Social Engineering Techniques
Will Vandevanter, Senior Security Consultant
Danielle Sermer, Business Development Manager
Agenda
1. Rapid7 Company Overview and Learning Objectives
2. Social Engineering Techniques
3. Summary and Q&A
Rapid7 Corporate Profile
Company
• Headquarters: Boston, MA
• Founded 2000, Commercial Launch 2004
• 110+ Employees
• Funded by Bain Capital (Aug. 08) - $9M
• Acquired Metasploit in Oct. 09
Solutions
• Unified Vulnerability Management Products
• Penetration Testing Products
• Professional Services
Customers
• 1,000+ Customers
• SMB, Enterprise
• Community of 65,000+
Partners
• MSSPs
• Security Consultants
• Technology Partners
• Resellers
#1 Fastest growing company for Vuln. Mgmt
#1 Fastest growing software company in Mass.
#7 Fastest growing security company in U.S.
#15 Fastest growing software company in U.S.
Organizations use Rapid7 to Detect Risk, Mitigate Threats and Ensure Compliance
Social Engineering Techniques
Will Vandevanter
• Penetration Tester and Security Researcher
• Web Application Assessments, Internal Penetration Testing, and Social Engineering
• Disclosures on SAP, Axis2, and open source products
• Twitter: @willis__
• will __AT__ rapid7.com
Social Engineering Definition
“The act of manipulating people into performing actions or divulging confidential information.”
– Wikipedia (also sourced on social-engineer.org)
Social Engineering Definition Revisited
• The act of manipulating the human element in order to achieve a goal.
• This is not a new idea.
Visualizing the Enterprise
Goal Orientated Penetration Testing
• The primary objective of all assessments is to demonstrate risk
• ‘Hack Me’ or ‘We just want to know if we are secure’ is not specific enough
• How do I know what is most important to the business?
How We Use Social Engineering
• To achieve the goals for the assessment
• To test policies and technologies
Commonalities
1. Information Gathering
2. Elicitation and Pretexting
3. The Payload
4. Post Exploitation
5. Covering your tracks
Electronic Social Engineering
Information Gathering
• White Box vs. Black Box vs. Grey Box
• Know Your Target
• Gather Your User List
– Email Address Scheming
– Document meta-data
– Google Dorks
– Hoovers, Lead411, LinkedIn, Spoke, Facebook
• Verify Your User List
• Test Your Payload
Template 1 – The Fear Factor
• Goal: To obtain user credentials without tipping off the user
• Identify a user login page
– Outlook Web Access
– Corporate or Human Resources Login Page
• Information Gathering is vital
Pretexting
The Payload
Post Exploitation
How Effective Is It?
• Incredibly Successful
• Case Study
– Mid December 2010
– 80 e-mails sent to various offices and levels of users
– 41 users submitted their credentials
• Success varies with certain factors
– Centralized vs. Decentralized Locations
– Help Desk and internal communication process
– Number of e-mails sent
– Time of the day and day of the week matter
Controls and Policy
• Do your users know whom to contact if they receive an e-mail like this?
• How well is User Awareness Training working?
• How well is compromise detection working?
• Are your mail filters protecting your users?
Template 2 – Security Patch
• Goal: To have a user run an executable providing internal access to the network.
• Information Gathering:
– Egress filtering rules
– Mail filters
– AV
Pretexting
The Payload
• Meterpreter Executable
• Internal Pivot
Post Exploitation
How Effective Is It?
• Highly Dependent on a high number of factors
• At least 5-10% of users will run it
• Case Study
– July 2010
– ~70 users targeted
– 12 connect-backs made
• Success varies with many factors
– Egress Filtering
– Mail Server Filters
– Server and endpoint AV
Controls and Policy
• Do your users know whom to contact if they receive an e-mail like this?
• How well is User Awareness Training working?
• How well is compromise detection working?
• Are your mail filters protecting your users?
• Technical Controls
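The Security Patch template only pays off when the user-run executable can connect back out of the network, and the slides name egress filtering as the control that decides that. As an added example that is not from the Rapid7 deck, the following Python script reads constructed firewall log lines and flags workstation connections that reached the Internet without passing through the web proxy; the log format, the subnets and the proxy address are all assumptions.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed sample firewall log lines (not real data). Format assumed:
# space-separated key=value pairs, one allowed or denied connection per line.
SAMPLE_LOGS = """\
ts=2010-07-12T09:14:02 src=10.20.5.17 dst=10.20.1.4 dport=3128 action=allow
ts=2010-07-12T09:14:05 src=10.20.5.17 dst=10.20.1.10 dport=445 action=allow
ts=2010-07-12T09:15:11 src=10.20.5.31 dst=203.0.113.45 dport=4444 action=allow
ts=2010-07-12T09:15:40 src=10.20.5.31 dst=198.51.100.9 dport=443 action=allow
ts=2010-07-12T09:16:02 src=10.20.5.8 dst=198.51.100.77 dport=8080 action=deny
ts=2010-07-12T09:16:30 src=10.20.1.4 dst=198.51.100.9 dport=443 action=allow
"""

# Assumed network layout: the user workstation subnet, the corporate address
# space, and the one host (the web proxy) allowed to reach the Internet directly.
WORKSTATIONS = ipaddress.ip_network("10.20.5.0/24")
INTERNAL = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PROXY = ipaddress.ip_address("10.20.1.4")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> Dict[str, str]:
    """Turn one key=value log line into a dict (empty dict for a blank line)."""
    return dict(KV_RE.findall(line))


def is_egress_gap(rec: Dict[str, str]) -> bool:
    """True when a workstation reached an external address without the proxy."""
    src = ipaddress.ip_address(rec["src"])
    dst = ipaddress.ip_address(rec["dst"])
    if rec.get("action") != "allow" or src not in WORKSTATIONS:
        return False
    # A connect-back on 443 looks like ordinary web traffic, so the port is not
    # the signal; any direct workstation-to-Internet connection is.
    return dst != PROXY and not any(dst in net for net in INTERNAL)


def find_egress_gaps(log_text: str) -> List[Dict[str, str]]:
    """Return the records that show unfiltered workstation egress."""
    records = (parse_line(line) for line in log_text.splitlines())
    return [r for r in records if r and is_egress_gap(r)]


if __name__ == "__main__":
    for gap in find_egress_gaps(SAMPLE_LOGS):
        print(f"{gap['ts']} {gap['src']} -> {gap['dst']}:{gap['dport']} bypassed the proxy")
```

Run against the constructed sample, only the two direct connections from 10.20.5.31 are reported; the proxied, internal, denied and proxy-originated lines are all expected traffic.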
Tools of The Trade
• Information Gathering
– Maltego
– Shodan
– Hoovers, Lead411, LinkedIn
• Social Engineering Toolkit (SET)
• Social Engineering Framework (SEF)
• Metasploit
Physical Social Engineering
Information Gathering
“If you know the enemy and know yourself you need not fear the results of a hundred battles.”
– Sun Tzu
Information Gathering
• White Box vs. Black Box vs. Grey Box
• Know Your Target
• Pretexting is highly important
Pretexting
• Props or other utilities to create the ‘reality’
• Keep the payload and the goal in mind
• Information Gathering is key
Template 1 – Removable Media
• Goal: To have a user either insert a USB drive or run a file on the USB drive
• Start with no legitimate access to the building
• Getting it in there is the hard part
Pretexting USB Drives
• The Parking Lot
• Inside of an Envelope
• Empathy
• Bike Messenger, Painter, etc.
Payload
• AutoRun an executable
• Malicious PDF
• Malicious Word Documents
Post Exploitation
Controls and Policies
• What are the restrictions on portable media?
• Was I able to bypass a control to gain access to the building?
• Technical Controls
Case Study - The Credit Union Heist
• Goal: “Paul” needed to obtain access to the server room at a credit union
• The room itself is locked and accessible via key card only.
• Information Gathering
• Pretexting
Gadgets
• RFID card reader and spoofer
• Pocket Router
• SpoofApp
• Lock Picking Tools
• Uniforms
Closing Thoughts
• Protecting against Social Engineering is extremely difficult
• User Awareness training has its place
• Regularly test your users
• Metrics are absolutely critical to success
• During an assessment much of it can be about luck
Resources
• www.social-engineer.org
• “The Strategems of Social Engineering” – Jayson Street, DefCon 18
• “Open Source Information Gathering” – Chris Gates, Brucon 2009
• Security Metrics: Replacing Fear, Uncertainty, and Doubt – Andrew Jaquith
Questions or Comments