
Five Days, One Red Team, A Beach Like No Other: The Bank Job

BSides Leeds | Talk | 28:37 | 139 views | Published 2023-07
Transcript (en)

Good afternoon everybody. Thanks for joining BSides, thanks for being here today, thanks for joining my talk. My name's Alex. I am a 20-year veteran in cyber security, probably 19 years longer than I really should have been, but hey, 20-plus years veteran. I'm currently the cyber director for Trust Hogan. I also do mentoring in the industry under M Consulting. I'm on the Yorkshire Cyber Security Cluster steering committee group, so we're looking at bolstering the ecosystem in the Yorkshire region and looking for help from anybody who is interested in cyber in our region as well, so please do join up. I'm also a member of the One Million Mentors, so trying to dedicate some time for further mentoring of people, younger generations coming up through education. And I also have a brand that I built up after lockdown, which is kind of a hobby, which is very interesting, as Sam mentioned there: baking under Michelin demali. Nothing Michelin about it, but it is me still, and yes, I do do cakes. It's genuine, right? A big guy, I do cyber, but I bake as a part-time and they're [ __ ] amazing. I've just got to my own home.

But let's get back to the actual talk itself, right: the bank job. So I have to preamble this a little bit. This was an engagement that I was involved in from a project management, planning side, not doing the execution, but I was involved with the team doing the execution through the project, so I understand what they were doing and how they were doing it, what intel they were gathering and all that kind of good stuff. This was also done for a client of mine as a subcontracting job, so they weren't my client directly, therefore there are still NDAs in place and I have to be very careful about what I say and who I say it about.

The other additional preamble piece that I want to put on here is that the organization I was doing the assessment for actually tried this themselves the week prior. So they sent in a couple of guys who walked into the bank and tried to get into the employee section. The guard literally ran across the branch and stopped the guys and escorted them off the premises, purely because they might as well turn up looking like this, right? Honestly, it was two guys with backpacks walking into a bank, looking very shady and trying to get into the staff members' area. It's never going to work. The problem that we had at that point is that obviously the guards and the security and the staff are on high alert, so it made our job that much more difficult.

So this is basically the target that we were looking at: the branch at the bottom, where anybody could go in, it was a member, they had a door that went in to then this multi-storey office block where the head office basically was. Standard things like emergency exits, fire exits and all that kind of stuff notwithstanding, but this was typically the place that we were actually looking to hit.

Phase one of this whole entire exercise. I went down and listened to the red teaming kill chain exercise that was on downstairs, and they were talking about the first phase being recon. It is knowing what, or they were talking about enumeration, but still recon: knowing what you're coming up against from day one, what your target looks like, what their frequencies are coming in and out, what the building looks like, what their comings and goings are, what's around, is vital to engaging going forward. So we were sitting in cars with long zoom cameras, literally the stuff that's up on here. Obviously LinkedIn online has a vast quantity of data about who works there, who started, when they started, how often they or how long they've been there, all that kind of good stuff. But one of the best ones is standing in the queue at the coffee shop nearby. A lot of staff members are still going to be having their lanyards on with their IDs. They might not have their lanyards on with their IDs, but their IDs are going to be in their pocket. But it gives you the opportunity to, A, validate identities by actually seeing their faces, but also, having your device in your pocket, being able to get close enough to them to take that ID and strip it off and utilize it later on.

NCP car parks, again from a red teaming perspective, they're great if they're local to target. You can get up in them, it's public space, you can get as high up in it, nobody's going to question you there, you can sit in your car looking out of them, you can stand at the edge looking over into a client site, and nine out of ten times if they're off the ground floor they're not putting any concealment on their windows, so you can literally see straight into the windows and straight onto the machines. So something to know.

Once you've done the recon and you've worked on kind of getting a good idea of what the client looks like and who they are, where they are, we then go into engage. So actually, let's make this work. Take the data that we have, take all the RFID scans and the ID scans that we've got and actually implement them. And it's astounding, knowing how the hackers work on the red teaming side from the cyber perspective and how much it costs to buy kit and buy licensing and buy the infrastructure to actually start doing a hack: from a red teaming physical perspective it's pretty cheap. Lanyards are cheap, RFID cards are cheap, 260 quid for an RFID repurposer or magnet strip repurposer or whatever you call it, programmer. You know, this stuff is not expensive and it gives you the ability to very quickly clone somebody's ID to be able to get in.

So coming back to the story: we'd done the reconnaissance. I think the guy actually found a lanyard, I don't know if it was hanging around in the branch or where it was, but we found the lanyard, so that made life a lot easier. And then we'd obviously scanned somebody's RFID so we could get in, and on day one of the actual engagement itself we were walking into the building just as if it was real staff. We're a new member of staff. You know, we did the whole social engineering thing where we go and stand around in the canteen, in fact there's a slide on that in a minute, but go stand in the canteen, smoking areas and things like that, make friends, because these are the guys that are going to let you open doors and walk you through. I've seen one of these this afternoon as well, somebody was holding on to one of these oscares in the room. No, he's not. But Flippers, again, just another device, you guys all know about these things.

So once you're into the office, like I say, common thing for most social engineers: go straight to the canteen, go straight for the coffee. You can stand in there for 20 minutes, an hour, people come in and out. You know, make yourself a coffee, make yourself another coffee, talk to people. It's a social environment, a social area, and you get to know people's comings and goings, get to, again, see IDs and see who these people are and what have you. Make friends, and again these people will see you through the building if they see you again.

I come back to, when we talk about cyber hacking and all that kind of stuff, we're talking about data breaches, right? A data breach is a data breach. It doesn't matter if it's digital or if it's physical. So typically what we're looking for is the messy desk scenario, you know, pulling some documents off disks or printers, printers, the scanners and photocopiers, you know, bin diving, all that kind of stuff. The bank that we worked in had all that information. I believe we did pull some stuff off of the printer, the photocopier as well. But people put stuff in photocopiers and just, you know, go off, make a coffee, come back, grab this stuff and walk off, forget that that information's there, but it's all still valid. And we love a messy office. We love cables everywhere. Yes, you can follow a cable to a network point where you can then plug something in, right? And people don't notice the new device because it's just another device.

So we were, again as part of all this project, looking for all those typical places where you can plug in a USB point. Obviously, as you're going through, or as we were going through this, the problem with physical red teaming is: when are we going to get caught? When are these guards going to find us out and catch us out and realize that we're not an employee? And the best thing is to try and keep that persistence into the network, into the business, and remotely is the best option, because then you're not physically there and somebody can't question you. So we're looking for all these USB points to plug something in, and again, the messier the office the better. The devices that we were looking at are the typical ones that I'm sure you guys have seen, your LAN Turtles and all that kind of stuff, and like I say, stick a good little sticker on it and nobody's moving it, particularly if you're just a normal staff member.

So we got to this point where we're in the building, we're in the infrastructure technically, because we're sitting there, and we are two, three days in, and my man's starting to sweat because he's thinking he's going to get busted, he's going to get rumbled, he's getting a bit paranoid. Again, you've only got so much time in these things before somebody questions you in the wrong way. So we thought, again, well, let's go back to having that remote device back in the network, plugging in and accessing it remotely. But how do we do that? Because this is a bank, and banks kind of go... this is networking 101, because you guys don't know about any of this, right? So traffic outbound, any to any; traffic inbound, they want to make sure that the inbound traffic's clean, right, because you don't want anybody getting into your network. Typical rules. Banks don't: they check traffic both ways. Obviously they don't want account details going out, they don't want personal information going out, any of that kind of internal data leaking out, so they're monitoring traffic both ways. So you can't just put a LAN Turtle on the network connecting back to the C2 and say, yeah, well, it'll dial home and job's a good 'un, because it's going to get checked, it's going to get spotted. So you can't do LAN Turtles or anything like that.

So very quickly, because I'm running through this a lot faster than I thought I was going to: if you can't connect something to the network that's going to dial back through the firewall, just quickly, announce to the room, what could you do? Huh? Wi-Fi, cellular, cellular, 4G, 5G? Yeah, 3G, 4G, that's exactly what we did. They weren't checking for rogue network devices, they weren't checking for internal Wi-Fi, 3G data connections or anything like that. So we managed to plug one of these in, and at that point you've created your own external connection, and bang, you're back in the net. We've been able to monitor and track the traffic. So easy peasy.

And we're nearing the end of this, unfortunately, because again we've only got half an hour, but I'll tell you this in 15 minutes, which is scary. Maybe I should have breathed in between the slides, but anyway. So the last point. Bear in mind that we've done actually breaching into the place, we've done the recon, we've got the LAN Turtle on there, 3G LAN Turtle, and we've got persistent access. The next thing was: what can we do? We had, I think, about a day left of the actual engagement, so what more can we do? Well, we noticed that the actual guys in the branch side and the public side were the kind of G4S typical security guards. They're wearing blue primary suits, typical kind of security guard stuff. So my man went to go and get himself one from around the corner, literally around the corner, and with his handheld RFID stood on the public side of the branch by the employees' door and asked the first couple of employees coming through: I just want to check your ID to make sure you're legitimately staff members, we've had a bit of an incident, as you guys already know, last week. And the sheeple just queued up nicely for him. At that point I think we scored probably about another 100 IDs quite easily. That's how we owned the bank.

Now, I should have probably preambled this right at the beginning rather than saying it at the end, but I have been led to believe that if you walk into a bank with a balaclava and a gun and you steal the money from the bank, you're looking at five to fifteen years depending on how badly you do it. If you hack the bank, it starts at 25 years. So let's not, let's not, you know, I'm not saying anybody should. And that's it, that's me. I hope that was enjoyable, I hope you liked it. Have you got any questions? Because I might be able to answer some of them at least.

Audience: You said about the cafeteria and about, you know, it's the first place you can go to make some friends, have some chats. What do you actually say? Because you can't be like, oh well, I'm Dave from accounts, and someone says, I run the accounting, and you're not in this, mate. Doesn't that open you up to actually, like...

Alex: Yeah, so, just to repeat the question for the mic: if we're going into the canteen at the beginning, what are the stories that we kind of use, because we might be bumping into the head of HR or whoever the case is, or someone like that? Well, again, because of the reconnaissance element right at the beginning, you're going to find out who the heads of different departments might be, and therefore you can typically face-to-name them, right? Again, most of the staff that are going to be coming in there at specific times might be normal staff members, so you can play on, a lot of the time, I'm new, I've just started in department, whatever department you're starting. I don't know, IT. Starting in IT, you know what I mean? I think as well, if you kind of go down the "I've just started in IT" route, basically in a social environment like the cafeteria, the IT teams typically stick to their own in the IT department and they'll bring in Monster or Red Bull or whatever it is that they're doing, you know what I mean? They ain't in the canteen socializing with people, do you know what I mean? So you can be that one that goes to the canteen as the IT guy, and you can start having those conversations, and you just, you know, I'm new here, I've just come together, you know, I haven't brought my Monster with me today, you know what I mean? And you can have that conversation. You know, you can start, again, you're building rapport with people, and again, hopefully, as you've gone through your reconnaissance, you can face-to-name and figure out what department they worked in very quickly, and then track them back to their department and use that relationship that you've already got with them: oh yeah, I met you in the canteen, you know, I'm from IT, yeah, well, they've just sent me to come and have a look at your machine in HR, you know. Right, right. Yeah, any other questions?

Alex: Yeah, yeah. So typically, I mean, this was one of those cases where it was like, it was an emergency job. They had a deadline, my client had a deadline to meet for their client, which was the bank. So typically what we say is that a physical red teaming exercise should be three to six months. It should be three to six months because that enables you to go away, do the recon, do all the planning, do all the setting up of any weaponized malware that you want to try and push out to them or whatever the case, to get that persistence into the network from the cyber side of things as well. But it also means that their team, because you're going to have a point of contact in there as your mole in the company who signs everything off and gives you your get-out-of-jail-free card, right, but it means that you can say to them: you're involved in this as well, you have to react in the same way as you would if this was a malicious attack. So go away with your team; when we attack you in this three-to-six-month window, we're not going to tell you when it's going to happen, so act like you would if it was a real hack. Then at the end of the engagement we'll come back and we'll put our timeline and your timeline together, and then we can say, well, how did your team react? So I was coming in doing that. It also validates some of the incident response mechanisms that you have in the business and how people react to attacks.

Audience: Yes, mate, really enjoyed it, thank you. Well, no, actually, a question. That's penetration testing consultancy: when we recruit, we're looking for technical scaling, consistency, scale. What are we looking for in social engineers?

Alex: Is that... yeah, you're probably not going to get the types of people you can confidently, rather, talk to people here to plug in, but what we're looking for in people and process. So you are going to be looking for somebody who is somewhat technical, because you're going to need to be able to do all the RFID scanning, reprogramming of cards and getting in, but you want somebody with massive personal skills as well, somebody who's maybe got a background in psychology but also an interest in tech. And those guys particularly know the triggers that people are going to have. Ex-military, ex-intelligence, definitely those people that have had training and that kind of stuff, yeah. But definitely people who are more personable, outgoing, but also, I want to say, not memorable, because, you know, you want to be able to almost change your figure by changing a hat or taking glasses off, Superman style. But yeah, personable people, intelligent individuals, slight techy background. After that, it's good.

Audience: I mean, it's great consultancy that you can say it's actually smaller, so they might have... yeah, and if a bank, say you're working with the bank for a while, and there are clients who are also supported by team engagement, yeah...

Alex: I mean, what I'd maybe say in that sense, because again the physical red teaming takes a specific skill set, and there are very few of them that can do it very, very well, so maybe it's more of a case that those are kind of subcontracted out. Again, if you're very much entrenched with a specific client and the client knows your team's faces, and you're maybe only a small team, that means that it's going to be really difficult for you to walk in on site without being recognized, and it needs to be somebody from outside the company potentially. But it's only like subcontracting anything else in this industry. You know, there's enough of us that know people who know people who could get you that person, and we're all on reasonable rates. Just plug that one.

Alex: Yes, sir. Particularly if you want to get into amusement parks, yes, we've all seen the videos, and yes, it does work. But again, I think the crux of it is basically, one, leveraging the fact that human beings as generalists are here to help people. So if you're looking a bit confused or a bit dazed or a little bit like, I don't know where I'm supposed to be going with my clipboard, and I have this jacket, somebody's going to come and go, oh, who are you looking for? You're like, oh, I'm doing maintenance over there, because I can see you've got scaffolding up, how do I get in there? And they'll lead you through, because they want to help. Always looking for that help factor. But certainly looking like you're of a point of authority helps as well, and having some big hoonies to walk in does help, yeah. You've got to have the bottle to do it. You know, if you're suddenly getting to the front door and you're stumbling and umming and erring and "I don't know what my backstory is and I don't know why I'm here", then somebody's just going to go, yeah, Trotter, mate. But yeah, I had this, yeah, it works.

Audience: Oh, go on. We're here, we went straight in, perception, just a lot, if I actually said the next morning, the fastest we've ever got access into a client's. On the flip side of that, instead of being busted, how quickly have we actually breached?

Alex: I had a specific client that we did physical red teaming for two years on the trot. It was the same receptionist on the front door, I