Checking the awareness of personnel about cybersecurity threats is one of the most demanded cases. It is carried out, as a rule, by methods of social engineering.
In today's article:
• Our goal: to verify that employees comply with information security policies.
• Methods: social engineering.
• Local goal: obtaining information that will allow for a "privilege escalation" attack.
This post was written by me in co-authorship with colleagues of the Prospective Monitoring based on real cases worked out by our working group in practice. Enjoy reading!
Purpose: to verify that employees comply with information security policies.
Methods: social engineering.
Local goal: Obtain information that will enable a privilege escalation attack.
The stages of social networking are not much different from the stages of a pentest.
Planning
The main thing in social networking is to set a clear goal. Without goal-setting, acting chaotically, you will achieve little, only turn the social program into a booth, and yourself into clowns.
We set a goal: to contact the system administrator and get information from him on the account structure, password structure, ideally - to get the password itself.
Collection and analysis of information
This is the longest and most tedious stage. Through the eyes of an uninformed person, the work of a social engineer consists of telephone conversations, during which he, with the power of magic, talent and charm, fishes out confidential information from gullible users. In reality, information gathering / negotiations are related to many days of exhausting training / performance at the championship with an athlete.
What we need: the most complete information about the employees of the attacked company. Namely: full name, positions, contacts, powers. The most important information is the technologies used in the company. You also need information about the company itself: market position, financial condition, rumors, gossip (the latter is especially interesting, since it reveals the informal atmosphere in the company).
What we use: the organization's website, collection of information from open sources, phishing, some information can be provided by the customer.
Phishing is an ideal solution, but for a whitehacker it is not always possible in terms of a contract with a customer. Preparing an email containing a malicious attachment or a link to a phishing site. The goal is to get real user credentials.
In order for a phishing email to hit its target, you need to carefully study the information about the company and its specifics. What technologies are used in the company? Where is the office? What bonuses are offered to employees? What problems does the company have?
An example of a phishing email:
You can make several letters, each of which is focused on its own target group.
Is the customer against phishing? Ok, arm yourself with patience and sift through open sources: work sites, review sites, social networks, blogs, forums, thematic groups. Prepare to kill a few days with a boring and often thankless job.
Collecting information from public sources manually is laborious. Since one of the products developed by our company is a complex for collecting data from open sources, this stage takes a small amount of time for us, because everything is done quickly enough, connections between objects of interest are built automatically.
Friendship diagram of a real account. Photos are replaced.
The final outcome of the stage may be as follows:
From all users, we need to select several victims: those to whom we call, and those on behalf of whom we are calling. Think over their connections, based on the analysis of social media accounts, write a supposed psychological portrait.
If our goal is a system administrator, then the target groups will be as follows: reception, secretaries, hr, accounting, technical support staff and, in fact, administrators.
Conventionally, according to the degree of susceptibility to attacks, we divide users into the following groups.
Paranoid. You won't get anything out of these. It doesn't matter why they are like that, as a child, my mother forbade talking to strangers or recently received a thrashing from an evil security guard. Recognizable by the cloth language, coldness and formalism.
Indifferent. Such an employee does not care deeply who calls him and why. Even before he picks up the phone, he is already thinking of how to get rid of you as quickly as possible, no matter who you are and what you need. In a small percentage of cases, precisely because of his indifference, such an employee will give you all the information you need. More often it will refer to lunch, the end of the working day, busyness or lack of authority.
Cowardly. Employees who are afraid to death not to please their superiors, to break any rules or orders, in general, those who fear for their chair at a given moment prevails over critical thinking. Get more bossy metal in your voice and you'll crack it.
Kind, good people, sincerely ready to help. But at the same time, they do not try to figure out who they are actually helping. And this is our target audience.
How to distinguish one from the other? Preparation, knowledge of psychology, flair, acting, experience.
So, based on the analysis of the profiles of social media employees, we select 2 victims: a secretary with a rescue and an administrator. It is desirable, of course, not 2, but 5-6. The best choice is bright personalities with pronounced features, which are easy to imagine and portray. The attack script must also be written taking into account the peculiarities of the psychology and connections of the found "victims". Calling a random employee asking for a password is a failure.
The victim, on whose behalf the call will be made: Secretary of the Responsible Ekaterina Petrova, 21 years old, with the company for half a year, studying by correspondence to become an economist. Bright makeup, pink hair, lots of social media photos, a Tinder account.
We call the employee of the technical support department Dmitry, 35 years old, work experience in the company for 5 years, single, wants to change his place of work. This is important because it is possible that, psychologically, the employee already associates himself less with the company and is more negligent about safety.
Developing an attack scenario
Legend: agirl on sick leave cannot access her work email via owa. She needs to send a mailing list to top managers regarding the timing of the closed conference. She entered the password incorrectly 3 times and asks to send her a temporary one, promising to change the password at the first login. The legend must be thought up in advance and learned by heart in order to avoid the situation "never before was Stirlitz so close to failure." You still have to improvise and the degree of chaos is better to reduce.
The main thing is confidence, do not let the person on the other end of the line come to their senses. Lost, lost, began to mumble, forgot your name, did not find quickly what to answer - I lost.
Call script:
- Dim, hello! This is Katya. Do you have a minute?
- Hey! What is Katya?
- Yes I am! Katya Petrova, from the reception. Dim, save me.
Further, several options for the development of events are possible:
Let's say that everything is fine with us and Dima is ready for a dialogue.
- What's happened?
- Dim, I'm at home, on sick leave. I can't go to our general mailbox reс[email protected], but I really desperately need to make a mailing list for our tops today. Help, Ivanova will kill me. (Ivanova, as we found out during the collection of information, is Katya's immediate leader).
During a call, it is necessary to scan Dima's emotional state with lightning speed. Is he in the mood for communication? Is he restrained? Is he in a hurry? Is he flirting with Katya? Is he indifferent? If Dima has any hobbies that you read about on social networks, you can also screw it up, but very carefully so as not to overplay it. This is where you need all your empathy. "Calculate" the person, choose the desired tone - the password is in your pocket.
You can keep a photo of Katya in front of your eyes. For some time you need to become "Katya" yourself to the core.
Next, consider 2 options.
1) Dima is a cheerful dolt, he is interested in chatting, and he is ready to help.
- What did you fail? Have you checked the layout and caps?
- Why can't I come in? Yes, I entered the password incorrectly 3 times. That's how I contrived, we do not use this box so often. I forgot, we have there "si" or "s". Yes, I tried it anyway, and that's all 3 times wrong, I remembered, but there are no more attempts, he got stuck. What to do !!! Ivanova will kill me, as if she will. Help Dimaan ... Can you put a temporary password in my cart? And I will change it back at the first entrance.
There can be many options for a conversation. I forgot the caps, mixed up the layout, chose the wrong browser. The general idea is that "Katya" will harass Dima with her stupidity, chirping and moronic questions until he spits and dictates or sends a new password.
After changing the password, you will have a certain amount of time, exactly until the moment when someone tries to log in with a regular password and calls technical support. What can you take in the general secretariat box? Well, for example, download a directory with employee contacts.
In Dima's defense, I can say that situations in the work of technical support are still not the same, and users sometimes demonstrate even greater learning disabilities and forgetfulness.
2) Dima is a gloomy, non-contact type.
- Dmitry, I need remote access to e-mail. Due to production needs. I urgently need it. Which means there is no request, I'm at home, on sick leave. Yes, I ask you to create a request yourself as an exception! My name is Ekaterina Ivanovna Petrova, department secretariat. I urgently need to send a mailing list to senior management. Should I write to the management that I could not do this newsletter due to the fault of the technical support employee?
And now Dima's ideal answer: “Dear Ekaterina, I ask you to call back from the phone indicated in the corporate information system. I have no right to give you a password. "
The purpose of the awareness test is not to punish the unfortunate Dima, who merged the password for a girl with pink hair. The main thing is to identify and eliminate weak points.
What should a company do that has been socially engineered to identify multiple Human Factors vulnerabilities? Our recommendations:
In today's article:
• Our goal: to verify that employees comply with information security policies.
• Methods: social engineering.
• Local goal: obtaining information that will allow for a "privilege escalation" attack.
This post was written by me in co-authorship with colleagues of the Prospective Monitoring based on real cases worked out by our working group in practice. Enjoy reading!
Checking the awareness of personnel about cybersecurity threats is one of the most demanded cases. It is carried out, as a rule, by methods of social engineering.
Purpose: to verify that employees comply with information security policies.
Methods: social engineering.
Local goal: Obtain information that will enable a privilege escalation attack.
The stages of social networking are not much different from the stages of a pentest.
Planning
The main thing in social networking is to set a clear goal. Without goal-setting, acting chaotically, you will achieve little, only turn the social program into a booth, and yourself into clowns.
We set a goal: to contact the system administrator and get information from him on the account structure, password structure, ideally - to get the password itself.
Collection and analysis of information
This is the longest and most tedious stage. Through the eyes of an uninformed person, the work of a social engineer consists of telephone conversations, during which he, with the power of magic, talent and charm, fishes out confidential information from gullible users. In reality, information gathering / negotiations are related to many days of exhausting training / performance at the championship with an athlete.
What we need: the most complete information about the employees of the attacked company. Namely: full name, positions, contacts, powers. The most important information is the technologies used in the company. You also need information about the company itself: market position, financial condition, rumors, gossip (the latter is especially interesting, since it reveals the informal atmosphere in the company).
What we use: the organization's website, collection of information from open sources, phishing, some information can be provided by the customer.
Phishing is an ideal solution, but for a whitehacker it is not always possible in terms of a contract with a customer. Preparing an email containing a malicious attachment or a link to a phishing site. The goal is to get real user credentials.
In order for a phishing email to hit its target, you need to carefully study the information about the company and its specifics. What technologies are used in the company? Where is the office? What bonuses are offered to employees? What problems does the company have?
An example of a phishing email:
You can make several letters, each of which is focused on its own target group.
Is the customer against phishing? Ok, arm yourself with patience and sift through open sources: work sites, review sites, social networks, blogs, forums, thematic groups. Prepare to kill a few days with a boring and often thankless job.
Collecting information from public sources manually is laborious. Since one of the products developed by our company is a complex for collecting data from open sources, this stage takes a small amount of time for us, because everything is done quickly enough, connections between objects of interest are built automatically.
Friendship diagram of a real account. Photos are replaced.
The final outcome of the stage may be as follows:
- approximate organizational structure of the attacked company;
- the structure of the employee's email address;
- list of prospective employees with positions;
- contacts of employees, phones, e-mail, accounts in social networks.
From all users, we need to select several victims: those to whom we call, and those on behalf of whom we are calling. Think over their connections, based on the analysis of social media accounts, write a supposed psychological portrait.
If our goal is a system administrator, then the target groups will be as follows: reception, secretaries, hr, accounting, technical support staff and, in fact, administrators.
Conventionally, according to the degree of susceptibility to attacks, we divide users into the following groups.
Paranoid. You won't get anything out of these. It doesn't matter why they are like that, as a child, my mother forbade talking to strangers or recently received a thrashing from an evil security guard. Recognizable by the cloth language, coldness and formalism.
Indifferent. Such an employee does not care deeply who calls him and why. Even before he picks up the phone, he is already thinking of how to get rid of you as quickly as possible, no matter who you are and what you need. In a small percentage of cases, precisely because of his indifference, such an employee will give you all the information you need. More often it will refer to lunch, the end of the working day, busyness or lack of authority.
Cowardly. Employees who are afraid to death not to please their superiors, to break any rules or orders, in general, those who fear for their chair at a given moment prevails over critical thinking. Get more bossy metal in your voice and you'll crack it.
Kind, good people, sincerely ready to help. But at the same time, they do not try to figure out who they are actually helping. And this is our target audience.
How to distinguish one from the other? Preparation, knowledge of psychology, flair, acting, experience.
So, based on the analysis of the profiles of social media employees, we select 2 victims: a secretary with a rescue and an administrator. It is desirable, of course, not 2, but 5-6. The best choice is bright personalities with pronounced features, which are easy to imagine and portray. The attack script must also be written taking into account the peculiarities of the psychology and connections of the found "victims". Calling a random employee asking for a password is a failure.
The victim, on whose behalf the call will be made: Secretary of the Responsible Ekaterina Petrova, 21 years old, with the company for half a year, studying by correspondence to become an economist. Bright makeup, pink hair, lots of social media photos, a Tinder account.
We call the employee of the technical support department Dmitry, 35 years old, work experience in the company for 5 years, single, wants to change his place of work. This is important because it is possible that, psychologically, the employee already associates himself less with the company and is more negligent about safety.
Developing an attack scenario
Legend: agirl on sick leave cannot access her work email via owa. She needs to send a mailing list to top managers regarding the timing of the closed conference. She entered the password incorrectly 3 times and asks to send her a temporary one, promising to change the password at the first login. The legend must be thought up in advance and learned by heart in order to avoid the situation "never before was Stirlitz so close to failure." You still have to improvise and the degree of chaos is better to reduce.
The main thing is confidence, do not let the person on the other end of the line come to their senses. Lost, lost, began to mumble, forgot your name, did not find quickly what to answer - I lost.
Call script:
- Dim, hello! This is Katya. Do you have a minute?
- Hey! What is Katya?
- Yes I am! Katya Petrova, from the reception. Dim, save me.
Further, several options for the development of events are possible:
- Dima does not remember who Katya is, but he is ashamed to admit it.
- Dima "recognized" Katya.
- Katya is standing next to Dima, and he is shocked by what is happening.
Let's say that everything is fine with us and Dima is ready for a dialogue.
- What's happened?
- Dim, I'm at home, on sick leave. I can't go to our general mailbox reс[email protected], but I really desperately need to make a mailing list for our tops today. Help, Ivanova will kill me. (Ivanova, as we found out during the collection of information, is Katya's immediate leader).
During a call, it is necessary to scan Dima's emotional state with lightning speed. Is he in the mood for communication? Is he restrained? Is he in a hurry? Is he flirting with Katya? Is he indifferent? If Dima has any hobbies that you read about on social networks, you can also screw it up, but very carefully so as not to overplay it. This is where you need all your empathy. "Calculate" the person, choose the desired tone - the password is in your pocket.
You can keep a photo of Katya in front of your eyes. For some time you need to become "Katya" yourself to the core.
Next, consider 2 options.
1) Dima is a cheerful dolt, he is interested in chatting, and he is ready to help.
- What did you fail? Have you checked the layout and caps?
- Why can't I come in? Yes, I entered the password incorrectly 3 times. That's how I contrived, we do not use this box so often. I forgot, we have there "si" or "s". Yes, I tried it anyway, and that's all 3 times wrong, I remembered, but there are no more attempts, he got stuck. What to do !!! Ivanova will kill me, as if she will. Help Dimaan ... Can you put a temporary password in my cart? And I will change it back at the first entrance.
There can be many options for a conversation. I forgot the caps, mixed up the layout, chose the wrong browser. The general idea is that "Katya" will harass Dima with her stupidity, chirping and moronic questions until he spits and dictates or sends a new password.
After changing the password, you will have a certain amount of time, exactly until the moment when someone tries to log in with a regular password and calls technical support. What can you take in the general secretariat box? Well, for example, download a directory with employee contacts.
In Dima's defense, I can say that situations in the work of technical support are still not the same, and users sometimes demonstrate even greater learning disabilities and forgetfulness.
2) Dima is a gloomy, non-contact type.
- Dmitry, I need remote access to e-mail. Due to production needs. I urgently need it. Which means there is no request, I'm at home, on sick leave. Yes, I ask you to create a request yourself as an exception! My name is Ekaterina Ivanovna Petrova, department secretariat. I urgently need to send a mailing list to senior management. Should I write to the management that I could not do this newsletter due to the fault of the technical support employee?
And now Dima's ideal answer: “Dear Ekaterina, I ask you to call back from the phone indicated in the corporate information system. I have no right to give you a password. "
The purpose of the awareness test is not to punish the unfortunate Dima, who merged the password for a girl with pink hair. The main thing is to identify and eliminate weak points.
What should a company do that has been socially engineered to identify multiple Human Factors vulnerabilities? Our recommendations:
- periodic training of personnel in the basics of information security, trainings with the involvement of specialized companies;
- checking the awareness of employees in information security issues;
- the employee must know exactly what information is confidential;
- training IT staff in methods of countering social engineering.