
I like to move around a bit. Good afternoon everybody, thank you for staying till half past four on, you know, what's been a busy and exciting day. My name is Chris. I have a lovely picture of myself; I don't know why, I think that's in case I forgot who I was, I'm not really sure, it seems to be quite common. Just a little bit of background: I spent 12 years in IT security in the water industry, protecting both IT and OT, operational technology. I spent four years at the purple palace, as it's well known, which is Dyson, protecting their IT and OT as well, and for 10 years I've been a penetration tester. The only thing that you really need to take from this slide is that that's 26 years of experience, which means I'm bloody old.

So in the modern-day IT world we've all got these amazing technology solutions: you've probably got next-generation firewalls, you've probably got, hopefully, a full-time follow-the-sun 24/7 security operations centre somewhere protecting all of the things that are really key to you and all your critical assets, you've hopefully got multi-factor authentication enabled... right, there's some sniggering going on, yes, okay, true. So let's talk over some examples where physical security and/or social engineering was obviously missing from that company's defence-in-depth design or their threat model.

In the context of cyber security, what is social engineering? Well, social engineering is any act that influences a person to take an action that may or may not be in their best interests. So that's basically somebody trying to persuade someone to do something that they shouldn't really be doing, and that's essentially what a social engineer does. So let's talk over some examples, some war stories, where this has not worked out quite so well.

The first one I want to talk to you about is critical national infrastructure, or CNI. I was engaged to test this particular piece of critical national infrastructure, and the external internet-facing perimeter was really super secure, as you'd expect it to be. Great, tick in the box. The physical security around the head office was also really pretty secure. Great. And, well, a satellite office, not quite as secure, so let's talk about that.

So I made a pretext. Now, a pretext is a story that I have made up that is not genuine but is potentially believable as to why I am going to be there. I went to this satellite office, and there was a massive high-security perimeter fence all the way around it, big automatic gates and a little intercom. Nothing else there, nothing to say what the company was or anything like that, just a little intercom. Before I rang the intercom I had this pretext, and my pretext is always that I am an IT network engineer, because that's my background: those are things that I know about and understand, and so if anybody challenges me on those things when I happen to be in this place, I've got things coming from the back of my mind that I know about, so it's easy, I don't look too suspicious. So I make up an alter ego, if you like, a character. His name is Leon, Leon from the IT network team.

So I ring the intercom and I go, "Hi, it's Leon from the IT network team," and out of the intercom I get, "oh, um," and I wait a second, and then this happened, and I did nothing else other than sit there and go, "Hi, it's Leon from the IT network team," and then the doors opened. And I thought, hmm, this isn't so great. So I drove in, I walked into the office, and I got talking to the shift manager, and he made me a cup of tea. I love it when they're making me a cup of tea. I didn't get any biscuits at this particular one, which is a shame, but I got a cup of tea, and I started talking to him and we had a great conversation, and all the time I am plugged into his network and, you know, packet-capturing it, basically, which I shouldn't really be doing... well, I should be doing, because I'm allowed to, but not really what the company wanted to happen.

This guy's very chatty, we're having a nice cup of tea, and he's really into IT himself, so much so that he has designed an Android application to do his job for him while he's walking around. He has to go and walk around this particular site, and he's built this Android application and he wanted to use it to make his life easier. Now who wouldn't want to do that? Who wouldn't want to make their life easier? So he'd gone to the IT team and said, "Hey guys, I've built this Android application that makes my life really easy, and I can respond to things when I'm walking around the site that are happening in the control room, it's really great, can I please use it?" And the IT team went, "No, of course you can't." He got really upset about this, because he was trying to do something to make his life easy. Then he starts talking to me about, well, you know, they were really worried about hackers, and I was thinking, hey, I'm sat right next to you. He's like, they're really worried about hackers, and they're really worried about, you know, Russia and all this sort of stuff, and people jumping the fence, and I'm thinking, why the hell would you jump the fence? You just press the intercom button and you're allowed in.

I thought, okay, well, what does a hacker look like? Because your threat model might not be my threat model, and threat models in different companies are different, and I think what the expectation was, was somebody in a black hoodie, dark, mysterious, an unknown, unsighted person, no face, and all this kind of stuff. And in reality what he got was this. Okay, so that's one example.

Let's talk about a casino group; this is another example. Now casinos are super secure, right? They often deal with a lot of money, big chunks of hard cash, and believe me, I've been into some casino safes and there are big chunks of hard cash, big wads of it, more money than I've ever seen in my life. In this particular instance the external internet-facing perimeter was super secure, and the physical access, well, not quite so secure, and again I managed to get in there, and the internal network, once we got in and plugged in, wasn't so secure either.

Now let's be fair, challenging people is hard. None of us are built as human beings by default to go up to someone and go, "Ooh, what are you doing?" You don't do that, we're not that kind of person, we're generally polite and helpful. So I get that challenging people in an office environment or a facility or whatever is really difficult. My advice is to use the trust-but-verify approach, and by that I mean trust what someone is telling you, and if you don't feel comfortable going further than that, go away and verify that information, because you will be able to find that person again if the information they've given you is not quite correct. But in this particular casino group, of all the people that had the most authority and the best authority to challenge me, it was probably the HR director, because that's super high, right? That's a super high person with a lot of clout in the company, and unfortunately that was the person that let me in. Not great.
Okay, airports. Now most of us have been to an airport, and most of us probably think it's quite a scary experience, because when we go there it just looks like a secure place, right? There's lots of physical security, there are police there with guns, there's the border security people, and if you go to the US you've got the TSA, who are very strict and very stern, and even all of the staff that are in airports tend to be on high alert. They tend to be trained to a level where they know that things are going to be dangerous and risky, and so they will report things pretty quickly.

So I was tasked with getting into this particular airport, and again the external internet-facing perimeter was mildly secure at the time. They had a couple of issues, we talked to them about it and they managed to fix it, which is great. But in terms of physical security, it's going to be really hard to get in there, right? It's going to be really hard to get into an airport, surely? Yeah, okay, turns out it wasn't quite so difficult, and in fact I couldn't actually believe how easy it was. So I went out, left the airport, and I went back in again, and I thought, it can't be this easy, there's some jinx or something happening here. So I left again and I went back in again, I left again and I went back in again. Five times. Five times into an airport, and that was crazy. This is a picture from actually inside that particular airport, obviously a security restricted area. The thing that I find really unusual is the second line, or second paragraph, from the bottom, which says it is an offence to enter this area without permission of the airport CEO or other lawful authority, or a reasonable excuse. What? Okay, I have no idea what a reasonable excuse for breaking into an airport would be, but if you've got one, you're allowed in, supposedly. Very strange.

As a social engineer you often build up a collection of lanyards and badges. Here are some of the ones that I have, and I want to talk to you about badges, because they're really interesting. I was tasked with trying to get into a facility in the US about three months ago. Very high security, military, ex-military people guarding it, a five-mile perimeter around it, lots of people with guns. Very proud of guns, obviously, in the US; they've got them massively on display in the US, which is interesting. I managed to get into this particular facility because what was happening was people were wearing their badges as they were walking in in the morning and out again, and so I was able, with a smartphone, to take a video of people's badges. I have a badge printer, specifically for my job, and what I was doing was basically copying, doing a design of their badge that looked exactly the same. It didn't look exactly the same, it looked close, because although camera phones are pretty good at picking up high-quality images, they're not ideal and they tend to mess with colours a little bit. So my colours were wrong and some of my fonts were wrong, but I drove up to this facility, armed guard: "Show me your badge." Showed him my badge, he took a look at it and let me in.

Now when I did the debrief with this particular client, he said, "Well, how did you get one of our badges?" I said, "I didn't, I haven't got one of your badges, I printed my own." "Well, let's have a look. Okay, well, it's different." "Yeah, I know it's different, because I didn't know what yours looked like, but it's, you know, as close as possible." "This is cheating." What? Because somebody else can't buy a £400 badge printer from Amazon and make up a badge that looks the same as yours, that's cheating? Uh, okay, sure, no problem; you might have some other issues there that are a bit strange. So I don't know how printing a badge that looks similar to theirs, and wasn't the same, is considered cheating. Very unusual.

Okay, so that's me getting in by walking in or persuading someone that I should be there. There's some other novel attacks that I've tried in the past as well, and this was a good one. There was a building that had floor-to-ceiling glass and had a hotel opposite, and I rented a very, very nice but very expensive lens. I had to put down a £5,000 deposit just to rent this lens, and another £2,000 just to rent the camera as well, so it was quite an expensive one, but it was a lot of fun, because I managed to prove that by sitting in a hotel room between 7:00 and 9:00 in the morning, looking down through a glass building, you can actually see things clearly enough to be able to replicate and get very close to what a pass should be. So that was an interesting job. If anybody wants to do the same, I have a tip for you: don't use a monopod on a camera that is this big and this long and very heavy, because standing at a hotel window like this for four hours gets a bit tiring, right? A tripod; tripods are much better. So yeah, if anybody wants to try that at home, don't use a monopod, it's not a good idea.

Okay, so what about the perimeter, what about the outside bit? I talked earlier about how in most places that was really secure and really good. Now most places have got some kind of VPN solution for you to come in, you know, everybody's working from home these days. They've got some kind of remote desktop, whether that be Citrix or something along those lines, or even just
something as simple as using webmail, and in most cases (I know we had some sniggers earlier) we have MFA to protect us from these things, right? We all know as security professionals that MFA is great, we like it, it's a really good tool, but it is just one part of our security solution. It's not everything, it should not be the last line of our defence, it is just one bit. For those of you that haven't seen MFA (because we had some sniggers earlier), MFA is normally configured in one of two modes: it's either a notification to say "you are trying to log in somewhere, do you accept this?" and you have to press the allow button or the deny button, or it will give you a code, a rolling sort of six-digit code that changes every minute.

So how could we get past that? How could a social engineer or a red team pentester like myself get past that kind of thing? Well, let's talk about the first one, let's talk about push notifications. The first one I do frequently is push fatigue, because every time you get that push thing, if I can time that at roughly the same time that I think you'll be logging in, you might go, "Oh, I've had a push notification already, but I'm logging in now. Oh, there must be something wrong with the system, I'll press it again," and they accept it. Great, thanks very much. And if that doesn't work, what you can do is keep sending push notifications over and over and over and over again, and it's almost like a denial of service, because they're getting these notifications: "Well, I'm trying to do some work, stop notifying me," and eventually they just get bored and they press accept. That happens frequently, really frequently.

Okay, so what about the other one? What about when there is a six-digit code just being displayed on the screen, how could I get past that? Well, the easiest way is to ring that particular person and go, "Hi Bob, it's Leon from the IT network team here, me again. Your MFA codes are out of sync at the moment, and what I'm going to do is I'm going to send you two codes to put things back into sync again and then everything will be fine. If you could just read out those codes to me, that would be fantastic." And again, that happens and works frequently.

Now what have we done wrong here? Well, we've given our end users a piece of security technology, a security barrier if you like, but we haven't told them about any of the risks that come with that. We haven't told them you might get Leon from the IT network team calling you and going "your MFA codes are out of sync". We don't give them that information, we just go, "Here you go, here's MFA, please use it. If you can't get in, ring the service desk or something, but if you don't use it you won't be able to use your computer or your VPN or your webmail or whatever." But none of us tell them, "Watch out for Leon from the IT network team ringing you, because he might be trying to get in on your behalf." I read something really interesting from The Wall Street Journal a little while ago that said the key challenge holding MFA back is not the technology itself (the technology is fine) but our inability to describe or communicate MFA to the end user in terminology that they can understand. Now that is crazy. We're giving end users something that we want them to use every single day and we're not telling them how to use it properly, we're not describing properly what it actually is. So that's not great.

So we've talked a lot about the problems, if you like; let's talk about some solutions. One of the things that I see a lot, and I had this in a talk probably six months ago, where one of the questions was, "What is the technical solution? What product can I buy that will help my end users understand about MFA?" And I thought, why would you want a product? You've got all of this money spent on your next-gen firewall and your EDR solution and your MFA and all of this stuff; why is your default to buy another product to help people become aware of something that we as an IT team or a cyber security team have
enforced upon our end users? And it isn't a product; the solution is not a product, it is a conversation, whether that is a face-to-face conversation or otherwise. When I used to work at both Dyson and South West Water there was a new starter onboarding process. The first day a new starter started at Dyson and at South West Water, they didn't do any work. They were shown around the property, they were shown where the cafeteria was, where the canteen was, and the toilets and all that sort of stuff, and then they were taken to talks. They were given talks by the CEO, they were given talks by James Dyson sometimes, and there used to be a security talk where I'd talk about not leaking their information; obviously Dyson's got lots of secret products and product designs that they don't want anybody outside of Dyson to talk about. But at no point did we talk about MFA. At no point did I go, "Oh, and by the way, if you get Leon from the IT network team ringing you up and saying your MFA codes are out of sync, it's probably not genuine." We don't have those conversations. Why not? We should be doing that.

The other thing I want to say is: make sure that sort of physical testing and social engineering is 100% in your defence-in-depth designs. This was crucial, especially at Dyson, because obviously they've got a lot of things I don't want to talk about. I used to go and sit and have a coffee, not a meeting but a coffee, with the physical security manager every month, and we fostered an amazing relationship where the two of us could talk really, really openly about physical and social engineering and how cyber security should be intertwined with them. They shouldn't be separate. They were, but they should be talking to each other about how we can make each other's lives easier, not more difficult. That's something I see commonly: everybody just assumes that that conversation is going to be a difficult conversation. It's not, it's an easy conversation. Go and have a coffee, sit down with somebody and just talk about how your two worlds are massively intertwined, because they are. The number of times you see something secure from the outside, from the internet-facing perimeter, and then you walk inside somehow and the inside is soft (by that I mean vulnerable, and it's very easy to hack, etc.). Well, whose fault is that? Is it because physical security teams let me in, or is it because the cyber security team has not thought about how soft the inside should be and should be making it harder? If you go and talk to the physical security team and make your lives easier and intertwined, brilliant, you're making each other's lives easier. So yeah, anybody who is having that conversation, good on you; if you're not, please go and have it.

My other suggestion is: don't just dump tech onto end users and expect them to understand, or even know about, any new risks or any attack surfaces that come with that tech. They're not going to. They're not going to understand that you've given them an MFA tool and you've now pushed your security boundary out to your end users. They're not going to understand that; they're just going to go, "Oh, bloody hell, the cyber security team are making my life difficult again." Well, yes, you are, but explain to them why and they're going to be more on board, and then they're going to understand about these new risks, because you've given those risks to them. They're not your risks any more (they are, but you've passed the risk on to somebody who is just an end user). They're not going to understand; you've just enrolled somebody in your cyber security team without them even knowing about it. That's crazy. So go and talk to them about it, help them understand. There isn't a product or solution out there that makes this easy. Go and talk to them, send an email if you have to, go and talk to them, first-day stuff, whatever it is that they're doing, go and talk to them.

The other thing I want to talk about is empowering staff to challenge. Now I know this is really hard. The number of times I've walked into a facility with two coffee cups in my hand and walked up to the door and gone, "Oh, I can't get to my badge right now because I've got my hands full, would you mind letting me in?" and someone lets you in. It's so common, it happens a lot. But are you helping your staff, giving them the tools to encourage them, and empowering them, to challenge me with my two coffee cups in my hand standing at the front door trying to get in? Have they got that authority? Do they know they have that authority? Probably not. So tell them they do, and encourage them. I know a CEO, and it wasn't James Dyson (James Dyson was terrible at walking into the office without his badge, and no one would challenge him), but I do know a CEO who would give out 50 if anybody challenged him because he was not wearing his badge. Now that is fantastic, that is really good, a really good way of encouraging and empowering your staff to challenge people, because if you are, I don't know, a lonely person at the bottom of the food chain in a corporate environment and you've got the power to challenge a CEO because they're not wearing their ID badge, fantastic, that is going to make my life as a social engineer really difficult. So please do something along those lines; work out how to do it within your organisation.

The other thing I'd say is, encourage, sorry, include all of these attacks in your security awareness training. Now we all know, and we're probably bored to death of, phishing training tests. I see them all the time and I think, ah. In some of the jobs that I work on I get given client laptops that I have to keep for long periods of time, and I get emails from the company to say, "Hey, you haven't done your phishing training," and I'm like, I am the person that's doing the phishing, why would I need to do phishing training on your company laptop? Phishing training is getting dull. I think it is time to move on, it is not innovative, and we are still falling for it, so something else needs to happen there in terms of phishing training. But also don't just focus on phishing training; there are so many other attack paths in there, and we've seen some here. We're talking about physical security, we're talking about MFA; include those in your awareness training, don't just focus on phishing. We all know about phishing, yes, we get your phishing email every month, yes, we get a gold star or a tick when we click and report it as a phishing email, great. What about all your other attack surfaces that are potentially vulnerable?

So yeah, that's it, that is my talk. Who's got any questions? I've put my contact details up there as well. So who's got some questions? Raise a hand, come see the microphone. Is that microphone on? Oh, I see a green light, hey, there it is.
What do you do about awareness? You send that email once, you send it twice, and it's ignored every single time after that. What do you do to try and re-engage staff? Do you try and add a few choice...

Yeah, I get it. What cadence are you sending emails out at? How frequently are you sending them out? Like once a month, is it once every three months?

Once a month, once every two weeks, again depending on the company. So obviously, of course.

Yeah. I'm sorry to be blunt, right, but it sounds like the frequency that you're sending them out is too much. It's a bit like when we get spam email: if I sign up to Clarks, for example, to buy some shoes, and I get an email every week, the first thing I'm doing when I get the second one is clicking the unsubscribe button, because it's too much for me. If you're sending out awareness emails at that frequency, I think that people are going to get turned off very quickly, and although there probably isn't a button to say unsubscribe, they will probably want to unsubscribe. Think about it in that same way: if you get marketing emails, what kind of frequency, what kind of cadence, are they coming in at that is acceptable to you normally, as opposed to too much? If you're sending something out every two weeks or every month and you're not getting a lot of hit rate from that, or a lot of interest in terms of people clicking on those emails, maybe you're going too frequently. Also think of something different. Don't just send emails out; think about how you could potentially do a coffee workshop or something along those lines and let people come and talk to you face to face. I know as IT sysadmins (I've been one myself) we don't necessarily like talking to people face to face, because they tend to ask us lots of awkward questions about how to fix an email, for example, but go and talk to people, do a coffee morning or something along those lines, or a talk, or a Zoom call if you've got lots of people who are working from home. Approach it differently, and variation: if everything is the same and we know that every month without fail on the first of the month we're going to get an awareness email or something, people will switch off. It needs a bit of variation, and you could be clever in terms of sending out every three months for one batch and then every two months and then six; vary it, make a bit of variance, because that's how our brains will work better, I think. Any more questions?

Do you think we should...?

Yes. I mean, I hate saying it depends, but it depends on your business risks, you know, what are you trying to protect, what things have you got that are potentially at risk, that are interesting to somebody else, a potential hacker or attacker or nation state or whatever it is. But yes, if you've got that sort of thing that needs that kind of level of protection, absolutely, yeah.

Oh, this is abuse of power, this is abuse of power.

So the question I've got is, obviously in social engineering tests we've come to situations where the morality of social engineering tests is questioned. There's one that was quite in the news a couple of years ago, when COVID hit, whereby an organisation simulated that they were getting some kind of payment for COVID, and it worked really, really well.

As it would, yeah.

Do you sometimes see the same sort of thing happening with voice phishing attacks as well, where sometimes organisations just pull them completely from us as a consultancy because it seems essentially immoral? Do you think morality is holding us back?

It's a really hard question. I love that question, it's really hard. I'm just trying to think of some examples that I can tell you of, that a colleague... not described as being professionally... yes, professionally evil. So there are some people in the room who I used to work with, and we have a common colleague who was described as "professionally evil", who came up with something very similar to that. And again it goes back to the same question: if you have got things that are of that type of risk and you are facing that kind of attack or threat, then why not? I don't like it, but if somebody's going to do it, then why not test it? The other thing to say is, this shouldn't be our only line of defence. If you've got a problem where one particular user is going to compromise your company by falling for exactly that kind of scenario, there are other problems, and let's not forget about those, because they exist as well. So yeah, it's not great, I'd admit, but if a company will come to us and go, "Hey Chris, we've got nation state attackers, or we're at risk from nation state attacks, we want you to emulate this," yeah, yes, because you're trying to protect something that is important to their mind. You'd have to emulate that, because a nation state is going to do that, so why not? Absolutely. Thank you.
Thank you about social engineering, really interesting slide about including the risk of social engineering, particularly around MFA. How much responsibility do you think we have as technical professionals to make sure that when we engineer security solutions we're engineering them in a way that avoids that push fatigue, by how frequently that push happens? As we know, whatever Microsoft is calling it this week, and they just change it every five seconds, but when you integrate that with other applications it throws serious prompts in the middle of the day. What responsibility do we have to try and mitigate against that?

A lot, I'd say, because let's think of a web page, or let's think of a mobile application. If a mobile application is horrible to use, and you're trying to sell it to a customer, they're not going to use it, because the UI is awful. But what's nice is that web application designers or mobile phone application designers have matured, and they've taken into consideration human responses and layout and what looks nice in terms of UI, and in some places you will get companies who hire UI specialists. They know nothing about the coding of the back end or anything like that, they just know how to design a pretty user interface. I think we in the cyber security industry are in the early stages, although we've been around for a long time; we are only just getting to the point where we are starting to interface properly with our end users. So we are at the beginning of this horrible UI journey, and what we need is some UI experts who come in and design a nicer thing that is better for the end user to use, rather than a clunky, horrible interface. The interface that we've got in terms of MFA push is relatively straightforward, because a UI designer has designed it, but in terms of the cyber security journey I don't think we are quite as good yet as we should be in terms of interfacing with our end users around what works for them and what doesn't work for them. Does that make sense?

Definitely, absolutely. Do you think it's worth the conversation about balancing the risk of account takeover with, say, the frequency of pushes? Actually, maybe once a week, but a known user, known device, is perhaps a better method than the every time I log on at 9:00 in the morning and then halfway through the day, because...

Yeah, yes. However, you need to have detections in place to spot irregularities. So if Leon from the IT network team sits there and logs in and he's doing his day-to-day job, and he's only getting that one push notification at the beginning of the week or the middle of the week, whenever it happens to be, if that person then starts doing something different, you need to be able to detect that. If you can't detect that, then maybe you should come down to two a week or three a week, maybe something along those lines. But I totally get that the fatigue thing is horrendous at the moment. It's beautiful for me, because I'm allowed to take advantage of it, but yet it's not great for... We've probably got time for one more question. Anything from this side?

Thank you.
Yes, so at the companies that we used to work at, I was not allowed to expense a bulletproof vest, which makes you think. So, you know, we're given a letter, a get-out-of-jail-free letter, right, which is the authorisation for me to be there and to do my job. I had to think very carefully around where I placed that get-out-of-jail-free letter, because if I'm wearing a suit, which I was, like this, and I'm challenged by a policeman with a gun, for example, and I go, "I'm just going to get my get-out-of-jail-free letter out," bang, you know, bad ending for me. It's stupid things like that that give you the fear as a social engineer. Our brains are very good at thinking negatively, and ultimately armed police at an airport are not actually realistically there to shoot somebody. They will, but they're not there to shoot someone, they're there as a deterrent; they're not there to shoot me going about my daily job. But that's not what you think about when you go and do that kind of job. So yeah, even to this day I still get the fear at doing those kind of jobs, any kind of social engineering jobs, because my mum and dad brought me up to be a nice person and not to lie to people or try to convince them to let me into a building, or break into a building I shouldn't be in. So yeah, I still get that fear, and you see these amazing adverts with these football players with 72-hour deodorant that works wonders; let me tell you, that does not work when you're social engineering, does not work at all. So yeah, I definitely still get the fear, and placement of things is really important to think about. Fantastic, thank you, guys.
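The push-fatigue attack described in the talk (repeated pushes until the user "gets bored and presses accept"), and the speaker's answer in the Q&A that detections are needed to spot irregular push sequences, expressed as an added example. This is not code from the talk or from any MFA product: the log line layout (timestamp, user, event name, source IP), the event names push_sent/push_approved/push_denied/push_timeout, the thresholds and the sample log lines are all constructed assumptions for illustration. The detector runs two rules over a per-user sliding window: a burst of pushes sent to one user, and an approval that follows several denials or timeouts, which is the "gave in" pattern.

```python
"""Push-fatigue detection over MFA push-notification log lines.

Added example, not from the talk or any vendor. Two rules run over a
per-user sliding window:
  push_burst              - N or more pushes sent to one user inside the window
  approved_after_refusals - an approval that follows >= M denied/timed-out pushes
The second rule is the "they got bored and pressed accept" case.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format: "<ISO time> <user> <event> <source ip>").
# bob is being push-bombed and finally approves; alice and carol are normal.
SAMPLE_LOG = """\
2024-03-04T08:58:10Z alice push_sent 203.0.113.7
2024-03-04T08:58:14Z alice push_approved 203.0.113.7
2024-03-04T09:01:02Z bob push_sent 198.51.100.20
2024-03-04T09:01:05Z bob push_denied 198.51.100.20
2024-03-04T09:01:31Z bob push_sent 198.51.100.20
2024-03-04T09:01:40Z bob push_denied 198.51.100.20
2024-03-04T09:02:05Z bob push_sent 198.51.100.20
2024-03-04T09:02:20Z bob push_timeout 198.51.100.20
2024-03-04T09:02:41Z bob push_sent 198.51.100.20
2024-03-04T09:02:58Z bob push_approved 198.51.100.20
2024-03-04T09:30:00Z carol push_sent 192.0.2.9
2024-03-04T09:30:03Z carol push_approved 192.0.2.9
2024-03-04T12:00:00Z carol push_sent 192.0.2.9
2024-03-04T12:00:04Z carol push_approved 192.0.2.9
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, user, event, source_ip)."""
    ts, user, event, ip = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, ip


def detect_push_fatigue(log_text, window=timedelta(minutes=5),
                        burst_threshold=3, refusal_threshold=2):
    """Return a list of alert dicts in log order; thresholds are assumptions to tune."""
    sent = defaultdict(deque)      # user -> timestamps of push_sent inside the window
    refusals = defaultdict(deque)  # user -> timestamps of denied/timed-out pushes
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, event, ip = parse_line(line)
        # Drop events that have fallen out of the sliding window for this user.
        for q in (sent[user], refusals[user]):
            while q and ts - q[0] > window:
                q.popleft()
        if event == "push_sent":
            sent[user].append(ts)
            if len(sent[user]) == burst_threshold:  # fire once, when the threshold is crossed
                alerts.append({"rule": "push_burst", "user": user, "ip": ip,
                               "at": ts.isoformat(), "pushes_in_window": burst_threshold})
        elif event in ("push_denied", "push_timeout"):
            refusals[user].append(ts)
        elif event == "push_approved":
            if len(refusals[user]) >= refusal_threshold:
                alerts.append({"rule": "approved_after_refusals", "user": user, "ip": ip,
                               "at": ts.isoformat(),
                               "refusals_before_approval": len(refusals[user])})
            # An approval ends the prompt sequence; start fresh for this user.
            sent[user].clear()
            refusals[user].clear()
    return alerts


def flagged_users(log_text, **kwargs):
    """Sorted list of users with at least one alert (handy for a SOC summary)."""
    return sorted({a["user"] for a in detect_push_fatigue(log_text, **kwargs)})


if __name__ == "__main__":
    for alert in detect_push_fatigue(SAMPLE_LOG):
        print(alert)
```

With the sample log this raises two alerts, both for bob: a push_burst at the third push inside five minutes, and approved_after_refusals when he approves after three refusals. Real MFA products emit their own event schemas, so `parse_line` is the only piece to adapt; the approval-after-refusals rule is the higher-value one, because a burst alone can be a user fumbling their phone, whereas an approval right after repeated denials is exactly the outcome the attacker is pushing for and usually warrants a session revoke and a call to the user.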