Social engineering
In one of our recent articles, we discussed how the global COVID-19 pandemic changed social engineering scenarios. It is impossible to cover every subtlety in a single publication, so today we continue the conversation and look at how an attacker physically penetrates a company's premises. It would not be superfluous to remind readers once more of the precautions everyone should take so as not to become an unwitting victim.
We emphasize that although our recommendations are aimed at keeping company employees vigilant, the general public would do well to adopt them too.
When the term "social engineering" comes up, many people think of Kevin D. Mitnick and his books. Mitnick's works were published more than fifteen years ago, but the penetration scenarios described in them still work, somewhat modified and adapted to present-day realities (and some even in their original form).
Of course, they are only a drop in the ocean. For any given company an attacker can use either a "template" scenario or a unique one built around the specific features of that enterprise.
Having set himself the task of getting inside the company, the attacker will analyze factors such as:
the company's field of activity;
the physical protection of the perimeter of the office building (fences, cameras, security posts, etc.);
the building in which the office is located (whether the company occupies the whole business center or only part of it, the location of security posts, the location of the main and alternate entrances and exits);
the surrounding landscape (bushes, benches, garbage containers around the building, where an attacker can hide his devices);
the employees' daily routine and habits;
whether third parties can get onto the premises;
photos of passes, floor plans, event schedules and other information that can be found in the public domain.
Physical penetration carries a high risk of deanonymization for the attacker himself. So why would an attacker take such a dangerous step? To simplify the attack and reduce its cost. Once inside, an attacker can quietly gain a foothold in the internal network and for some time receive confidential information, including details of the structure of the system he is after.
The range of goals an attacker may pursue is quite wide: from the theft of equipment and other office property to the theft of confidential and critical data. All of this carries financial and reputational risks for the company.
As the pandemic recedes, a social engineer has more opportunities than before. Rapid changes in the labor market have caused an outflow of workers from some companies and an influx into others. As a result, many employees know their new colleagues exclusively through messengers and email. This is especially true of large companies with many staff.
A reasonable step for management in such conditions is to bring new and long-standing employees closer together. This strengthens not only the overall team spirit but also the security of the enterprise, whatever its line of business. We are well aware that introducing all employees to each other is far from a priority for large companies, and sometimes simply impossible, but it can be done successfully within individual departments.
Which people enjoy a high degree of trust and arouse no suspicion when they appear at the entrance to the company building?
Above suspicion
1. Technical staff
Electricians, fitters, cleaners: everyone who wears a uniform. A uniform always inspires confidence, and few people will stop to wonder, "What is this person doing here?" Meanwhile, he can do anything, including leaving hardware implants ("bugs") and studying the structure of the infrastructure.
It is impossible not to recall the recent high-profile case in which unknown people dressed as workers walked out of the Tretyakov Gallery with a painting by Kuindzhi. No one, including the attendant, stopped them.
2. Service personnel
Workers replacing carpets, tending plants, servicing vending machines… Again, it depends on the specifics of the particular enterprise. Few people pay attention to the people who keep the office running. That is a mistake, because an attacker can pose as such personnel in order to reach the part of the building he needs. If he also manages to copy the pass of an employee or of a genuine representative of the service company, moving around the company's premises becomes much easier.
3. Food delivery
During the pandemic, food delivery services reached a new level, and they do not seem inclined to give up their position. An attacker can pretend to be waiting for a customer at the checkpoint and meanwhile set up a fake Wi-Fi access point, copy employee passes, and so on.
What should I do in this case?
If you know for sure that representatives of food delivery services are not allowed onto the premises, warn the guards about the outsider. Do the same if a suspicious courier turns up in the lobby and lingers there for a long time.
4. Courier services
The company's security policy should, in principle, not allow outsiders, couriers included, to go beyond the checkpoint. Otherwise the company itself opens the door to an attacker, who can always pose as a courier.
What should I do in this case?
Delivery of any documents and cargo should stop at the security post or the reception desk of the company administration. This also applies to bulky goods. If the help of outsiders cannot be avoided, be sure to appoint an escort who will take them to the exit once the work is done.
Once again, the key element of social engineering is psychology. If the attacker decides to interact with the company's employees, he will try to make the offer of help come from their side, because that is how the scenario looks most natural. Whereas phishing emails rely mainly on curiosity and fear of authority, here the attacker plays on politeness, mutual assistance and the desire to help.
Does this mean that no one may hold a door or show a shortcut to the library? Of course not. Politeness and mutual assistance are never superfluous. It only means that you should not lose vigilance, however natural the situation may seem. It is better to be safe than to play into the attacker's hands through your own inattention.
How can they get into the building?
1. "I'm for an interview"
An attacker can arrange an interview in advance in order to obtain a legitimate guest pass and enter the company's premises. If not enough attention is paid to escorting an unfamiliar person, the attacker gets the chance to explore the rooms that interest him and carry out his plans.
What should I do in this case?
If you come across a suspicious person on your floor, ask who exactly he has come to see. If you do not get a clear answer, do not jump to conclusions. Offer to go to the security post or reception together, where they will certainly help find the right office or call the recruiter. Note also that a person invited to an interview should, in principle, never look for the office he needs on his own. An employee should be with him at all times, including when he leaves the premises.
Let us describe one attack with physical penetration in which the auditor posed as a candidate for an open vacancy at the company under test.
During reconnaissance and information gathering, he used the HR resources the company used to recruit staff to find its open vacancies. He then compiled a resume that best matched the requirements of the vacancy and waited for an invitation to an interview at the office or to an initial remote interview.
Having received an invitation to an interview, he studied the internal layout of the office: the floor plans, the location of meeting rooms, and where tables, power outlets, power supplies and the like were placed. It became clear that it would cost nothing to find an excuse to "go to the toilet" or "take an important call" during the interview in order to plant devices or insert a Rubber Ducky/HID flash drive into someone's unlocked computer. It would also be entirely feasible to use a little acting and ask employees to print a certificate or resume from a "flash drive". In that case the auditor (read: the attacker) would have gained remote access to the company's network.
2. The dress-up game
An attacker can put on a cleaner's dress, work clothes or overalls and pretend that he has come from a contractor to do repair or technical work. Under this cover he can, for example, gain physical access to the enterprise's internal network or install his own equipment in order to collect as much information as possible about the system he is interested in.
Here is an example from our practice. During a security audit it became known that the building of the company under test was undergoing repairs, so the auditor changed into work clothes and tried to pass through the turnstiles of the business center without a pass. He told the security officer that he had been sent by his superiors to pick up construction debris and had no pass because he would be carrying heavy boxes in his hands. The security officer let him through. Some time later the auditor left; since he had no boxes with him, he explained that nothing was ready yet and he had been told to return in the evening. We did not develop the attack vector further, since the goal had been achieved: the penetration of the premises was successful.
What should I do in this case?
Draw the attention of security or the relevant department to the suspicious situation. If you see a worker fiddling with network cabling or equipment, check with a representative of the IT department: was any work scheduled for today?
3. Being late for meetings
This scenario is played out against security guards who are not attentive enough to their duties. The attacker pretends to be late for an important meeting, drops familiar names, and demands to be let through because there is no time to issue a pass or to find the right person. With the proper level of acting and persuasiveness the script will work, and the attacker will get inside the company's premises.
What should I do in this case?
If you witness such a situation, offer to escort the person to his destination. And if you work for the security organization, remember that your duties come first: no matter how much a person tries to charm you or intimidate you with authority, you cannot violate the official instructions.
4. Entrance through the smoking room
If a company has a smoking area near a separate entrance to the building (and this happens very often), the attacker can wait until the employees of the company he is interested in finish their break and walk into the building behind them, pretending to be one of them. To strengthen the impression, he can go without outerwear, carry documents or boxes in his hands, or even a banana. After all, a person with a banana does not simply walk down the street, so he definitely works somewhere here.
What should I do in this case?
Ask the person where exactly he is going or what the name of his department head is. If your suspicions turn out to be unfounded, you will have met a new colleague. But if the person cannot answer, it would not be superfluous to warn the guards about an outsider on the premises.
5. Copying passes
A copied pass allows an attacker not only to enter rooms where only a limited number of employees are admitted, but also to move freely around the enterprise under a false identity. Identifying marks such as lanyards or branded badge reels help single out the employees of the target company. To copy a pass, it is enough to stand close to the victim for just a couple of seconds. An attacker can ask for the shortest way to the library, ask for a light, or ask for help finding the right building on Google Maps.
What should I do in this case?
Do not wear passes in plain sight outside the office, on the neck or on the belt. Put the pass in your pocket, bag or wallet. This is not as convenient as having the pass within quick reach, but it makes the attacker's job considerably harder. Do not post photos of passes on social networks: by doing so you help the attacker make a plausible fake.
6. Physical media
We have set aside a separate item for the "road apple" technique, in which an attacker scatters media in public places: toilets, parking lots, canteens, etc. An employee driven by curiosity may open a malicious file on the media, thereby allowing the attacker, for example, to gain control of his workstation.
What should I do in this case?
Do not plug suspicious media into a production environment; use a virtual machine for this. Better still, do not open media of unknown origin at all. But if you really want to find out what is on it, hand the find over to the IT department or the security department, and be sure to say where you found it.
This is just the tip of the iceberg. At the same time, the attacker does not always need to penetrate the enterprise's premises directly. For example, to carry out an evil-twin attack, he can set up a copy of the wireless access point in the lobby of the building.
Here is an example from our practice, where elements of several scenarios described above are combined.
On the social network Instagram, a search was performed for a tag with the name of the target company. Geo-location data was then extracted from the photos taken in the office. A search by geo-location turned up a number of photos of badges of good quality and resolution. In this way the auditors were able to learn what the company's passes look like.
In the lobby of the main entrance to the office, right next to the entrance doors, there were chairs for visitors. The auditors placed a backpack with pass-cloning equipment on the last chair in the row, which put them at a minimum distance from the employees entering the office. In this way they cloned the pass of one of the employees who had access to the office and made a physical copy of it that outwardly looked like a real pass.
As a result, the auditors had an unlimited ability to enter and leave the various buildings of the company's office freely in order to conduct reconnaissance, collect information, place their own devices and take other actions simulating significant financial and reputational damage to the company.
They were able to visit every floor of the buildings without arousing the suspicion of security guards or of employees of various departments (including accounting, HR, the development department, the advertising departments of various projects, etc.), place 3 devices providing access to the company's internal network, and successfully carry out an evil-twin attack on the corporate Wi-Fi, which yielded employee credentials.
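The final step of that case study, the evil twin on corporate Wi-Fi, is one the company's own monitoring can catch: an access point that advertises the corporate SSID from a BSSID that is not in the inventory, that offers a weaker security mode than the sanctioned APs, or that overpowers them in signal strength. The following script is an added illustration and not part of the original article or of any auditor's toolkit; the SSID "CorpWiFi", the inventory of sanctioned BSSIDs, the security-mode ranking and the scan lines are all constructed, and a real deployment would feed it the output of the site's own wireless scanner or WIDS sensor.

```python
"""Flag probable evil-twin access points in a wireless scan (added example)."""
from dataclasses import dataclass

CORP_SSID = "CorpWiFi"  # constructed corporate SSID

# Constructed inventory: sanctioned BSSID -> security mode it must advertise.
KNOWN_APS = {
    "aa:bb:cc:00:01:01": "WPA2-Enterprise",
    "aa:bb:cc:00:01:02": "WPA2-Enterprise",
}

# Security modes ranked from weakest to strongest, used for downgrade detection.
SECURITY_RANK = {"OPEN": 0, "WPA2-PSK": 1, "WPA2-Enterprise": 2, "WPA3-Enterprise": 3}

# Constructed scan output: SSID, BSSID, channel, security mode, signal in dBm.
# The third line is the rogue: corporate SSID, unknown BSSID, open network, strongest signal.
SCAN = """\
CorpWiFi aa:bb:cc:00:01:01 36 WPA2-Enterprise -52
CorpWiFi aa:bb:cc:00:01:02 44 WPA2-Enterprise -60
CorpWiFi 12:34:56:78:9a:bc 6 OPEN -35
GuestNet aa:bb:cc:00:02:01 1 OPEN -58
"""


@dataclass
class AP:
    ssid: str
    bssid: str
    channel: int
    security: str
    signal: int


def parse_scan(text):
    """Parse the constructed scan format into AP records (BSSIDs normalized to lowercase)."""
    aps = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ssid, bssid, channel, security, signal = line.split()
        aps.append(AP(ssid, bssid.lower(), int(channel), security, int(signal)))
    return aps


def find_evil_twins(aps, corp_ssid=CORP_SSID, known=KNOWN_APS):
    """Return {bssid: [reasons]} for APs that advertise the corporate SSID suspiciously."""
    weakest_sanctioned = min(SECURITY_RANK[mode] for mode in known.values())
    # Strongest signal seen from a sanctioned AP; an evil twin usually tries to beat it.
    best_known_signal = max((ap.signal for ap in aps if ap.bssid in known), default=-100)
    alerts = {}
    for ap in aps:
        if ap.ssid != corp_ssid:
            continue  # other SSIDs are out of scope for this check
        reasons = []
        if ap.bssid not in known:
            reasons.append("unknown_bssid")
        elif ap.security != known[ap.bssid]:
            reasons.append("security_mismatch")  # inventory says otherwise: possible spoofed BSSID
        if SECURITY_RANK.get(ap.security, 0) < weakest_sanctioned:
            reasons.append("security_downgrade")  # lures clients that accept a weaker mode
        if ap.bssid not in known and ap.signal > best_known_signal:
            reasons.append("overpowers_sanctioned_aps")
        if reasons:
            alerts[ap.bssid] = reasons
    return alerts


if __name__ == "__main__":
    for bssid, reasons in find_evil_twins(parse_scan(SCAN)).items():
        print(f"{bssid}: {', '.join(reasons)}")
```

The inventory comparison is the decisive check; the downgrade and signal-strength rules only rank how urgently someone should go and find the device in the lobby.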
Recommendations
For companies:
Put an access regime in place. Everyone entering the premises must either use a pass or sign in manually at the post. In one form or another, movements around the premises should be recorded.
Issue guest passes to visitors with a limited range of access. If possible, install a mantrap.
Deploy an access control system (ACS) that is not susceptible to cloning attacks, for example one based on HID iCLASS SE or MIFARE DESFire.
Conduct trainings for employees. Employees should understand at what point they can become a target and what ways there are to make it difficult for an attacker to work.
Maintain a balance between the "corporate culture" and the task of protecting the company.
This is an important point, because imprudent actions by the company can give rise to a new threat: an insider in the form of an offended or disgruntled employee. Such a person can take destructive actions, steal critical information in order to sell it, or engage in sabotage, and identifying him can be quite difficult.
Therefore, if your employees fall for phishing during training or social engineering testing, there is no need to punish them. We recommend introducing an element of play or humor into the situation, especially if the employee fails the check more than once: tease them, mention that Mr. N got caught, but do not cross the line.
As a penalty, such an employee can be sent for additional training, but cutting wages or bonuses as a punishment is certainly not worth it.
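The first three company recommendations above (record every movement, give guest passes a limited range, and defend against cloned passes) only pay off if someone actually reads the access logs. The script below is an added example, not part of the original article or of any particular ACS product; it assumes a simple whitespace-separated event format (ISO timestamp, badge id, reader name, direction), and the reader names, badge ids, policy table and sample events are all constructed. It flags three things a cloned or misused pass produces: a guest badge opening a reader outside its range, a second perimeter entry without an exit in between (the real holder is inside while the clone is used at the turnstile), and the same badge presented in two buildings faster than a person can walk between them.

```python
"""Scan physical access-control (ACS) logs for signs of cloned or misused passes (added example)."""
from datetime import datetime, timedelta

# Constructed sample log. Badge ids starting with B are employees, G are guests.
SAMPLE_LOG = """\
2024-03-11T08:01:10 B1001 lobby-turnstile in
2024-03-11T08:01:40 B1001 lobby-turnstile in
2024-03-11T08:05:00 G2001 lobby-turnstile in
2024-03-11T08:06:30 G2001 server-room in
2024-03-11T08:10:00 B1002 lobby-turnstile in
2024-03-11T08:10:10 B1002 lobby-turnstile out
2024-03-11T08:10:20 B1002 annex-turnstile in
2024-03-11T12:00:00 B1001 lobby-turnstile out
"""

# Constructed policy: which readers each badge class may open.
# A guest pass has a limited range: it opens the lobby turnstile only.
ALLOWED_READERS = {
    "B": {"lobby-turnstile", "annex-turnstile", "server-room"},
    "G": {"lobby-turnstile"},
}
# Perimeter readers, where an entry without a preceding exit is suspicious.
PERIMETER = {"lobby-turnstile", "annex-turnstile"}
# Building each reader belongs to, and the minimum walking time between buildings.
BUILDING_OF = {"lobby-turnstile": "main", "server-room": "main", "annex-turnstile": "annex"}
MIN_TRAVEL = timedelta(minutes=5)


def parse_log(text):
    """Parse log lines into (timestamp, badge, reader, direction) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, badge, reader, direction = line.split()
        events.append((datetime.fromisoformat(ts), badge, reader, direction))
    return sorted(events)


def find_anomalies(events):
    """Return (badge, rule, detail) findings in the order they are detected."""
    findings = []
    inside = set()    # badges currently inside the perimeter
    last_seen = {}    # badge -> (timestamp, reader) of its previous event
    for ts, badge, reader, direction in events:
        # Rule 1: this badge class is not entitled to open this reader.
        if reader not in ALLOWED_READERS.get(badge[0], set()):
            findings.append((badge, "zone_violation", reader))
        # Rule 2: a second perimeter entry with no exit in between. A clone being
        # used while the real holder is already inside looks exactly like this.
        if reader in PERIMETER:
            if direction == "in":
                if badge in inside:
                    findings.append((badge, "double_entry", reader))
                inside.add(badge)
            elif direction == "out":
                inside.discard(badge)
        # Rule 3: the same badge presented in two buildings faster than a
        # person can walk between them.
        if badge in last_seen:
            prev_ts, prev_reader = last_seen[badge]
            if (BUILDING_OF.get(prev_reader) != BUILDING_OF.get(reader)
                    and ts - prev_ts < MIN_TRAVEL):
                findings.append((badge, "impossible_travel", f"{prev_reader}->{reader}"))
        last_seen[badge] = (ts, reader)
    return findings


def audit(text):
    """Convenience wrapper: parse a log and return its findings."""
    return find_anomalies(parse_log(text))


if __name__ == "__main__":
    for badge, rule, detail in audit(SAMPLE_LOG):
        print(f"{badge}: {rule} ({detail})")
```

None of these rules requires a clone-resistant card technology; they are the minimum a company gets from simply recording movements, which is why that recommendation comes first. A finding is a reason to have security look at the camera footage for that reader, not proof of an attack: forgotten badge-outs and tailgating on the way out produce the same double entries.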
For employees:
Do not be shy about talking to people. In most cases you will help someone solve his problem, but do not forget basic precautions while doing so.
Have doubts, but do not want to seem impolite by refusing to let a suspicious person tailgate behind you? Pause, pretend to read a message on your phone, and watch where the person goes and what he does.
Don't be afraid to seem paranoid by drawing the attention of others to suspicious activity.
Follow the instructions of the security service/IT department. Remember that security trainings are held for a reason, and the information security policy is not another document that you can read and forget.
Understand that no one is asking you to grab a suspicious person by the sleeve and personally drag him to the authorities. Unless your employment contract says otherwise, this is not your responsibility. Catching a possible criminal is the job of the facility's security; your job is to notice suspicious activity and report it.
Turn off Wi-Fi on phones if you don't need it. This is especially true for owners of Android devices, since they are more vulnerable to evil-twin attacks due to the peculiarities of this OS.
Conclusion
Attacks using social engineering may not seem the most dangerous, since they require the attacker to be directly present, undetected, while preparing or carrying out the attack. However, this apparent ease of detection is far more likely to play into the attacker's hands.
Social engineers are inventive and cunning people. They know perfectly well how to exploit not only the vulnerabilities of the system but also the weaknesses of the human being that a company employee remains throughout his working day. The position he holds matters little: an attacker can always find a way to turn his carelessness, modesty, credulity and other personality traits, positive and negative alike, to his own advantage.
It is quite obvious, then, that the only effective way to prevent social engineering attacks is to inform employees in advance. This means both familiarizing employees with the rules of behavior in the workplace and cultivating habits that lead to the safe resolution of the situations described above, for the sake of the company's resources.
Employees should not forget that politeness and caution in no way exclude each other. Even when you are on guard, you remain a person living in society. But sufficient awareness and attentiveness will let you do something the attacker often does not expect: become a much greater threat to him than he is to you and to the company you work for.