
BG - Social Aftermath Responding To Social Pwnage - Steven F. Fox

BSides Las Vegas · 22:56 · Published 2017-01
About this talk
BG - Social Aftermath Responding To Social Pwnage - Steven F. Fox Breaking Ground BSidesLV 2013 - Tuscany Hotel - July 31, 2013
Transcript (en)

All right, well, welcome to the Social Aftermath talk. We'll be discussing an incident that happened in a financial organization, automotive. Who am I? I am a Fed. Yes. I am not afraid of the DEF CON boards. I'm here to help; it's my job. I'm here to protect your money. My job is to be sure that federal projects at the US Treasury comply with federal security and other organizational requirements and rules. My background is actually in application security. I used to be a security consultant before joining Treasury, and I love to hack stuff. I especially like to hack people. I'm a social engineer, and I'm also a veteran of DEF CON 17. Here's a picture of me with the runner-up to the match hacking contest. That's DEF CON 17; that was a fun DEF CON.

So today we're going to be discussing an incident that happened at an automotive finance company where the credit card numbers and bank information of automotive loan customers were breached. We're going to be looking at the pieces that went into putting this attack together, how the incident response team was able to apply forensic analysis to a social engineering incident, how the company actually changed its processes to be more resilient against social engineers, and then open the floor to questions.

So our story begins at a reasonably large international finance company, and the deal that they have: several hundred dealerships throughout the US. Well, one of their dealerships in New York got a phone call from one of their customers saying, hey, it looks like some of my information was breached, I've launched an identity theft investigation, and your dealership was part of that investigation. So the finance, sorry, the dealership manager called the automotive finance company and said we've had a breach, what do we do, what is the process? And the primary worry is the dealership portal, the portal where all the information that goes into the loan applications that you might fill out when you buy a car, all that stuff goes through a portal and into the finance company's databases. So the finance company starts to look at their servers trying to figure out, well, is there evidence of this happening, is there a mistake on behalf of the dealership? Lo and behold, they find out evidence that over 800 individuals have been affected by this breach. So 800 people have had their loan information breached from this one dealership. What? So the manager of the finance company is wondering, how come we didn't see this, how come we weren't the ones that detected the breach? Well, it's not unusual, because according to the recent... yes, you got a question? Oh, sorry. According to the Verizon threat report, over 70% of breaches are actually reported by a third party, so it's very reasonable that that finance company wouldn't have detected that breach.

So the next step: the incident response team from the finance company started to investigate. Their first question was to ask how long it has been since the actual breach took place. How many of you think it was one month? Two months? Three? Six? A year? Five months is the average time from the moment the incident happens till someone even notices that it happened. Imagine what someone could do with all those accounts in a period of five months. So what do we do? As we start to look at the logs, we have a forensic trail of what's been accessed and who was accessing it. Well, this trail led to the finance manager at the dealership. So there's a lot of people talking about firing this guy, arresting him, but they have no proof yet. All they know is that this person logged in, but all the logging happened when he was out of town on vacation. So he's fighting back; he's saying look, I was on vacation for over two weeks, I didn't log in. So the investigators are wondering, WTF, what's going on here? We have evidence that the account was breached, it was used to access these records, but the finance manager was saying hey, it wasn't me. So the best way to go after forensics for a financial incident is to follow where the money comes from and where the money goes.

So here we have a general map of the flow of money throughout this organization. The dealerships collect information and it goes through the dealer portal into the databases that are handled by the finance company employees; they go through the finance portal to manage the information that comes from here. Customer service handles any phone calls from the individual customers of that company. Now, not everyone in the dealership can touch the financial information; only financial officers of the company can do that. So if you're a hacker or a social engineer, you go after the financial officers, not regular employees, because the regular employees are not very valuable. It's the finance guys, like a finance manager, that you can actually utilize. And at the finance company, if you go after the help desk you're not going to really get anywhere; if you go after regular employees, again, no value. However, the individuals who actually process the loan input for the dealerships, the financial managers, the financial processors, are the ones you go after. Customer service, they're pretty much there to get phone calls from customers, so if you've already breached those first two areas you can pose as a customer, and that's what it appears has happened here. Somehow the trust relationship between the dealership and the finance company has been breached, but we don't know yet how that happened. Well, these different parallel groups have call centers, and as we'll see later on in this investigation, these call centers are isolated; even though they work for the same company, they don't share information.

So the investigators: now we've had information leaving the organization, we've had a breach, but how do these people know how to map our environment? How was the information collected and processed and used to target the attack? So the response team cooperated with the security team to do a little bit of red teaming. So the blue team took on a red team role and went out there and just mapped us, and this is what they found. They found the dealer ID numbers that are used to identify and verify each dealership to the call service. Where did they find things? It was embedded in the actual HTML code of each web page of the dealership. So if you wanted to, all you have to do is pull up the code and you could find the dealer code that's used to verify each individual dealership. Also they found out information about executives and staff that worked at both the dealerships and the finance company. They found the IT standards for each dealership that worked for this group, so they knew the infrastructure of EIP. And this is the part they were really amazed at: they actually found conversations on SE about the finance manager's vacation plans. So hackers were starting to target this person over High scene.

So they then went on to find the manager's Facebook account, but it was protected. Further, they kind of uncovered a list of friends that were connected to this person but also worked with the finance company. So they probed those individuals; they became friends with them on Facebook. Well, because they were friends with the manager's friends, they were able to look at the full Facebook profile and collect the manager's full birth date, the pictures of the dealerships, and information on the person's hobbies and what they do socially. So they were able to profile the finance manager even though his account was protected, because he had allowed his friends of friends to access his account on Facebook. And here's a picture of the finance manager announcing his vacation on Facebook.

Well, further analysis of the access logs proved that during the vacation time the attacks did not originate from the places where this finance manager was vacationing. So they were able to show it was not the finance manager; however, someone used this account. So they figure out, well, how did the person get a hold of the credentials? Was there a web vulnerability? Well, server logs discovered that the password recovery page was being used to enumerate accounts. Basically, there was no limit on how many times you could input email addresses to see which ones are valid, and as soon as you had a valid account, you got this: for every valid account, the hacker was able to enumerate all the secret questions for each valid account. So now they have a collection of valid accounts at each dealership, and you know the secret questions for each of those accounts. These are the same questions that will be posed to them during their phone calls to the various call centers.

Was there a security breach physically? Well, there was no sign of a physical breach; no one broke into the company. However, there were rumors coming from the different call centers that there was a lot of unusual activity. We're talking about unusual requests, unusual indications of problems with viruses, the computer needs some help, IT requests for passwords. Also, the incident response team discovered that there was no script used by the call centers to determine, well, I need to escalate this phone call, it's unusual, or someone's asking for things that are inappropriate. They pretty much went with whatever they wanted to do. Interestingly, with the different activities, there was a separation between employees of the company and the contractors at the finance company. The employees had annual security training, full training with everything covered; the contractors had a shorter version of that. Now we have two groups with different security knowledge and processes. The employees at the company worked the day shift for the call centers; contractors worked the night shift. So now there are people that don't have the same security knowledge working at night as those working during the day, and also the employees were more likely to escalate phone calls they were suspicious of, whereas the contractors, now and then, were more likely to be targets of people calling. This was verified by call center logs that showed increased call volumes after hours during this two-week period of time that the manager was on vacation. The content of these logs also revealed that there were recorded notifications of people saying that all of a sudden there were problems with the RSA key fobs they were using to access systems. Now these calls were escalated to IT, and IT was saying there's a problem here, we don't know why we're getting these phone calls, but these phone calls kept coming and coming and coming. So the investigators suspected this could be the avenue through which people are accessing the other systems that might be affected.

What can someone do with this access point? They could get a hold of the virtual desktop for whatever role they're logging in as; they can get a hold of the associated corporate assets. However, access requires an RSA key. Who here thinks that's good enough? Is that really good enough security? Well, a loan manager called with an urgent need to access the network and said my RSA key fob is not working, I'm typing in the code but it's not accepting it, I need you to help me out. So the people on the other end disabled the RSA. It's a manager calling, he needs to get something done, so we'll give him access. This happened three months before the incident was reported.

So now we know this was a social engineering attack. The latest report shows that 29% of breaches just last year had a social part within them. They may not have been totally social engineering, but part of them were. That's a four-times increase, says the report. So who here has done network pivoting in their pentests? Anyone has done trust pivoting with social engineering? That's what's happened here. Basically we have a finance manager and a loan manager that have trust relationships with their individual companies; the companies, the dealership and the finance company, also have a trust relationship, and the attackers were able to use social media to discover individuals that share trust relationships between each other and the companies, and they leveraged that to get assets of the individual companies themselves. So here the same idea of pivoting was applied to people and companies as opposed to networks.

So now the incident response team knows what happened. What do we do next? How do we prepare ourselves to fight the next round of attacks? Well, as I'm sure anyone here who has an automotive loan knows, the basis of the company is customer service, so we can't just shut everything down and fix things. We need to stay up and focus on the finance office employees, the dealership employees, and also the relationship with loan customers. But we need to understand where things broke. As we've already seen, the poor security training coverage between employees and contractors is part of the problem. The lack of an enforced call center script is also an issue. There was no enforced escalation process for phone calls they were suspicious of. So if someone had gotten the phone call asking for help with the RSA key, what do you guys think should have happened? Do you think they should have shut off the RSA key fob? Well, see, what was interesting was you had all this previous activity, all these complaints that there were problems, so the call center folks thought, oh, this makes sense, we've heard about this RSA key fob problem, so we'll go ahead and help this guy out, because the attack made sense. What I think should have happened is that it should have been escalated to an IT manager, someone that could address the issue in some way other than shutting them off. But from an incident analysis perspective, there was no interconnected communication between the systems at the dealerships and the call centers. There was no way to correlate data across these different areas, so there was no way to identify the problem earlier, to reduce that time gap between incident and discovery. Now, I'm sure we all have some ideas of what we could do, but we can't afford to do so. So the team proposed some things to management, and these were the changes that they accepted.

So they improved the training program to equalize the training offered between employees and contractors. They started to tag suspect phone calls for future retrieval in future incidents: so if someone called asking for a password, that phone call would get tagged with metadata to later on retrieve it if there was an incident. Anything that was unusual would get tagged. And a documented escalation process was established for all three call center areas. Also, two major products were evaluated to correlate all this data together; I really can't say which one was selected, so these were the two that we looked at.

So, to recap: the organization was prepared to handle a certain kind of attack; they weren't prepared for social engineering at this level. They went through a process of detection and analysis, were able to determine the nature of the attack, and discovered, was it really a network attack? It was socially driven. They were able to contain it, do post-incident analysis, and modify their playbook in dealing with future incidents. But more importantly, they were able to drive changes in the organization so that they were able to provide better customer service while providing better security. So the response team learned that critical systems can be overridden by social influence, and they learned that there was a serious defect in the way they were correlating different events across the enterprise. The company learned that they need to communicate more effectively, but also need to learn how to stay secure and still provide your customer service.

Any questions? Well, if you want to contact me, here's my email address. I'm SEC on Twitter. Here's a shout out to the m organization in Michigan. Thank you so much.
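The password-recovery enumeration the talk describes (unlimited email probes, with the secret questions revealed only for valid accounts) leaves a trail in web server logs that the response team could have caught earlier. The following is an added detection example, not code from the talk or from the company involved: it assumes a constructed log format with a `/dealer/recover` endpoint that answers 200 for an existing address and 404 otherwise, and flags any source that probes many distinct addresses inside a short window.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlparse

# Constructed sample access-log lines, not from the talk. Assumption for this example:
# the recovery endpoint answers 200 when the address exists (and shows its questions), 404 otherwise.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jul/2013:02:14:01 +0000] "POST /dealer/recover?email=a.jones@dealer.example HTTP/1.1" 404 88
203.0.113.7 - - [12/Jul/2013:02:14:03 +0000] "POST /dealer/recover?email=b.smith@dealer.example HTTP/1.1" 200 512
203.0.113.7 - - [12/Jul/2013:02:14:04 +0000] "POST /dealer/recover?email=c.lee@dealer.example HTTP/1.1" 404 88
203.0.113.7 - - [12/Jul/2013:02:14:06 +0000] "POST /dealer/recover?email=d.patel@dealer.example HTTP/1.1" 200 512
203.0.113.7 - - [12/Jul/2013:02:14:07 +0000] "POST /dealer/recover?email=e.kim@dealer.example HTTP/1.1" 404 88
198.51.100.20 - - [12/Jul/2013:09:30:11 +0000] "POST /dealer/recover?email=g.chen@dealer.example HTTP/1.1" 200 512
198.51.100.20 - - [12/Jul/2013:09:31:40 +0000] "GET /dealer/login HTTP/1.1" 200 2048
"""
RECOVERY_PATH = "/dealer/recover"
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def parse_recovery_events(log_text):
    """Yield (timestamp, source ip, email, status) for each password-recovery request."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m["path"].startswith(RECOVERY_PATH):
            continue
        email = parse_qs(urlparse(m["path"]).query).get("email", [""])[0].lower()
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        yield ts, m["ip"], email, int(m["status"])

def find_enumeration(log_text, window=timedelta(minutes=10), threshold=5):
    """Flag sources probing >= threshold distinct addresses inside one sliding window;
    returns {ip: {"distinct_emails": n, "valid_accounts": [addresses the endpoint confirmed]}}."""
    by_ip = defaultdict(list)
    for ts, ip, email, status in parse_recovery_events(log_text):
        by_ip[ip].append((ts, email, status))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        in_window, lo = Counter(), 0
        for ts, email, _ in events:
            in_window[email] += 1
            while events[lo][0] < ts - window:  # slide: drop requests older than the window
                in_window[events[lo][1]] -= 1
                lo += 1
            if sum(v > 0 for v in in_window.values()) >= threshold:
                flagged[ip] = {"distinct_emails": len({e for _, e, _ in events}),
                               "valid_accounts": sorted({e for _, e, s in events if s == 200})}
                break
    return flagged
```

The `valid_accounts` list is exactly the set of accounts whose secret questions the page handed out, which is the list a responder would want to reset and to cross-check against later call-center activity.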