Social Engineering Techniques
Will Vandevanter, Senior Security Consultant
Danielle Sermer, Business Development Manager
Agenda
1. Rapid7 Company Overview and Learning Objectives
2. Social Engineering Techniques
3. Summary and Q&A
Rapid7 Corporate Profile
Company
• Headquarters: Boston, MA
• Founded 2000, Commercial Launch 2004
• 110+ Employees
• Funded by Bain Capital (Aug. 08) - $9M
• Acquired Metasploit in Oct. 09
Solutions
• Unified Vulnerability Management Products
• Penetration Testing Products
• Professional Services
Customers
• 1,000+ Customers
• SMB, Enterprise
• Community of 65,000+
Partners
• MSSPs
• Security Consultants
• Technology Partners
• Resellers
Organizations use Rapid7 to Detect Risk, Mitigate Threats and Ensure Compliance
#1 Fastest growing company for Vuln. Mgmt
#1 Fastest growing software company in Mass.
#7 Fastest growing security company in U.S.
#15 Fastest growing software company in U.S.
Will Vandevanter
• Penetration Tester and Security Researcher
• Web Application Assessments, Internal Penetration Testing, and Social Engineering
• Disclosures on SAP, Axis2, and open source products
• Twitter: @willis__
• will __AT__ rapid7.com
Social Engineering Definition
• Wikipedia (also sourced on social-engineer.org)
Social Engineering Definition Revisited
• The act of manipulating the human element in order to achieve a goal.
• This is not a new idea.
Goal Orientated Penetration Testing
• The primary objective of all assessments is to demonstrate risk
• ‘Hack Me’ or ‘We just want to know if we are secure’ is not specific enough
• How do I know what is most important to the business?
How We Use Social Engineering
• To achieve the goals for the assessment
• To test policies and technologies
Commonalities
1. Information Gathering
2. Elicitation and Pretexting
3. The Payload
4. Post Exploitation
5. Covering your tracks
Information Gathering
• White Box vs. Black Box vs. Grey Box
• Know Your Target
• Gather Your User List
  • Email Address Scheme
  • Document meta-data
  • Google Dorks
  • Hoovers, Lead411, LinkedIn, Spoke, Facebook
• Verify Your User List
• Test Your Payload
Template 1 – The Fear Factor
• Goal: To obtain user credentials without tipping off the user
• Identify a user login page
  • Outlook Web Access
  • Corporate or Human Resources Login Page
• Information Gathering is vital
How Effective Is It?
• Incredibly Successful
• Case Study
  • Mid December 2010
  • 80 e-mails sent to various offices and levels of users
  • 41 users submitted their credentials
• Success varies on certain factors
  • Centralized vs. Decentralized Locations
  • Help Desk and internal communication process
  • Number of e-mails sent
  • Time of the day and day of the week matter
Controls and Policy
• Do your users know whom to contact if they receive an e-mail like this?
• How well is User Awareness Training working?
• How well is compromise detection working?
• Are your mail filters protecting your users?
Template 2 – Security Patch
• Goal: To have a user run an executable providing internal access to the network.
• Information Gathering:
  • Egress filtering rules
  • Mail filters
  • AV
The Payload
• Meterpreter Executable
• Internal Pivot
How Effective Is It?
• Highly dependent on a large number of factors
• At least 5-10% of users will run it
• Case Study
  • July 2010
  • ~70 users targeted
  • 12 connect-backs made
• Success varies on many factors
  • Egress Filtering
  • Mail Server Filters
  • Server and endpoint AV
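The two case studies above (41 of 80 credentials submitted; 12 of ~70 connect-backs) are the kind of numbers the closing slide calls critical. This added example, not from the talk or Rapid7's tooling, turns such totals into a rate with a 95% Wilson score interval so two campaigns can be compared honestly, and breaks constructed per-recipient results down by a factor such as send hour. The campaign labels, the function names and the per-recipient records are all constructed here.

```python
from math import sqrt

def wilson(hits, n, z=1.96):
    """Response rate with its 95% Wilson score interval: returns (rate, low, high)."""
    if n == 0:
        return (0.0, 0.0, 0.0)
    p = hits / n
    denom = 1 + z * z / n
    centre = (p + z * z / (2 * n)) / denom
    half = z * sqrt(p * (1 - p) / n + z * z / (4 * n * n)) / denom
    return (p, centre - half, centre + half)

# Campaign totals quoted in the talk: credentials submitted (Dec 2010) and
# connect-backs made (Jul 2010). The campaign names are labels chosen here.
CAMPAIGNS = {"fear_factor_dec2010": (41, 80), "security_patch_jul2010": (12, 70)}

def summarise(campaigns=CAMPAIGNS):
    """Rate and interval per campaign; a small n gives a wide interval."""
    return {name: wilson(hits, n) for name, (hits, n) in campaigns.items()}

def rate_by_factor(records, key):
    """Group per-recipient results by one factor (office, send hour, ...) and
    return the rate and interval for each group."""
    groups = {}
    for rec in records:
        hits, total = groups.get(rec[key], (0, 0))
        groups[rec[key]] = (hits + int(rec["responded"]), total + 1)
    return {k: wilson(h, t) for k, (h, t) in groups.items()}

# Constructed per-recipient results (not data from the talk) to show the breakdown.
SAMPLE_RECORDS = [
    {"office": "HQ", "hour": 9, "responded": True},
    {"office": "HQ", "hour": 9, "responded": False},
    {"office": "HQ", "hour": 16, "responded": False},
    {"office": "Branch", "hour": 9, "responded": True},
    {"office": "Branch", "hour": 16, "responded": True},
    {"office": "Branch", "hour": 16, "responded": False},
]

if __name__ == "__main__":
    for name, (rate, low, high) in summarise().items():
        print(f"{name}: {rate:.0%} (95% interval {low:.0%}-{high:.0%})")
    for hour, (rate, low, high) in rate_by_factor(SAMPLE_RECORDS, "hour").items():
        print(f"sent at {hour:02d}:00: {rate:.0%} ({low:.0%}-{high:.0%})")
```

The 41-of-80 campaign reads as roughly 40% to 62%, the 12-of-70 one as roughly 10% to 28%, which is why a single headline percentage from one send should not be used to declare a control fixed.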
Controls and Policy
• Do your users know whom to contact if they receive an e-mail like this?
• How well is User Awareness Training working?
• How well is compromise detection working?
• Are your mail filters protecting your users?
• Technical Controls
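Both templates rely on indicators a mail filter or a triage script can check for: a logon link whose host imitates the organisation's own domain (Template 1), an executable "patch" attachment (Template 2), and a Reply-To pointing somewhere other than the claimed sender. This added example is not from the talk or from Rapid7's tooling; the domain example-cu.com, the three sample messages and the function names are all constructed here.

```python
import re
from difflib import SequenceMatcher
from email.message import EmailMessage
from email.utils import parseaddr

ORG_DOMAINS = {"example-cu.com"}   # constructed: the organisation's real mail domain
EXEC_EXT = (".exe", ".scr", ".bat", ".com", ".pif", ".cpl")
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)

def _sld(host):   # second-level label: "example-cu-mail" for "owa.example-cu-mail.com"
    return host.lower().split(".")[-2:][0]

def is_lookalike(host):   # host imitates one of ORG_DOMAINS without belonging to it
    host = host.lower()
    ours = any(host == d or host.endswith("." + d) for d in ORG_DOMAINS)
    return not ours and any(_sld(d) in host or SequenceMatcher(None, _sld(host), _sld(d)).ratio() >= 0.85
                            for d in ORG_DOMAINS)

def analyse(msg):   # returns the indicators seen in one message (empty list = nothing seen)
    findings = []
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    reply_dom = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    if reply_dom and reply_dom != from_dom:
        findings.append(f"reply-to {reply_dom} differs from sender {from_dom}")
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(EXEC_EXT):
            findings.append(f"executable attachment {name}")
        elif part.get_content_type() == "text/plain":
            findings += [f"look-alike link host {h}" for h in URL_RE.findall(part.get_content()) if is_lookalike(h)]
    return findings

def _mail(sender, body, reply_to=None, attach=None):
    m = EmailMessage()
    m["From"] = sender
    if reply_to:
        m["Reply-To"] = reply_to
    m.set_content(body)
    if attach:   # attachment body is a constructed stub, not a real binary
        m.add_attachment(b"constructed-stub", maintype="application", subtype="octet-stream", filename=attach)
    return m

SAMPLES = {   # three constructed messages: one per template above, plus a legitimate one
    "harvest": _mail("IT Helpdesk <helpdesk@example-cu.com>",
                     "Re-validate at https://owa.example-cu-mail.com/owa/auth/logon.aspx",
                     reply_to="helpdesk@example-cu-mail.com"),
    "patch": _mail("IT Helpdesk <helpdesk@example-cu.com>", "Run the attached patch before Friday.", attach="security-patch.exe"),
    "benign": _mail("HR <hr@example-cu.com>", "Open enrollment: https://hr.example-cu.com/benefits"),
}
```

Running analyse() over each value in SAMPLES flags the look-alike host and the Reply-To mismatch on the first, the .exe on the second, and nothing on the legitimate HR mail; the same checks can be run over messages from your own awareness exercises to see which ones the mail filter should have stopped.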
Tools of The Trade
• Information Gathering
  • Maltego
  • Shodan
  • Hoovers, Lead411, LinkedIn
• Social Engineering Toolkit (SET)
• Social Engineering Framework (SEF)
• Metasploit
Information Gathering – Sun Tzu
Information Gathering
• White Box vs. Black Box vs. Grey Box
• Know Your Target
• Pretexting is highly important
Pretexting
• Props or other utilities to create the ‘reality’
• Keep the payload and the goal in mind
• Information Gathering is key
Template 1 – Removable Media
• Goal: To have a user either insert a USB drive or run a file on the USB drive
• Start with no legitimate access to the building
• Getting it in there is the hard part
Pretexting USB Drives
• The Parking Lot
• Inside of an Envelope
• Empathy
• Bike Messenger, Painter, etc.
Payload
• AutoRun an executable
• Malicious PDF
• Malicious Word Documents
Controls and Policies
• What are the restrictions on portable media?
• Was I able to bypass a control to gain access to the building?
• Technical Controls
Case Study - The Credit Union Heist
• Goal: “Paul” needed to obtain access to the server room at a credit union
• The room itself is locked and accessible via key card only.
• Information Gathering
• Pretexting
Gadgets
• RFID card reader and spoofer
• Pocket Router
• SpoofApp
• Lock Picking Tools
• Uniforms
Closing Thoughts
• Protecting against Social Engineering is extremely difficult
• User Awareness training has its place
• Regularly test your users
• Metrics are absolutely critical to success
• During an assessment, much of it can be about luck
Resources
• www.social-engineer.org
• “The Stratagems of Social Engineering” – Jayson Street, DefCon 18
• “Open Source Information Gathering” – Chris Gates, Brucon 2009
• Security Metrics: Replacing Fear, Uncertainty, and Doubt – Andrew Jaquith