
Hey everybody, last talk of the day. Just want to remind everybody, we are clearing out in here after this last talk, so just a heads up. Again, I want to thank our sponsors. If you have any feedback about the conference or about any other sessions you go to, go to /feedback for conference feedback, or on the schedule go to the particular session and click the feedback survey button. We have one last raffle to do; we're going to do that immediately after this. Besides that, I think that's it. I want to welcome the guys from Intermedia: we have Ryan, we have Nanad and Dylan, and they're going to be talking about Employee Hijacking: Building a Hacktober Awareness Program. There you go.

Thank you. Okay, time is quick, so I'm going to move fast. So this is the team: this is Mr. Dylan, Mr. Nanad, and I'm Ryan. Let's talk about what we did. So first, a little bit about us: we're a cloud service provider, Intermedia. We've got 800 employees, just to give you the size of the company, six corporate offices in three countries, and we do a bunch of cloud stuff, which the colors are kind of obscuring, but all right. We'll talk about why we did it, what it is, an overview of some of the hacks and campaigns that we ran against our employees, some of the feedback and lessons learned that we had, and advice for getting started.

So this is kind of why. You know, when I look at some of our top threats, the easy stuff is the network, the application stuff; it's easier than the employee, and I think we've known that for a while. And so, like, Securing the Human and the whole SANS piece really sparked my interest in terms of driving my security program forward. I think the guys at Facebook about five years ago started a Hacktober program that really inspired me; when I read all the articles about what they had done I thought, I'm going to give this a try myself. So, for those of you who haven't heard of it, the goal is kind of like, I liken it to: your employees are like teenagers. They don't know how to drive. You're going to put them in a car, throw them onto a track, wet it down, it's all going to be padded, you're going to let them crash really safely into the barriers. They're going to learn in a consequence-free environment what it's like to handle digital information safely and make mistakes in a way that isn't going to, like, screw the company and screw them as an employee. So safe learning, fun, engaging. As much as we could, we tried to architect the lessons directly into the campaigns in a way that was automated, so they would be much more scalable: they could just learn what they did wrong immediately and move on, and I didn't have to come and, like, meet with them personally.

All right, so the rules are pretty simple. I sent out an email about six weeks ahead of time before the campaign starts, and I say, hey, don't hack your colleagues, we're the ones doing the hacking; report spotted hacks to security, and if you spot a hack we'll give you a prize. All right, so what did we do? We did a bunch of different campaigns. We did some phishing campaigns, which, you know, everybody's pretty much running those now; rogue wireless access points; social engineering on our support staff; we did puzzles with CTFs to engage employees and let them get involved in other ways; we dropped USB keys; and we did tailgating for physical security penetration testing.

All right, so spotting the phish. So Dylan's going to talk a little bit about building the program. The goal was, look, the employees are just getting tons of email and they, you know, have to differentiate between the ones that are crap and the ones that have malware and/or are trying to get them to transfer money or do something tricky. So the goal was just to create enticing emails, phish them as hard as we could, sort of step back and profit, and watch the statistics hopefully decline. So Dylan will walk through, like, how we actually built that and what that looks like.

Great, thanks Ryan. Phishing your employees is fun. One thing that's important is to make sure that you have your campaigns targeted towards things that your users are used to seeing in their mailboxes on a day-to-day basis. You want to make sure that the phishing websites that you're sending your users to are created very well. You want to make sure that you have this database of metadata that you can pull from to create these emails, and of course you need to code a mailer; you're not going to send these manually. You're going to want to make sure that you have a good, clear lesson of why you're doing this to the employee so they don't feel shamed. You're absolutely going to want to monitor this, and you're also going to want to report on it. Layoffs, right? No, I'm kidding. Absolutely important to plan your campaigns. You want to make sure that everything is ready to go, and it's very important, like, what is your campaign? Like I said earlier, you want to make sure that it's targeted for things that your employees are going to see every day.

So for us, first thing is, people love free stuff, so we sent them some Amazon gift cards for being the best employee. In our database, that I'll talk about in a little bit, we actually sent these emails from their managers, so they thought they were special. These ones didn't actually collect credentials like the other campaigns we did; these were actually for drive-by downloads, and so if they clicked through they would receive a nice cat GIF downloaded to their system, and we could track that based off of some logs and things that we had collecting. We did Amazon and we did Ozon for our overseas office. The credential-collecting emails we sent were for our payroll system and also our Dropbox-like product called SecuriSync. So first off, with the payroll system, people want to get paid, so if you tell them that they need to update their information in the payroll system or they're not getting paid, they're going to click the link, they're going to update it, they're going to give the creds, and you can kind of laugh about that. For the file sharing: your manager accidentally just shared all the salary information with you, this confidential folder, click here, give me credentials to the web page, and yeah, fail.

So kind of the bits and pieces: you absolutely want to make sure you have an exact duplicate of the website. Your users will notice a broken image, things aren't working correctly, especially if they visit the site on a daily basis. You're absolutely going to want to get domains that are registered as close as possible as you can to the real domain. If the website has SSL, buy an SSL cert, five bucks at Namecheap. As a tip, don't collect the passwords; you know, don't save those to your SQL database. Yeah, and just to touch on the database, for us, populating the email messages, you know, these were some bits and pieces that we kind of came up with for filtering: you know, we used department, office location. We kind of just built these tables in SQL and, you know, used these for the emails to populate the little variables in there with their first name, last name, yadda yadda. So you need to figure that out, like what's going to be relevant for your campaigns in the database. Unique identifier: very important for reporting and tracking. To build this I used PHP, don't judge. So you're going to want to use, again, to populate your email templates, you're going to want to use the info from your database and automate this as much as possible. The unique identifier will allow you to track and report. You can utilize, we utilized Splunk, also pulling in the Apache logs; we were able to take this unique identifier that we attached to the URLs in the phishing emails and kind of create little pretty dashboards in Splunk off of that and see who clicked what, correlate that, and see who needs a talking to. You absolutely want to test this. Don't [ __ ] it up. You need to test it. I sent these guys emails all night several times testing it out to make sure it works, because you get one shot.

Just to touch on these last bits here: this is a lesson page. This was for the payroll campaign. This is what we created: create this urgency, you need to click this and give us your credentials now, and teach them a lesson, basically telling them what they should have looked for in these email messages before actually providing creds. Lastly, this was our fun page. This was real-time monitoring; we could watch people's creds come in in real time, and yeah, this was for our eyes only, nobody else saw this, but you know, we did a wall of hacked instead of a wall of sheep. But yeah, that's that. I'm going to hand this back to Ryan now to talk about the statistics.

Yeah, like, that's really hard to read, I get that, but this was awesome when we would just sit back and watch the candy roll in of users clicking and giving us their passwords, and it was ridiculous. I mean, not just like Jane in finance and Joe in marketing; it was like senior engineers that should know better clicking through and like, oh yeah, here's my password. Crazy. Okay, so here's the statistics. We ran three different campaigns, and what I call a campaign is like one of those emails that you saw, so the payroll would be a campaign, but we sent them out to multiple offices. So the first one was a demo, which we went small on, just like, hey, how does this work, you know, we were building the scripts, the database. So the first one went out and, this is really embarrassing, but this is sixty-six percent clicked on the link, forty-four percent gave us a password. That's horrible. Payroll: 700 emails went out, that's almost the whole company; dropped precipitously. Then at the end, gift cards. You get the picture: you hit them every, you know, couple weeks and they start learning. And I mean our CEO is like, you didn't get me, you know. That was really great. The amount of support we had from the executive staff was awesome to actually pull this off.

USB flash drives. That's fun. That's actually a senior director at our company picking that up, but he didn't plug it in, so he brought it straight... oh, this is awesome. So I bring them, I sprinkle them around the entrances to the buildings and I'd hang out in the conference room with my phone and just wait and see who picked them up. And so he brought it, thankfully he didn't plug it in, he brought it straight over to us and said, hey, found this, this Hacktober, and we said, yeah, we'd give him a shirt or a prize or something, so he feels good. He did the right thing, he didn't plug it in. And Nanad's going to tell us a little bit about... I'll get there, I'll get there. So there weren't just dumb USB drives. We actually, like, really thought about this one, to seed them with documents it would be really interesting to click on, like, you know, salary survey, things like that, and they would make outbound connections back to our data collection server. So this thing is really tough to read, but essentially the document would pop up, it'd be a bunch of ciphertext, kind of gibberish, and it would say, hey, enable your macros, which you're not supposed to do; that's exactly what malware is trying to get you to do. And when you did it, it popped up and said, like, here's the lesson: you know, you screwed up, this is a common method, blah blah blah. This is the list of documents that we created enticing file names for, but they were all laced with code to phone home back to us and give us a little bit of data on, like, who they were. So this goes back to Splunk, and it would tell us, you know, which document they opened, the time, the workstation name, their IP address, I mean, what they plugged it into, and we could tell the difference between if they plugged it in, or if they plugged it in and opened a document, or if they plugged it in and opened a document and enabled macros. So each step was, you know, there is nowhere to hide. Okay, then Nanad is going to talk to us about the rogue access point program.

Thank you, Ryan. So the rogue access points. The hardware is mainly a Raspberry Pi, and they run a few open source programs like Raspbian OS, which is like Debian, and a few custom-built programs, like, we've coded them in-house. What do they do? The primary purpose is to broadcast an open wireless network, collect information about the clients that connect to them, and send it up to our Splunk as log information. It also helps with the USB drives: it also helps in detecting, between the time we threw it out and when someone brings it back, whether someone plugged it in. So when someone brings it back we can identify on the Raspberry Pis whether this device was plugged in at all or not. Let's take a look at the design. We have multiple offices throughout the world, so each office gets a Raspberry Pi of its own. Once they are plugged in, once they're powered on, they start broadcasting an open wireless network, and we have a single command and control server on the internet. It's like a simple C&C server, but what it does is it waits for connections from these Raspberry Pis, and they start talking to each other, and we can share information like who has connected to our bots, what is going on, constant telemetry data. And it also lets us send information to these bots, that, hey, you know, change your SSID to this, change your BSSID to this, or load this new program, or here's a new configuration, or even we can send it one-time instructions like sleep for the next 20 minutes or so. And this also reports data back into Splunk for us to analyze.

What does it look like when someone connects? These bots display an informational message. In addition to this we also send an audio file, so there's an audio indicator, just to have fun at times. So if someone in the office connects to these bots, or somebody connects to these open access points by mistake or deliberately, there's also a visual indicator that something's going on, and here's a message that they also see. What information do we collect? Once we have all the aggregated information, we use Splunk, so once this log data goes into Splunk we collect a list of unique devices. This is like a sample dashboard that we use; we are constantly, like, we have this in front of us during Hacktober. We also fluctuate the signal strength for fun, for someone who's a little curious and wants to find out where these access points are; they generally use a wireless signal strength meter to identify the location, so it makes it a little bit harder to locate these. Then we collect other information like what is the status of a bot at any point in time, and their location, the geolocation, and what are the wireless parameters that they are using, so since we change this as and when required, it gives us like a single page that we can go to to see what's happening. And most importantly, this is our list of victims that we have collected, that we have seen.

In addition to all of this, the bot also has a capture-the-flag-like puzzle hidden on it. On the landing page we have a hidden message that says, like, if you're curious, just listen on ICMP, and for someone who goes further, we have a hidden message that you can see in the highlighted packet. It asks someone to go to this single page, to this URL, which then leads them to another puzzle, which asks them to do some sort of port knocking, and it gives them a hint on what to do next; in this case it's the sequence of the first five Fibonacci numbers. And we congratulate them once they've cracked the puzzle. When anyone cracks the puzzle we also get notified via Splunk; there is a particular software called knockd, which is a knock daemon, for doing this, and once we have this we know someone cracked the puzzle. Next, Ryan is going to talk about tailgating.

Just after I try to find the mic. What I will say about the rogue AP thing: there was a hidden benefit which was really cool, which was it helped us detect a whole bunch of Intel wireless adapters that were misconfigured throughout our endpoints that were configured to automatically connect to open APs. And so we just started seeing all these victims rolling in and we're like, what is going on with this? And it was the same people over and over again, so it actually had a dual benefit.

Tailgating. So that was one thing we decided to try, was have a stranger, a guest, come in. It was actually the son of one of our employees who is no longer with us. I brought in this 18-year-old son and we gave him a bunch of boxes and just told him to start going around to different doors in the buildings and just trying to act like, hey, I'm just the new guy, I'm here, can you let me in? And he got in all the time. It was not good, so I think that was our biggest learning lesson.

All right, so some of the posters. We'll run through these really quick. So this is actually one of the posters that we created and shipped out to all the offices, and so these just showed up mysteriously around October, and you could read on there: the barcode says "Intermedia Hacktober" in leetspeak, and people would just be like, what am I supposed to do with this? And it asks for clues, and we're like, look, just go figure it out, you know, maybe there's something there. And there were some people who are so paranoid about hacking that they won't even scan the barcodes; they're like, are you guys going to own me on my phone? No, I'm not going to do that. But once you dug in a little bit, once you glued together the QR codes in the order of the colors of our logo, then you put together a URL that leads to Wikipedia about Code 39 and NFC tags, and you look for that, and we had, we ordered NFC tags and glued them on the back of the puzzles, so there was some other stuff to find there. Bottom line is it led you to a secret portal where you got to decode the password and log in, and it gave you a code which, if you presented it to us, you got your prize. So people loved it. The prizes were great: people love schwag, mugs, stickers, privacy guards. They just like to elevate themselves amongst their fellow employees and say, hey look, I caught the hack, and that's cool. I mean, security awareness is not like a cool topic that the employees generally think about as something fun, and so we saw this whole different conversation starting to happen around the offices globally, which was people really excited about the buzz: what was going to happen, what were the hacks going to be this year, how can I win a prize, I hope I get one this year. So that kind of discourse is a win. Talking about, oh, I hope I don't get phished this year, how did you catch that phishing attack last time; that kind of conversation never happens when you do a CBT-based security awareness campaign. It just doesn't. So that kind of stuff was a huge benefit. Some of the feedback was they just loved it, they thought it was cool. Some of them learned stuff, some didn't, others became experts, other people got pissed off, but that's okay. Most people thought it was really cool; they liked it.

All right, looking forward: what could we do better? Start earlier. If there's anything I tell you to do, start early. This takes a little bit of time, but just start; don't worry about trying to make it perfect. This is going to be, 2016 will be our third year doing it, and we're already starting to work on our artwork now, and we're going to order all our stuff for October. Phish quarterly, build more consistent awareness. So as you saw the declining arrow, that was three campaigns in a month, so we told ourselves we want to start phishing these guys every quarter and just randomly hitting them with all kinds of crappy campaigns that they wouldn't know when or where would come from, that would just kind of keep them on their toes and paranoid throughout the whole year instead of just once a year. We only did tailgating in one office; it was single-threaded. It was a little difficult, coordination of the other global hacks in time. We had the ambassadors in each office, so people needed to help us set up the Pis and take delivery and hand out prizes and stuff like that, so getting clear instructions to them would have been much more helpful. So, wrapping up: start early, check with management, get some support, a very small budget gets you going, notify your employees and victims about six weeks out, and just get started. It's a good time, and it has a lot of benefits that I think you really can't put your finger on unless you do it. So thanks. Oh yeah, we're hiring.

Thank you, gentlemen. Oh yeah, questions, right?

Hey, you guys generated a lot of great material for this. Would you guys consider putting it out on GitHub with your company, that way you could publish all these, the wireless hacks and the...

Right, right, we knew we were going to get that question. We're still thinking about it. I'm still running it past a lawyer, and if he says yes then I think it's fine.

Yeah, all right, who else wants some secrets? Come on, any other questions? Here we go.

Hey, so I was wondering if you have any statistics of how the employees improved their security awareness over three years of Hacktobers.

Well, we definitely have the phishing statistics, I think, but we only have one year of that. And having everything, all the data going back into Splunk, really helps. Pulling out the entire user database and putting it into a separate database so that we know the first name, last name, the manager, their title, that really helps drive KPIs and statistics around, like, you know, who clicked on what, and allowed us to phish them directly from their managers. That was awesome. That is probably my best statistics so far. In the first year we did it, we just didn't even know if we were going to fail horribly, and so we really didn't bother keeping statistics too much, just to see if we could do it, and if, you know, they didn't fire us immediately for hacking everybody, then that was a win. I think this year we're going to keep much better statistics, right guys?

Well, yeah, that'll be cool to see if the exercises actually worked, right? I mean obviously employees change over the years, you know.

All right, but still, a number, and the success of the exercise. Yeah, one thing they weren't doing is plugging in USBs. I don't know if the younger generation is like, what's that? The first year we did it we did CD-ROMs and USBs, and like, sprinkled CD-ROMs at the office with "confidential", and people are like, what's a CD-ROM? I don't even have a CD reader thing on my... what is this rainbow disk?

Going once, going twice. Well, thank you guys. Feel free to email us if you have any other questions. Thank you guys so much, and again on behalf of Security BSides, and thanks to one of our sponsors, here are some tidbits.