Page 1: The 2017 Social Engineering Capture the Flag Report · PDF file11/27/2017 Proprietary information. Please contact sectf@social- 4 Overview of the SECTF The Social Engineering Capture

11/27/2017 [email protected] 1

The 2017 Social Engineering Capture the Flag Report

DEFCON 25 SECTF | DerbyCon VII SECTF | www.social-engineer.org

Social-Engineer, LLC

© All rights reserved to Social-Engineer, LLC, 2017.

No part of this publication, in whole or in part, may be reproduced, copied, transferred or any other right reserved to its copyright owner, including photocopying and all other copying, any transfer or transmission using any network or other means of communication, any broadcast for distance learning, in any form or by any means such as any information storage, transmission or retrieval system, without prior written permission from the author(s).


Table of Contents

Executive Summary
Overview of the SECTF
  Background and Description
  2017 Parameters
  Target Companies
  Competitors
  Flags
  Scoring
  Rules of Engagement
Results and Analysis
  Open Source Intelligence
  Pretexting
  Live Call Performance
  Competitor Summary
  Final Contest Results
  Discussion
  About the Social-Engineer Village
Conclusion
About Social-Engineer, LLC
Sponsors


Executive Summary

Social-Engineer.org (SEORG) hosted two Social Engineering Capture the Flag (SECTF) contests this year. The first was in July at DEFCON 25 in Las Vegas, NV, for the eighth year in a row, with this competition targeting gaming companies. From over 150 DEFCON entries, we selected 14 competitors from diverse backgrounds and experience levels to test their social engineering abilities. Below is a table highlighting some basic statistics from this year's competition:

Table 1: DEFCON SECTF general summary

Target companies: 14
Competitors: 14
Attempted calls (logged): 114
Total points scored on reports: 1774
Total points scored on calls: 2360

The second SECTF was held at DerbyCon 7.0 in Louisville, KY, in September 2017 and was the first SECTF to be held there, targeting Fortune 500 companies based in Louisville. From 17 DerbyCon entries, we selected 6, and below is a table highlighting some basic statistics from this competition:

Table 2: DerbyCon SECTF general summary

Target companies: 6
Competitors: 6
Attempted calls (logged): 80
Total points scored on reports: 725
Total points scored on calls: 1642

As in years past, the overall goals of these contests were to raise awareness of the ongoing threat posed by social engineering and to provide a live demonstration of the techniques and tactics used by a potential malicious attacker. There were very strict rules of engagement in place to ensure no sensitive information on companies or individuals was disclosed. To further protect employees of target companies from potential negative repercussions, identities of those contacted are neither recorded nor retained. It is important to note that the reporting of a target company's overall performance is a combination of points scored by their assigned contestant in both the Open Source Intelligence (OSINT) gathering and live call phases of the contest. The scoring alone contained within this report does not necessarily indicate that one company is less secure than another. However, it is an indicator of the potential vulnerabilities that exist and demonstrates that despite training, warnings and education, social engineering is still a very serious and viable threat to corporations.


Overview of the SECTF

The Social Engineering Capture the Flag (SECTF) contests are annual events held within the Social-Engineer Village at both the DEFCON Hacking Conference in Las Vegas, NV, and the DerbyCon Information Security conference in Louisville, KY. The SECTF is organized and hosted by Social-Engineer.Org (SEORG), the noncommercial, educational division of Social-Engineer, LLC. The competitions were formed to demonstrate how serious social engineering threats are to companies and how even novice individuals can use these skills to obtain important information. The contests are divided into two parts: the information-gathering phase that takes place prior to the conferences, followed by the live call phase that occurs at DEFCON and DerbyCon.

Background and Description

The SECTF is a contest in which participants attempt to obtain specific pieces of information, called flags, from select private-sector companies. The purpose of the contest is to demonstrate how much information can be freely obtained either through online sources or via telephone elicitation. Months prior to the events, SEORG solicited individuals who wished to compete via our social media outlets and the www.social-engineer.org website. We also asked participants to submit a 90-second video outlining why they should be included in the contest. Our panel made selections based on a number of factors that included the desire to learn, as well as our perception of the contestant's intent. As this is an educational event, we wish our participants to have a very strong emphasis on ultimately helping the status of corporate security as opposed to the singular goal of "winning" a contest. Although applicants who submitted videos were given preference in selection, it was not mandatory. From over 150 DEFCON applicants, we selected 14 contestants and randomly assigned them to a company. From 17 DerbyCon applicants, we selected 6 contestants and randomly assigned them to a company. Contestants were not made aware of any other competitors or target companies other than their own prior to their call time at the live event. The target companies were not informed of their inclusion in the SECTF, nor was the industry announced prior to our contest. For DEFCON this year, we selected gaming as the target industry. These are brands that are immensely popular on a global scale and have recently suffered high-profile attacks with user personally identifiable information (PII) being released. For the inaugural SECTF at DerbyCon, we selected Fortune 500 companies that were formed in the local area of Louisville, KY. Contestants were given 3 weeks to gather as much information about their target company as possible and generate a formal report. They were allowed to use only Open Source Intelligence (OSINT) that could be obtained through search engines or tools such as Google, FOCA, Maltego, etc. During this information-gathering phase, contestants attempted to capture as many of the pre-defined flags as possible. The information gathered was to be assembled into a professional report. Contestants were provided with a sample report to assist them, but were not required to use this template. In addition to the flags, points were also awarded based on the professionalism and quality of the report.


Contestants were then assigned a time slot to perform their live calls on either Friday or Saturday during DEFCON and Friday during DerbyCon. Great care was taken in the development of the contest to ensure maximum success for the contestants. Since DEFCON calls were conducted from the West Coast, companies whose headquarters were located on the East Coast were assigned earlier time slots. Furthermore, companies that were more easily accessible during non-standard business hours were assigned Saturday time slots. Contestants were placed in a soundproof booth and required to provide a list of phone numbers (obtained during the information-gathering stage) at the target company to call, along with the phone numbers they wished us to spoof. Caller ID spoofing is a method through which one's incoming phone number can be forged, or "spoofed," usually to appear as a non-threatening and/or internal number. This is a tactic commonly used by social engineers to increase their credibility with recipients. Each contestant was free to use their entire allotted 20-minute time slot to perform as many or as few calls as they wished. Although United States federal law only requires one party to be notified in the event of recording a telephone call, many states (Nevada included) have created additional laws requiring both parties to consent. Since we could not obtain the consent of target companies without jeopardizing the integrity of the contest, no recording of any type was permitted during DEFCON (including by the audience), but recording was allowed at DerbyCon, as Kentucky is a one-party consent state. Photographs were allowed with permission of the contestant. Scoring was accomplished during each call by three judges at DEFCON and a single judge at DerbyCon. Based on very positive feedback from previous years, we again took opportunities after each call for a Q&A and discussion with the contestant and judging panel. During that time, we analyzed the success of the techniques used and answered as many questions directed to either the judging panel or the contestant as time allowed. Subsequent to the contest, scoring and comments were reviewed along with the reports submitted prior to the conferences to determine the winners. It should be noted that all contestants were required to place a $20 USD fully refundable deposit to reserve their spot at the contest. All contestants were refunded this deposit immediately after completing their calls, unless they were not present for their time slot.
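The caller ID spoofing tactic described above is also what a defender's PBX or session border controller can screen for. The following is an added example written for this edition of the page, not code from Social-Engineer or the SECTF: it parses a SIP INVITE and flags the signals that make a spoofed caller ID detectable, namely an external trunk presenting an internal extension or company DID, a From header that disagrees with P-Asserted-Identity (RFC 3325), and a missing or less-than-full STIR/SHAKEN attestation in the Identity header (RFC 8224/8588). The numbering plan, hostnames and both INVITE messages are constructed for the example; the PASSporT signature is deliberately not verified here, which a production verifier must do before trusting the attest claim.

```python
from __future__ import annotations

import base64
import json
import re

# Assumed numbering plan for the constructed PBX (not from the report).
INTERNAL_DID_PREFIX = "+1702555"        # company's published direct-dial block
INTERNAL_EXT_RANGE = range(1000, 2000)  # four-digit internal extensions


def parse_sip_headers(message: str) -> dict[str, str]:
    """Map lower-cased header names to values; the request line and any body are skipped."""
    headers: dict[str, str] = {}
    for line in message.replace("\r\n", "\n").split("\n")[1:]:
        if not line.strip():
            break  # blank line terminates the header block
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def user_part(header_value: str) -> str:
    """Extract the number from e.g. '"IT Helpdesk" <sip:1234@pbx.example>;tag=x'."""
    match = re.search(r"sips?:([^@;>]+)@", header_value)
    return match.group(1) if match else ""


def looks_internal(number: str) -> bool:
    """True for an internal extension or a number inside the company DID block."""
    if number.isdigit() and len(number) == 4 and int(number) in INTERNAL_EXT_RANGE:
        return True
    return number.startswith(INTERNAL_DID_PREFIX)


def shaken_attestation(identity_value: str) -> str | None:
    """Read the PASSporT 'attest' claim (A, B or C) out of an Identity header.

    Only the payload is decoded; the ES256 signature is NOT checked here. A real
    verifier must fetch the certificate from the x5u/info URL and verify first.
    """
    token = identity_value.split(";", 1)[0].strip()
    segments = token.split(".")
    if len(segments) != 3:
        return None
    payload = segments[1] + "=" * (-len(segments[1]) % 4)
    try:
        claims = json.loads(base64.urlsafe_b64decode(payload))
    except ValueError:
        return None
    return claims.get("attest") if isinstance(claims, dict) else None


def spoof_findings(invite: str, external_trunk: bool) -> list[str]:
    """Heuristic caller-ID spoofing indicators for a single INVITE."""
    headers = parse_sip_headers(invite)
    from_number = user_part(headers.get("from", ""))
    findings: list[str] = []
    if external_trunk and looks_internal(from_number):
        findings.append(f"external trunk presents internal number {from_number}")
    pai = headers.get("p-asserted-identity")
    if pai and user_part(pai) != from_number:
        findings.append(f"From {from_number} differs from P-Asserted-Identity {user_part(pai)}")
    identity = headers.get("identity")
    if identity is None:
        findings.append("no STIR/SHAKEN Identity header")
    else:
        attest = shaken_attestation(identity)
        if attest != "A":
            findings.append(f"attestation {attest!r} is not full attestation (A)")
    return findings


def build_passport(attest: str, orig_tn: str) -> str:
    """Unsigned PASSporT-shaped token for the constructed sample (fake signature segment)."""
    def b64(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    header = {"alg": "ES256", "ppt": "shaken", "typ": "passport", "x5u": "https://cert.example/sp.pem"}
    claims = {"attest": attest, "dest": {"tn": ["+17025551000"]}, "iat": 1511740800, "orig": {"tn": orig_tn}}
    return f"{b64(header)}.{b64(claims)}.c2lnbmF0dXJl"


# Constructed INVITEs: a spoofed "internal helpdesk" call arriving on the carrier
# trunk, and a carrier call with matching PAI and full attestation.
SPOOFED_INVITE = (
    "INVITE sip:+17025551000@pbx.example SIP/2.0\r\n"
    'From: "IT Helpdesk" <sip:1234@pbx.example>;tag=a1\r\n'
    "To: <sip:+17025551000@pbx.example>\r\n"
    "Call-ID: spoof-1@203.0.113.7\r\n\r\n"
)
LEGIT_INVITE = (
    "INVITE sip:+17025551000@pbx.example SIP/2.0\r\n"
    'From: "Vendor Support" <sip:+15105550147@carrier.example>;tag=b2\r\n'
    "To: <sip:+17025551000@pbx.example>\r\n"
    "P-Asserted-Identity: <sip:+15105550147@carrier.example>\r\n"
    f"Identity: {build_passport('A', '+15105550147')};info=<https://cert.example/sp.pem>;alg=ES256;ppt=shaken\r\n"
    "Call-ID: legit-1@carrier.example\r\n\r\n"
)

if __name__ == "__main__":
    print("spoofed:", spoof_findings(SPOOFED_INVITE, external_trunk=True))
    print("legit:  ", spoof_findings(LEGIT_INVITE, external_trunk=True))
```

The first check is the one that catches the contest scenario directly: a caller whose number reads as "internal" but whose call enters over a trunk that cannot legitimately originate such a number. The attestation checks only help once the upstream carrier signs calls; an absent Identity header is common on older trunks and should be scored, not treated as proof.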

2017 Parameters

Overall, we attempt to keep the major parameters of the competition as consistent as possible from year to year. However, we do make changes to ensure that the contest continues to be challenging and educational for both contestants and audience. Primary changes for 2017:

- Contestants were no longer allowed to obtain the same flag multiple times during a single call from a single target

- Contestants were no longer allowed to recall the same target to obtain the same information previously acquired


- Contestants were allowed to call potential target companies prior to DEFCON only to ensure telephone numbers were valid; personal numbers or cell phone numbers were not to be included in these tests

- Bribery ("you will be given a gift card for your participation") was explicitly disallowed
- The target companies were all gaming companies for DEFCON
- The target companies were Fortune 500 companies started in Louisville, KY, for DerbyCon


Target Companies

The Social-Engineer staff accomplished target selection through an open nomination and voting process. We made every attempt to ensure that no bias was introduced through attitudes or preconceived notions regarding any particular company. As in previous years, we made the call for companies to be willing participants in the SECTF. This was the first year in which a company volunteered to be a target. Unfortunately, they were not in the target industry and the request could not be honored. Therefore, none of the companies chosen were aware of their selection prior to either conference. The DEFCON target list (in alphabetical order):

1. 2K Games
2. Activision Blizzard
3. Bandai Namco Entertainment
4. Bethesda Game Studios
5. Disney
6. Electronic Arts
7. Hasbro
8. Mattel
9. Nintendo
10. Rockstar Games
11. Sega Games
12. Sony
13. Ubisoft Entertainment
14. Warner Brothers Games

The DerbyCon target list (in alphabetical order):

1. Ashland
2. Brown-Forman Corporation
3. GE Appliances
4. Papa John's International
5. Tempur-Pedic
6. Yum! Brands

Competitors

As in all previous years, one of our core rules is that no one is victimized. This includes those who choose to participate, those who are called, and the companies they work for. Our contestants' personal information is never revealed, and they are only photographed if they provide explicit verbal permission prior to their live call segment. No recording of contestants during their calls at DEFCON is ever permitted due to two-party consent laws in the state of Nevada.


There were 14 competitors selected from an original pool of over 150 applicants for DEFCON and 6 selected from 17 applicants for DerbyCon. Not all were skilled callers or experienced social engineers. For many, this was their first attempt at ever placing a deliberate social engineering-based call. Some of the contestants were red team or security specialists, but many were from other fields not related to social engineering or information security.

Flags

A "flag" is a specific piece of information that the contestants attempted to obtain in both the OSINT and live call portions of this competition. Every year, we send an overview of flags, rules, targets and other pertinent information to our legal counsel. We do this to ensure we remain within the legal bounds as prescribed by state and federal law, based on the advice of our legal counsel, as well as ensuring we adhere to our ethical beliefs as an organization. Table 3 outlines the list of specific flags, their categories, and point values for 2017.

2017 SECTF Flag List (each flag: report points / call points)

Logistics
- Is IT support handled in house or outsourced? 3 / 6
- Who do they use for delivering packages? 3 / 6
- Do you have a cafeteria? 4 / 8
- Who does the food service? 4 / 8

Other Tech
- What is the name of the company VPN? 4 / 8
- Do you block websites? 2 / 4
- If website block = yes, which ones? (Facebook, eBay, etc.) 3 / 6
- Is wireless in use on site? (yes/no) 2 / 4
- If yes, ESSID name? 4 / 8
- What make and model of computer do they use? 3 / 6
- What anti-virus system is used? 5 / 10

Can Be Used for Onsite Pretext
- What is the name of the cleaning/janitorial service? 4 / 8
- Who does your bug/pest extermination? 4 / 8
- What is the name of the company responsible for the vending machines on site? 4 / 8
- Who handles their trash/dumpster disposal? 4 / 8
- Name of their 3rd party or in-house security guard company? 5 / 10
- What types of badges do you use for company access? (RFID, HID, none) 8 / 16

Company Wide Tech
- What operating system is in use? 5 / 10
- What service pack/version? 8 / 16
- What program do they use to open PDF documents, and what version? 5 / 10
- What browser do they use? 5 / 12 (values as printed)
- What version? 8 / (call value missing from the extracted table)
- What mail client is used? 5 / 10
- Do you use disk encryption; if so, what type? 5 / 10
- Fake URL (getting the target to go to a URL): www.seorg.org N/A / 26

Employee Specific Info
- How long have they worked for the company? 3 / 6
- What days of the month do they get paid? 3 / 6
- Employee schedule information (start/end times, breaks, lunches) 3 / 6
- What is the name of the phone/PBX system? 4 / 8
- When was the last time they had awareness training? 5 / 10

Report-only scoring
- 10 points for each realistic attack vector detailed in the report, to a maximum of 50 points. Supporting evidence must be provided for each attack vector as to why it is realistic. 0-50 / N/A
- Format, structure, grammar, layout, general quality of the report, to a maximum of 50 points. 0-50 / N/A

Table 3: Flag list for SECTF

Scoring

Social-Engineer possesses a proprietary application for scoring both the OSINT and live call portions of the competition. Flags obtained during the OSINT phase of the contest are worth half points (see Table 3). OSINT reports were scored prior to the live call event. Scoring for the telephone calls was accomplished during each call by a three-person judging panel at DEFCON and a single judge at DerbyCon. Flags captured during this portion of the event were awarded full points (see Table 3). Every attempt was made to ensure consistency in scoring for all contestants, regardless of the judge, although our scoring process does allow some subjectivity through the ability of each judge to include notes and comments for each contestant. At the end of the competition the scores were totaled by the application to determine the winning score. In addition to determining the SECTF winner based on point totals, we also analyzed how the target companies fared in response to a social engineering attack. The interpersonal skills and overall preparation of the contestant were highly predictive of the outcomes, as indicated by both the scores and the judges' subjective assessments of performance. Unfortunately, a company cannot base its sense of corporate security on the hope that a malicious social engineer will be inexperienced, unskilled, or unprepared.


Rules of Engagement

Contestants are held to very strict rules to ensure the protection of target companies as well as their employees. The core rules remained the same as in previous years. We do not allow the collection of sensitive data such as credit card information, social security numbers, and passwords. Only Open Source Intelligence (OSINT) was allowed. We do not allow physical (i.e., facility) or technical (i.e., network) penetration into companies. In addition, we did not allow the contestant to visit any location of their target for information-gathering purposes or to interact with any person from the target before the calls. Contestants were only allowed to verify that the telephone numbers collected during OSINT were valid. We also specifically avoided sensitive industries such as government, education, healthcare, and finance. The most important rule stressed to all contestants is that there was to be absolutely no victimization of any individuals or target companies. For more specific information on the ROE, please see our rules and regulations at http://www.social-engineer.org/ctf/def-con-sectf-rules-registration/ and https://www.social-engineer.org/sevillage-derby-con/sectf-derby-con/.


Results and Analysis

High-profile events resulting from malicious social engineering illustrate that organizations continue to be vulnerable to human-based attacks. Unfortunately, this year's SECTF supported this evaluation, as our contestants, experienced and newcomers alike, were able to obtain flags both through OSINT and the live calls. Our findings are detailed in the sections that follow. It should be noted that any comparisons to previous years' performance are for subjective trend analysis only; no statistical significance can be assumed due to differences in sample sizes, populations, and scoring conditions.

Open Source Intelligence

Preparation prior to any social engineering engagement is critical. This phase is the most time-consuming and laborious, but it most often determines the success or failure of the engagement. The professional social engineer must be aware of all of the information-gathering tools freely available as well as the many accessible locations online that house valuable pieces of data. The following table is a partial list of tools and websites commonly used by professional social engineers as well as our contestants during the OSINT phase of the SECTF:

Google, Maltego, LexisNexis, FOCA, Twitter, Pipl, Reddit, Facebook, Plaxo, Google Maps, Google Earth, Shodan, Netcraft, Wikileaks, Nmap/Zenmap, Blogspot, Loopnet.com, Slideshare.com, Bgp.he.net, Iconosquare, Haveibeenpwned.com, PicasaWeb, WhoIs, WGet, Vimeo, Tineye, Wayback Machine, LinkedIn, Monster, GlassDoor, Yelp!, Craigslist, Instagram, Wikipedia, StartPage, Wigle.net, Scans.io, Indeed, Inteltechniques.com, Leakedsource.com, Flickr, Spokeo, YouTube, FourSquare, Friendster, theHarvester, Google Images, Telnet, EchoSec, DuckDuckGo, Pinterest, JigSaw, Recon-NG, Quora, CentralOps.net, Rocketreach.co, Censys.io, Sync.me, Hoovers, pentest-tools.com, Giantbomb

Table 4: Commonly used OSINT tools and websites


The quality of, and research dedicated to, the reports continues to be impressive. Figure 1 shows total OSINT scores compared to the last 3 years of competition at DEFCON. DerbyCon 2017 numbers are included for the sake of complete 2017 data but are not comparable to DEFCON totals due to the significantly smaller number of competitors. Again, the data noted are strictly for general comparisons only and do not indicate statistically significant differences across years.

Figure 1: Comparison of OSINT total points 2014-2017 (total OSINT score per contest)

2014 DEFCON: 1407
2015 DEFCON: 1696
2016 DEFCON: 1698
2017 DEFCON: 1774
2017 DerbyCon: 725

An examination of OSINT mean scores and standard deviations in Figure 2 indicates that the amount of information located online by contestants has remained relatively stable, including that reported by the smaller number of contestants from DerbyCon this year. This suggests that companies have not appreciably improved in securing their potentially sensitive online information. The mean score is simply the mathematical average of the group. The standard deviation is an indicator of how much the scores varied from the mathematical average; in other words, it is an indicator of score dispersion. A larger standard deviation indicates the scores are not as clustered around the average, and therefore show greater variability.

Figure 2: Comparison of OSINT points means and standard deviations 2014-2017 (OSINT mean / OSINT std dev)

2014 DEFCON: 156 / 45
2015 DEFCON: 121 / 64
2016 DEFCON: 121 / 72
2017 DEFCON: 127 / 66
2017 DerbyCon: 121 / 82


The following list of this year's more significant findings demonstrates that the danger posed by social engineering information gathering is extremely prevalent. Any of the following pieces of information could be used by a malicious attacker to further develop vishing, phishing, or onsite impersonation attacks. Only the more significant findings are listed.

Corporate Information

- Multiple breaches and information leaks have exposed sensitive corporate information
  o Plaintext passwords for corporate accounts
  o Directions on accessing the corporate VPN

- Open employee social media use indicated a lack of distinction between personal and professional communications; corporate as well as product information was often located on personal social media accounts

- Pay and shift schedules were located on various employment sites as well as in employee handbooks

- Vacation accrual and other benefits were located on various employment sites as well as in employee handbooks

- Security awareness training policy was located in an employee handbook
- Pictures of employee badges were often located on various social media accounts
- Organizational charts and department lists were located on corporate websites
- Expansion plans and additional business ventures have been announced openly
- The standard formatting for email addresses was discovered for numerous companies
- Direct telephone extensions were located on numerous occasions
- The full employee directory was available via telephone for numerous companies
- A picture of a business card found online allowed the enumeration of additional corporate telephone numbers
- A public-facing website listed detailed information, including employee programs, benefits, training networks, and social media accounts

Employee Information

- Open corporate culture and social media use at both corporate and employee levels facilitated locating and connecting employees' professional and social networks as well as identifying key personnel

- Corporate and employee social media often disclosed significant amounts of employee information, including education, background, length of time with the company, hiring/departures from the company, employee ID numbers, etc.

- Employee resumes were located; many listed PII, including home addresses and personal cell phone numbers

- Multiple breaches and information leaks have exposed the personal and professional information of many employees

Technologies

- One corporate website was discovered not to have implemented SSL
- One target company was found to have an unsecured VPN
- Use of a webmail client by several targets was discovered
- One target company failed to anonymize its domain registrant information
- Intranet links were located on public-facing websites


- An employee portal was discovered to require an outdated web browser and vulnerable scripts
- Trouble ticket submissions by customers at one target company allow the inclusion of links, attachments, and files
- Two-factor authentication was confirmed as not in use for several Internet-facing servers
- A development website was found to be publicly accessible
- Production servers were determined to be in default configuration
- A webmail subdomain was easily guessed and exposed multiple pieces of information, including technologies in use
- Social media and job postings often revealed technologies used within companies, including specific infrastructure, telephone and badging systems, and applications
- Routers discovered at specific IP addresses disclosed their models and serial numbers
- Specific findings (not all-inclusive):
  o Computer makes/models identified (e.g., Dell, Asus, Mac, Windows tablets)
  o Telephone systems (e.g., Cisco, Polycom, Avaya)
  o Badge type and vendors identified
  o Operating systems (e.g., Linux, Mac, Windows, Apache, Oracle, Ubuntu)
  o Access point technologies (e.g., Cisco)
  o Email applications (e.g., Microsoft Exchange/Outlook, Gmail, Lotus Notes, webmail)
  o Office productivity applications (e.g., Microsoft Office Suite, Google Suite, Adobe Suite, Cisco Webex, Microsoft Lync)
  o Security applications (Symantec PGP, SecureDoc, BitLocker, Symantec Verisign, Cisco AnyConnect VPN, SafeNet MobilePass, F5 Firepass, Mac Filevault)
  o Antivirus applications (Norton, Avast, Trend Micro, McAfee)
  o Other miscellaneous technologies (PowerShell, Remedy ITSM, ServiceNow, Confluence, Sharepoint, VMware)
  o Outward-facing Splunk servers located at specific IP addresses
  o SMTP servers located at specific IP addresses
  o Specific wireless network ESSIDs/SSIDs

Physical Plant

- The availability of tours of the facility was located online
- Pictures and videos on personal and corporate media revealed many details about the physical plant:
  o The type and location of badge sensors
  o Location of CCTV cameras
  o Interiors of offices
  o Cafeterias
  o Fitness centers
  o Complete layout of the facility, including ingress/egress points
  o On-site daycare facilities

Contractor/Vendor/Other Companies

- Some target company websites listed their clients
- Corporate websites and corporate/employee social media often disclosed vendors such as shipping companies, waste disposal, and food service


- Media such as news outlets disclosed employee benefits, including cafeterias, health subsidies, etc.

- Vendors were found to post target company information on their own websites
- Specific contractors/vendors/other companies located include:
  o Shipping (e.g., UPS, FedEx, USPS, DHL)
  o Food service (e.g., Coca Cola, Starbucks, Equiterre, Café Bon Appétit, Eurest, Sodexo, Aramark)
  o Waste/janitorial (e.g., Clean Tile and Grout, Rainbow Environmental Services, Waste Management)
  o Security (e.g., Reel Security, ADT Security Systems, AlliedBarton)
  o Real estate management (e.g., Allied REIT, PMI Properties)
  o ISP/content/technology providers (e.g., AT&T, Comcast Xfinity, Akamai, Rackspace)
  o Corporate lodging and shuttle transportation were determined

Positive Findings

- Employees referenced non-disclosure agreements
- Although physical tours are given, recording in sensitive areas is prohibited
- Some companies disallowed direct telephone lines to employees
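One of the corporate findings above, the standard email address format, is reproducible with very little tooling, and it is the step an attacker takes between an OSINT report and a phishing list. The following added example (written for this page, not from the report or its contestants) infers an organisation's address convention from a handful of observed name/address pairs and then predicts the address of an employee who was found only by name on a social network or org chart. The domain, names and addresses are constructed; the convention table is an assumption covering common corporate patterns and reports a tie as "unknown" rather than guessing.

```python
from __future__ import annotations

import re
import unicodedata

# Common corporate local-part conventions (an assumption; extend as needed).
CONVENTIONS = {
    "first.last": lambda first, last: f"{first}.{last}",
    "first_last": lambda first, last: f"{first}_{last}",
    "flast": lambda first, last: f"{first[0]}{last}",
    "firstl": lambda first, last: f"{first}{last[0]}",
    "lastf": lambda first, last: f"{last}{first[0]}",
    "last.first": lambda first, last: f"{last}.{first}",
    "first": lambda first, last: first,
}


def normalize(token: str) -> str:
    """Lower-case and strip diacritics/punctuation: "O'Brien" -> "obrien", "Zoë" -> "zoe"."""
    ascii_only = unicodedata.normalize("NFKD", token).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z]", "", ascii_only.lower())


def split_name(full_name: str) -> tuple[str, str]:
    """Return (first, last) from a display name; middle names are ignored."""
    tokens = full_name.split()
    return normalize(tokens[0]), normalize(tokens[-1])


def score_conventions(observed: list[tuple[str, str]]) -> dict[str, int]:
    """Count, per convention, how many observed (name, address) pairs it reproduces."""
    scores: dict[str, int] = {}
    for name, address in observed:
        first, last = split_name(name)
        local_part = address.split("@", 1)[0].lower()
        for label, build in CONVENTIONS.items():
            if build(first, last) == local_part:
                scores[label] = scores.get(label, 0) + 1
    return scores


def best_convention(observed: list[tuple[str, str]]) -> str | None:
    """The single best-supported convention, or None when nothing matches or there is a tie."""
    scores = score_conventions(observed)
    if not scores:
        return None
    top = max(scores.values())
    winners = [label for label, count in scores.items() if count == top]
    return winners[0] if len(winners) == 1 else None


def guess_address(full_name: str, domain: str, convention: str) -> str:
    """Apply an inferred convention to a name found only through OSINT."""
    first, last = split_name(full_name)
    return f"{CONVENTIONS[convention](first, last)}@{domain}"


# Constructed observations: addresses an analyst might harvest from a press
# contact page, a conference slide deck and a breach dump for one target.
OBSERVED = [
    ("Ana Torres", "Ana.Torres@example-games.test"),
    ("Zoë O'Brien", "zoe.obrien@example-games.test"),
    ("Mark Lee-Chan", "mark.leechan@example-games.test"),
]

if __name__ == "__main__":
    convention = best_convention(OBSERVED)
    print("inferred convention:", convention, score_conventions(OBSERVED))
    if convention:
        print(guess_address("Raúl Núñez", "example-games.test", convention))
```

Three consistent observations are enough to pin the convention; with one or two, several patterns can explain the same address (a "bli" could be first-initial-plus-last or a short first name), which is why the function refuses to pick when conventions tie. The same normalisation that makes the match work on accented or hyphenated names is what a defender should expect an attacker to apply, so a "non-standard" spelling in a directory is not protection.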

We recognize that much of the information listed above is beyond the control of the organizations and individuals concerned. However, it is important to be aware of information freely available in order to mitigate possible exploitation by malicious attackers. Figures 3 and 4 provide a side-by-side comparison of points scored by competitors against their assigned company during the OSINT portion of the contest, out of a possible 228 points. The X-axis represents the competitors, and the Y-axis the point values for total points awarded for this phase of the competition.

Figure 3: OSINT scores by DEFCON competitor (competitor number: OSINT points)

1: 119, 2: 166, 3: 35, 4: 186, 5: 95, 6: 124, 7: 167, 8: 215, 9: 111, 10: 49, 11: 67, 12: 221, 13: 189, 14: 30
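As a check on the mean and standard deviation figures quoted for 2017 in Figure 2, the following added example (not the report's own scoring application) recomputes them from the per-competitor OSINT scores in Figures 3 and 4. The score lists are transcribed from those figures; the arithmetic shows that the report's numbers match the sample standard deviation (dividing by n-1), not the population form, which is worth knowing when comparing the spread of a 6-competitor contest with a 14-competitor one.

```python
from math import sqrt

# Per-competitor OSINT scores transcribed from Figure 3 (DEFCON) and Figure 4 (DerbyCon).
DEFCON_2017_OSINT = [119, 166, 35, 186, 95, 124, 167, 215, 111, 49, 67, 221, 189, 30]
DERBYCON_2017_OSINT = [153, 120, 189, 29, 18, 216]


def mean(scores):
    """Arithmetic average of the scores."""
    return sum(scores) / len(scores)


def std_dev(scores, sample=True):
    """Standard deviation of the scores.

    sample=True divides the sum of squared deviations by n-1 (Bessel's
    correction), which is what reproduces the report's figures; sample=False
    gives the population form, which is noticeably smaller for n=6.
    """
    m = mean(scores)
    squared_deviations = sum((x - m) ** 2 for x in scores)
    divisor = len(scores) - 1 if sample else len(scores)
    return sqrt(squared_deviations / divisor)


def summarize(scores):
    """Total, mean and sample std dev rounded the way the report presents them."""
    return {
        "total": sum(scores),
        "mean": round(mean(scores)),
        "std_dev": round(std_dev(scores)),
    }


if __name__ == "__main__":
    for label, scores in (("DEFCON 2017", DEFCON_2017_OSINT), ("DerbyCon 2017", DERBYCON_2017_OSINT)):
        print(label, summarize(scores), "population sd:", round(std_dev(scores, sample=False)))
```

The totals (1774 and 725) and means (127 and 121) fall out directly; the standard deviations come to 66 and 82 only with the n-1 divisor, and would read 63 and 75 under the population form.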


Figure 4: OSINT scores by DerbyCon competitor (competitor number: OSINT points)

1: 153, 2: 120, 3: 189, 4: 29, 5: 18, 6: 216

The OSINT portion of our competition stresses a few key points. First, it emphasizes the overall importance of the information-gathering phase of any social engineering engagement. A thorough online investigation can provide an individual with a very good understanding of when, where, and how companies conduct business, as well as the online activities of their employees through vectors such as social media. Second, any images found can be extremely useful for malicious attackers. For instance, if an attacker knows what buildings look like, the location of entrances and break areas, and perhaps finds pictures of corporate badges, these are all potential vulnerabilities. Finally, our OSINT exercise stresses the issue of online data leakage by organizations. Network penetration was not allowed; the flags during the OSINT phase were obtained through information freely found online without any live interaction with individuals at the target companies.

Pretexting

Selecting a proper pretext is a key component to the success of a vishing campaign. This year there were many pretexts used with varying degrees of success. Newcomers predictably struggled the most, both with believable pretexts and with maintaining the pretext for the duration of the call. The most successful pretexts used this year were variations of a fellow employee. Our first and second place winners at DEFCON both used a scenario in which they called as an internal IT staffer attempting to troubleshoot/confirm systems. Somewhat less successful was the variation of an employee planning a site visit and asking questions to be properly prepared. Subsequent to the DEFCON SECTF, our winner recreated his successful call, and the video may be viewed here: https://www.veracode.com/blog/security-news/how-single-phone-call-can-compromise-your-company. Other pretexts used included:


- Journalist requesting an interview
- Package delivery
- HVAC vendor
- Impersonation of an actual employee
- Calling as part of a trivia game

One of the most important rules for the SECTF is that contestants are not allowed to use negative pretexting. This includes threatening disciplinary action and/or using extreme fear or anger towards a target. This rule is in place to keep targets from being left in fear for their employment, as well as to challenge the contestants to formulate a more creative pretext. We are happy to report that all contestants stayed within the boundaries of non-manipulative pretexts this year.

Live Call Performance

The live call portion of the SECTF is an interesting trial for the contestant. It is not only a test in mental agility and the ability to influence a person in real-time, but also a task that must be accomplished in front of a live audience. The luxury of time and true anonymity enjoyed in the OSINT phase are not applicable. It is for that reason we congratulate all of our contestants in completing this phase of the competition. Figure 5 shows total call scores compared to the last 3 years of competition at DEFCON. DerbyCon 2017 numbers are included for the sake of complete 2017 data but are not comparable to DEFCON totals due to the significantly smaller number of competitors. Again, the data noted are strictly for general comparisons only and do not indicate statistically significant differences across years, but a cursory examination suggests that companies this year were more successful at denying information via the telephone.

Figure 5: Comparison of call total points 2014-2017

[Chart: 2014-2017 Call Scores (total call points)]
Year            Total call points
2014                 5306
2015                 6772
2016                 4353
2017                 2360
2017 DerbyCon        1642


An examination of call mean scores and standard deviations in Figure 6 supports that contestants were, on average, less successful in obtaining flags over the telephone than in previous years, although variability was very high. This may suggest that some companies have improved in securing information leakage over the telephone to unverified callers.

Figure 6: Comparison of call points means and standard deviations 2014-2017

[Chart: 2014-2017 Call Mean/Std Dev]
Year            Call Mean   Call Std Dev
2014               438          167
2015               564          318
2016               311          331
2017               169          218
2017 DerbyCon      274          223

Figures 7 and 8 quantify point values scored by the contestants against their assigned company during the live call portion of the contest. The X-axis represents the contestants and the Y-axis shows the point values awarded. This year, we had one last-minute contestant who replaced a no-show at DEFCON.

Figure 7: Live call scores by DEFCON competitor

[Chart: DEFCON 2017 Call Scores; X-axis: Contestant 1-14; Y-axis: points 0-800]


Figure 8: Live call scores by DerbyCon competitor

[Chart: DerbyCon 2017 Call Scores; X-axis: Contestant 1-6; Y-axis: points 0-700]

Even a cursory examination indicates extremely high variability amongst contestants. Some of this is attributable to chance, with success based on the frequency with which targets were reached. However, we feel that the vast majority of performance difference is due to preparation on the part of the contestant.

Competitor Summary

This year we had our typical range of novice social engineers to professional penetration testers. However, since we make changes to the conditions, target industries, number of competitors, and scoring each year (e.g., extra points for “tag-outs” in 2014), these averages are only valuable in terms of identifying large trends such as the data reversal we saw in 2014. Figure 9 is a summary of the mean scores of both OSINT and calls for the past 4 years. The mathematical average of scores is impacted by outliers (either very high or very low), so is relatively limited in the information it conveys. One can surmise that competitor performance on OSINT has remained relatively consistent while there has been much greater variability with respect to call success. This may be in part due to contestants or target industry, but based on direct observation, it also appears that companies are improving their abilities to repel telephone requests made by unverified callers.


Figure 9: Mean performance for SECTF 2013-2016

[Chart: Mean Performance 2014-2017]
Year            OSINT Mean   Call Mean
2014                156          438
2015                121          564
2016                121          311
2017                127          169
2017 DerbyCon       121          274

The following are observations made during calls.

- Competitors who were the most successful:
  o Were very well prepared. They had conducted thorough OSINT and possessed more than enough possible targets/phone numbers to call. This year, both first and second place winners had 30+ phone numbers to call. They were also familiar with internal terminology, systems, processes, and recent corporate news.
  o Developed good rapport with the target.
  o Dealt well with an unpredictable environment. This contest illustrates the difficulty of live calling. Our best competitors thought quickly on their feet and were able to adjust pretexts and questions even when the call appeared to be going poorly.
  o Carefully planned the order of their questions. The most experienced contestants tended to start with non-threatening questions and gradually pressed the targets into disclosing more sensitive information.
  o Were persistent. At DEFCON, our Friday competitors had the most issues reaching live targets. One contestant in particular kept reaching dead ends until his very last call, during which he obtained almost all of his flags.
  o Made masterful use of questions and obtained flags without directly asking – a key in good elicitation.
  o Had excellent time management – with an eye on the clock, this allowed the contestant to decide when to abandon an unproductive call and move on to the next target.
  o Dealt with resistance and rejection in a calm fashion.
- Competitors who had the most difficulty:
  o Were not able to make their pretexts immediately clear to their targets. Without being able to establish who, what, and why immediately, these competitors often rambled and were unable to develop proper rapport.
  o Were quick to abandon a call if they met even the slightest resistance.


  o Did not properly research the company before the live calling phase.
  o Failed to recognize opportunities that could either continue an ongoing call or lead to more informed follow-on calls.
    § Several competitors ended calls when the intended target was not reached, even when the person on the phone indicated willingness to assist.
    § One target referenced a “big event” in progress that our competitor failed to pursue.
  o Were relatively rigid in obtaining certain flags; e.g., one contestant continued to ask questions about food service, making the call seem unnatural.
  o Spent more time talking than listening.
  o Used closed-ended questions that often cut off the opportunity to continue the conversation.
  o Made assumptions about certain departments (e.g., HR would be less forthcoming) and lost opportunities.
- Techniques:
  o A number of successful competitors escalated their requests from small to large.
  o Several competitors had discovered the names of target company employees, and referenced them in calls.
  o A number of successful competitors phrased their elicitations as confirmation of information they already knew (collected in the OSINT phase).
  o Successful competitors also used deliberate false statements to have the target correct them with the correct flag.
  o A number of competitors used a “rapid fire” style of questioning, essentially overwhelming their targets. Depending on the amount of rapport established, this was a successful technique.
  o One competitor referenced a recent high-profile event to add urgency and veracity to her pretext. This is an extremely powerful and typically very successful technique.
  o One competitor used a physical prop (keyboard) to add the sound effect to his call, adding validity to his pretext.
- Additional Observations:
  o One competitor had the misfortune of reaching an individual who worked for the person he was impersonating.
  o Two of our competitors were unable to obtain flags due to personnel not answering calls. This mirrors actual social engineering engagements and demonstrates the lack of predictability and control inherent in vishing calls.
  o In more than one case, a company’s corporate directory provided the full names of individuals, providing multiple target opportunities with a single call.
  o We had one no-show at DEFCON this year. Despite minimal time to prepare, the volunteer contestant was able to obtain some flags, demonstrating the ease with which information can be obtained via the telephone, even by an unprepared novice.


Final Contest Results

At the conclusion of the live call portion of the contest, the judging panel met and reviewed all scores. Figures 10 and 11 are tallies of OSINT scores, call scores, and grand total by company. The higher score denotes that a higher number or value of flags were surrendered, and is indicative of poorer performance on the part of the company. Average OSINT scores remained stable for both DEFCON and DerbyCon, but call scores appear to have fallen again this year, perhaps indicative of a positive trend in which organizations are improving with respect to the information disclosed to unverified callers.

Figure 10: DEFCON 2017 company ranking

[Chart: DEFCON 2017 Company Ranking; series: OSINT, Call, Total; companies ranked best (lowest total) to worst (highest total)]
Rank  Company                      OSINT   Call   Total
 1    Warner Brothers Games           30     18      48
 2    Rockstar Games                  49      0      49
 3    2K Games                       119      0     119
 4    Electronic Arts                124     42     166
 5    Disney                          9…     78     173
 6    Activision Blizzard            166     18     184
 7    Bandai Namco Entertainment      35    152     187
 8    Nintendo                       111     92     203
 9    Hasbro                         167     54     221
10    Ubisoft Entertainment          189    122     311
11    Sega Games                      67    294     361
12    Bethesda Game Studios          186    350     536
13    Sony                           221    346     567
14    Mattel                         215    794    1009


Figure 11: DerbyCon 2017 company ranking

[Chart: DerbyCon 2017 Company Ranking; series: OSINT, Call, Total; companies ranked best (lowest total) to worst (highest total)]
Rank  Company                      OSINT   Call   Total
 1    Papa John’s International       29     26      55
 2    Tempur-Pedic                    18     92     110
 3    Yum! Brands                    216    196     412
 4    Brown-Forman Corporation       120    310     430
 5    Ashland                        153    374     527
 6    GE Appliances                  189    644     833

Keeping with the trend from past years, contestants tended to rely heavily on the call portion for their score. Unfortunately, it should also be noted that there were several targets this year completely untested during the call portion due to personnel simply not answering telephone calls at all. Finally, every target company disclosed at least some information (either discovered during OSINT or during live calls) which could be used as a possible attack vector for malicious actors.

The ranking of companies from best performance (lowest score) to worst performance (highest score) for DEFCON 2017 is as follows:

1. Warner Brothers Games
2. Rockstar Games
3. 2K Games
4. Electronic Arts
5. Disney
6. Activision Blizzard
7. Bandai Namco Entertainment
8. Nintendo
9. Hasbro
10. Ubisoft Entertainment
11. Sega Games
12. Bethesda Game Studios
13. Sony
14. Mattel


The ranking of companies from best performance (lowest score) to worst performance (highest score) for DerbyCon 2017 is as follows:

1. Papa John’s International
2. Tempur-Pedic
3. Yum! Brands
4. Brown-Forman Corporation
5. Ashland
6. GE Appliances

We do not release information on specific vulnerabilities of the companies to the general public. NOTE – We do provide this information directly to the involved companies upon request. Any involved company can reach out to us at sectf@social-engineer.org for information on how to obtain this data.

One positive aspect of the live call portion of the SECTF each year is to see when a company shuts down the contestant. That is, the person from the target company follows appropriate security protocol and does not answer any questions or hangs up on the call. Each year, when a person from a target company stops a contestant, the room breaks out into applause. This year we had several calls during which the targets stated they were prohibited, through company policy, from disclosing information to unverified callers. Despite these positive notes, overall, this year’s contest proved, once again, that potentially damaging information on organizations is still either easily accessible online or discovered via telephone calls by even the most novice competitor. Figures 12 and 13 illustrate the number of times each flag was obtained during both OSINT and live call phases. While not all flags were requested the same number of times, this is at least an indicator of likely vectors into an organization.


Figure 12: DEFCON 2017 flag frequency distribution

[Chart: DEFCON 2017 Flags Surrendered; number of times each flag was obtained; series: CALLS, OSINT]


Figure 13: DerbyCon 2017 flag frequency distribution

[Chart: DerbyCon 2017 Flags Surrendered; number of times each flag was obtained; series: CALLS, REPORTS]

Inspection will reveal that the most commonly obtained flag this year at DEFCON was the amount of time the target had worked for the company, followed by whether or not there was an onsite cafeteria. These are identical to last year’s top flags. The first flag could be used by a malicious attacker in determining how difficult it might be to escalate an attack using this individual as well as the value of the information they may hold. A newcomer to an organization may be an easier target, but may also provide less valuable information, depending on their job function. The other flag could be used to perpetrate believable attacks via onsite impersonation attempts. The most commonly obtained flag at DerbyCon was whether or not the targeted company blocked websites. This information could be used in planning a phishing attack using a malicious link, particularly if it was determined that the target company had no policy or controls in place to prevent unmonitored Internet access.


The take-away here is that social engineering is not the end game, but is used as the entry point to perpetrate theft of identity or resources. The motivated individual will compile information from a number of different sources and create believable attacks that are difficult to recognize and resist. It is interesting to note that EVERY applicable flag was surrendered at least once by the target companies.

Discussion

This was, once again, an interesting and informative year. Based on all of the data and our own observations, we can conclude a few points. First and foremost, social engineering continues to be a security risk for organizations. This was our eighth consecutive year hosting this event at DEFCON; in that time, and despite numerous high-profile security breaches that occurred this year, we have not seen consistent improvements that directly address the human element in organizational security. Even as companies are reportedly investing more in security awareness training and policy development, the results again this year support our belief that overall, companies are still doing a relatively poor job. Not all of our competitors were experienced information security professionals; however, all were able to obtain flags. It does not appear that employees are consistently being educated to understand the value of the information they hold or how to appropriately protect it. Rather than accept a request at face value, employees need to be trained and encouraged to question, challenge, and make good decisions. If the training task is too difficult to overcome immediately, then at minimum, employees need to have proper protocols in place that allow them to question callers. For example, if all employees were forced to verify themselves with an employee ID or other daily code, this could greatly reduce the risk of telephone-based attacks and the need for employees to decide for themselves the correct course of action. If an organization creates an ambiguous situation either through unclear policies or inadequate training, employees will make choices that are easier and less uncomfortable (e.g., disclosing information as opposed to politely declining to answer). It should be noted that in the past few years, we have observed a trend in which more companies appear to be improving in their resistance to telephone elicitation attempts.

Our second conclusion is that companies are still allowing sensitive data to be posted online. In direct opposition to security is the basic nature of conducting modern business. Clear communication with, and accessibility of information by, clients and partners is mandatory. This places companies in a position where they need to make their resources highly available, and perhaps vulnerable. In addition to monitoring corporate information, another challenge for all organizations is the inability to completely control the social media and other postings of current and past employees. Our competitors clearly found valuable information through these sources, and they are certainly used by malicious attackers to craft phishing, vishing, and onsite impersonation attempts. Although it is unlikely that this vulnerability can ever be completely mitigated, clear policies and training can assist in making employees aware of the risk in which they place both themselves and their companies by oversharing information.


We sincerely hope our findings are useful in making all organizations safer and more secure places in which to conduct business.

Mitigation

The ongoing goal of the SECTF is to raise awareness of the threat that social engineering presents to both organizations and individuals. The crux of this report is to inform companies of the dangers associated with malicious social engineers as well as how they can mitigate vulnerabilities and protect against these attacks. Based on our practice and in reviewing the trends over the past several years, we would expect the use of social engineering to continue being a significant threat to organizations. Mitigation must be a combination of technical controls, policy, and training in order to defeat malicious attackers. Below are a few areas for potential mitigation of this threat.

1. Defensive actions

Good technology must be the foundation of corporate information security. At a bare minimum, organizations must possess basic technical controls to include appropriate hardware, software, and adequate system administration. Technical exploitation continues to be a perimeter test of unpatched systems and outdated technology. Don’t make a hacker’s job that much easier by not investing in secure technologies. In addition, help your employees make safe decisions. Most make decisions that will affect corporate security on a daily basis. If your policy is unclear, or puts the employee in a position to make an unsafe choice, you are not giving them the tools they need to help keep the company secure.

The OSINT phase of the contest revealed how much data on a target company can be gathered through the simplest online searches. Companies must balance the business requirements of managing their brands with the risks associated with having open and approachable communications with their employees and the world. Companies need to set clear definitions of what is and is not allowed with regard to the handling and posting of information, particularly with respect to social media. Individuals will often not make the connection that personal life being discussed in an open social forum can be leveraged to breach their employers. In addition, clearly defined policies on how, where, and what kind of information can be uploaded to unsecured areas of the Internet can go a long way to safeguarding companies. Finally, companies MUST help their employees understand what information is valuable and how to think critically about its protection. Guidelines, policies, and education can help the employees understand the risks associated with information exchange in both their personal and professional lives, creating a security-focused culture.

2. Security awareness education

One of the areas that appears to be lacking across the board is high quality and meaningful security awareness education. Educating the population to meet compliance requirements is not sufficient. In our experience, there is a definite relationship between companies that provide frequent and relevant awareness training and the amount of information that company surrenders. An organization that places a priority on education and critical thinking is sure to possess a workforce that is far more prepared to deal with malicious intrusions, regardless of the attack vector. Security awareness training needs to be practical, interactive, and applicable. It also needs to be conducted on a consistent basis. It doesn’t require that a company plans large events each month, but regular security reminders should be sent out to keep the topic fresh in the employees’ minds. In addition, we have found through our practice that companies who employ ongoing phishing and vishing awareness campaigns through real world testing often fare better at these threats than those who do not. Many times, the difficulty lies in businesses making training and education a priority to the extent that appropriate resources are allocated to ensure quality and relevance. Security education cannot be from a canned, pre-made solution. Education needs to be specific to each company and, in many cases, even specific to each department within the company. Companies who truly understand the challenges and rewards associated with high quality training and education will find themselves most prepared for the inevitable.

3. Realistic testing

One large mistake that many organizations make is assuming a deficit model of decision making, which states that if individuals are provided with more information, they will make better decisions. There is a significant amount of research that indicates this is untrue. The key to helping a population make safer decisions is through realistic testing. Only placing an individual in the position of actually making a decision in a safe setting can assure the organization that their employees will make the right choice at the critical time. Two of the most necessary aspects of security are the social engineering risk assessment and penetration test. When a proper risk assessment is conducted by professionals who truly understand social engineering, real-world vulnerabilities are identified. Leaked information, social media accounts, and other vulnerable aspects of the company are discovered, cataloged, and reported. Potential attack vectors are presented and mitigations are discussed. A social engineering penetration test increases the intensity and scrutiny; attack vectors are not simply reported, but executed to test a company’s defenses. The results are then used to develop awareness training and can truly enhance a company’s ability to be prepared for these types of attacks. We conclude that if the companies targeted in this year’s competition possessed regular social engineering risk assessments and penetration testing, they might have been more aware of possible attack vectors and been able to implement education and other mitigation to avoid these potential threats.

These are just three of the many strategies that can be utilized to improve and maintain security and prepare for the attacks being launched on companies every day. Our hope is that this report helps shed light on the threats presented by social engineering and opens the eyes of corporations to how vulnerable they really are.


About the Social-Engineer Village

The Social-Engineer Village is now a popular staple at both DEFCON and DerbyCon. In addition to hosting the SECTF, SEORG has created a series of events to entertain and educate attendees on all things social engineering. This year we offered a reboot of previous years’ “Mission SE Impossible” challenge that simulated an office break-in and emphasized the critical thinking skills necessary to perpetrate successful corporate espionage. We also hosted a number of presentations by well-known social engineers to provide our audience with their unique perspectives in the field, the Social Engineering CTF for Kids, a new Social Engineering CTF for Teens, and our own live SEORG podcast. Based on an overwhelmingly positive response, the Social-Engineer Village is planning to return in 2018 to both DEFCON and DerbyCon. We will be releasing a Call for Papers along with our call for 2018 SECTF contestants in coordination with conference announcements. Please watch our website www.social-engineer.org and our social media accounts @humanHacker, @SocEngineerInc, and https://www.facebook.com/seorg.org for the most current information.


Conclusion

This was another fantastic year for the SECTF. This year, most were first-time contestants, proving that anyone with a telephone and courage can obtain valuable information. With some of the novice competitors outperforming experienced security professionals, the competition continues to demonstrate that social engineering can be a powerful skill for people at any level. Unfortunately, as in years past, our limited findings show that companies are still vulnerable to social engineering attacks. It is our hope that this will change as we continue to expand our event and stress ongoing preparation, not just the attention garnered at DEFCON. If you, or your organization, have any questions regarding any aspect of this report please contact us at: [email protected].


About Social-Engineer, LLC

Social-Engineer, LLC is the premier consulting and training company specializing in the art and science of social engineering (SE). Social tactics are an established and quickly growing trend in information security in the forms of phishing, phone elicitation (vishing), and impersonation. With more than three decades of combined experience, Social-Engineer, LLC assists organizations in government, law enforcement, and the private sector in detection and mitigation of the devastating effects of both physical and information breaches. Social-Engineer, LLC focuses on the abilities of a hostile attacker to exploit the human element of businesses to gain access to corporate assets. Through assessment, education, and training, Social-Engineer, LLC helps organizations protect themselves and their trade secrets. To learn more about professional social engineering services, please visit: http://www.social-engineer.com/social-engineering-services/.


Sponsors

The 2017 Social Engineering Capture the Flag contest and the Social-Engineering Village would not have been possible without the generous support of the following organizations:

www.social-engineer.com

http://www.phishline.com/

www.pindropsecurity.com

https://www.ravenii.com/

