modeling and, as a result, won’t plan anything remotely relevant to the company’s actual risks (Chapter 6 covers the threat modeling process in much greater detail). In the limited time available, they will evade detection when breaching security in any way they can (usually by tailgating in) on entry and egress and then consider the objective met. The resulting report only serves as a “snapshot” with a prediction of what they “could have potentially done if they were real attackers.” This leads to the client implementing countermeasures based on guesswork. Similarly, some security companies will just target a single member of staff to obtain sensitive information. The report then details how that specific individual was susceptible to some insubstantial, pseudoscience-based psychological vulnerability. Occasionally this type of approach can be beneficial and it may be what the client actually requests, but it only highlights a small set of vulnerabilities or even just a single point of “possible” failure. The unfortunate reality is that a lot of testing companies work in this way. With a seemingly unlimited scope to “break in,” they will inevitably reveal one or two new vulnerabilities each time the test is performed. This type of dynamic testing could go on indefinitely and might never highlight the issues the client really needs to know about. It would be like a penetration tester identifying a single vulnerability on one server each time they perform the test. This is clearly an inefficient approach and will ultimately fail to highlight a business’s true vulnerabilities.

One reason that testing companies work this way is that too many clients lack an understanding of how assessments should be performed. This is mainly because social engineering assessments are still “relatively” unknown. Clients have certain expectations regarding standard tests such as infrastructure testing or web application testing, but still tend to look to the testing company to guide them through the social engineering tests. As a result, substandard tests may be performed and the client is none the wiser. If the consultants manage to easily breach the security of the company, then the clients tend to believe that the consultants have done a good job. In addition, the “scare factor” when presenting such findings to upper management tends to distract from the question of whether the test actually revealed anything of value or anything that can actually be fixed.

Suppose a business decides to hire security consultants to test their susceptibility to social engineering. The consultants smooth talk past reception, attach to the corporate network and escalate their privileges. They manage to exit the building in possession of a customer database on their laptop. The management team’s reaction is one of shock and fear. The management team would make comments such as “What if a real attacker was to do this? The damage to our reputation could cripple the business, never mind the loss of sensitive information!” The business then follows all the advice of the testing company, from implementing staff awareness training through to improved physical and technical security controls. The very next day, social engineers arrive at the warehouse behind the same building dressed as delivery drivers with all the valid credentials. They chat with the warehouse staff, load their truck with goods and drive away without incident. The original social engineering test highlighted a “possible” sequence of events that could damage the business, but not a very likely one. The chances of a social engineer breaking into the building to steal the customer database are relatively low, whereas the risk of theft for this particular company is relatively high when considering the value of the goods they store. Had the testing company and the business conducted threat modeling, the likely threat of warehouse theft would have been highlighted. Social engineering is not just about breaching buildings and networks; it’s about breaching security in general. This is not to say that the original social engineering test was a complete waste of time, simply that the efforts could have been prioritized elsewhere. The tests should have been designed to identify vulnerabilities in the warehouse procedures and awareness training. Once the most significant risks have been assessed, the lower risks can then be examined.

Using the allotted time effectively

When given a small testing opportunity it is imperative that you use the time available in the most efficient way possible. A very suitable quote to sum this up would be one by Abraham Lincoln:

If I had eight hours to chop down a tree, I’d spend six sharpening my axe.

When related to social engineering this means spending the vast majority of your time conducting reconnaissance, with a significantly reduced portion performing the actual attack. For real-world criminal attacks this is extremely important. If you are attacking a business you may only have one chance, as repeated attacks increase the likelihood of being caught.

Time allocation regarding professional social engineering assessments is a little more complicated. If the client has requested that you identify a single specific vulnerability, then the above would apply. However, assessments generally focus on multiple areas, using different scenarios to identify different vulnerabilities and may have to be repeated within the same time window.

The initial client contact, scoping meetings, threat modeling and discussions regarding rules of engagement are conducted outside the testing window. However, these are critical stages that lay the foundations of the assessment. The testing period should consist of four fundamental stages:

1. Reconnaissance

2. Scenario creation

3. Scenario execution

4. Report writing

Basic attacks, such as those conducted over a telephone to obtain specific information, may also follow this structure. However, more complex engagements, such as breaching building security, wouldn’t necessarily be performed in this order. The reconnaissance may lead to initial attacks, which then feed information back into reconnaissance to help design new attacks. To enable effective time allocation you need to fully understand the process of the engagements you plan on performing. In addition, if you have been tasked with assessing security over multiple attack vectors, then it’s important to understand how they relate to one another.

One approach is to string attack vectors together. For example, the initial reconnaissance may provide the information required to enable basic phishing and telephone attacks. The results of these attacks may aid targeted attacks, such as spear phishing e-mails. The sensitive information gained from the targeted attacks can then be used to design scenarios for physical attacks against the building. By feeding the results of each attack vector into the next, you use the time you have effectively while covering multiple areas. Each stage of this method can represent a single day in terms of time. Therefore, a full assessment might well be conducted over as little as 5 days, with the final day reserved for the report writing. However, although this is an efficient way of working, it only identifies vulnerabilities that manifest as a result of such a sequential attack strategy. For example, it doesn’t realistically simulate an attacker’s strategy aimed at a single attack vector. If an attacker had no intention of breaching the security of the building and only wanted to obtain sensitive information via telephone, then they may use a very different set of techniques to achieve different objectives. If individual vectors are to be assessed, then they should be treated individually, with separate reconnaissance and scenario execution time allocated to them. Therefore, assessing all three major vectors could result in a 9-day assessment including report writing time.

If a client does not have budget constraints and requests an assessment that spans weeks or months, then it may be possible to take both approaches. Individual attack vectors could be assessed with multiple objectives, aimed at assessing the vector both in isolation and as part of a chained attack strategy.

The way in which you allocate your time ultimately depends on what the client’s requirements are. Do they want to simulate a real-world attack or do they want to focus on individual areas of security? These questions need to be asked and answered before the assessment can begin.

Common short game scenarios

There are certain “short game” scenarios that are regularly used to test for common security issues. These scenarios only require a modest amount of planning and, if executed successfully, can identify multiple vulnerabilities, ensuring the most value for the client within the limited time allocated.

These scenarios should be considered as “generic” approaches to common social engineering vulnerabilities, which can then be tailored to suit the client’s requirements. However, the best possible approach is always to design your scenarios from scratch based on the results of the threat modeling stage.

We often use these as examples when conducting the initial scoping session with the client. They can help to explain the overall approach of the assessment and how a scenario can target certain areas of security.

• Password reset procedures
Contact the help desk (or IT department) of the target business and impersonate an employee requesting a password reset. Adjust the approach based on the password reset procedures followed in order to identify additional vulnerabilities.
Possible pretexts:

• The chief executive is angry that his password no longer works and needs it reset as soon as possible.

• A new starter is struggling to log into the service; they were given a password but it isn’t working.

• An employee is explaining that a colleague has worked out their password because it was too obvious, could they reset it to something more complex?

• Visitor/contractor booking procedures
Contact the main reception of the target business and arrange for a contractor to visit the site.
Possible pretexts:

• An IT engineer is due to visit the site to install some equipment, could you ensure he signs in and has a pass to move in and out of the building?

• A colleague from another site is arriving shortly and I won’t be able to meet them, could you send them on to a free meeting room?

• A potential employee is arriving for a job interview, could you point them in the direction of the IT department please?

• Phone survey policies (information disclosure policies)
Contact the employees of the target business claiming to be conducting a survey. Incorporate questions within the survey that reveal key pieces of information about the business.
Possible pretexts:

• A university student is conducting a phone survey as part of a research project on job satisfaction.

• A Chamber of Commerce survey on social media in the workplace.

• A major utility company is conducting a survey on service performance in the area.

• Phishing e-mail awareness and training
A broad phishing e-mail designed to trick users into browsing to a malicious web site.
Possible pretexts:

• The IT department has received reports of e-mail accounts being locked out, could all users please ensure they can still access the service using the following link.

• Some major changes have been made to the company website, could all users please ensure they can view it correctly using the following link.

• The business has been mentioned in a recent news article. Check it out by following the link below.

• There is a major roll-out of a new intranet service; to ensure that you continue to receive a full and complete service, follow the link below to register your details.

• Tailgating/piggybacking awareness and training
Attempt to gain access to the building or restricted area by following a legitimate employee. Remember that this approach should be attempted last and should never be the basis for an entire attack.
Possible scenarios:

• Chat with the employees in the smoking area before following them into their workplace.

• Simulate an argument on the phone to discourage people from challenging you. Carry a large item to encourage employees to hold the door open.

To ensure that you collect the most valuable information possible in the strict time frame, make sure that you can answer the following fundamental questions.

• Procedures

• Are there procedures that the employees follow?

• Can the procedures be circumvented in any way? If so, how?

• Do different help desk assistants follow different procedures?

• What improvements can be made to the procedures to increase security?

• Policies

• Does the company have a policy associated with the assessment target?

• Are all staff regularly made aware and reminded about the policies?

• Do different staff members interpret the policy content in different ways?

• Can the policy be circumvented in any way? If so, how?

• What improvements can be made to the policies to increase security?

• Staff awareness and training

• Does the business have a staff awareness and training program?

• Is the assessment target subject matter included in the awareness and training program?

• How could the current program be improved?

• General information

• What is the worst-case scenario if an attacker were successful in exploiting the vulnerability?

• What supporting social engineering techniques significantly affect the success rate?

Long-term attack strategies

“Long game” strategies and techniques are those that span weeks, months, and even years. These strategies and techniques are not entirely practical for professional security assessments and are generally confined to the realm of real-world attacks.

When you have virtually unlimited time and resources, you can employ “long game” techniques to achieve difficult objectives with minimal risk. For example, calling up a target to try and obtain their computer login password comes with some risk. In contrast, watching the victim’s computer screen and keyboard from across the road using a telescope or binoculars could achieve the same objective, but with far less overall risk of being caught.

Another way in which “long game” techniques are used is to divide “short game” techniques into smaller parts or stages so as to avoid detection. For example, a spear phishing e-mail designed to obtain sensitive information could raise alarms if the receiver spots it for what it is. A series of seemingly harmless and innocuous e-mails sent over an extended period of time could, by contrast, obtain the same information without causing as much suspicion.

“Long game” attacks spread over time also have the added benefit of creating familiarity. For example, if you have the time to be seen in an area multiple times by a security guard over a long period, then after a while they will assume you belong and are less likely to challenge you.

Having extended time to perform an attack opens up a whole new range of techniques and strategies, and achieving the objective is often inevitable.

Expanding on initial reconnaissance

The importance of good reconnaissance is a recurring theme throughout this book. The greater the reconnaissance, the greater the chances of a successful attack. There are certain pieces of information that are critical to most social engineering attacks and these often form the basis for short game techniques. This is information such as potential targets’ names and contact details. If you have unlimited time to perform reconnaissance, what other information would be useful? The short answer to this question would be: any information that could be put to use. However, some types of information are more useful than others. If you are able to expand your research you should be able to gather information that will significantly support your attacks.

The initial reconnaissance should reveal a large number of potential targets, including their name, position and contact information. This is often the only information gathered during short game attack scenarios. If an attacker wanted to send a phishing e-mail to a company, they may only require the e-mail addresses. However, each individual staff member has a lifetime of useful information that could be used against them specifically or against the company they work for. If you can access this information, perhaps through social media or by building a relationship with them, then you can use it against them.

If you wanted to perform a targeted attack on an individual rather than a group, then consider obtaining the following information:

• Interests and hobbies

• Previous employers

• Education history

• Recent holidays

• Close friends

• Family members

• Groups and clubs they belong to

• Where they regularly shop

• Where they live

• What utility supplier they have

• Who they bank with

• What car they drive

The following sections will look at ways in which this information could be obtained. Here we are just interested in how it could be used.

The items in the above list all seem like very innocuous information, yet each can be used as a basis for attacks or simply to gain credibility. Let’s examine a few of them to determine how they could be leveraged.

Knowing that the target went to a certain school may be all that’s required to perform a successful spear phishing attack. For example, the e-mail may read:

Hi There,

We’re organizing an xyz high school reunion party for the class of 1978 and hope that you can join us.

We’ve set up an account on http://www.fakehighschoolreunionwebsite.com where you can RSVP. Also, we’ve uploaded some great pictures of everyone back then.

Sorry if any of you find them embarrassing!

Hope to hear from you soon!

Another e-mail phishing attack could be based simply on where they regularly shop. For example, you could attach a malicious PDF to an e-mail and send the following:

Xyz shop is now offering up to 50% off all products! Print off the attached voucher and bring it along with you to the store.

Suppose you learn of a recent holiday the target has been on and who they booked with. Consider impersonating a travel agent and contacting the target via phone explaining that:

We’ve just launched an offer which includes the package deal you recently took. If you’re willing to put down a deposit for the package now and book for next year, we’ll give you 25% off.

If the victim agrees, then the attacker asks for their card details to take the deposit over the phone.

We have discussed expanding on reconnaissance to target the employees of a business. What about the business itself? The usual “short game” information gathering covers the business address, building layout, external security, internal security, business purpose, etc. However, in a similar way to looking into employees’ personal lives, you can continue your research to look at other aspects of the business. For example, you could expand your reconnaissance to include the following:

• Business history

• Past successes

• Past failures

• Business future

• Proposed mergers

• General strategies

• Partner companies

• Hiring processes

• Business culture

The more information you can gather, the more likely you will be successful in your attack.

Fake social media profiles

The previous section discussed gathering information about a target’s personal life in order to attack the business they work for. A great deal of this kind of information can be gathered from social media websites, as they are essentially a database of our lives. It is generally more difficult these days to extract such potentially sensitive information from social media websites, mainly due to ever-increasing security controls. In order to access the information you want, you first have to be associated with the target, be it as a “friend” or some other type of symbolic link supported by the social media website. Usually this requires both a request and a confirmation stage to take place before the link can be made. Unfortunately, there is little security in place to prevent fake social media profiles. Therefore, an attacker can create a fake profile to establish a connection with a victim. Once the connection has been established, the victim’s account can then be scraped for useful information.

Social media must only be used as a source of information and care should be taken that the social engineer does not enter into the realms of entrapment.

The reason this is considered a “long game” strategy is because it can take a great deal of time to develop a fake account. For the account to be convincing it will need detailed profile information, posts, photos and links with other accounts. It is challenging to create a convincing fake account without the basic content that is generated over a long period of time. In addition, targets may not necessarily check their social media accounts regularly or respond to link requests straight away.

There are a number of different approaches to creating fake social media accounts:

• Bait account
This is the most common type of account, which professional security consultants may have already prepared for use in assessments. They are structured to be bait for a large demographic of targets. For example, the profile image could be that of a young, pretty girl aimed at the male targets of a business, and vice versa. A quick and simple last-minute change could be to the secondary school attended, made to match the victim the link request is sent to. As these types of accounts tend to be premade, this could be considered a “short game” technique. However, the accounts tend to be quite generic, therefore it would be difficult to use such accounts to target a specific person or organization.

• Targeted account
These are accounts usually tailored to target a specific individual based on the reconnaissance gathered. For example, you may have read on the business’s website about a recent staff social event. The fake account could be created to match that of the employees of that business. The link request to the target could come with a message saying, “Hi, spoke to you at the charity event last week… can’t believe how much money we raised!”

• Individual impersonation account
Fake accounts need not be entirely “fake” and could in fact easily impersonate a real individual, providing of course they haven’t already made an account. If your reconnaissance reveals an employee that has not created an account, then there is little to stop you doing it for them. The other employees of the business are likely to recognize the individual and accept any link requests. Eventually the real individual will become aware of this fake account, but by then you will have scraped all the potentially sensitive information from all the other employees’ accounts. In a sense, this is a very risky approach, but the rewards can sometimes make it worthwhile.

• Organization impersonation account
Creating a fake account to impersonate an organization can have some advantages. Generally speaking, organizations’ accounts don’t raise as much suspicion as general users’ accounts. Creating a fake account for a third-party company you know a target business uses could quickly result in links being made with all the employees.

Remember that although fake accounts are primarily used to gather information, they do have other uses. Established accounts with good connections to the target business could also be used to gain credibility in other attacks. For example, you could mention something regarding your account or a post the target had submitted to gain credibility when on the phone to them. In addition, social media websites are another possible vector of attack. If you notice an employee is currently browsing a social media website (perhaps from the chat panel) then you could potentially send a malicious link, which could result in you gaining access to the work computer they are using. After all, how likely is it that the business conducts awareness and training that includes content covering attacks over this medium?

Information elicitation

Information elicitation is seemingly at the heart of social engineering and is defined by the Federal Bureau of Investigation as:

The strategic use of conversation to extract information from people without giving them the feeling they are being interrogated.

This sounds exactly like the kind of technique that should be used on assessments. However, techniques of this kind are usually employed in casual conversations and often benefit greatly from an established relationship with the target. Therefore, on short assessments lasting as little as a few days, these techniques are not entirely practical. To truly leverage the power of information elicitation you have to engage with the target multiple times, developing the relationship and guiding the conversations in the direction that reveals the information you want. Of course, a good “elicitor” could glean information from a single conversation with a complete stranger, but it is not a reliable enough technique to employ when time is very restricted. Therefore, as this book is focused on social engineering assessment techniques, information elicitation of this kind is confined to the “long game” category.

These techniques are designed to obtain information that, although not very sensitive, is still information that the target wouldn’t normally reveal. For example, in casual conversation with an employee you may learn, through these techniques, that the phone system is broken. This isn’t very sensitive information, but it could be used to gain credibility as part of an attack scenario. In addition, discussing the current state of the business’s equipment isn’t something you would normally do with nonemployees. In the same conversation the employee may mention the manufacturer of that same phone system. Again, this information could be useful to a social engineer, and the employee wouldn’t normally reveal it to strangers. The reason they do reveal this information, without realizing they’ve caused a breach, is the techniques of elicitation. We will now cover some of the most common techniques that can be used.

• One-upmanship
This leverages the desire, especially in men, to “outdo” a competitor. For example, you talk about a fictitious product and hope that the target then reveals information about their product to “outdo” you: “Well, that sounds good, but our new product will be able to do this… .”

• Criticism and defense
When you criticize something your target is interested in, chances are they will want to defend it. If you can make your criticism very targeted, then you may obtain sensitive information from the target’s defense. For example, you could comment that “I seriously doubt they’ll ever merge with company xyz, they don’t have the basic business sense…” which could be met with “You couldn’t be more wrong, they do have keen business sense and meetings have already been arranged!”

• Ignorance
This is very similar to “playing the fool” in social engineering, except here you are playing the student. You pretend to know nothing about a particular subject matter, with the hope that the target will then want to “educate” you. This could result in obtaining useful information and also makes you appear to be less of a threat.

• Flattery
A very basic technique to make the target feel important, boosting their self-confidence to the point where they want to boast about their achievements. For example: “From the sounds of it you really know your stuff. I bet you run the whole IT department! You must be in charge of a great deal!”

• Open questions
This is a technique often used by salesmen and was touched upon in Chapter 1. The basic premise is to ask questions that can’t really be answered with a simple “Yes” or “No”, so that the target is likely to give more information. For example, if you wanted to know what version of web browser is being used, rather than asking “Do you use Internet Explorer 8.0?” you could instead ask “Have you found the latest version of Internet Explorer to be more stable?”. The first question could be answered with a simple yes or no and may seem a little suspicious. The second question requires some thought to answer and may well reveal the information you’re after.

• Focusing the conversation
The concept here is to start your conversations around broad topics, then begin to focus toward the areas you are interested in. The idea is to make the target feel as though the conversation has naturally and unintentionally led to the point of interest. If the target becomes uncomfortable or you are unsuccessful in obtaining the information you want, then start to broaden the conversation topics again before refocusing.

• Indirect referencing
If you want to elicit information on a particular area, then sometimes it is beneficial to talk about something indirectly associated. For example, talking about the challenges around hiring cleaning staff could reveal sensitive information regarding everything from floor plans to internal security systems.

As mentioned before, information elicitation benefits greatly from an established relationship with the target. The following techniques are focused on creating the rapport necessary for a good relationship.

• Listening
Listening to the target not only helps to create a good rapport and strengthen the relationship, it also allows you to gather more information. It is very easy to concentrate so much on your own approach that you end up doing the most talking, which is the opposite of what you are trying to achieve.

• Common ground
Establishing a good common ground is one of the fastest ways of building rapport. Pretend to be interested in the same hobbies, activities, films, music, etc. However, be careful not to raise suspicions by being unable to answer questions regarding the subjects you claim to be interested in. The best approach is to establish the common ground and then steer the conversation away.

• Quid pro quo
This technique leverages the power of reciprocation, a subject already discussed as part of leveraging emotional states. However, when used in information elicitation the “offering” is usually sensitive information, given in the hope of receiving their sensitive information in return. For example: “We’ve just installed these new RFID devices and they’re causing us no end of trouble…”

Extended phishing attacks

The creation and execution of phishing e-mail attacks is extensively discussed in Chapter 9. However, it is worth mentioning how the approach can differ when executed as a “long game” strategy.

On assessments, the e-mail attack vector is initially used to gather information, such as the business e-mail structure, out-of-office automatic responses and additional employee contact details. Following this, targeted phishing e-mails are sent to harvest credentials or direct the target to malicious websites. However, both of these approaches are “short game” techniques, as the entire process from initial e-mails to backdoor access can actually be completed in as little as a few hours. How would the approach differ if the attacker was not limited by time?

The approach to phishing attacks mentioned above does not necessarily require an established relationship with the target, even when targeting specific individuals. Obviously, if the phishing e-mail is spoofed to appear to come from the target’s colleague, then you are leveraging the trust relationship they have. However, if you could build the relationship yourself and ultimately know the target better, then you would stand a far greater chance of success. Extended spear phishing attacks will slowly build up a dialogue between you and the target, develop a relationship and will inevitably reveal the perfect approach to manipulation.

The section on common “short game” attack scenarios mentioned obtaining sensitive information by posing as a university student. The social engineer, posing as the student, would contact the target via telephone and ask questions about the business and how it operates, selecting questions that may reveal useful information. This approach comes with some risk. The employees you contact could refuse to give information, and the more employees you contact the greater the chance of arousing suspicion.

To reduce the risk and increase the chances of success, this scenario could be translated from a “short game” telephone attack to a “long game” extended spear phishing attack.

In typical phishing attacks an e-mail is sent to multiple targets obtained from initial reconnaissance. In extended attacks the approach should be as realistic as possible. Therefore the initial e-mail sent should be to a generic contact such as info@ or inquiries@ or whatever address is most prominent on the target’s website. Remember that the idea is to build up credibility over time as convincingly as possible.

Hello,

I’m currently involved in a project as part of my final year studying business and management. Our project is primarily focused on private sector businesses such as yours.

I appreciate that you will be busy, but if you could point me in the direction of someone who may be able to give me some information, I would be very grateful!

Thank you for your time, hope you can help

Sophie

In the above e-mail you are only asking for a contact; this could even be a request for a department. Typically you will receive a response to an inquiry like this from an employee rather than from a generic e-mail address. This initial contact should provide you with your first target and the structure of their e-mails. If you are lucky, the response will include further contact details for employees that “may be able to help you”. Or you may be told that your request has been forwarded on to other employees who will be contacting you soon. Hopefully your e-mail will begin to circulate around the business as each employee attempts to avoid the responsibility by passing it on to their colleagues. Eventually, when you do establish a dialogue with someone willing to provide information, the previous e-mail chain creates credibility and the chain of authentication effect also applies.

Consider asking fairly innocuous questions that reveal useful information when combined. Try to establish how many departments there are, how many employees work there, who is responsible for each department, the employee hierarchy, what partner companies they work with and general policies and processes. This all sounds like information they would never reveal, but remember the concepts of information elicitation. You wouldn’t directly ask “How many departments do you have?”. Instead, you would say something along the lines of “The previous company we spoke to said they were well established, but they also said they only had three departments, which we thought was a bit odd?”. Here we are using social proof (the previous company revealed the information) and we’re leveraging the power of “ignorance”, hoping that we’ll be informed by the target. The response will hopefully be something such as “Really? That is strange, I wouldn’t say we’re particularly long established but we have eight departments here, one on each floor!”.

Once you have obtained information from one employee, you would then continue to spread the attack with a request such as:

Hi Martin,

You’ve been such a fantastic help! Your insights have made a real difference to our project, we’ll have to include you in our acknowledgments! :)

A little cheeky, but who in human resources would be as helpful as yourself?

Sophie

There will be employees that will remain in contact with you. For example, the initial contact may e-mail to ask whether or not you received the information you wanted and whether there is anything else they can do to help. Once you believe you have established a strong relationship with a specific employee then it may well be time to spring the trap. Consider the conversations you have had with them and use key information to your advantage. For example, suppose you have discussed the difficulty and scope of the university project with one employee and they have asked you “Will we ever get to see the results?”.

If you wanted them to browse to a malicious web site:

Hi Martin,

Of course! We’ve started building a website showing our results and your contributions are on it.

It’s a bit basic at the moment but you’ll get the idea. :)

www.afakemaliciouswebsite.com/project

Sophie, x

Or if you wanted them to download a malicious attachment:

Hi Martin,

Of course! I’ve attached a draft of what we have done so far.

It’s a bit basic at the moment but you’ll get the idea. :)

Sophie, x

By this point, after several days or weeks of e-mails being sent back and forth, it is very unlikely that the target will suspect any malicious intent. The best approach is to wait for the target to respond with something that almost “requests” you to send a link or attachment.

The above is just one example of how you could perform an extended spear phishing attack; you could of course approach this in infinitely different ways. The important point to remember is that you build up credibility over time and wait for the target to reveal the best way to manipulate them.

Gaining inside help

The previous section talked about eliciting information that could aid in attacks. However, the information that could be useful to an attacker is not always so obvious. Rather than looking for partially sensitive employee or company information, what about looking for employees who could potentially help you directly?

It is often stated that the vast majority of security breaches are caused by internal staff. Often the breach will not be intentional but sometimes it is. The concept of the “disgruntled employee” is a serious concern for most businesses, especially those that have just dismissed an employee with high privileges. Even if the business has followed strict and thorough employee dismissal procedures (such as disabling the employee’s various computer accounts and changing any passwords they may have known), there is still the possibility that the employee has some level of access they failed to remove, such as computer network backdoors they didn’t know about. If they were able to remotely access the business’s computer system and delete the current and backed-up databases, then the business could be severely damaged, perhaps beyond the point of recovery.

Disgruntled employees need not only be those that have actually been dismissed, as current employees can also have significant grudges against the business. They may dislike their job but have no choice but to stay for any number of reasons. This type of employee is perhaps the most dangerous as they definitely still have the privileges that could harm the business. In addition, the business is not necessarily aware of any potential risk such as that posed by a recently dismissed employee.

An employee with a serious grudge against the business, whether they still work there or not, would be extremely useful to an attacker. An “inside man” could not only provide useful information but could also act on behalf of the attacker to accomplish all manner of attacks from the inside. They could establish network backdoors, provide legitimate passes or exfiltrate business data to the attacker directly.

All the attacker would need to do is find them and this could be accomplished through information elicitation.

The first challenge is to meet with the employees, which could be accomplished in smoking areas, local cafes or pubs they frequent or even on public transport they take.

You could strike up a fairly innocuous conversation with the employee, then focus the subject on work life in general. You know exactly where they work, but of course act as though you don’t. You then focus the conversation down further to how you’re treated at work. Provided they are actually unhappy with their current role, they will hopefully either try to better it by saying how much worse they are treated, or establish common ground by agreeing that they too dislike their job greatly.

Once you have determined if an employee is a potential accomplice, the next question is how they could be leveraged. Do you attempt to enlist them to your cause, resulting in them risking their job? Or do you try and obtain sensitive information from them, such as remote access passwords? There is always the chance that they will immediately raise the alarm if you reveal your position, regardless of whether they dislike their job or not. This is why this is a “long game” technique, as fully establishing the target as a genuine risk-free “insider” could take a great deal of time indeed.

Working at the target company

This is possibly one of the most clichéd social engineering techniques, often proclaimed as the ultimate attack that businesses couldn’t possibly defend against. If you apply for and are successful in obtaining a job at your target company, then you will at least gain access to the building. Once you’re inside the building, it is then much easier to execute your attacks. For example, while cleaning the offices you could plant key loggers or install drop boxes to create backdoors into the network.

What vulnerabilities are we exploiting? Strictly speaking you are testing the robustness of the business’s employee screening process. Do they check the basic details such as the individual’s name and address? Do they contact the references? If they do contact the references do they actually validate them? Do they check the employment history properly?

One of the classic positions that attackers apply for is a cleaning role, presumably for two reasons. First, a cleaning position shouldn’t really require any specific qualifications and second, it is fairly unlikely that a business will perform thorough checks on applicants due to the apparent low privileges associated with that position. However, the irony is that cleaners are commonly given more building access than regular employees. Once the attacker has successfully obtained the job role then the vulnerabilities they could exploit are no different to those available to any general employee.

This entire process can take a great deal of time. From the perspective of an attacker it could be the highest payoff against the lowest risk. From the perspective of a security assessor this approach is testing the employee screening process, which is something that can be significantly improved without lengthy practical assessments. For example, the security consultant could apply for a position with fake credentials and references to test whether or not the screening procedures are being followed. This does however rely on a position being currently available, which is not always the case.

Targeting partner companies

Previous chapters have discussed how sensitive data can be stored in more than one location. Once you have located all the places where the data is stored, you then choose to attack the weakest point. However, even if your target data is only stored in one business location, establishing all the direct and indirect links to that business can be hugely beneficial. Any company that deals with your target company is a link in the overall security chain, even though they don’t necessarily store the data you want. There are two approaches to taking advantage of a third party; you can impersonate them or you can attack them directly to obtain useful information.

Contractors from third-party companies will often contact and visit a business. This could be to perform routine maintenance on their hardware or to respond to reported faults. Employees will be used to seeing these contractors and are unlikely to fully challenge them. In addition, the employees will also be used to seeing different engineers, making the impersonation even easier. All the social engineer needs to do is convincingly impersonate a third-party contractor (which could be little more than a polo shirt with their logo) and devise a decent pretext. The ease of this approach makes it possibly one of the most common physical attacks against businesses. Scenarios based around contractor visits identify weaknesses in the visitor/contractor sign-in and validation procedures. Sadly, simply arriving onsite and explaining that you’ve been called to look at a printer can sometimes be enough to gain access, though the authors would never recommend such an approach. See Chapter 7 for a breakdown of building targeted scenarios.

Third-party companies will often contact a business in response to support requests or even to sell more services and products. If you can successfully impersonate a third-party company then you could obtain very useful information. For example, if your reconnaissance has revealed that the target company uses a particular manufacturer of printer, you could impersonate a sales representative asking them whether the equipment is meeting their expectations. From that one phone call you could potentially learn:

• What model of printer they have

• Whether or not they have had any issues

• Who is in charge of their maintenance

• Who was in charge of their purchase

This information may seem completely innocuous but as previous sections have shown, changing innocuous data into sensitive data is a process of small steps. If you learn from the call that the manufacturer themselves will send engineers out, then you have the beginnings of a possible scenario.

In addition to impersonation there is always the possibility of simply attacking the third-party company directly to gain a foothold on your main target. The third party may not store the data you want, but they could have network visibility of the main target.

Long-term surveillance

Long-term surveillance is an age-old technique for gathering information. Various spy films have seen investigators on “stake outs” watching a target from across the road through blinds, or using zoom lenses to capture photos from afar. The risk is relatively low: provided you are well hidden and have plenty of time on your hands, these methods can gather a lot of information. However, how do these methods relate to attacking businesses? Before the authors can give any practical advice regarding these methods, we first need to dispel some of the common clichés.

Secret surveillance and high-powered lenses may be advantageous if you’re trying to learn the layout of a high-security military complex. However, when attacking the average business, you need only walk your dog past the front door to see all the cameras, security guards, entrances and exits. You can even walk into reception and ask for directions to see the layout and all the possible weak points. Therefore, long-term surveillance isn’t really that useful for the initial reconnaissance stage of the attack. As far as an assessment goes, simple photography of the building and information from Google Maps will likely suffice.

A frequently used cliché in surveillance is the use of binoculars or even a telescope to watch an employee’s keyboard strokes through a window. The idea is that you will be able to see them enter their password and use this to your advantage. How practical is this? Typically, of all of the employees in a business, only a handful will have the privileges of a “domain admin” user. It is this level of privilege that is required to quickly and efficiently compromise the network (assuming that it is a Microsoft Windows domain). Therefore, you may be looking through a lot of office windows before you come across a valuable password. In addition, you have no real way of fully confirming whether that password belongs to a highly privileged user. However, if the business has a remotely accessible service such as a business e-mail or VPN portal, then potentially even a standard user’s credentials could access it (provided it doesn’t have two-factor authentication). If you can gain access to a user’s e-mail account then you can use it to launch further phishing e-mail attacks. Chances are that passwords will be reused, so you may well gain access to additional services such as the user’s eBay, Amazon or even PayPal account. If you do gain access to the building, then at the very least you should be able to use a standard user’s credentials to log on to a free workstation. Launching attacks from a workstation is generally less suspicious than plugging your laptop or “dropbox” into the network, unless of course you can do it without being seen.

Similar to watching employees enter passwords, another common use of surveillance is to watch employees enter codes into keypads (Simplex locks, etc.). In high-security environments such as banks, these locks are often mounted horizontally, so it is difficult to see the pad from a distance. However, strangely enough, in the vast majority of cases they are mounted vertically on the wall for all to see. Sitting in your car in the car park with a good pair of binoculars may be all that’s required to see the code being entered. Sometimes, a keypad will be used on the car park barriers as well. If you ever see these locks in use, it is essential that you highlight the vulnerability to the client. They can then weigh up the cost of the countermeasure (replacement with radio-frequency identification (RFID) or mounting horizontally) against the risk of an attacker using the code to gain access. Don’t waste days trying to capture someone entering the code if a 5-min conversation with the client will establish the risk and allow them to make a good business decision.

Another vulnerability associated with keypad locks arises when the code is not regularly changed. Eventually the buttons become worn, so an attacker can see which digits are being pressed. This reduces the number of possible combinations to just a few.
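To put a number on that reduction when advising a client, here is an added Python example (not from the book) that computes how many codes remain possible once the set of worn buttons is known, assuming a standard ten-key digital keypad and a fixed code length; it generalizes the point with an inclusion-exclusion count and a brute-force enumeration to cross-check it.

```python
from itertools import product
from math import comb

# Assumption: a standard ten-key digital keypad (digits 0-9).
KEYPAD_DIGITS = "0123456789"


def codes_using_exactly(worn: str, length: int) -> int:
    """Count codes of the given length that use every worn digit at least
    once and no other digit.  A worn digit may be pressed more than once,
    so this is the number of surjections from code positions onto the worn
    set, computed by inclusion-exclusion."""
    worn_set = set(worn)
    m = len(worn_set)
    # More worn buttons than code positions means the wear pattern cannot
    # come from a single fixed code of this length (or the code length is wrong).
    if m == 0 or m > length:
        return 0
    return sum((-1) ** j * comb(m, j) * (m - j) ** length for j in range(m + 1))


def enumerate_candidates(worn: str, length: int) -> list[str]:
    """Brute-force cross-check: list every code that uses exactly the worn digits."""
    worn_set = set(worn)
    return [
        "".join(c)
        for c in product(sorted(worn_set), repeat=length)
        if set(c) == worn_set
    ]


def keyspace_reduction(worn: str, length: int) -> dict:
    """Summarise how much of the nominal keyspace survives once wear is visible,
    i.e. how many guesses an attacker would need versus the advertised 10^length."""
    nominal = len(KEYPAD_DIGITS) ** length
    remaining = codes_using_exactly(worn, length)
    return {"nominal": nominal, "remaining": remaining, "fraction": remaining / nominal}


if __name__ == "__main__":
    # Constructed scenario: a four-digit code on a lock whose 2, 5, 8 and 0
    # buttons show wear.  Of 10,000 nominal codes only 24 orderings remain.
    print(keyspace_reduction("2580", 4))
    # With three worn buttons (one digit repeated) the count is 36, still tiny.
    print(keyspace_reduction("258", 4))
```

The surviving fraction is the figure to show the client when arguing for a code rotation schedule or a keypad with scrambled key layouts; the page's other countermeasures (RFID replacement, horizontal mounting) address the shoulder-surfing risk rather than the wear risk.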

If time is not a limited resource then the best approach is to combine long-term surveillance with the concept of turning innocuous information into sensitive information. Suppose you have rented a room across the road and have good visibility of the target office space using a telescope. Generally speaking, you will see employees working away, typing at their desks, having conversations at the water cooler, filing papers in cabinets, etc. However, if you know what to look for then you can gather some great pieces of information.

At the very least you should be looking for:

• The currently used operating system from what is shown on the workstation screen

• The manufacturer of workstations they use

• The manufacturer of VoIP telephone they have

• The employees’ identification badges and color of lanyards

• Which department is on which floor

• How the employees dress, does it differ between each department?

• Information written on whiteboards such as network diagrams or even passwords

• What locks do they use on drawers and cabinets? Are they just wafer locks or something more secure?

• What internal security is there? Do the employees use RFID passes inside the building?

• Generally when do they all arrive and leave every day?

There are also less obvious things that you should take note of:

• How long do the doors stay open for? Would tailgating be easy?

• Are the offices open plan? Would you stand out if you walked through?

• Is there an obviously clear desk policy or do employees leave stuff out when they go to lunch?

• Are the employees using a shredder consistently or are documents thrown in the bin?

Remember that almost anything you see could potentially be used to gain credibility. Suppose you notice that the employees bring biscuits in every Friday and lay them out on a table. When calling your target and impersonating an employee, credibility could be gained by jovially saying something as simple as “So, how many biscuits did you eat today?”. Sometimes the less obvious and totally innocuous pieces of information, such as “Friday biscuits”, can be more valuable than passwords.

Summary

If you are performing a social engineering security assessment then you may well be confined to “short game” attack strategies. Although these may not be entirely realistic, it is still very possible to provide great value for the client. To accomplish this it is essential that you target the most relevant areas and use the little time you have effectively. Ultimately, your assessment needs to provide the information necessary to have the greatest impact on the client’s overall security posture.

If you are a real-world attacker with no time restrictions, then the methods you can employ are devastatingly effective. The more time you take, spanning your attacks over weeks or months, the more likely you are to succeed. If, as a client, you want to explore the risks associated with “long game” attack techniques then you essentially have two options. You can either invest a large sum of money into an extended social engineering assessment or you can take a “risk management” approach and address the issues as more of a paper exercise. However, remember that social engineering professionals can provide great insight into possible “long game” attacks, so as to make paper exercises more accurate and relevant.

The next chapter will discuss the process and challenges associated with engaging a third-party company to perform a social engineering assessment.
