Social Engineering Techniques
Will Vandevanter, Senior Security Consultant
Danielle Sermer, Business Development Manager

Agenda
1. Rapid7 Company Overview and Learning Objectives
2. Social Engineering Techniques
3. Summary and Q&A

Rapid7 Corporate Profile
Company
• Headquarters: Boston, MA
• Founded 2000, Commercial Launch 2004
• 110+ Employees
• Funded by Bain Capital (Aug. 08) - $9M
• Acquired Metasploit in Oct. 09
Solutions
• Unified Vulnerability Management Products
• Penetration Testing Products
• Professional Services
Customers
• 1,000+ Customers
• SMB, Enterprise
• Community of 65,000+
Partners
• MSSPs
• Security Consultants
• Technology Partners
• Resellers
#1 Fastest growing company for Vuln. Mgmt
#1 Fastest growing software company in Mass.
#7 Fastest growing security company in U.S.
#15 Fastest growing software company in U.S.
Organizations use Rapid7 to Detect Risk, Mitigate Threats and Ensure Compliance

Social Engineering Techniques
Will Vandevanter
• Penetration Tester and Security Researcher
• Web Application Assessments, Internal Penetration Testing, and Social Engineering
• Disclosures on SAP, Axis2, and open source products
• Twitter: @willis__
• will __AT__ rapid7.com

Social Engineering Definition
“The act of manipulating people into performing actions or divulging confidential information.”
Wikipedia (also sourced on social-engineer.org)

Social Engineering Definition Revisited
• The act of manipulating the human element in order to achieve a goal.
• This is not a new idea.

Visualizing the Enterprise

Goal Orientated Penetration Testing
• The primary objective of all assessments is to demonstrate risk
• ‘Hack Me’ or ‘We just want to know if we are secure’ is not specific enough
• How do I know what is most important to the business?

How We Use Social Engineering
• To achieve the goals for the assessment
• To test policies and technologies

Commonalities
1. Information Gathering
2. Elicitation and Pretexting
3. The Payload
4. Post Exploitation
5. Covering your tracks
Electronic Social Engineering

Information Gathering
• White Box vs. Black Box vs. Grey Box
• Know Your Target
• Gather Your User List
  – Email Address Scheme
  – Document meta-data
  – Google Dorks
  – Hoovers, Lead411, LinkedIn, Spoke, Facebook
• Verify Your User List
• Test Your Payload
Template 1 – The Fear Factor
• Goal: To obtain user credentials without tipping off the user
• Identify a user login page
  – Outlook Web Access
  – Corporate or Human Resources Login Page
• Information Gathering is vital

Pretexting

The Payload

Post Exploitation

How Effective Is It?
• Incredibly Successful
• Case Study
  – Mid December 2010
  – 80 e-mails sent to various offices and levels of users
  – 41 users submitted their credentials
• Success varies on certain factors
  – Centralized vs. Decentralized Locations
  – Help Desk and internal communication process
  – Number of e-mails sent
  – Time of the day and day of the week matter

Controls and Policy
• Do your users know who to contact if they receive an e-mail like this?
• How well is User Awareness Training working?
• How well is compromise detection working?
• Are your mail filters protecting your users?
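One concrete answer to "are your mail filters protecting your users?" is a rule that scores an inbound message on the traits the Fear Factor template relies on: a sender domain that merely resembles the corporate one, an internal persona (help desk, HR) on an external address, and an urgent request to log in at a host that is not the real webmail server. The following is an added example, not code from the slides or from Rapid7; the domain example.com, the host mail.example.com, the word lists and both sample messages are constructed for it.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumptions for this example (not from the slides): the organisation's mail
# domain and the only host where users should ever be asked to log in.
CORP_DOMAIN = "example.com"
TRUSTED_LOGIN_HOSTS = {"mail.example.com"}
# Display names an internal-looking notice would borrow, and wording that
# pressures the reader into acting (the "fear factor" of the template).
INTERNAL_PERSONAS = ("help desk", "helpdesk", "it department", "it support", "human resources")
URGENCY_WORDS = ("password", "credentials", "verify", "suspended", "expire", "locked")


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings; catches one- or two-character domain twists."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str) -> bool:
    """True when a sender domain is not ours but is built to resemble ours."""
    domain = domain.lower()
    if domain == CORP_DOMAIN or domain.endswith("." + CORP_DOMAIN):
        return False                                  # our own domain or a subdomain of it
    labels = domain.split(".")
    if len(labels) < 2:
        return False                                  # bare host name, nothing to compare
    corp_label = CORP_DOMAIN.split(".")[0]            # "example"
    registrable = ".".join(labels[-2:])               # last two labels, e.g. "examp1e.com"
    if levenshtein(registrable, CORP_DOMAIN) <= 2:    # examp1e.com, exampel.com
        return True
    if corp_label in labels[:-1]:                     # example.com.secure-login.net
        return True
    return corp_label in labels[-2] and labels[-2] != corp_label  # example-com.net


def assess(raw: str) -> list:
    """Return the list of phishing indicators found in one raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    external = domain != CORP_DOMAIN and not domain.endswith("." + CORP_DOMAIN)
    body = msg.get_content().lower()
    findings = []
    if is_lookalike(domain):
        findings.append("lookalike-sender-domain")
    if external and any(p in display.lower() for p in INTERNAL_PERSONAS):
        findings.append("internal-persona-external-sender")
    urgent = any(w in body for w in URGENCY_WORDS)
    for url in re.findall(r"""https?://[^\s<>"']+""", body):
        host = urlparse(url).hostname or ""
        if urgent and host not in TRUSTED_LOGIN_HOSTS:
            findings.append("login-link-offsite:" + host)
    return findings


# Constructed sample messages: one in the style of the Fear Factor template,
# one legitimate maintenance notice from the real help desk.
PHISH = """\
From: IT Help Desk <helpdesk@examp1e.com>
To: user@example.com
Subject: Your password expires today
Content-Type: text/plain; charset=utf-8

Your Outlook Web Access password will expire in 2 hours.
Verify your credentials at https://owa.examp1e.com/login to avoid being locked out.
"""

LEGIT = """\
From: IT Help Desk <helpdesk@example.com>
To: user@example.com
Subject: Scheduled maintenance
Content-Type: text/plain; charset=utf-8

Webmail will be unavailable Saturday 02:00-04:00. No action is required.
Status page: https://mail.example.com/status
"""

if __name__ == "__main__":
    print("phish :", assess(PHISH))
    print("legit :", assess(LEGIT))
```

Any one indicator on its own is a weak signal; the value is in how several line up on the same message, and in routing a flagged mail to the help desk so the "who do I contact?" question on this slide has a working answer.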
Template 2 – Security Patch
• Goal: To have a user run an executable providing internal access to the network.
• Information Gathering:
  – Egress filtering rules
  – Mail filters
  – AV

Pretexting

The Payload
• Meterpreter Executable
• Internal Pivot

Post Exploitation

How Effective Is It?
• Highly dependent on a high number of factors
• At least 5-10% of users will run it
• Case Study
  – July 2010
  – ~70 users targeted
  – 12 connect-backs made
• Success varies on many factors
  – Egress Filtering
  – Mail Server Filters
  – Server and endpoint AV
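The two case studies (the Fear Factor run and the Security Patch run above) give campaign totals only; whether those numbers improve over time, and which offices or weekdays are the weak spots, is what an awareness programme has to track. The following added example, not code from the deck or from Rapid7, rolls up simulated-phishing results per campaign and per factor and compares two test rounds. The totals are the slides' figures (80 sent / 41 submitted; ~70 targeted / 12 connect-backs); the split by office, weekday and report count, the `Batch` record type and the second round are assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Batch:
    """One group of test e-mails from a simulated campaign (constructed record type)."""
    campaign: str
    office: str
    weekday: str
    sent: int
    hits: int        # credentials submitted (Template 1) or connect-backs (Template 2)
    reported: int    # users who reported the e-mail to the help desk


# Constructed data: campaign totals match the two case studies on the slides
# (80 sent / 41 submitted; ~70 targeted / 12 connect-backs). The split by office,
# weekday and report count is an assumption made for this example.
ROUND_1 = [
    Batch("fear-factor", "HQ", "Tue", 30, 12, 6),
    Batch("fear-factor", "HQ", "Fri", 10, 7, 1),
    Batch("fear-factor", "Branch-A", "Tue", 20, 9, 2),
    Batch("fear-factor", "Branch-B", "Fri", 20, 13, 0),
    Batch("security-patch", "HQ", "Mon", 40, 5, 9),
    Batch("security-patch", "Branch-A", "Thu", 30, 7, 2),
]
# A constructed follow-up run of the same template after awareness training.
ROUND_2 = [
    Batch("fear-factor", "HQ", "Tue", 40, 9, 14),
    Batch("fear-factor", "Branch-A", "Wed", 40, 7, 10),
]


def rate(hits: int, total: int) -> float:
    """Percentage with two decimals; 0.0 when nothing was sent."""
    return round(100.0 * hits / total, 2) if total else 0.0


def summarize(batches, key=None):
    """Roll up sent / hit / reported counts per campaign, optionally split by one
    attribute ('office' or 'weekday'). Returns {group: {sent, hit_rate, report_rate}}."""
    agg = defaultdict(lambda: [0, 0, 0])
    for b in batches:
        group = b.campaign if key is None else (b.campaign, getattr(b, key))
        agg[group][0] += b.sent
        agg[group][1] += b.hits
        agg[group][2] += b.reported
    return {g: {"sent": s, "hit_rate": rate(h, s), "report_rate": rate(r, s)}
            for g, (s, h, r) in agg.items()}


def riskiest(batches, key):
    """For each campaign, the office or weekday with the highest hit rate."""
    worst = {}
    for (campaign, segment), m in summarize(batches, key).items():
        if campaign not in worst or m["hit_rate"] > worst[campaign][1]:
            worst[campaign] = (segment, m["hit_rate"])
    return worst


def trend(previous, current):
    """Change in hit and report rate (percentage points) between two test rounds
    of the same campaign template; the metric 'regularly test your users' needs."""
    p, c = summarize(previous), summarize(current)
    return {name: {"hit_delta": round(c[name]["hit_rate"] - p[name]["hit_rate"], 2),
                   "report_delta": round(c[name]["report_rate"] - p[name]["report_rate"], 2)}
            for name in c if name in p}


if __name__ == "__main__":
    for group, m in summarize(ROUND_1).items():
        print(f"{group}: {m['sent']} sent, {m['hit_rate']}% hit, {m['report_rate']}% reported")
    print("riskiest office :", riskiest(ROUND_1, "office"))
    print("riskiest weekday:", riskiest(ROUND_1, "weekday"))
    print("round 1 -> round 2:", trend(ROUND_1, ROUND_2))
```

The report rate matters as much as the hit rate: a campaign whose hit rate falls while its report rate rises shows that users have learned both not to act and whom to contact, which is the outcome the Controls and Policy slides are asking about.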
Controls and Policy
• Do your users know who to contact if they receive an e-mail like this?
• How well is User Awareness Training working?
• How well is compromise detection working?
• Are your mail filters protecting your users?
• Technical Controls

Tools of The Trade
• Information Gathering
  – Maltego
  – Shodan
  – Hoovers, Lead411, LinkedIn
• Social Engineering Toolkit (SET)
• Social Engineering Framework (SEF)
• Metasploit
Physical Social Engineering

Information Gathering
“If you know the enemy and know yourself you need not fear the results of a hundred battles.”
– Sun Tzu

Information Gathering
• White Box vs. Black Box vs. Grey Box
• Know Your Target
• Pretexting is highly important

Pretexting
• Props or other utilities to create the ‘reality’
• Keep the payload and the goal in mind
• Information Gathering is key

Template 1 – Removable Media
• Goal: To have a user either insert a USB drive or run a file on the USB drive
• Start with no legitimate access to the building
• Getting it in there is the hard part

Pretexting USB Drives
• The Parking Lot
• Inside of an Envelope
• Empathy
• Bike Messenger, Painter, etc.

Payload
• AutoRun an executable
• Malicious PDF
• Malicious Word Documents
Post Exploitation

Controls and Policies
• What are the restrictions on portable media?
• Was I able to bypass a control to gain access to the building?
• Technical Controls

Case Study - The Credit Union Heist
• Goal: “Paul” needed to obtain access to the server room at a credit union
• The room itself is locked and accessible via key card only.
• Information Gathering
• Pretexting

Gadgets
• RFID card reader and spoofer
• Pocket Router
• SpoofApp
• Lock Picking Tools
• Uniforms

Closing Thoughts
• Protecting against Social Engineering is extremely difficult
• User Awareness training has its place
• Regularly test your users
• Metrics are absolutely critical to success
• During an assessment much of it can be about luck

Resources
• www.social-engineer.org
• “The Stratagems of Social Engineering” – Jayson Street, DefCon 18
• “Open Source Information Gathering” – Chris Gates, Brucon 2009
• Security Metrics: Replacing Fear, Uncertainty, and Doubt – Andrew Jaquith

Questions or Comments