Phishing: It’s Not Just for Pentesters Using Phishing to Build a Successful Awareness Program

Upload: ec-council

Post on 21-Jan-2018


Intro

www.hackerhalted.com 2

• Enterprise Security Consultant at Sword & Shield Enterprise Security
• 2017 DerbyCon Social Engineering Capture the Flag (SECTF) winner
• Served in the US Navy, Navigating Submarines
• Holds the CISSP-ISSMP, GSNA, and GCIH certifications
• Frequent Guest Blogger
  • AlienVault
  • Tripwire
  • ITSP Magazine
  • Sword & Shield’s Blog
• Maintains blog and podcast at https://advancedpersistentsecurity.net
• Trains (spoken taps out a lot) in Brazilian Jiu Jitsu


Goals


• Open Source Intelligence (OSINT)

• Social Engineering
  • Pretexting
  • *ishing (Spear phishing, Vishing, and Smishing)
  • Whaling
  • Baiting
  • Dumpster Diving

• Applied Social Engineering

• OSINT in enabling more effective social engineering

• Tools and Techniques for collecting OSINT

• OSINT and Social Engineering integration

• Mitigations of Social Engineering

• Training of Teams

What is Social Engineering?


• Human Hacking

• Exploits the human factor and often bypasses technology and expensive equipment

Pioneers of the Art


Examples of Social Engineering


• Phishing

• Spear Phishing

• Whaling

• Vishing

• Smishing

• Baiting

• Pretexting

• Dumpster Diving

• Tailgating

Psychology of Social Engineering


• Everything goes back to Dr. Cialdini’s 6 Principles of Persuasion
  1. Reciprocity
  2. Commitment and Consistency
  3. Social Proof
  4. Liking (Likability)
  5. Authority
  6. Scarcity (Urgency)

Application of Social Engineering

• Social Engineering aims to influence the users to:
  • Provide some sort of data (ideally, sensitive data)
    • Tell us something that is not online and readily available
    • Tell us who could do something or tell us more (give us better targets)
    • Tell us about the operating environment and issues within
  • Perform an action
    • Clicking a link
    • Making a change to the firewall rules
    • Open an email

What is OSINT?


OSINT is drawn from publicly available material, including:

• The Internet

• Traditional mass media (e.g. television, radio, newspapers, magazines)

• Specialized journals, conference proceedings, and think tank studies

• Photos

• Geospatial information (e.g. maps and commercial imagery products)

Where can one gather OSINT?


Gathering OSINT

• Public conversations (borderline HUMINT)
  • Bars
  • Malls
  • Restaurants
• Family and Friends
• Back Windshields
• Mostly, the internet
  • Forums
  • Job Boards
  • Search Engines
  • Social Media

Goals of OSINT


An example of OSINT


Another Example


…another…


…last one…


OSINT Demo


Timing


SE and OSINT Relationship


• They share similar properties in terms of human psychology

• OSINT can be used to build a dossier or profile about a SE target
  • This can provide context for the contact
  • Better pretexting
  • Better (spear) phishing
  • Better “other” technical stuff like password guess (or even passwords)

Attribution?


Law Enforcement


Sales and Retail


…more examples…


…even more…


Is this one and done?

• Several rounds may be required.

• You may find something interesting towards the end that causes you to look at everything again from a different angle.


Collection Considerations

• What is the Endgame?

• Is what you’re doing ethical?
  • Do you have an ethical obligation to do this a certain way?
• Is this legal?
  • Does the state that I am doing this in require Private Investigator Licensure?
• I have collected all this data, how do I protect it?
  • How long do I retain it?
  • How do I dispose of it?
  • What value could be assigned to it?


Weaponizing OSINT

• We can’t be like the South Park underpants gnomes…


Social Engineering Demo


Contact Me

Social Media

• Twitter: @C_3PJoe / @advpersistsec

• LinkedIn: linkedin.com/in/billyjgrayjr

• Facebook: facebook.com/joegrayinfosec

Email

[email protected]

[email protected]

Blog and Podcast

• advancedpersistentsecurity.net

Podcast is also on iTunes, Stitcher, Google Play, and other fine platforms

Future Speaking Engagements

October 17-18: EDGE Security Conference, Knoxville, TN

October 20-22: SkyDogCon, Nashville, TN

October 26-17: Lone Star Application Security Conference (LASCON), Austin, TX

November 11: Bsides Charleston, Charleston, SC

November 15: Metro Atlanta ISSA Conference, Atlanta, GA


Contacting Sword & Shield


Questions?

OSINT Resources

(All in no particular order; except the book section)

• Blogs:
  • Automatingosint.com
  • learnallthethings.net
  • Osint.fail
• Podcasts:
  • Complete and Privacy Security Podcast
  • Social Engineer Podcast
• Book:
  • Open Source Intelligence Techniques (Michael Bazzell)
• Slack:
  • Openosint.slack.com
  • Aps-opensource.signup.team


• People to Follow:
  • @beast_fighter
  • @baywolf88
  • @jms_dot_py
  • @jnordine
  • @upgoingstar
  • @_sn0ww
  • @sarahjamielewis
  • @webbreacher
  • @andrewsmhay
  • @dutch_osintguy
  • @infosecsherpa
  • @sweet_grrl
  • @inteltechniques
  • @cybersecstu
  • @jennyradcliffe
  • @ginsberg5150
  • @iv_Machiavelli
  • @GRC_Ninja