It’s now Shane MacDougall’s turn to contribute to the presentation and focus on the different aspects of modeling the defender for offensive purposes.
Shane MacDougall: Now we’re going to get into the meat of the matter of how we’re actually going to break this down. So, modeling the defender (see image): assessing the people component, like I said, this is broken record type stuff. But we assess the footprint of the organization structure and their defensive talent. I mean, it’s really important that we identify who is doing what within the organization.
We scan the corporate website, press releases, conference presentations. Conference presentations are fantastic: it’s amazing how many people actually put out stuff that is considered company sensitive at conferences, because for some reason they think: “Well, it’s not going to leave this room of the conference,” as if they’d never heard of the Internet, or email. But we’ve seen that happen many, many times.
Identify secondary attack factors, such as suppliers, vendors and customers; again, can’t say enough about attacking vendors, it’s one of my favorite attack vectors, and it just works over and over. Dialing through voicemail and phone directories: I’m always amazed at how few people do an exhaustive poll of company phone directories; you call up and get dialed by name or dialed by department. But think what some of the information is that you get when you dial these services. You often get people to answer usually with their position and their name, and that’s information that you definitely need to know, because we’re trying to map out who the actors are. But often you will hear them say: “I’m out of the office from this date to this date, if you need me you can get me on my cell at this number, and if it’s really urgent, you can contact this person.”
All of that is actual intelligence that you can use for a social engineering attack or just establish your window of attack, because as Raf said, time is really essential on a ton of these attacks, so we really want to extract as much information as we can. Always be sure to traverse the entire phone directory. It’s amazing how many people kind of ignore that.
But suppliers and vendors and customers – I mean, a frazzled customer line always works. A perfect line also is: “I’m such and such from the target company and I’m replacing the guy that’s really your point of contact.” It doesn’t hurt to throw a little bit of sales pitch in there: “We’re interested in buying more stuff,” and they fall for it. I mean, it’s scary how few people pause and take that idea of security for the other person. Everyone’s secure about themselves, but they don’t really stop and think about securing the other people you might be attacking. That’s kind of frightening.
So, when you go through social media, it’s really important that you mine the living daylights out of it. I mean, everyone goes to Twitter, Facebook and LinkedIn, and they’re all goldmines for sure. But look at some of the more esoteric sites as well, like Flickr and SmugMug; it’s crazy what amount of information you can get: ID cards, badges, employee names, numbers, building layouts, etc. (see image to the right). People just like to put stuff on the web. Here’s an example: this was Oracle Corporation, one of their employees put a whole bunch of events online, but this one kind of grabbed my eye because it was about the Diwali celebration (see left-hand image). If you look at that link, you will see that she says the address, including the floor number, the SVP, his name, his org group that’s working there, and she took all these pictures with a DSLR.
And thank god to Canon, because these high-res pictures are fantastic. So you can basically zoom in and find people’s ID badges on their hips, you can zoom in, you can grab their name, grab the barcode, you can grab the whole layout of the cards. You can essentially make a fake card that you can tailgate into the facilities with. And, of course, tons of information that you can use: the pretexting, talk about the delicious Gulab Jamun that they took several pictures of, must have been fantastic.
They also allow us to get fantastic information that we can use as a social engineer: the names on the badges were nice to know, but even more nice was once we took these names and ran them through several different social networking sites, we saw that two of the guys on their social media profiles said that they’re currently open to job offers. So, those are the two guys we are going to go after, right?
It’s really not hard to pull ID badges off. This was SmugMug, the first two pages I pulled off – several pretty badges that are pretty nice: the Google one, the Apple one was nice. The Google Guest one, as you can see, got the time-sensitive thing; the Encom one – there were actually several of these, some people masked theirs out, but you were able to get enough so that you could, seriously, very easily reconstruct an entire badge with these guys. So, you know, people just don’t think before they go to social media for whatever reason, it’s kind of scary.
Doing the social media mining, we can cultivate tons of background information: phone numbers, email addresses, you name it. Sites like beenverified.com; I love spokeo.com, emailfinder.com and many others – you can really get a ton of verifiable information. Never go on just one of these sites; grab several of them and confirm, especially if these guys are doing email verification and kind of data mining or data providing, I guess. It really helps to go through several of them, because you’ll see there’s a lot of junk in the cloud.
Another thing that we want to do is we want to really identify the organizational hierarchy of a company. By that I don’t just mean hierarchy as who’s got what title, but who the influencers are. Because within every group you’re going to have the people that really drive decision making, and even if they don’t have a title, they are usually the people you really want to target.
And it’s kind of hard to do sometimes if you don’t have the org chart, or if it’s one of a few companies that doesn’t let their people post on LinkedIn. But Eric Gilbert at Georgia Institute of Technology has really developed some interesting stuff. He basically developed all these phrases in electronic messaging that will have a very high correlation to a person’s social status within a company. It’s very interesting, I really suggest you check it out. He basically created a data set of 7200+ phrases that will give you a really good, accurate idea of that person’s social status within a company. So, if the email has: “Thought you would,” it means that the recipient outranks the sender. But “Let’s discuss,” – you know, the famous words you always hear in a company; if you see that in an email, the guy sending that is the big cheese.
As we have said before, the high payoff target list, HPTL – that’s really what we want to focus on, to begin with. The tangential target list, TTL, is our secondary targets. They still have the potential for access, they might not be your IT guys or infosec guys, but if you compromise them you’re at least going to get some proprietary information or access that could be logical or physical to a facility.
And then there’s the targets of opportunity, or ToL, because it’s a low-hanging fruit. These are mainly for throwaway operations, one-time phishing attacks, that sort of thing. Whenever I do a social engineering attack, I always make sure I have one good persistent connection, and then I’ll develop a bunch of ToLs, and those are the ones that I use for the one-time phishing attacks or the one-time social engineering attacks: “Do this password change,” and they change it; because I don’t want to impact my one guy that’s going to be my persistent connection.
We also do the reconnaissance, you know, identifying, fingerprinting systems and applications to find vulnerable assets. This is the standard fare for most pentesters. Doing active reconnaissance is the same thing: Nmap, that sort of thing.
Physical asset assessment is something that a lot of people kind of fall down on. That’s where you actually perform the physical surveillance of your facilities, and I’m always kind of amazed at how many guys that do pentest never actually set foot on-site. They always do it entirely remotely. And that just misses so much of the company.
Physical surveillance, having a physical presence is absolutely essential to identifying the company’s overall security posture, and if your pentest doesn’t have that in it, it’s not a useful pentest. Obviously, lacking physical security is probably an indicator of lacking overall security; not always the case, but usually. It lets you identify things such as closed-circuit TV, whether the cameras do PTZ or they’re fixed. Even just hanging around in the lobby, grab titles of the magazines that are sitting in the lobby, where you look at the label and it has the person’s name, their position and often home address or work address. Just sitting in the lobby will help you pick up things like that.
The welcome boards – almost every company has a welcome board in the lobby; if you’ve seen those, they would say: “Welcome, here’s the chump of the day that’s visiting us,” – that gives me points of data right there. And even a sign-in book – it shocks me how many companies still have basically just a clipboard that has you sign in your name, the person you’re visiting, the company you’re with and the time you’re on-site. For your competitor that’s just a goldmine, because it tells me everything. If you’ve got a guy who’s coming in from IBM tech support, you probably have IBM hardware within your facility. But it also lets you map out vendors, customers, that sort of thing.