social engineering techniques
Post on 25-Feb-2016
Social Engineering Techniques
Will Vandevanter, Senior Security Consultant
Danielle Sermer, Business Development Manager
Agenda
1. Rapid7 Company Overview and Learning Objectives
2. Social Engineering Techniques
3. Summary and Q&A
Rapid7 Corporate Profile
Company
• Headquarters: Boston, MA
• Founded 2000, Commercial Launch 2004
• 110+ Employees
• Funded by Bain Capital (Aug. 08) - $9M
• Acquired Metasploit in Oct. 09
Solutions
• Unified Vulnerability Management Products
• Penetration Testing Products
• Professional Services
Customers
• 1,000+ Customers
• SMB, Enterprise
• Community of 65,000+
Partners
• MSSPs
• Security Consultants
• Technology Partners
• Resellers
#1 Fastest growing company for Vuln. Mgmt
#1 Fastest growing software company in Mass.
#7 Fastest growing security company in U.S.
#15 Fastest growing software company in U.S.
Organizations use Rapid7 to Detect Risk, Mitigate Threats and Ensure Compliance
Social Engineering Techniques
Will Vandevanter
• Penetration Tester and Security Researcher
• Web Application Assessments, Internal Penetration Testing, and Social Engineering
• Disclosures on SAP, Axis2, and open source products
• Twitter: @willis__
• will __AT__ rapid7.com
Social Engineering Definition
“The act of manipulating people into performing actions or divulging confidential information.”
– Wikipedia (also sourced on social-engineer.org)
Social Engineering Definition Revisited
• The act of manipulating the human element in order to achieve a goal.
• This is not a new idea.
Visualizing the Enterprise
Goal Oriented Penetration Testing
• The primary objective of all assessments is to demonstrate risk
• ‘Hack Me’ or ‘We just want to know if we are secure’ is not specific enough
• How do I know what is most important to the business?
How We Use Social Engineering
• To achieve the goals for the assessment
• To test policies and technologies
Commonalities
1. Information Gathering
2. Elicitation and Pretexting
3. The Payload
4. Post Exploitation
5. Covering your tracks
Electronic Social Engineering
Information Gathering
• White Box vs. Black Box vs. Grey Box
• Know Your Target
• Gather Your User List
– Email Address Scheming
– Document meta-data
– Google Dorks
– Hoovers, Lead411, LinkedIn, Spoke, Facebook
• Verify Your User List
• Test Your Payload
Template 1 – The Fear Factor
• Goal: To obtain user credentials without tipping off the user
• Identify a user login page
– Outlook Web Access
– Corporate or Human Resources Login Page
• Information Gathering is vital
Pretexting
The Payload
Post Exploitation
How Effective Is It?
• Incredibly Successful
• Case Study
– Mid December 2010
– 80 e-mails sent to various offices and levels of users
– 41 users submitted their credentials
• Success varies on certain factors
– Centralized vs. Decentralized Locations
– Help Desk and internal communication process
– Number of e-mails sent
– Time of the day and day of the week matter
Controls and Policy
• Do your users know whom to contact if they receive an e-mail like this?
• How well is User Awareness Training working?
• How well is compromise detection working?
• Are your mail filters protecting your users?
Template 2 – Security Patch
• Goal: To have a user run an executable providing internal access to the network.
• Information Gathering:
– Egress filtering rules
– Mail filters
– AV
Pretexting
The Payload
• Meterpreter Executable
• Internal Pivot
Post Exploitation
How Effective Is It?
• Highly dependent on a large number of factors
• At least 5-10% of users will run it
• Case Study
– July 2010
– ~70 users targeted
– 12 connect-backs made
• Success Varies on Many Factors
– Egress Filtering
– Mail Server Filters
– Server and endpoint AV
Controls and Policy
• Do your users know whom to contact if they receive an e-mail like this?
• How well is User Awareness Training working?
• How well is compromise detection working?
• Are your mail filters protecting your users?
• Technical Controls
Tools of The Trade
• Information Gathering
– Maltego
– Shodan
– Hoovers, Lead411, LinkedIn
• Social Engineering Toolkit (SET)
• Social Engineering Framework (SEF)
• Metasploit
Physical Social Engineering
Information Gathering
“If you know the enemy and know yourself you need not fear the results of a hundred battles.”
– Sun Tzu
Information Gathering
• White Box vs. Black Box vs. Grey Box
• Know Your Target
• Pretexting is highly important
Pretexting
• Props or other utilities to create the ‘reality’
• Keep the payload and the goal in mind
• Information Gathering is key
Template 1 – Removable Media
• Goal: To have a user either insert a USB drive or run a file on the USB drive
• Start with no legitimate access to the building
• Getting it in there is the hard part
Pretexting USB Drives
• The Parking Lot
• Inside of an Envelope
• Empathy
• Bike Messenger, Painter, etc.
Payload
• AutoRun an executable
• Malicious PDF
• Malicious Word Documents
Post Exploitation
Controls and Policies
• What are the restrictions on portable media?
• Was I able to bypass a control to gain access to the building?
• Technical Controls
Case Study - The Credit Union Heist
• Goal: “Paul” needed to obtain access to the server room at a credit union
• The room itself is locked and accessible via key card only.
• Information Gathering
• Pretexting
Gadgets
• RFID card reader and spoofer
• Pocket Router
• SpoofApp
• Lock Picking Tools
• Uniforms
Closing Thoughts
• Protecting against Social Engineering is extremely difficult
• User Awareness training has its place
• Regularly test your users
• Metrics are absolutely critical to success
• During an assessment much of it can be about luck
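The deck's two case studies (41 of 80 users submitting credentials, 12 of ~70 running the payload) and its closing point that metrics are critical suggest a worked example of turning those counts into numbers a program owner can act on. The code below is added here and is not from the presentation or from Rapid7; the `Campaign` structure and function names are assumptions, and the counts are the ones the slides state. It computes each campaign's susceptibility rate with a Wilson 95% confidence interval, so that a small test batch is not over-read, and tells you whether two campaigns differ by more than the luck the closing slide warns about.

```python
from dataclasses import dataclass
from math import sqrt
from typing import Tuple

Z_95 = 1.959964  # two-sided 95% confidence z-score

@dataclass(frozen=True)
class Campaign:  # assumed record layout, not something the deck defines
    name: str
    targeted: int     # e-mails sent / users targeted
    succumbed: int    # users who submitted credentials or ran the payload

    def rate(self) -> float:
        return self.succumbed / self.targeted

    def wilson_interval(self, z: float = Z_95) -> Tuple[float, float]:
        """Wilson score interval for the true rate: stays inside [0, 1] and
        behaves well for the tens-of-e-mails samples one assessment produces
        (preferred over the naive p +/- z*sqrt(p(1-p)/n))."""
        n, p = self.targeted, self.rate()
        denom = 1 + z * z / n
        centre = (p + z * z / (2 * n)) / denom
        half = z * sqrt(p * (1 - p) / n + z * z / (4 * n * n)) / denom
        return max(0.0, centre - half), min(1.0, centre + half)

def significantly_different(a: Campaign, b: Campaign) -> bool:
    """True when the two 95% intervals do not overlap, i.e. the gap in
    rates is unlikely to be the luck the deck warns about."""
    lo_a, hi_a = a.wilson_interval()
    lo_b, hi_b = b.wilson_interval()
    return hi_a < lo_b or hi_b < lo_a

def clearly_above(c: Campaign, baseline: float) -> bool:
    """True when even the interval's lower bound exceeds a baseline such as
    the deck's 'at least 5-10% of users will run it'."""
    return c.wilson_interval()[0] > baseline

# Sample data constructed from the two case studies on the slides.
CASE_STUDIES = [
    Campaign("Template 1 - Fear Factor (Dec 2010)", targeted=80, succumbed=41),
    Campaign("Template 2 - Security Patch (Jul 2010)", targeted=70, succumbed=12),
]

if __name__ == "__main__":
    for c in CASE_STUDIES:
        lo, hi = c.wilson_interval()
        print(f"{c.name}: {c.succumbed}/{c.targeted} = {c.rate():.1%} (95% CI {lo:.1%} to {hi:.1%})")
    print("Templates differ beyond chance:", significantly_different(*CASE_STUDIES))
    print("Template 2 clearly above 5% baseline:", clearly_above(CASE_STUDIES[1], 0.05))
```

Re-running the same template a quarter later and checking `significantly_different` against the earlier batch is a more honest measure of awareness training than comparing raw percentages from batches of 70 or 80 users.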
Resources
• www.social-engineer.org
• “The Strategems of Social Engineering” – Jayson Street, DefCon 18
• “Open Source Information Gathering” – Chris Gates, Brucon 2009
• Security Metrics: Replacing Fear, Uncertainty, and Doubt – Andrew Jaquith
Questions or Comments