In this part, Shane MacDougall and Rafal Los discuss offensive modeling from the perspective of a company's human component and the time windows available for an attack.

Shane MacDougall: A big tool in determining your targets within a company is company sentiment. You really want to identify as many users at risk of being compromised within a company as you can. You should use negative employee morale to stage attacks, so basically we go through the different sites like glassdoor.com, insidebuzz.com, jobitorial.com – fantastic sites – to gauge sentiment within a company.
You'll be shocked at how many people give up the goods on companies in these forums, where they believe they're anonymous. Obviously you can identify any negative widespread sentiment against the employer on these forums; they don't hide it. And obviously you can peg users with social media profiles that are very liberal as being low-hanging fruit.
All these guys identify their posture for attack as very easy to do. We can use social media to gather company lingo, like off-site data center slang – I mean, they usually have nicknames for sites, that sort of thing – all very valuable for social engineering attacks. You can run sentiment analysis on data sets that you get from targets. I prefer manual analysis to automation; I'll show you why.
Here are some examples from the tools that I use. The sentence that you grabbed from an email is: “I really can’t wait to quit this job, I’m seriously fed up with the bs in this company, and will jump ship the first chance I get.” And the automated tools said that this was positive.
The next example was: "I'm going to burn this company to the ground," which was also flagged as neutral, with a positive score of 0.65. And then the final example was: "Good god, I'm not fond of this f…ing place, if I don't get a go…ed raise, I'm going to gun down every manager I see," and it still came out as neutral.

Like I said, you really have to do manual assessment. We have a list of words that we use to go through it – I mean, you have to do it manually; the tools are just not in their prime time. This one was ToneCheck. There is actually another piece of software that's done by Stanford, it's called Muse, and it's quite a bit better. It lets you go through chat logs and everything rather than just email. But people say: "Well, if you got their email you're already in the company, what's the big deal?"
Remember, we don't know whose email we have; we're trying to identify people within the company that we can exploit and target, whose posture is ripe for exploitation. And remember, we want to create as many diverse entrance points at this company as possible; we're not just looking for one point in. The goal of an APT is not simply to get root. This is important. Your target is to create as many different vectors of persistent attack as possible.

Let's continue on modeling the asset's posture: planning time-based physical attacks, as we said many times, is very important. We've got the physical plant and social engineering, which basically rely on the target not being around, while time-based attacks rely on knowing schedules. So, if they're going to a conference, that's going to be a good place where we can either gain access to the physical machine, employ a honey trap, social engineering, etc. And if they've indicated on their profile that they're openly looking for new positions, that's perfect: we approach them as a recruiter, we pick their brains on some of the work they're doing, and with a little bit of misdirection – who knows what we can get them to click on.
We've noticed that if the target is a speaker, that really helps you identify when and where they're going to be, and gives you different avenues for connecting to the speaker.

Maintenance windows, again, are perfect times for low-risk access, and can be gleaned either from social engineering or from monitoring behavior. Identifying a window is the difference between success and failure in so many of these attacks. New systems being delivered – perfect; construction projects at corporate facilities – a lot of chaos in companies – those sorts of activities. Mass hirings or layoffs exploit human confusion: when companies do mass layoffs, there are a lot of people that are ticked off and they are ripe for the picking. And then we obviously get to our Pwn; this is where we target our asset list: we send trojaned AV, software branded as if it were coming from an organization. We mail branded USB thumb drives as tokens of appreciation from the company. We attack an employee's home network, especially if the user is utilizing wireless networking. We even do physical break-ins into employees' houses in order to install malware, keyloggers, etc.; we can just clone drives. Like I said before, dumpster diving at an employee's home is usually more effective than at the corporate site.
If we know the IT team from our target will be out at the bar somewhere, that’s where we ingratiate ourselves: we start buying rounds, and by the closing time we’re also around and we’ve got them appropriately lubricated.
Rafal M. Los: Anybody ever have a vendor buy them a few drinks at a conference or anything? You tend to start telling people more than you ordinarily would. Before you know it, you’ve sort of given out too much. It’s happened.
Shane MacDougall: It happens all the time, and there's actually a mayor in the States that just signed a multi-million dollar contract, and it came out after the fact that they just took him out and got him hammered, and then he signed this multi-million dollar contract. It happens all the time, and nobody does it to me, unfortunately. I am open for drinks if you want to come buy me some.
Obviously, you should utilize social media to track down the assets and engage them directly where they're weakest: bars, clubs, wherever their guard is down. Use Foursquare, my favorite; use Facebook, Twitter – all these real-time data points are fantastic for the attacker. Exploit and incapacitate them so they can't respond to an incident, and exploit the items on that asset's person: if they have a smartphone, a laptop, an access badge – grab it and exploit it.