
BSidesIOWA 2015 Track1: Anatomy of a Full Scale Social Engineering Attack by Dave Nelson

BSides Iowa · 55:57 · 400 views · Published 2015-04
About this talk
This session will show how to perform a full-scale social engineering attack against an organization, using multiple attack vectors over an extended period of time to gain knowledge, insight and a physical foothold in the targeted organization. According to the 2014 VDBIR, 35% of reported attacks had a social engineering aspect. We often hear about phishing, but rarely do we see how a coordinated social engineering attack can so completely compromise an organization. Attendees will learn how attack vectors can be combined into a complex attack campaign against which there is no technical fix. Only through awareness and training of our end users can we hope to slow or stop these attacks.
Transcript [en]

uh my name is Dave Nelson and I am president CEO of Integrity uh we're in information security consulting firm based here in De Mo we've also got office in Kansas City and one in Birmingham Alabama uh I'm also a fellow with the information system security Association and the chapter president for the Issa here in De Moine um we do broadcast those meetings those monthly meetings out over the web um and so if you're anywhere in the state and you'd like to join us um please see me afterwards I'd be happy to get you more information about the Issa chapter we're going to be talking a little bit today about um social engineering and how that's kind of changing um why we as

Security Professionals need to be fully understanding how social engineering is being used against our organizations um give you a little bit of an idea of what a fullscale attack would look like uh and then I'll answer any questions that you might have um we can go from there so uh first off uh we're going to talk a little bit just about what social engineering is I'll give you some real world examples of some of the things that we've done and some of the testing that we've uh uh done for clients uh and then talk about some of the best defense uh principles for how to work through uh social engineering attacks with your organizations so first off when you

think about social engineering what's one of the things that comes to mind anybody fishing fishing what's that physical physical entry people what's that people people yeah social media so yeah so the idea here is you know we haven't talked anything really about computers about technology mostly it's been about people and that's what this exactly is about right anybody seen in the movie Rounders way back in the 90s okay I'm getting really old then uh it's a good movie Matt Damon is is one of his earlier movies okay and he's talking about there's a scene in there where he's going in to play high stakes poker uh and he's kind of the Newbie in this area and so as he's walking through

there's a little narration he's narrating um uh about his experience one of the things that he says is that the game of poker is not about playing the cards but playing the man okay and that's exactly what social engineering is we're not worrying about the technology certainly technology will be an enabler it'll be a part of it and it's the ultimate end game is to win the game of Technology but we're going to be playing the man or the woman in front of that technology to try and get access to it so that's a little bit about what we're going to uh start with is is how this actually happens so if you know anything if anybody's taken any colleges

for psychology social engineer or uh psychology sociology anything like that you'll know that we have this huge study of behavior okay human behavior and it's been going on for thousands of years okay one of the things that we're trying to do is understand how people respond in different situations and then place them in those situations to elicit a specific type of response okay so what I'm trying to do is quite simply I'm trying to put you in a situation where I can manipulate you as a social engineer okay as a hacker using social engineering techniques that's what I'm trying to do I'm trying to play on your Humanity I'm going to try and use your Humanity

against you because by Nature we want to be communicative with other people we want to talk with other people we want to be social humans okay that's who we are by our nature and so it's the hacker using that against us okay so we use psychology and sociology okay we talk about what is a learned behavior what's a known Behavior Uh what's a natural response okay we're looking at the Norms of Society okay how are you expected to react in a group of of people at work versus how would we expect you to react in a group of people that your friends versus the group of people that your family okay each one of those if we put

you in a same situation with different group of people how will you react will you react differently will you react the same okay so it's the study of of what's Happening we've been doing this for years and years and years and the bad guys use the same exact information that we use for research to help people to uh plan for marketing and Communications so bad guys are doing doing the exact same thing okay what I want to be able to do is I want to be able to predict your reactions okay because if I can predict your reactions I can craft a scenario that will elicit a specific response based on what I can estimate your

reaction will be so I have two types of responses okay basic types of responses my natural respon resp and my learned response anybody here has small children at some point in your life have you had small children okay so everybody at least has been a small child at some point right okay great we have any small children with us today hey all right we got a couple of you all right think about a two-year-old okay typical response of a two-year-old when they don't get something that they want is to throw a complete and utter temper tantrum right that is their natural behavior their natural resp response you don't have to teach a 2-year-old to throw a temper tantrum

they know how to do that from day one okay your learned response however is through coaching of your parents through teachers through all of your you know grade school and high school and college and then work through people that you interact with it's the fact that you can't throw a temper tantrum when you don't get your way so that your learned response so as a hacker okay when I'm going to employ social engine engineering I'm going to try and play on one of those two responses either what I believe your natural response will be or what I believe your learned response will be anybody's company here have the logo or the motto or the phrase the

customer is always right yeah okay to some degree okay I as a hacker know that and I know that if I get irate enough with you on the phone you're eventually going to pass me off to somebody with a higher clearance to deal with me and that will continue to happen until somebody understands that I'm a really unhappy customer and I want some answers okay so I know that I know that that's the Learned response because you know that your company wants to please me even though I'm not really a customer you may think that I'm a customer and you want to please me so that's what I'm trying to do I'm trying to create these situations where I can

place you in the situation that I want so I can play on your emotion so I can play on your natural response your learned response whatever it happens to be right so why are we talking about this uh according to the 2013 which I know is a year old now uh Verizon data breach response report if you look at the first three okay these are some of the attack methods that were used hacking weak sto or weak or stolen passwords uh and then 40% Incorporated some sort of malware okay each of those were on a downward Trend during that year okay the last two there physical attacks and social tactics were on the increase so what's happening is we're

getting much better at protecting our infrastru structure our applications we're getting better at secure coding at keeping things patched and so those typical technical exploits aren't working as well as they used to so the hackers have to find some other method to get in and the easiest Target is our people us okay that's why we're talking about this that's why this is important so what are some of the common types of attacks we're going to go through these five dumpster diving pre-ex texting are basically fake phone calls they they're real phone calls just the purpose is fake uh fishing uh physical presence and then emanations or things that you can leave around and let people get okay uh

enticement I'm sorry enticement so the first one dumpster diving if we go in and do a full-blown social engineering attack against an organization there's usually a couple weeks worth of uh uh reconnaissance that we do okay we go and we just sit out in the parking lot and we observe the people we look at traffic patterns we look at when people are coming and going do they come together do they go to lunch together uh you know what are they doing uh we look at when is their trash pick up uh we look at how do they do their shredding is somebody come out and watch the guy do the shredding does the shredding guy leave a bunch of buckets

outside and then go in and get more and come back out we we watch all of these things and we're looking okay one of the very first things that we do is dumpster diving anybody feel like that was their career goal of choice no I'm the only one something is very wrong with me okay uh dumpster diving tells us a ton okay there's a couple of different things here when you look at this okay I can go in and I can try and get information from you but I have to deal with you nothing against any of you I'm sure you're all nice people but I don't want to deal with you okay i' prefer to just have that

information provided to me and that's what the dumpster dive does I find all sorts of great information when I go in and I start looking for source code I start looking for um believe it or not we do find source code in the trash and not in the um uh uh shred bins uh I look for day planners I look for uh vacation lists I look for all sorts of stuff okay let me give you a great example of what I'm going to do here okay if I'm going to set up a a a an individual or a company for a social engineering attack here I'm going to go in and one of the very first things I'm going to look for

is a sheet that's pasted that that's typically posted outside of a conference room that has all of the days conference you know all of the days meetings listed Who's involved if there's a bridge line with an access code okay all of that stuff is usually on that sheet and a lot of times people just go by or the janitor at the end of the day just picks it up throws it in the trash and somebody puts a new one out in the morning okay that's one of the very first things I'm going to look for one of the other things I'm going to look for is a calendar for individuals okay believe it or not there's still a ton of

people that use paper calendars they print them out they put them in their little binders and they walk around and they write handwritten notes happens all the time and all of those just get ripped up a lot of times not ripped up just ripped out and thrown in the trash okay here's why that is so important okay as a social engineer I'm looking for any excuse I can to be in your organization to be on a phone call to be physically present to be have you call me for me to call you okay if I'm looking and I see a bridge line okay I'm going to dial in and I'm going to use the passcode and I'm going to have

access to whatever phone call that is and I'm going to listen to see if this is something good and I'm going to start taking notes who's in attendance who's paying attention who's not in attendance where are these people located what's the topic is this a a good discussion is this a not so good discussion because then I'm going to start looking at that information say how can I use that to further my goals later on okay so this dumpster diving idea is something where I initially get my first ideas for how I'm going to further attack your organization because if I don't know anybody there maybe I know some names maybe I know uh some titles or or I know projects that

are being worked on and if you're being targeted I certainly will know some of that but that might not be enough to get me in the door okay so that very first part of that is the dumpster diving where I try and go get some of that information which most of you do not consider confidential okay a conference bridg line with the passcode in most organizations is not considered confidential the conversations in in those Bridge lines very confidential right so now all of a sudden you've just given out all of the information I need to sit in on a verbal conference anybody ever joined one of those Bridge lines and had somebody say hey who joined and

complete silence yeah that was me no I'm kidding that was somebody else in our office it wasn't me uh so that's really important okay if you're running conference Bridge lines make sure that you sound or that you ask who's there have some sort of mechanism to find out who's dialing in okay so after I get this information from the dumpster dive I now have names of people that were involved I know the project I know who was listening and who wasn't listening I know what the deliverables were somebody was asking for something to be done by the end of the day or by next week or somebody was asking for something else now what I'm going to do is I'm

going to call you and pretend to be somebody from your company or somebody that's a consultant or somebody that's involved in this project okay and with this I'm going to do one of two things I'm either going to immediately try and extract additional information from you or I'm going to set you up for a fall later on okay the important part here is that if I come out right away and ask for information that's confidential or that sounds weird and you don't know me what's going to happen red flags right little alarm Bells hey I don't know who this individual is and they just ask me for the keys to the kingdom they're going to start to shut

down okay so if I'm doing this right most of the time I'm not going to ask you for information the first time I'm going to Prime you I'm say I'm here to help you hey I I heard you know Bob was on this phone call earlier today and you're struggling with this this and this and he asked me to give you a call and see if you needed any help or uh can I get some data to you you know okay that's great can you tell me give me the file names that you need and I'll get you know I'll pull all of that data together and I'll push it you know back out to you okay well great I just got a

couple of file names now I start to know what I'm looking for right so once I do get technical access I now have narrowed my search I don't have to do this big huge shotgun approach I'm a very needle Precision you know surgical attack okay so if I ask you for help right away or ask you for information right away you may start to freak out a little bit and say m hold on I don't know about this guy but if I step back and say let me help you oh yeah you're all about help okay if I call and say hey I'm from tech support and I understand you've had a couple of computer issues over the last

couple of weeks and you know we want to get this taken care of for you um I'm not going to be able to get up there today but will you be around tomorrow oh you've got meetings which I already know you have meetings all day because I have your day planner right here okay oh okay well how about I tell you what I'll meet you at your desk ask at at 9:30 before your meeting you get me logged in and I will take care of this for you like oh okay great you're going to help me hey perfect you didn't ask me for anything today and if you're going to physically be in my building well you must be

approved right shaking your head yes if I'm physically in a building I must be authorized to be there because we all know that that's true nobody ever gets into a facility that they shouldn't be in right okay then what I'm going to do is I'm going to follow up probably with some sort of email confirmation hey Sue great talking to you meeting you on the phone today just want to confirm that I will be at your desk at 9:30 tomorrow to take care of this you know computer issue for you uh please send back in valid date or please click here to you know rate my uh you know responsiveness to you blah blah blah blah blah so now you're going to

respond back to me or you're going to click this link and Bam now all of a sudden if I've crafted that well well enough I've evaded some of your uh antivirus tools I've evaded some of your uh anti-spam and anti- fishing I may have just run some sort of executable on that machine so now I don't even care if you're there or not because I've already got access but if that doesn't work maybe I'm going to try something else maybe I'll send you a different email and say hey um I need you to update you know what your your information is about you know this particular um uh concern or your computer issue so provide this

information to me and I give you another link trying to get you to click on something else right or I ask you for your computer name or I ask you for your IP address right because I'm trying to help you you want to give me that information I've placed you in a situation that I know your initial response to me is going to be oh thank you for the help sure I'll give you information if you can help me I you're not trying to take advantage of me you're trying to help me and I might do this to two or three three or four different people within the organization who are all on that same phone call I know they're all going

to be in the same meeting and I tell one of them I'll meet you there at 9:30 and then the other one I I'll call right before then and say hey I got tied up um can you just uh you know leave it logged in I'm I'm going to be there in just two or three minutes you know just leave it logged in or you know write your username and password down right there on on a sticky note and I'll be there I'll get it logged in I'll get your profile fixed and everything will be good okay if you don't believe these things happen I've got tons of reports and proof to show you okay that's all it

takes because somebody's already in the building okay I'm not asking you to send it to me I'm not asking you to give it to me over the phone I'm going to come to your desk and get it and you're okay with that right so I've set up all of this stuff through fishing okay I can use sweet deals and help me help you and if you're my brother who's two years younger than I am you got to see this the man cannot refuse a joke from anybody body on the face of this planet if somebody sends him something thinks that it's funny he's going to click on it okay he is not in technology thank

God all right uh the hidden URLs right I've got sweet deal.com but really it that's pointing to I will rob you blind.com right all of these types of things I mean most of us know these things right but there's be people out on the web watching this so we want them to understand what's happening okay um checking the uh the address bar right if you look up there you've got uh you probably can't see it www.google do oh I stopped reading once I hit Google dot okay that must have been good but you didn't finish reading the bad.com uh oh well it looks like Google it's Google's homepage and it says Google up front is that

Google or not okay uh these tiny URLs I I want every one of you to go into work on Monday walk into your marketing department find somebody and slap them seriously marketing departments are horrible about using these stupid tiny URLs in internal documents and external documents and everything else from us this is kind of like playing Russian roulette right hey I'm just going to you know spin the revolver and who knows where it's going to take me right I'm opening this door and I could be walking off the edge of a cliff we have no idea where these things are going so if I'm trying to fish you these are all of the things that I'm do I may put them all in

one document and if I craft it well enough if I do things right and this is a spear fishing attack your anti-spam and anti- fishing is not going to catch this okay it's getting harder and harder to do it takes a lot of time and a lot of skill to craft it but if I have the time and the skill it's not a problem okay uh so Google is not goggle google.com is not goggle.com your eyes played a little trick on you there didn't it because you saw Google first and you're used to seeing Google and then you didn't see goggle right that's how I'm going to get you okay I'm going to send you to some link

I'm going to send you to something and if you're not an experienced user you're going to click on this day in and day out with our fishing campaigns we usually get about 50% success rate of clicking on the link and after that it's usually somewhere between 30 and 50% of that 50% will get some sort of user credentials or something where they're signing up or using their active directory password uh to sync up with their new health insurance plan or whatever it happens to be okay so this stuff happens it happens all the time so I've used dumpster diving to get information then I've used that information to make some pretexting phone calls and to set up some physical

or set up some uh uh fishing campaigns or some uh spear fishing campaigns and now I'm going to go back to the actual physical entry I'm going to come in and I'm going to be at your desk at 9:30 here's how I'm going to do it I'm going to walk in cuz I've already been watching the patterns right we did about a week's worth of watching who's going what's happening where are they at okay and then I take it to the next level and I know that everybody pretty much comes in around 8 o'l 10 till 10 after okay and I know that they usually all kind of walk together in packs and everybody oh

one guy badges in and everybody else holds the door okay and they never say boo to each other they just look at each other kind of look for a badge and then let everybody walk in and I already know this is your behavior so what I'm going to do is I'm going to walk in with a computer bag over my shoulder a badge that looks like yours on my hip and two bags of bagels from Panera or whatever the you know fancy place is and I'm going to be like trying to get up to the badge reader and doesn't quite get up there so somebody else is going to you know badge me in because hopefully we're going to

become real Good Buds and you're going to come get a bagel and that's exactly what happens and not only do you badge me in the first door you badge me in whatever door I stop at and help me get in and then I sat down the bagels I'm like oh dude thanks I just started here you know a week this earlier this week on Monday I'm working for Bob upstairs or whoever it is because I know because I've already got all of the user list I already know who was on the phone calls I was brought in specifically to work on this project which everybody in the company knows because it's a big huge project right and so you absolutely I

there's no way an outsider could know all that information you trust me so I start setting all this stuff up and say hey I'll be right back go ahead and set stuff up grab a donut or you know grab a bagel or a donut uh and I'll be right back and then I keep you busy doing your stuff and I'm gone I'm anywhere within your company that I want to be now from a legal perspective any attorneys or cops in here okay I'm going to give you a little tip here I have yet to do anything wrong I have yet to break any laws right and here's why I didn't force you to let me in you invited me

in okay you held the door for me I did not force my way in I did not come in and use any sort of false pretense and tell you I was somebody you know from a a um uh you know from a a government agency or anything like that okay I could even walk up to the front door dressed in blue um uh uh work pants and a blue shirt blue t-shirt that says fire across it with a radio strap to my shoulder squawking and say hey yeah sorry hold on just a second yeah okay uh sorry I need to see your uh I just need to see your your sprinkler or your yeah your sprinkler

box and your fire extinguishers and you know then I can do my check and it'll be you know right out of your hair oh okay you must be from the fire department sure if that's what you think okay I've never said that I represent a fire department I've never said that I am a government official I've never claimed to be something that I'm not you made the Assumption and invited me into your organization so at that point the worst you can do is call the police and say that I'm trespassing after you discover I'm not who I say I am and ask me to leave and if I leave I still haven't done anything wrong okay you could

probably still get me for a trespassing charge I'll be you know honest with you the cops probably aren't going to press that unless you really press it hard and there's something that you can prove that I was doing something really nefarious okay so the risk to me is very very small now some of this depends on where I'm found in your organization what's happening obviously if I do this at a bank and I end up in a data center or in a vault which has happened uh things get a little bit more dicey okay I have to talk my way out of a few more things uh but I still probably have not done anything wrong as long as I

have not broken into it if I've been escorted in there's nothing really you can do to me except tell me to leave and as long as I leave peacefully I still probably am not going to get charged with anything okay now the police may do some followup and they may check up on me and I may be in hot water with them for a while for you know uh trying to to get into places I shouldn't be in but at that point I still haven't done anything that I can have a like a a felony you know charge against me okay so I'm still pretty safe now let me think about let's think about this one step further I'm a US

citizen what if you're not a US citizen what happens are you subject to the laws of the United States I have some people shaking their head like a lot of people just staring at me like deer in the headlight okay is there ever a time when there could be somebody on us soil that is not necessarily subject to US law Diplomat H diplomatic diplomats okay diplomats are subject to US law to the extent that their Embassy or their home country is willing to hold them captive here and make them face penalty okay but as soon as they invoke that diplomatic immunity and say nope we're just going to you know push them out of the country

you know pull pull them out of the country or the us is going to eject them then all bets are off so think about this if I'm a foreign a foreign government and I'm the one involved in this social engineering attack the stakes are even less for me right because if I'm a US citizen I'm worried about Hey My My Face being caught on camera having to spend the night in the pokey uh having some sort of you know charge leveled against me uh being tased being shot I mean I have some real physical risk there okay but if I'm a foreign National some of my risk is mitigated especially if I'm there doing what I'm doing at the

behest of my home country the worst thing that's going to happen to me is they're going to pull my diplomatic immunity or the US will pull my diplomatic immunity and eject me from the country and I'll go home and be a hero and they'll send somebody in my place and 24 to 48 hours and this is happening and this is happening on a pretty regular basis at this point the funny thing is is we're doing the exact same thing in other countries okay so this isn't just hey happening to us it's happening across the globe so the last thing that I'm going to do is after I'm on site okay I'm going to do a couple of different things I'm

going to take little duckies little USBS little hacking tools I'm going to plug those into a printer to a multi-function device I'll plug it into any computer that I can find and try and get an IP address and then just start you know let let the fund begin okay or I'm going to take a file folder that I brought in with me and I'm going to put a sheet of paper in there that says uh 2015 layoffs or 2015 promotions and bonus schedule or whatever it happens to be and I'm going to stick a CD in it or a USB I'm going to tape it to that how many of your employees are probably going to plug that in somewhere all of

them all of them yeah okay do I care if they plug it in at your office where you know you got USB controls and great antivirus and anti-spam do I care no not really that'd be my preference but how many of your employees have Remote Access VPN access how many of them can check their email on their home computers okay bam there you go I just pull keystrokes okay I've got usernames and passwords I've got entire emails I've got control of their machine whatever happens to be so I don't care if they pick it up and take it home I don't care if they pick it up and plug it in at work it doesn't matter to me

I'm going to get information okay so even after I've been there I'm still getting information back to me okay they've got these great devices that looks like a u looks like a little unup power supply okay but it's actually a little hacking box okay it's got a 4G LTE connection to it uh I've got a you wireless connection I've got a RJ45 connection and I can put it under any desk anywhere and nobody's going to think twice about it because it looks like a basic little ups that anybody would look at and say huh I wonder why we had a UPS there I don't know looks kind of old all right well I'm sure somebody will get it and now I have a

remote machine back in your office doing whatever it is that I want to do I have not had to to penetrate your external network I haven't had to worry about evading firewalls and IDs and IPS I came in from the inside okay one time we were sitting there in the Executive Suite okay we went in we knocked the little sign to uh to inuse on the conference room shut the door and sat in there and hacked the organization for several hours before anybody came in and then that individual came in we're like hey hey what's going on we're right in the middle of this and she's like oh oh I'm sorry shut the door and walked

away if you act like you're supposed to be there okay everybody else believes it you're not going to see me hiding around in the corner in a little hoodie oh gosh I hope they don't see me okay I'm GNA come right in I'm G to come right to your face I'm going to shake your hand i'm G to introduce myself I'm going to tell you what my new job is and who I'm working for I want to get you talking I want to get you trusting me this whole premise is I need you to trust me okay once I get your trust all bets are off and I can get you to trust me which

means you can get somebody else to trust me which means they can get somebody else to trust me which means I haven't had to do the hard work I only had to do it once and now you go introduce me to all your friends because I asked you hey who do you guys work with what do you guys do down here oh cool I'm just trying to learn more about the company I want to you know do my best that's how this works so when you put it all together when you look at this big picture you may say Dave this seems really crazy three years ago four years ago I would have said you're right this a

little bit far-fetched. Today this is exactly how it happens. Right now my company is working on four breach investigations; two of them, to what we can tell now, followed almost this exact process. We're not sure about the dumpster diving, we can't, you know, prove they pulled anything there, but we're pretty sure somebody was on a conference call that they weren't supposed to be on, we're pretty sure that there was some malware introduced, we're pretty sure somebody was physically on site at at least one of them. Okay, so now all of a sudden you're looking at things saying, hey, what's happening, how is this changing, how is our world changing? We used to only have to worry about these

folks in cyberspace, right? Now all of a sudden I have to worry about them coming in my front door. How am I going to stop that? I don't have a technology to stop that, I don't have a way to put a technology thing in place over here that's going to stop people from being people, it doesn't work that way. Okay, as soon as you take the humanity out of it, what do we have, right? So at this point what we really have to focus on is training our users, getting them to understand this is what's happening, this is the way that these things occur, changing behavior, changing the way that we think about

what should go in a shred bin and what should go in the garbage. Quite frankly, if a piece of paper has anything printed or written on it, it needs to go in the shred bin, because a guy like me can take what seems to be nothing, such as information about what meetings are in a conference room, and turn that into something pretty powerful. Maybe that in and of itself, I don't have something, you know, there, but if I can use that information to continually build and build and build, now all of a sudden I've got a ton of information and you've freely given it to me. Okay, so we have to change that

behavior. We have to change the behavior of telling people to be nice to everyone. Okay, hey, I'm sorry, I don't recognize you, you're in the building, I see a badge but it doesn't look exactly like mine, or I don't see a badge, can I see your badge? Anybody here like confrontation? Oh, come on, there's usually at least one or two or three people in a room this size that don't mind it, that's like, okay, you know, I like to argue a little bit now and then. Really, none of you like altercations in the office? Okay, you all know somebody in your group of friends or group of work peers who doesn't shy away

from the meeting where some really, you know, tough things need to be said, right? There's always somebody on your floor, there's always somebody that you know that you're like, man, somebody's got to say the nasty stuff, it's Dave over here, you know, if somebody's got to be the mean guy, Dave's perfect for that, he's got no problems being the mean guy, right? So even though you may not want to be the person that goes up and stops somebody and says, hey, who are you, I don't see a badge, okay, go find somebody. Dave, there's a guy over here that I don't recognize, you should go talk to him. Wouldn't that be great?

Sweet. How you doing? I'm Dave. Right, a guy like me, I don't care, hey, if I think somebody's not supposed to be there I'll go ask them. If I get tased, yeah, so be it. But the idea here is you don't necessarily have to be the one to do something and take action, but you do need to be the person who reports it to somebody who can or is willing to take action, and that's what we have to get our users to understand. They don't have to be mean, okay, you don't have to completely change the culture of our organization and make you afraid of everybody, but we do need to be a little bit more inquisitive, we do need to stop

and use some common sense and say, huh, I've been told a million times not to write my password down, but the tech support guy just told me to write my password down and leave it, he'll be here in a few minutes, that doesn't seem right, what do I need to do about that? Okay, that's what we have to do. We have to change the perceptions, we have to change the behavior of our users, we have to get them to begin to question things, begin to get them to understand what's happening. Okay, here's the important part: most of this is going to occur with no indication to you. Okay, if I'm in the middle of a social

engineering campaign, especially if I'm planning it out well, you're not going to have any clue that it's happening. Each of these pieces is going to be done so inconspicuously, each of these pieces is going to be done to independent individuals, they're not going to seem coordinated to an outside person. Okay, you're not going to see it happening, and so that's why detection of these things is so important: detecting people that aren't supposed to be, excuse me, in your organization, detecting spear phishing emails, detecting rogue devices on the network, detecting, um, you know, people that are on a conference call that aren't supposed to be there, okay, using something like a web [inaudible] or something like that where you

can actually list out and see how many people are on, or using, you know, a conference operator to say, give me a total of the number of people that are dialed in here, right, doing something like that. So when you think about this, social engineering is really nothing more than a long con, right? I'm just a con man, that's all I am. I'm trying to get you to trust me, I'm trying to get you to do something that benefits me that does not necessarily benefit you. Don't fall for it. Train your people, get them understanding what this looks like and that this is a very, very, very real threat that is happening day in and day

out. This isn't stuff for the movies anymore. So what are some of your best offenses? Like I said, there's no technology that you can use to get by with this or to fix this, right? This has to be a mixture of different things: process, people, technology. Okay, stronger shredding procedures, like I said, anything that's printed or written on needs to be shredded. Limiting the facility ingress and egress points, okay, don't allow employees to go in every single entrance, force them all in one entrance where there's somebody there that's at least kind of looking for familiar faces, okay, looking at things saying, huh, I have not seen that individual before, stop them, ask them, can I get a badge? Okay,

something like that. Challenging those unknown people, like I said, it doesn't necessarily have to be you, it needs to be somebody. Sorry. Provide recurring and relevant employee training. We're all technology people; how many of you would say some of the stuff you heard today was new to you or at least a little different, right? A few of you, okay. Now imagine if you weren't technology people and you hadn't been exposed to this, you didn't even know this stuff was happening. We have to tell our employees. We can't expect them to behave in a way that we've never trained them, we can't expect them to be

able to detect a threat when we've never explained to them what that threat looks like. Okay, one of the best offenses is going to be going through an exercise with your employees and training them in how to spot these things and how to deal with it once they do find something that's suspicious. Okay, and then obviously implement all of the technical controls that we normally would implement: email filtering, you know, firewalls, two-factor authentication, you know, all of those types of things. That's your last defense, honestly, and you hope that that catches 90% of the stuff. It's the 10% of the stuff that it doesn't catch that's probably going to hurt the

worst, right? Then the last one is program validation. If you've never done some sort of, you know, phishing email campaign against your own organization, or you've never done pretexting phone calls against your own organization, you've never done a full-scale, you know, social engineering attack, you need to have it done or do it yourself. Okay, how many people have like a call center, a customer service group within their organization? Okay, you guys should be doing this a ton. You guys, I mean, with the turnover that we have in call centers, there should be somebody constantly calling a call center trying to elicit information about either the company or about your clients or

whatever it happens to be. Okay, that's one of the biggest areas where we see this problem, is these people are not trained. They get some training about what they can and can't give out, but it's very scripted, and if I give them a question that's not on that script, watch out, right? If I'm not asking for an account number, I'm not asking for, you know, a diagnosis, I'm not asking for something specific that's on this list of, you know, hey, you never ever give this stuff out, oh, okay, well, it's not on this list, it must be okay to give out. And that's what's happening. Any questions? Yeah. In your experience, can you talk about a time where you either

got caught or failed, and what was it that you did wrong or the client did right? Sure, yep. So we've never been, well, I shouldn't say we've never been caught. Usually if we're caught it's because we're, you know, lingering around in the company like all day long, you know, and you get careless as you go on. So one time I was standing in, it's kind of a little break area, and the director of management happened to walk in to get a cup of coffee, and I was standing there getting a glass of water, because by this time I'm parched and I need something to drink, and he just looks

at me and says, what are you doing in my building? I said, exactly what you paid me to do. He's like, well, how long have you been there? I don't know, about three and a half hours now. Crap. He just turns around and walks away. So I guess I was getting caught, because at that point, you know, he starts telling everybody else that I'm there, and, you know, word starts getting around, and the other people that are in the building start getting caught, and, you know, people start looking. One of the other times where the company did really well, there was a bank down in Fort Lauderdale that we were doing this

for, it's a large bank down in Florida, and we were at, not their data center, but one of their processing centers, which is actually in a larger office complex. There's a branch downstairs and then there's a couple of floors, and, you know, you don't always have the floor plans in these things. So I go upstairs and I start walking down this hallway and realize, crap, it's a dead end, and the stair door on that end is locked, which it should never be locked, fire marshal, right? But the doors to that staircase were locked, and there were some people coming and going from like the HR area,

and so I'm trying to just look non-conspicuous, you know, standing there with my tablet like I'm waiting for a meeting or something, but there's a cash office right across the hall and the HR office here, and there probably really shouldn't ever be anybody standing across from a cash office at a bank. So I got some really strange phone calls, or I mean some really strange looks. I made a beeline for the elevator because I was pretty sure that they were calling the cops, because there's a lady came back out, she was on her phone kind of describing what she was seeing, and so I had to really quick call the VP of this bank and

say, hey, make sure that if they're calling the cops, don't call the cops. I know a lot of the people, but I don't know any of the FBI agents here in Florida, and I really don't want to go to a detention center tonight, I'd rather spend the night at my hotel. So that one they did really good. They had trained their people well, they had made a choke point at that cash office where they knew that if you came in there was only one way to get back out, so they had good ingress and egress control, and they just had good policies for how quickly to

report an incident. So is that something you would in the future try to get more intel on, or, I mean, would you have done something differently having learned that lesson? Yes and no. I mean, you know, the reality is there's always going to be different levels of what we can and can't get at a specific, you know, organization, and if I'm a hacker it's the same thing. You know, at some point I just have to say, hey, I've got enough intel, I have to make this, you know, this is my one shot, right? That same bank had other issues where, you know, we were able to get in, so it's

not like, you know, they were completely okay, it's just that particular avenue, and that probably isn't one that I would have picked to get into, knowing how well a cash vault, you know, is going to be protected. That's probably not an area that I'm going to try and get into if I'm not trying to steal the cash. So that's probably, you know, that was a scenario that they wanted, it's not one that I would have necessarily picked for them, but we did it because that's what they wanted. Okay. And one more follow-up question: how can you kind of quantify how much, like, intelligence you need before you feel comfortable? Like, as

someone that doesn't know, how would I know when I've got enough information? Yep. I would say it depends on what your end goal is, right? If your end goal is just to get physical access, you could get enough information just by watching ingress and egress. One building we went into, we watched, and people would go in and out of the door, and the door would open and then it would close about like this fast, and people would just walk in and let it go. And so I knew all I had to do was wait long enough, you know, I'd start like 20 steps behind somebody, I'd have plenty of time to get in there and they'd never

even know, because they'd already be going up the stairs. If, you know, if my goal is actually to get access to a system, then obviously I've got to try and continue to go until I believe that I've got somebody that's going to give me that access, or, you know, some sort of credentials, or that I've got the ability to get physical entry and I can plug in a device that I can use to then start doing some of my, you know, fun stuff. Okay, other questions? Yeah. Going back to your first story, so when you go on an audit or any sort of, you know, formal engagement like that, do you, obviously you have your safety net set up just so you

don't spend a night in jail, or... Yeah, so we always have to carry our statement of work that's got the signed, you know, scope and everything like that, but ultimately, you know, especially in a larger organization where that individual may not be readily available, and there could be, you know, police on site or something of that nature, it is always up to the arresting officer whether he wants to deal with this or not, okay, completely. So the arresting officer gets to decide whether he wants to hear you out, whether he wants to read your documentation, whether he wants to make a phone call to the executive or the VP or whoever. If he doesn't want to

deal with it, then you get arrested and you go to the pokey. So I've never had that happen, none of our team has ever had that happen, but we always plan for the fact that those things could occur. We also put into our statement of work that if that does occur, the client is responsible for all of the cost incurred with getting us back out. So, other questions? Yeah. Have you ever had to crawl through, like, ducts or anything? Crawling through ducts, dropping through ropes? You see this gray [inaudible] head here? No, I don't do those things. We have other people on staff who do those things. We've had people go over ceilings. We

had somebody ask, I had one of my guys call me one time and say, is drywall fair game? That was his, or it was a text message, sorry: is drywall fair game? And I'm like, I need to call him and make sure that we're on the same page here. The reality was that there was a data center, and there was nothing but drywall between us, and it was a pretty important data center, and he wanted to know, should he try and cut through the drywall to get into the data center, because he was sure that there was nothing there. I said no, that wasn't in the scope of work, we'll

note it and you go from there. Thanks for asking. You mentioned ceiling tile? Yeah, oh yeah, they'll take ladders in and they'll go over ceilings, that's not a problem, that's not destructive. It's when... I'm not going to make a hole in the wall, you know, that's pretty much it. How much social media do you guys use? A ton. So we'll use people's Facebook pages, we'll research them, see what they like. You know, the whole idea is I need to make a connection with you as fast as possible, so if our kids go to the same school, or I can pretend that our kids go to the same school, if I can pretend that, hey, we're in, you know, the

same, you know, social groups, or the same sports teams, or whatever, whatever I can to get you talking, to form a bond, to form a relationship. So social media is a big part of that. LinkedIn, Twitter, you know, Facebook, even Myspace, there's still, you know, there's still a lot of stuff out there on Myspace. So any of those things are a huge plus for us. So you mentioned how to get through, like, RFID doors, but how would you go through a facility if it was a guarded facility? Same way we normally would. We tell the guard we lost our badge or that our badge isn't working, and it looks just like their badge, and they're

like, oh, okay. Or we clone a badge. So one of the other ways we do it is we follow people out to lunch, okay, and everybody walks around at lunch with their badges hanging off of them, and I come stand right up next to you at lunch, and you're talking to all your friends and I'm talking to all my friends, and I, oh, I'm sorry, excuse me, pardon me, there you go, I just cloned your badge, takes about eight seconds. Okay, and once I clone your badge, as long as I get back before you, I'm in. Okay, even if I get back after you I'm still probably in, because most organizations don't have tight enough policies where they don't

allow an ingress without an egress. Okay, most of the time it's just, we want to know if you're coming in, we don't care if you're already in or if somebody else is trying to come in as you again, and you're not checking any egress, so I'm probably already in, right? The thing I'm worried about is in those organizations that do check egress, or do check to make sure that that badge doesn't badge in twice without badging back out, then I've got to be worried about being in the building when you're trying to get back in. I have a very, very limited amount of time, probably, before you get back, unless I know based on your

day planner that you're at the doctor's office or you're taking a half day vacation, then I've got all day. Does that help? Yeah. So you were talking about using the rubber duckies and the hacking bricks; what other tools do you use, and what are some of your favorite things to do with those? You mean while we're on site? Yeah. Okay, so we've got, I mean, we've got, you know, vulnerability scanners, we use Burp Suite, you know, if we're going to look at a web application from the inside versus the outside, we've got, you know, all of the other, you know, just Metasploit and, you know, the [inaudible] and you

know, all that good stuff. So I mean, there's a ton of different things. We've got the badge readers, we've got a Wi-Fi booster that we can boost a Wi-Fi signal for somebody sitting outside so that they can get some stuff outside, because a lot of times, like for internal wireless, they'll turn the wireless really far down, so like even if you're walking around the perimeter of the building on the inside you won't get wireless access. So we can put a Wi-Fi booster, signal booster, in, it'll boost the signal and push it back out. So yeah. In your reconnaissance step, do you use a lot of tools like [inaudible] or something, or is it more kind of just

freestyle? No, it's just freestyle. We look at it, I mean, there's a ton of different tools out there, but honestly, from a cost perspective and a complexity perspective, it's not needed. We can get all the information we need from just [inaudible] standard reconnaissance. Yeah. When you're looking to add people to your team to do this stuff, what skills do they have, what type of skills do you look for? Sure. Confidence, like I said, if I believe I'm supposed to be there, you're going to believe I'm supposed to be there, right? So if you're, like, you know, standing there, like, sweating profusely and look like you're about ready to, you know, barf, you're probably not a good

social engineer. So I'm looking for people that are engaging, who certainly have technical expertise but they can communicate, that they are personable, you know, that they have varied interests, so that if somebody starts talking to them or stops them in the hallway they can pick up just like that. You know, one of the hardest things to do is to be able to think on the fly, right? You go in with what you think the floor plan is, or where you think a specific office is, or, you know, whatever happens to be what your objective is going to be, and then all of a sudden that changes, because,

hey, they remodeled, you know, a year ago and I don't have the right floor plan, or people moved offices, or whatever happens to be. So I have to be able to think on the fly, or, like I said, when the executive admin came into the conference room, you know, most people would have probably just freaked out and been like, and, you know, tried to bolt, and we were like, hey, let's just challenge her and say get out, and she did. So, yeah. What happens when you drop some of those USBs with a key logger and an employee takes it home and plugs it into their home machine, doesn't that fall out

of the scope of the assessment? Yes and no. So nobody forced that employee to take that home, right? So if we left it at the office, okay, typically we'll leave that on company property, either in the building or just directly outside, like we're not going to go, like, put it on their windshield or something like that, right? So the intent was to try and get that to happen, right? Now certainly what happens is that employee takes that home, you know, we can't be responsible for that. They, you know, picked that up at work, okay, so theoretically that's work property, right? I mean, it's on company property at that point, so it's not theirs, they didn't own

it, right? So if they were to, you know, from a legal perspective, if I were to take it home and plug it in and then, you know, we get all this traffic and I get their passwords and all that sort of stuff, I'm guessing what you're asking is, do I have any liability for that, right? The reality is they stole work property, okay, because they didn't own it, they didn't turn it in because it wasn't theirs, they didn't know whose it was, and so as soon as they did that, they take the responsibility for whatever's on that, right? And so I'm covered under the fact that we gave that to, you know, to that company. Now if I'm a

hacker, then certainly, yeah, I have liability on that side as well, right? But obviously I'm a criminal, I really don't care where my liability is. But for me personally, or for Integrity, we're covered under that, because it was work property that they took outside of work. That's our legal interpretation of that. All right, well, thanks everybody, hopefully this was informative. Ways to contact me: follow us on social media, whatever, always happy to answer questions or build out the network. So appreciate it, thank you. [Applause] Yeah, we got