11/27/2017 [email protected] 1
The 2017 Social Engineering Capture the Flag Report
DEFCON 25 SECTF | DerbyCon VII SECTF | www.social-engineer.org
Social-Engineer, LLC
© All rights reserved to Social-Engineer, LLC, 2017.
No part of this publication, in whole or in part, may be reproduced, copied, transferred or any other right reserved to its copyright owner, including photocopying and all other copying, any transfer or transmission using any network or other means of communication, any broadcast for distance learning, in any form or by any means such as any information storage, transmission or retrieval system, without prior written permission from the author(s).
Table of Contents
Executive Summary ... 3
Overview of the SECTF ... 4
  Background and Description ... 4
  2017 Parameters ... 5
  Target Companies ... 7
  Competitors ... 7
  Flags ... 8
  Scoring ... 9
  Rules of Engagement ... 10
Results and Analysis ... 11
  Open Source Intelligence ... 11
  Pretexting ... 16
  Live Call Performance ... 17
  Competitor Summary ... 19
  Final Contest Results ... 22
  Discussion ... 27
  About the Social-Engineer Village ... 30
Conclusion ... 31
About Social-Engineer, LLC ... 32
Sponsors ... 33
Executive Summary
Social-Engineer.org (SEORG) hosted two Social Engineering Capture the Flag (SECTF) contests this year. The first was in July at DEFCON 25 in Las Vegas, NV for the eighth year in a row, with this competition targeting gaming companies. From over 150 DEFCON entries, we selected 14 competitors from diverse backgrounds and experience levels to test their social engineering abilities. Below is a table highlighting some basic statistics from this year’s competition:

Target companies: 14
Competitors: 14
Attempted calls (logged): 114
Total points scored on reports: 1774
Total points scored on calls: 2360
Table 1: DEFCON SECTF general summary

The second SECTF was held at DerbyCon 7.0 in Louisville, KY in September 2017 and was the first SECTF to be held there, targeting Fortune 500 companies based in Louisville. From 17 DerbyCon entries, we selected 6 and below is a table highlighting some basic statistics from this competition:

Target companies: 6
Competitors: 6
Attempted calls (logged): 80
Total points scored on reports: 725
Total points scored on calls: 1642
Table 2: DerbyCon SECTF general summary

As in years past, the overall goals of these contests were to raise awareness of the ongoing threat posed by social engineering and to provide a live demonstration of the techniques and tactics used by the potential malicious attacker. There were very strict rules of engagement in place to ensure no sensitive information on companies or individuals was disclosed. To further protect employees of target companies from potential negative repercussions, identities of those contacted are neither recorded nor retained. It is important to note that the reporting of a target company’s overall performance is a combination of points scored by their assigned contestant in both Open Source Intelligence (OSINT) gathering and live call phases of the contest. The scoring alone contained within this report does not necessarily indicate that one company is less secure than another company. However, it is an indicator of the potential vulnerabilities that exist and demonstrates that despite training, warnings and education, social engineering is still a very serious and viable threat to corporations.
Overview of the SECTF
The Social Engineering Capture the Flag (SECTF) contests are annual events held within the Social-Engineer Village at both the DEFCON Hacking Conference in Las Vegas, NV and the DerbyCon Information Security conference in Louisville, KY. The SECTF is organized and hosted by Social-Engineer.Org (SEORG), the noncommercial, educational division of Social-Engineer, LLC. The competitions were formed to demonstrate how serious social engineering threats are to companies and how even novice individuals can use these skills to obtain important information. The contests are divided into two parts, the information-gathering phase that takes place prior to the conferences, followed by the live call phase that occurs at DEFCON and DerbyCon.
Background and Description
The SECTF is a contest in which participants attempt to obtain specific pieces of information, called flags, from select private-sector companies. The purpose of the contest is to demonstrate how much information can be freely obtained either through online sources or via telephone elicitation. Months prior to the events, SEORG solicited for individuals who wished to compete via our social media outlets and www.social-engineer.org website. We also asked participants to submit a 90-second video outlining why they should be included in the contest. Our panel made selections based on a number of factors that included the desire to learn, as well as our perception of the contestant’s intent. As this is an educational event, we wish our participants to have a very strong emphasis on ultimately helping the status of corporate security as opposed to the singular goal of “winning” a contest. Although applicants who submitted videos were given preference in selection, it was not mandatory. From over 150 DEFCON applicants, we selected 14 contestants and randomly assigned them to a company. From 17 DerbyCon applicants, we selected 6 contestants and randomly assigned them to a company. Contestants were not made aware of any other competitors or target companies other than their own prior to their call time at the live event. The target companies were not informed of their inclusion in the SECTF, nor was the industry announced prior to our contest. For DEFCON this year, we selected gaming as the target industry. These are brands that are immensely popular on a global scale and have recently suffered high-profile attacks with user personally identifiable information (PII) being released. For the inaugural SECTF at DerbyCon, we selected Fortune 500 companies that were formed in the local area of Louisville KY. Contestants were given 3 weeks to gather as much information about their target company as possible and generate a formal report. They were allowed to use only Open Source Intelligence (OSINT) that could be obtained through search engines or tools such as Google, FOCA, Maltego, etc. During this information-gathering phase, contestants attempted to capture as many of the pre-defined flags as possible. The information gathered was to be assembled into a professional report. Contestants were provided with a sample report to assist them, but were not required to use this template. In addition to the flags, points were also awarded based on the professionalism and quality of the report.
Contestants were then assigned a time slot to perform their live calls on either Friday or Saturday during DEFCON and Friday during DerbyCon. Great care was taken in the development of the contest to ensure maximum success for the contestants. Since DEFCON calls were conducted from the West Coast, companies whose headquarters were located on the East Coast were assigned earlier time slots. Furthermore, companies who were more easily accessible during non-standard business hours were assigned Saturday time slots. Contestants were placed in a soundproof booth and required to provide a list of phone numbers (obtained during the information-gathering stage) at the target company to call along with phone numbers they wished us to spoof. Caller ID spoofing is a method through which one’s incoming phone number can be forged, or “spoofed,” usually to appear as a non-threatening, and/or internal number. This is a tactic commonly used by social engineers to increase their credibility with recipients. Each contestant was free to use their entire allotted 20-minute time slot to perform as many or as few calls as they wished. Although United States federal law only requires one party to be notified in the event of recording a telephone call, many states (Nevada included) have created additional laws requiring both parties to consent. Since we could not obtain the consent of target companies without jeopardizing the integrity of the contest, no recording of any type was permitted during DEFCON (including that by the audience), but recording was allowed at DerbyCon as Kentucky is a one-party consent state. Photographs were allowed with permission of the contestant. Scoring was accomplished during each call by three judges at DEFCON and a single judge at DerbyCon. Based on very positive feedback from previous years, we again took opportunities after each call for a Q&A and discussion with the contestant and judging panel. During that time, we analyzed the success of the techniques used, and answered as many questions directed to either judging panel or contestant as time allowed. Subsequent to the contest, scoring and comments were reviewed along with the reports submitted prior to the conferences to determine the winners. It should be noted that all contestants were required to place a $20 USD fully refundable deposit to reserve their spot at the contest. All contestants were refunded this deposit immediately after completing their calls, unless they were not present for their time slot.
2017 Parameters
Overall, we attempt to keep the major parameters of the competition as consistent as possible from year to year. However, we do make changes to ensure that the contest continues to be challenging and educational for both contestants and audience. Primary changes for 2017:
o Contestants were no longer allowed to obtain the same flag multiple times during a single call from a single target
o Contestants were no longer allowed to re-call the same target to obtain the same information previously acquired
o Contestants were allowed to call potential target companies prior to DEFCON, only to ensure telephone numbers were valid, but personal numbers or cell phone numbers were not to be included in these tests
o Bribery (“you will be given a gift card for your participation”) was explicitly disallowed
o The target companies were all gaming companies for DEFCON
o The target companies were Fortune 500 companies started in Louisville, KY for DerbyCon
Target Companies
The Social-Engineer staff, through an open nomination and voting process, accomplished target selection. We made every attempt to ensure that no bias was introduced through attitudes or preconceived notions regarding any particular company. As in previous years, we made the call for companies to be willing participants in the SECTF. This was the first year in which a company volunteered to be a target. Unfortunately, they were not in the target industry and the request could not be honored. Therefore, none of the companies chosen were aware of their selection prior to either conference. The DEFCON target list (in alphabetical order):
1. 2K Games
2. Activision Blizzard
3. Bandai Namco Entertainment
4. Bethesda Game Studios
5. Disney
6. Electronic Arts
7. Hasbro
8. Mattel
9. Nintendo
10. Rockstar Games
11. Sega Games
12. Sony
13. Ubisoft Entertainment
14. Warner Brothers Games

The DerbyCon target list (in alphabetical order):
1. Ashland
2. Brown-Forman Corporation
3. GE Appliances
4. Papa John’s International
5. Tempur-Pedic
6. Yum! Brands

Competitors
As in all previous years, one of our core rules is that no one is victimized. This includes those who choose to participate, those who are called, and the companies they work for. Our contestants’ personal information is never revealed, and they are only photographed if they provide explicit verbal permission prior to their live call segment. No recording of contestants during their calls at DEFCON is ever permitted due to two-party consent laws in the state of Nevada.
There were 14 competitors selected from an original pool of over 150 applicants for DEFCON and 6 selected from 17 applicants for DerbyCon. Not all were skilled callers or experienced social engineers. For many, this was their first attempt at ever placing a deliberate social engineering-based call. Some of the contestants were red team or security specialists, but many were from other fields not related to social engineering or information security.
Flags
A “flag” is a specific piece of information that the contestants attempted to obtain in both the OSINT and live call portions of this competition. Every year, we send an overview of flags, rules, targets and other pertinent information to our legal counsel. We do this to ensure we remain within the legal bounds as prescribed by state and federal law, based on the advice of our legal counsel, as well as ensuring we adhere to our ethical beliefs as an organization. Table 3 outlines the list of specific flags, their categories, and point values for 2017.

2017 SECTF Flag List (Report points / Call points)

Logistics
  Is IT Support handled in house or outsourced?  3 / 6
  Who do they use for delivering packages?  3 / 6
  Do you have a cafeteria?  4 / 8
  Who does the food service?  4 / 8

Other Tech
  What is the name of the company VPN?  4 / 8
  Do you block websites?  2 / 4
  If website block = yes, which ones? (Facebook, EBay, etc.)  3 / 6
  Is wireless in use on site? (yes/no)  2 / 4
  If yes, ESSID Name?  4 / 8
  What make and model of computer do they use?  3 / 6
  What anti-virus system is used?  5 / 10

Can Be Used for Onsite Pretext
  What is the name of the cleaning/janitorial service?  4 / 8
  Who does your bug/pest extermination?  4 / 8
  What is the name of the company responsible for the vending machines on site?  4 / 8
  Who handles their trash/dumpster disposal?  4 / 8
  Name of their 3rd party or in-house security guard company?  5 / 10
  What types of badges do you use for company access? (RFID, HID, None)  8 / 16

Company Wide Tech
  What operating system is in use?  5 / 10
  What service pack/version?  8 / 16
  What program do they use to open PDF documents and what version?  5 / 10
  What browser do they use?  5 / 12
  What version?  8 / (call value not legible in the source)
  What mail client is used?  5 / 10
  Do you use disk encryption, if so what type?  5 / 10
  Fake URL (getting the target to go to a URL) www.seorg.org  N/A / 26

Employee Specific Info
  How long have they worked for the company?  3 / 6
  What days of the month do they get paid?  3 / 6
  Employee’s schedule information (start/end times, breaks, lunches)  3 / 6
  What is the name of the phone/PBX system?  4 / 8
  When was the last time they had awareness training?  5 / 10

  10 points each for each realistic attack vector detailed in the report to a maximum of 50 points. Supporting evidence must be provided for each attack vector as to why it is realistic.  0-50 / N/A
  Format, structure, grammar, layout, general quality of the report, a maximum of 50 points.  0-50 / N/A

Table 3: Flag list for SECTF

Scoring
Social-Engineer possesses a proprietary application for scoring of both the OSINT and live call portions of the competition. Flags obtained during the OSINT phase of the contest are worth half-points (see Table 3). OSINT reports were scored prior to the live call event. Scoring for the telephone calls was accomplished during each call by a three-person judging panel at DEFCON, and a single judge at DerbyCon. Flags captured during this portion of the event were awarded full points (see Table 3). Every attempt was made to ensure consistency in scoring for all contestants, regardless of the judge, although our scoring process does provide some subjectivity through the ability to include notes and comments by each judge for each contestant. At the end of the competition the scores were totaled by the application to determine the winning score. In addition to determining the SECTF winner based on point totals, we also conducted an analysis of how the target companies fared in response to a social engineering attack. It follows that the interpersonal skills and overall preparation of the contestant was highly predictive in the outcomes indicated by both scores as well as subjective assessments of performance by the judges. Unfortunately, a company cannot rely on the hope that a malicious social engineer will be inexperienced, unskilled, or unprepared upon which to base their sense of corporate security.
Rules of Engagement
Contestants are held to very strict rules to ensure the protection of target companies as well as their employees. The core rules remained the same as in previous years. We do not allow the collection of sensitive data such as credit card information, social security numbers, and passwords. Only Open Source Intelligence (OSINT) was allowed. We do not allow physical (i.e. facility) or technical (i.e. network) penetration into companies. In addition, we did not allow the contestant to visit any location of their target for information gathering purposes or interact with any person from the target before the calls. Contestants were only allowed to verify that the telephone numbers collected during OSINT were valid. We also specifically avoided sensitive industries such as government, education, healthcare, and finance. The most important rule stressed to all contestants is that there was to be absolutely no victimization of any individuals or target companies. For more specific information on the ROE, please see our rules and regulations at http://www.social-engineer.org/ctf/def-con-sectf-rules-registration/ and https://www.social-engineer.org/sevillage-derby-con/sectf-derby-con/.
Results and Analysis
High profile events as a result of malicious social engineering are illustrative of the fact that organizations continue to have vulnerabilities to human based attacks. Unfortunately, this year’s SECTF supported this evaluation as our contestants, both experienced and newcomers alike, were able to obtain flags both through OSINT and the live calls. Our findings are detailed in the sections that follow. It should be noted that any comparisons to previous years’ performance are for subjective trend analysis only and no statistical significance can be assumed due to differences in sample sizes, populations, and scoring conditions.
Open Source Intelligence
Preparation prior to any social engineering engagement is critical. It is this phase that is the most time-consuming and laborious, but can most often determine the success or failure of the engagement. The professional social engineer must be aware of all of the information-gathering tools freely available as well as the many accessible locations online that house valuable pieces of data. The following table is a partial list of tools and websites commonly used by professional social engineers as well as our contestants during the OSINT phase of the SECTF:

Google, Maltego, LexisNexis, FOCA, Twitter, PiPl, Reddit, Facebook, Plaxo, Google Maps, Google Earth, Shodan, Netcraft, Wikileaks, Nmap/Zenmap, Blogspot, Loopnet.com, Slideshare.com, Bgp.he.net, Iconosquare, Haveibeenpwned.com, PicasaWeb, WhoIs, WGet, Vimeo, Tineye, Wayback Machine, LinkedIn, Monster, GlassDoor, Yelp!, Craigslist, Instagram, Wikipedia, StartPage, Wigle.net, Scans.io, Indeed, Inteltechniques.com, Leakedsource.com, Flicker, Spokeo, YouTube, FourSquare, Friendster, theHarvester, Google Images, Telnet, EchoSec, DuckDuckGo, Pinterest, JigSaw, Recon-NG, Quora, CentralOps.net, Rocketreach.co, Censys.io, Sync.me, Hoovers, pentest-tools.com, Giantbomb

Table 4: Commonly used OSINT tools and websites
The quality and research dedicated to the reports continues to be impressive. Figure 1 shows total OSINT scores compared to the last 3 years of competition at DEFCON. DerbyCon 2017 numbers are included for the sake of complete 2017 data but are not comparable to DEFCON totals due to the significantly smaller number of competitors. Again, the data noted are strictly for general comparisons only and do not indicate statistically significant differences across years.
Figure 1: Comparison of OSINT total points 2014-2017
[Chart: 2014-2017 OSINT Scores; 2014: 1407, 2015: 1696, 2016: 1698, 2017: 1774, 2017 DerbyCon: 725]

An examination of OSINT mean scores and standard deviations in Figure 2 indicate that the amount of information located online by contestants has remained relatively stable, including that reported by the smaller number of contestants from DerbyCon this year. This suggests that companies have not appreciably improved in securing their potentially sensitive online information. The mean score is simply the mathematical average of the groups. The standard deviation is an indicator of how much the scores varied from the mathematical average; in other words, it is an indicator of score dispersion. A larger standard deviation indicates the scores are not as clustered around the average, and therefore show greater variability.

Figure 2: Comparison of OSINT points means and standard deviations 2014-2017
[Chart: 2014-2017 OSINT Mean/StdDev; OSINT Mean 2014: 156, 2015: 121, 2016: 121, 2017: 127, 2017 DerbyCon: 121; OSINT StdDev 2014: 45, 2015: 64, 2016: 72, 2017: 66, 2017 DerbyCon: 82]
The following list of this year’s more significant findings demonstrates that the danger posed by social engineering information gathering is extremely prevalent. Any of the following pieces of information could be used by a malicious attacker to further develop vishing, phishing, or onsite impersonation attacks. Only the more significant findings are listed.

Corporate Information
- Multiple breaches and information leaks have exposed sensitive corporate information
  o Plaintext passwords for corporate accounts
  o Directions on accessing corporate VPN
- Open employee social media use indicated a lack of distinction between personal and professional communications – corporate as well as product information was often located on personal social media accounts
- Pay and shift schedules were located on various employment sites as well as employee handbooks
- Vacation accrual and other benefits were located on various employment sites as well as employee handbooks
- Security awareness training policy was located in an employee handbook
- Pictures of employee badges were often located on various social media accounts
- Organizational charts and department lists were located on corporate websites
- Expansion plans and additional business ventures have been announced openly
- The standard formatting for email addresses was discovered for numerous companies
- Direct telephone extensions were located on numerous occasions
- The full employee directory was available via telephone for numerous companies
- A picture of a business card found online allowed the enumeration of additional corporate telephone numbers
- A public-facing website listed detailed information to include employee programs, benefits, training networks, and social media accounts

Employee Information
- Open corporate culture and social media use at both corporate and employee levels facilitated locating and connecting employees’ professional and social networks as well as identifying key personnel
- Corporate and employee social media often disclosed significant amounts of employee information to include education, background, length of time with the company, hiring/departures from the company, employee ID numbers, etc.
- Employee resumes were located; many listed PII to include home addresses and personal cell phone numbers
- Multiple breaches and information leaks have exposed the personal and professional information of many employees

Technologies
- One corporate website was discovered not having implemented SSL
- One target company was found to have an unsecured VPN
- Use of a webmail client by several targets was discovered
- One target company failed to anonymize their domain registrant information
- Intranet links were located on public facing websites
- An employee portal was discovered to require an outdated web browser and vulnerable scripts
- Trouble ticket submissions by customers at one target company allow the inclusion of links, attachments, and files
- 2 factor authorization was confirmed as not in use for several Internet facing servers
- A development website was found to be publicly accessible
- Production servers were determined to be in default configuration
- A webmail subdomain was easily guessed and exposed multiple pieces of information to include technologies in use
- Social media and job postings often revealed technologies used within companies to include specific infrastructure, telephone and badging systems, and applications
- Routers discovered at specific IP addresses disclosed their models and serial numbers
- Specific findings (not all-inclusive):
  o Computer makes/models identified (e.g., Dell, Asus, Mac, Windows tablets)
  o Telephone systems (e.g., Cisco, Polycom, Avaya)
  o Badge type and vendors identified
  o Operating systems (e.g., Linux, Mac, Windows, Apache, Oracle, Ubuntu)
  o Access point technologies (e.g., Cisco)
  o Email applications (e.g., Microsoft Exchange/Outlook, Gmail, Lotus Notes, webmail)
  o Office productivity applications (e.g., Microsoft Office Suite, Google Suite, Adobe Suite, Cisco Webex, Microsoft Lync)
  o Security applications (Symantec PGP, SecureDoc, BitLocker, Symantec Verisign, Cisco AnyConnect VPN, SafeNet MobilePass, F5 Firepass, Mac Filevault)
  o Antivirus applications (Norton, Avast, Trend Micro, McAfee)
  o Other miscellaneous technologies (PowerShell, Remedy ITSM, ServiceNow, Confluence, Sharepoint, VMware)
  o Outward facing Splunk servers located at specific IP addresses
  o SMTP servers located at specific IP addresses
  o Specific wireless network ESSIDs/SSIDs

Physical Plant
- The availability of tours of the facility was located online
- Pictures and videos on personal and corporate media revealed many details about the physical plant:
  o The type and location of badge sensors
  o Location of CCTV cameras
  o Interiors of offices
  o Cafeterias
  o Fitness centers
  o Complete layout of the facility to include ingress/egress points
  o On-site daycare facilities

Contractor/Vendor/Other Companies
- Some target company websites listed their clients
- Corporate websites and corporate/employee social media often disclosed vendors such as shipping companies, waste disposal, and food service
- Media such as news outlets disclosed employee benefits to include cafeterias, health subsidies, etc.
- Vendors were found to post target company information on their own websites
- Specific contractors/vendors/other companies located include:
  o Shipping (e.g., UPS, FedEx, USPS, DHL)
  o Food service (e.g., Coca Cola, Starbucks, Equiterre, Café Bon Appétit, Eurest, Sodexo, Aramark)
  o Waste/janitorial (e.g., Clean Tile and Grout, Rainbow Environmental Services, Waste Management)
  o Security (e.g., Reel Security, ADT Security Systems, AlliedBarton)
  o Real estate management (e.g., Allied REIT, PMI Properties)
  o ISP/content/technology providers (e.g., AT&T, Comcast Xfinity, Akamai, Rackspace)
  o Corporate lodging and shuttle transportation were determined

Positive Findings
- Employees referenced non-disclosure agreements
- Although physical tours are given, recording in sensitive areas is prohibited
- Some companies disallowed direct telephone lines to employees
We recognize that much of the information listed above is beyond the control of the organizations and individuals concerned. However, it is important to be aware of information freely available in order to mitigate possible exploitation by malicious attackers. Figures 3 and 4 provide a side-by-side comparison of points scored by competitors against their assigned company during the OSINT portion of the contest, out of a possible 228 points. The X-axis represents the competitors, and the Y-axis the point values for total points awarded for this phase of the competition.
Figure 3: OSINT Scores by DEFCON competitor
[Chart: DEFCON 2017 OSINT Scores; X-axis: Competitor 1-14; Y-axis: points 0-250; competitor scores: 119, 166, 35, 186, 95, 124, 167, 215, 111, 49, 67, 221, 189, 30]
Figure 4: OSINT Scores by DerbyCon competitor
[Chart: DerbyCon 2017 OSINT Scores; X-axis: Competitor 1-6; Y-axis: points 0-250; competitor scores: 153, 120, 189, 29, 18, 216]

The OSINT portion of our competition stresses a few key points. First, it emphasizes the overall importance of the information-gathering phase of any social engineering engagement. A thorough online investigation can provide an individual with a very good understanding of when, where, and how companies conduct business as well as the online activities of their employees through vectors such as social media. Second, any images found can be extremely useful for malicious attackers. For instance, if an attacker knows what buildings look like, the location of entrances and break areas, and perhaps finds pictures of corporate badges, these are all potential vulnerabilities. Finally, our OSINT exercise stresses the issue of online data leakage by organizations. Network penetration was not allowed; the flags during the OSINT phase were obtained through information freely found online without any live interaction with individuals at the target companies.

Pretexting
Selecting a proper pretext is a key component to the success of a vishing campaign. This year there were many pretexts used with varying degrees of success. Newcomers predictably struggled the most with both believable pretexts as well as with maintaining the pretext for the duration of the call. The most successful pretexts used this year were variations of a fellow employee. Our first and second place winners at DEFCON both used a scenario in which they called as an internal IT staffer attempting to troubleshoot/confirm systems. Somewhat less successful was the variation of the employee planning a site visit and asking questions to be properly prepared. Subsequent to the DEFCON SECTF, our winner recreated his successful call and the video may be viewed here: https://www.veracode.com/blog/security-news/how-single-phone-call-can-compromise-your-company. Other pretexts used included:
- Journalist requesting an interview
- Package delivery
- HVAC vendor
- Impersonation of an actual employee
- Calling as part of a trivia game
One of the most important rules for the SECTF is that contestants are not allowed to use negative pretexting. This includes threatening disciplinary action, and/or using extreme fear or anger towards a target. This rule is in place to keep targets from being left in fear for their employment as well as to provide a challenge to the contestants to formulate a pretext that is more creative. We are happy to report that all contestants stayed within the boundaries of non-manipulative pretexts this year.
Live Call Performance
The live call portion of the SECTF is an interesting trial for the contestant. It is not only a test in mental agility and the ability to influence a person in real-time, but also a task that must be accomplished in front of a live audience. The luxury of time and true anonymity enjoyed in the OSINT phase are not applicable. It is for that reason we congratulate all of our contestants in completing this phase of the competition. Figure 5 shows total call scores compared to the last 3 years of competition at DEFCON. DerbyCon 2017 numbers are included for the sake of complete 2017 data but are not comparable to DEFCON totals due to the significantly smaller number of competitors. Again, the data noted are strictly for general comparisons only and do not indicate statistically significant differences across years, but a cursory examination suggests that companies this year were more successful at denying information via the telephone.

Figure 5: Comparison of call total points 2014-2017
[Chart: 2014-2017 Call Scores; 2014: 5306, 2015: 6772, 2016: 4353, 2017: 2360, 2017 DerbyCon: 1642]
An examination of call mean scores and standard deviations in Figure 6 supports that contestants were, on average, less successful in obtaining flags over the telephone than in previous years, although variability was very high. This may suggest that some companies have improved in securing information leakage over the telephone to unverified callers.

Figure 6: Comparison of call points means and standard deviations 2014-2017
[Chart: 2014-2017 Call Mean/StdDev; Call Mean 2014: 438, 2015: 564, 2016: 311, 2017: 169, 2017 DerbyCon: 274; Call StdDev 2014: 167, 2015: 318, 2016: 331, 2017: 218, 2017 DerbyCon: 223]

Figures 7 and 8 quantify point values scored by the contestants against their assigned company during the live call portion of the contest. The X-axis represents the contestants and the Y-axis shows the point values awarded. This year, we had one last-minute contestant who replaced a no-show at DEFCON.

Figure 7: Live call scores by DEFCON competitor
[Chart: DEFCON 2017 Call Scores; X-axis: Contestant 1-14; Y-axis: points 0-800; contestant scores: 0, 18, 152, 350, 78, 42, 54, 794, 92, 0, 294, 346, 122, 18]
Figure8:LivecallscoresbyDerbyConcompetitor
Evenacursoryexaminationindicatesextremelyhighvariabilityamongstcontestants.Someofthisisattributabletochance,withsuccessbasedonthefrequencywithwhichtargetswerereached.However,wefeelthatthevastmajorityofperformancedifferenceisduetopreparationonthepartofthecontestant.
CompetitorSummaryThisyearwehadourtypicalrangeofnovicesocialengineerstoprofessionalpenetrationtesters.However,sincewemakechangestotheconditions,targetindustries,numberofcompetitors,andscoringeachyear(e.g.,extrapointsfor“tag-outs”in2014),theseaveragesareonlyvaluableintermsofidentifyinglargetrendssuchasthedatareversalwesawin2014.Figure9isasummaryofthemeanscoresofbothOSINTandcallsforthepast4years.Themathematicalaverageofscoresisimpactedbyoutliers(eitherveryhighorverylow),soisrelativelylimitedintheinformationitconveys.OnecansurmisethatcompetitorperformanceonOSINThasremainedrelativelyconsistentwhiletherehasbeenmuchgreatervariabilitywithrespecttocallsuccess.Thismaybeinpartduetocontestantsortargetindustry,butbasedondirectobservation,italsoappearsthatcompaniesareimprovingtheirabilitiestorepeltelephonerequestsmadebyunverifiedcallers.
[Chart: DerbyCon 2017 Call Scores; x-axis Contestant 1-6, y-axis 0-700 points]
Figure 9: Mean performance for SECTF 2014-2017
[Chart: Mean Performance 2014-2017; series OSINT Mean and Call Mean for 2014, 2015, 2016, 2017 and 2017 DerbyCon; y-axis 0-600 points]
The following are observations made during calls.

- Competitors who were the most successful:
  o Were very well prepared. They had conducted thorough OSINT and possessed more than enough possible targets/phone numbers to call. This year, both the first and second place winners had 30+ phone numbers to call. They were also familiar with internal terminology, systems, processes, and recent corporate news.
  o Developed good rapport with the target.
  o Dealt well with an unpredictable environment. This contest illustrates the difficulty of live calling. Our best competitors thought quickly on their feet and were able to adjust pretexts and questions even when the call appeared to be going poorly.
  o Carefully planned the order of their questions. The most experienced contestants tended to start with non-threatening questions and gradually pressed the targets into disclosing more sensitive information.
  o Were persistent. At DEFCON, our Friday competitors had the most issues reaching live targets. One contestant in particular kept reaching dead ends until his very last call, during which he obtained almost all of his flags.
  o Made masterful use of questions and obtained flags without directly asking, a key element of good elicitation.
  o Had excellent time management. Keeping an eye on the clock allowed the contestant to decide when to abandon an unproductive call and move on to the next target.
  o Dealt with resistance and rejection in a calm fashion.
- Competitors who had the most difficulty:
  o Were not able to make their pretexts immediately clear to their targets. Without being able to establish who, what, and why immediately, these competitors often rambled and were unable to develop proper rapport.
  o Were quick to abandon a call if they met even the slightest resistance.
  o Did not properly research the company before the live calling phase.
  o Failed to recognize opportunities that could either continue an ongoing call or lead to more informed follow-on calls.
    § Several competitors ended calls when the intended target was not reached, even when the person on the phone indicated willingness to assist.
    § One target referenced a "big event" in progress that our competitor failed to pursue.
  o Were relatively rigid in obtaining certain flags; e.g., one contestant continued to ask questions about food service, making the call seem unnatural.
  o Spent more time talking than listening.
  o Used closed-ended questions that often cut off the opportunity to continue the conversation.
  o Made assumptions about certain departments (e.g., that HR would be less forthcoming) and lost opportunities.
- Techniques:
  o A number of successful competitors escalated their requests from small to large.
  o Several competitors had discovered the names of target company employees, and referenced them in calls.
  o A number of successful competitors phrased their elicitations as confirmation of information they already knew (collected in the OSINT phase).
  o Successful competitors also used deliberate false statements to have the target correct them with the correct flag.
  o A number of competitors used a "rapid fire" style of questioning, essentially overwhelming their targets. Depending on the amount of rapport established, this was a successful technique.
  o One competitor referenced a recent high-profile event to add urgency and veracity to her pretext. This is an extremely powerful and typically very successful technique.
  o One competitor used a physical prop (a keyboard) to add a sound effect to his call, adding validity to his pretext.
- Additional Observations:
  o One competitor had the misfortune of reaching an individual who worked for the person he was impersonating.
  o Two of our competitors were unable to obtain flags due to personnel not answering calls. This mirrors actual social engineering engagements and demonstrates the lack of predictability and control inherent in vishing calls.
  o In more than one case, a company's corporate directory provided the full names of individuals, providing multiple target opportunities with a single call.
  o We had one no-show at DEFCON this year. Despite minimal time to prepare, the volunteer contestant was able to obtain some flags, demonstrating the ease with which information can be obtained via the telephone, even by an unprepared novice.
Final Contest Results

At the conclusion of the live call portion of the contest, the judging panel met and reviewed all scores. Figures 10 and 11 are tallies of OSINT scores, call scores, and grand total by company. A higher score denotes that a higher number or value of flags were surrendered, and is indicative of poorer performance on the part of the company. Average OSINT scores remained stable for both DEFCON and DerbyCon, but call scores appear to have fallen again this year, perhaps indicative of a positive trend in which organizations are improving with respect to the information disclosed to unverified callers.
Figure 10: DEFCON 2017 company ranking
[Chart: DEFCON 2017 Company Ranking; series OSINT, Call and Total per company; y-axis 0-1000 points]
Figure 11: DerbyCon 2017 company ranking
Keeping with the trend from past years, contestants tended to rely heavily on the call portion for their score. Unfortunately, it should also be noted that several targets this year went completely untested during the call portion because personnel simply did not answer telephone calls at all. Finally, every target company disclosed at least some information (either discovered during OSINT or during live calls) which could be used as a possible attack vector by malicious actors.

The ranking of companies from best performance (lowest score) to worst performance (highest score) for DEFCON 2017 is as follows:

1. Warner Brothers Games
2. Rockstar Games
3. 2K Games
4. Electronic Arts
5. Disney
6. Activision Blizzard
7. Bandai Namco Entertainment
8. Nintendo
9. Hasbro
10. Ubisoft Entertainment
11. Sega Games
12. Bethesda Game Studios
13. Sony
14. Mattel
[Chart: DerbyCon 2017 Company Ranking; series OSINT, Call and Total per company; y-axis 0-900 points]
The ranking of companies from best performance (lowest score) to worst performance (highest score) for DerbyCon 2017 is as follows:

1. Papa John's International
2. Tempur-Pedic
3. Yum! Brands
4. Brown-Forman Corporation
5. Ashland
6. GE Appliances

We do not release information on specific vulnerabilities of the companies to the general public. NOTE: We do provide this information directly to the involved companies upon request. Any involved company can reach out to us at sectf@social-engineer.org for information on how to obtain this data.

One positive aspect of the live call portion of the SECTF each year is to see when a company shuts down the contestant. That is, the person from the target company follows appropriate security protocol and does not answer any questions or hangs up on the call. Each year, when a person from a target company stops a contestant, the room breaks out into applause. This year we had several calls during which the targets stated they were prohibited, through company policy, from disclosing information to unverified callers. Despite these positive notes, overall, this year's contest proved, once again, that potentially damaging information on organizations is still either easily accessible online or discovered via telephone calls by even the most novice competitor.

Figures 12 and 13 illustrate the number of times each flag was obtained during both the OSINT and live call phases. While not all flags were requested the same number of times, this is at least an indicator of likely vectors into an organization.
Figure 12: DEFCON 2017 flag frequency distribution
[Chart: DEFCON 2017 Flags Surrendered; count per flag, series CALLS and OSINT; y-axis 0-25]
Figure 13: DerbyCon 2017 flag frequency distribution

Inspection will reveal that the most commonly obtained flag this year at DEFCON was the amount of time the target had worked for the company, followed by whether or not there was an onsite cafeteria. These are identical to last year's top flags. The first flag could be used by a malicious attacker in determining how difficult it might be to escalate an attack using this individual, as well as the value of the information they may hold. A newcomer to an organization may be an easier target, but may also provide less valuable information, depending on their job function. The other flag could be used to perpetrate believable attacks via onsite impersonation attempts. The most commonly obtained flag at DerbyCon was whether or not the targeted company blocked websites. This information could be used in planning a phishing attack using a malicious link, particularly if it was determined that the target company had no policy or controls in place to prevent unmonitored Internet access.
[Chart: DerbyCon 2017 Flags Surrendered; count per flag, series CALLS and REPORTS; y-axis 0-18]
The take-away here is that social engineering is not the end game, but is used as the entry point to perpetrate theft of identity or resources. The motivated individual will compile information from a number of different sources and create believable attacks that are difficult to recognize and resist. It is interesting to note that EVERY applicable flag was surrendered at least once by the target companies.
Discussion

This was, once again, an interesting and informative year. Based on all of the data and our own observations, we can conclude a few points. First and foremost, social engineering continues to be a security risk for organizations. This was our eighth consecutive year hosting this event at DEFCON; in that time, and despite numerous high-profile security breaches that occurred this year, we have not seen consistent improvements that directly address the human element in organizational security. Even as companies are reportedly investing more in security awareness training and policy development, the results again this year support our belief that overall, companies are still doing a relatively poor job. Not all of our competitors were experienced information security professionals; however, all were able to obtain flags. It does not appear that employees are consistently being educated to understand the value of the information they hold or how to appropriately protect it. Rather than accept a request at face value, employees need to be trained and encouraged to question, challenge, and make good decisions. If the training task is too difficult to overcome immediately, then at minimum, employees need to have proper protocols in place that allow them to question callers. For example, if all callers were required to verify themselves with an employee ID or other daily code, this could greatly reduce the risk of telephone-based attacks and remove the need for employees to decide for themselves the correct course of action. If an organization creates an ambiguous situation, either through unclear policies or inadequate training, employees will make the choices that are easier and less uncomfortable (e.g., disclosing information as opposed to politely declining to answer). It should be noted that in the past few years, we have observed a trend in which more companies appear to be improving in their resistance to telephone elicitation attempts.

Our second conclusion is that companies are still allowing sensitive data to be posted online. In direct opposition to security is the basic nature of conducting modern business. Clear communication with, and accessibility of information by, clients and partners is mandatory. This places companies in a position where they need to make their resources highly available, and perhaps vulnerable. In addition to monitoring corporate information, another challenge for all organizations is the inability to completely control the social media and other postings of current and past employees. Our competitors clearly found valuable information through these sources, and they are certainly used by malicious attackers to craft phishing, vishing, and onsite impersonation attempts. Although it is unlikely that this vulnerability can ever be completely mitigated, clear policies and training can help make employees aware of the risk in which they place both themselves and their companies by oversharing information.
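The "daily code" protocol suggested above is easy to get wrong in practice: a code posted on a whiteboard, or one the employee reads out to a caller who "forgot" it, is worth nothing. The following is an added example, not code from the report or from Social-Engineer, LLC, showing one way to implement such a code so that it is derived rather than distributed: each day's code is an HMAC of the date under a secret held by the help desk and the employee's own authenticator, truncated to six digits in the style of HOTP (RFC 4226), and verified with a constant-time comparison and a one-day grace window for shifts that cross midnight. The site label "helpdesk", the six-digit length, the grace period and the sample secret are all assumptions for illustration.

```python
"""Added example: a per-day caller verification code (not part of the SECTF
report). The 'helpdesk' site label, the code length, the grace window and the
sample secret are assumptions chosen for illustration."""
import datetime
import hashlib
import hmac

CODE_DIGITS = 6


def daily_code(secret: bytes, day_iso: str, site: str = "helpdesk") -> str:
    """Derive the verification code for one day (YYYY-MM-DD) from a shared secret.

    HMAC-SHA256 over the site label and the date, reduced to CODE_DIGITS decimal
    digits with the dynamic-truncation step from RFC 4226. Anyone holding
    `secret` can compute the same code; nobody without it can predict
    tomorrow's code from today's, so a leaked code expires with the day.
    """
    datetime.date.fromisoformat(day_iso)  # reject malformed dates early
    message = f"{site}|{day_iso}".encode()
    mac = hmac.new(secret, message, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F  # RFC 4226 dynamic truncation
    window = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(window % 10 ** CODE_DIGITS).zfill(CODE_DIGITS)


def verify_caller(secret: bytes, presented: str, today_iso: str,
                  site: str = "helpdesk", grace_days: int = 1) -> bool:
    """Check a code read out BY the caller TO the employee.

    Accepts today's code and up to `grace_days` previous days so a shift that
    crosses midnight is not locked out. The comparison is constant-time and a
    miss returns a bare False, so the employee learns nothing to pass on.
    """
    if len(presented) != CODE_DIGITS or not presented.isdigit():
        return False
    today = datetime.date.fromisoformat(today_iso)
    for back in range(grace_days + 1):
        day_iso = (today - datetime.timedelta(days=back)).isoformat()
        if hmac.compare_digest(daily_code(secret, day_iso, site), presented):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample: a fixed secret and date so the run is reproducible.
    secret = b"rotate-me-and-keep-me-in-a-vault"
    today = "2017-07-28"
    code = daily_code(secret, today)
    print("today's code:           ", code)
    print("caller verified:        ", verify_caller(secret, code, today))
    print("yesterday's code (grace):", verify_caller(secret, daily_code(secret, "2017-07-27"), today))
    print("two-day-old code:       ", verify_caller(secret, daily_code(secret, "2017-07-26"), today))
    print("guessed code:           ", verify_caller(secret, "123456", today))
```

The direction of the check is the whole point: the employee asks the caller for the code and never states it, so a caller who cannot produce it is handled by policy rather than by the employee's judgment. Rotate the secret on a schedule, keep it out of any directory or wiki an OSINT phase could reach, and treat a correct code as authorization for that day only, since an attacker who elicits it once can reuse it until midnight.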
We sincerely hope our findings are useful in making all organizations safer and more secure places in which to conduct business.

Mitigation

The ongoing goal of the SECTF is to raise awareness of the threat that social engineering presents to both organizations and individuals. The crux of this report is to inform companies of the dangers associated with malicious social engineers as well as how they can mitigate vulnerabilities and protect against these attacks. Based on our practice and in reviewing the trends over the past several years, we would expect the use of social engineering to continue to be a significant threat to organizations. Mitigation must be a combination of technical controls, policy, and training in order to defeat malicious attackers. Below are a few areas for potential mitigation of this threat.

1. Defensive actions

Good technology must be the foundation of corporate information security. At a bare minimum, organizations must possess basic technical controls, including appropriate hardware, software, and adequate system administration. Technical exploitation continues to probe the perimeter for unpatched systems and outdated technology. Don't make a hacker's job that much easier by not investing in secure technologies. In addition, help your employees make safe decisions. Most make decisions that will affect corporate security on a daily basis. If your policy is unclear, or puts the employee in a position to make an unsafe choice, you are not giving them the tools they need to help keep the company secure. The OSINT phase of the contest revealed how much data on a target company can be gathered through the simplest online searches. Companies must balance the business requirements of managing their brands with the risks associated with having open and approachable communications with their employees and the world. Companies need to set clear definitions of what is and is not allowed with regard to the handling and posting of information, particularly with respect to social media. Individuals will often not make the connection that personal life being discussed in an open social forum can be leveraged to breach their employers. In addition, clearly defined policies on how, where, and what kind of information can be uploaded to unsecured areas of the Internet can go a long way toward safeguarding companies. Finally, companies MUST help their employees understand what information is valuable and how to think critically about its protection. Guidelines, policies, and education can help employees understand the risks associated with information exchange in both their personal and professional lives, creating a security-focused culture.

2. Security awareness education

One of the areas that appears to be lacking across the board is high quality and meaningful security awareness education. Educating the population to meet compliance requirements is not sufficient. In our experience, there is a definite relationship between companies that provide frequent and relevant awareness training and the amount of information that company surrenders. An organization that places a priority on education and critical thinking is sure to possess a workforce that is far more prepared to deal with malicious intrusions, regardless of the attack vector. Security awareness training needs to be practical, interactive, and applicable. It also needs to be conducted on a consistent basis. This does not require that a company plan large events each month, but regular security reminders should be sent out to keep the topic fresh in employees' minds. In addition, we have found through our practice that companies who employ ongoing phishing and vishing awareness campaigns through real-world testing often fare better against these threats than those who do not. Many times, the difficulty lies in businesses making training and education a priority to the extent that appropriate resources are allocated to ensure quality and relevance. Security education cannot come from a canned, pre-made solution. Education needs to be specific to each company and, in many cases, even specific to each department within the company. Companies who truly understand the challenges and rewards associated with high quality training and education will find themselves most prepared for the inevitable.

3. Realistic testing

One large mistake that many organizations make is assuming a deficit model of decision making, which states that if individuals are provided with more information, they will make better decisions. There is a significant amount of research that indicates this is untrue. The key to helping a population make safer decisions is realistic testing. Only placing an individual in the position of actually making a decision in a safe setting can assure the organization that their employees will make the right choice at the critical time. Two of the most necessary aspects of security are the social engineering risk assessment and penetration test. When a proper risk assessment is conducted by professionals who truly understand social engineering, real-world vulnerabilities are identified. Leaked information, social media accounts, and other vulnerable aspects of the company are discovered, cataloged, and reported. Potential attack vectors are presented and mitigations are discussed. A social engineering penetration test increases the intensity and scrutiny; attack vectors are not simply reported, but executed to test a company's defenses. The results are then used to develop awareness training and can truly enhance a company's ability to be prepared for these types of attacks. We conclude that if the companies targeted in this year's competition had possessed regular social engineering risk assessments and penetration testing, they might have been more aware of possible attack vectors and been able to implement education and other mitigations to avoid these potential threats. These are just three of the many strategies that can be utilized to improve and maintain security and prepare for the attacks being launched on companies every day. Our hope is that this report helps shed light on the threats presented by social engineering and opens the eyes of corporations to how vulnerable they really are.
About the Social-Engineer Village

The Social-Engineer Village is now a popular staple at both DEFCON and DerbyCon. In addition to hosting the SECTF, SEORG has created a series of events to entertain and educate attendees on all things social engineering. This year we offered a reboot of previous years' "Mission SE Impossible" challenge, which simulated an office break-in and emphasized the critical thinking skills necessary to perpetrate successful corporate espionage. We also hosted a number of presentations by well-known social engineers to provide our audience with their unique perspectives in the field, the Social Engineering CTF for Kids, a new Social Engineering CTF for Teens, and our own live SEORG podcast. Based on an overwhelmingly positive response, the Social-Engineer Village is planning to return in 2018 to both DEFCON and DerbyCon. We will be releasing a Call for Papers along with our call for 2018 SECTF contestants in coordination with conference announcements. Please watch our website www.social-engineer.org and our social media accounts @humanHacker, @SocEngineerInc, and https://www.facebook.com/seorg.org for the most current information.
Conclusion

This was another fantastic year for the SECTF. This year, most were first-time contestants, proving that anyone with a telephone and courage can obtain valuable information. With some of the novice competitors outperforming experienced security professionals, the competition continues to demonstrate that social engineering can be a powerful skill for people at any level. Unfortunately, as in years past, our limited findings show that companies are still vulnerable to social engineering attacks. It is our hope that this will change as we continue to expand our event and stress ongoing preparation, not just the attention garnered at DEFCON. If you, or your organization, have any questions regarding any aspect of this report, please contact us at: [email protected].
About Social-Engineer, LLC

Social-Engineer, LLC is the premier consulting and training company specializing in the art and science of social engineering (SE). Social tactics are an established and quickly growing trend in information security in the forms of phishing, phone elicitation (vishing), and impersonation. With more than three decades of combined experience, Social-Engineer, LLC assists organizations in government, law enforcement, and the private sector in the detection and mitigation of the devastating effects of both physical and information breaches. Social-Engineer, LLC focuses on the abilities of a hostile attacker to exploit the human element of businesses to gain access to corporate assets. Through assessment, education, and training, Social-Engineer, LLC helps organizations protect themselves and their trade secrets. To learn more about professional social engineering services, please visit: http://www.social-engineer.com/social-engineering-services/.
Sponsors
The 2017 Social Engineering Capture the Flag contest and the Social-Engineering Village would not have been possible without the generous support of the following organizations:

www.social-engineer.com
http://www.phishline.com/
www.pindropsecurity.com
https://www.ravenii.com/