11/8/2016 Proprietaryinformation.Pleasecontactsectf@social-engineer.org 1

TheDEFCON24SocialEngineering

CapturetheFlagReport

POBox62,Brooklyn,PA18813|800.956.6065|www.social-engineer.org

Social-Engineer,LLC

©AllrightsreservedtoSocial-Engineer,LLC,2016.

Nopartofthispublication,inwholeorinpart,maybereproduced,copied,transferredoranyotherrightreservedtoitscopyrightowner,includingphotocopyingandallothercopying,anytransferortransmissionusinganynetworkorothermeansofcommunication,anybroadcast

fordistancelearning,inanyformorbyanymeanssuchasanyinformationstorage,transmissionorretrievalsystem,withoutpriorwrittenpermissionfromtheauthor(s).

11/8/2016 Proprietaryinformation.Pleasecontactsectf@social-engineer.org 2

TableofContentsExecutiveSummary............................................................................................3

OverviewoftheSECTF........................................................................................4BackgroundandDescription....................................................................................................................4

2016Parameters.................................................................................................................................6TargetCompanies....................................................................................................................................7Competitors.............................................................................................................................................7Flags.........................................................................................................................................................8Scoring...................................................................................................................................................10RulesofEngagement.............................................................................................................................11

ResultsandAnalysis.........................................................................................12OpenSourceIntelligence.......................................................................................................................12Pretexting...............................................................................................................................................16LiveCallPerformance............................................................................................................................17CompetitorSummary.............................................................................................................................19FinalContestResults..............................................................................................................................20Discussion..............................................................................................................................................23

AbouttheSocial-EngineerVillage.....................................................................27

Conclusion........................................................................................................28

AboutSocial-Engineer,LLC...............................................................................29

Sponsors..........................................................................................................30

11/8/2016 Proprietaryinformation.Pleasecontactsectf@social-engineer.org 3

ExecutiveSummary

Social-Engineer.org(SEORG)hostedtheSocialEngineeringCapturetheFlag(SECTF)contestatDEFCON24inLasVegas,NevadafortheseventhyearinarowinAugustof2016.Thisyear’scompetitiontargetedinformationsecuritycompanies.

Fromover150entries,weselected14competitorsfromdiversebackgroundsandexperiencelevelstotesttheirsocialengineeringabilities.Belowisatablehighlightingsomebasicstatisticsfromthisyear’scompetition:

Asinyearspast,theoverallgoalsofthiscontestweretoraiseawarenessoftheongoingthreatposedbysocialengineeringandtoprovidealivedemonstrationofthetechniquesandtacticsusedbythepotentialmaliciousattacker.Therewereverystrictrulesofengagementinplacetoensurenosensitiveinformationoncompaniesorindividualswasdisclosed.Tofurtherprotectemployeesoftargetcompaniesfrompotentialnegativerepercussions,identitiesofthosecontactedisneitherrecordednorretained.

Itisimportanttonotethatthereportingofatargetcompany’soverallperformanceisacombinationofpointsscoredbytheirassignedcontestantinbothOpenSourceIntelligence(OSINT)gatheringandlivecallphasesofthecontest.Thescoringalonecontainedwithinthisreportdoesnotnecessarilyindicatethatonecompanyislesssecurethananothercompany.However,itisanindicatorofthepotentialvulnerabilitiesthatexistanddemonstratesthatdespitetraining,warningsandeducation,socialengineeringisstillaveryseriousandviablethreattocorporations.

Targetcompanies 14Competitors 14Completedcalls 160Totalpointsscoredonreports 1698Totalpointsscoredoncalls 4352

Table1:SECTFgeneralsummary

11/8/2016 Proprietaryinformation.Pleasecontactsectf@social-engineer.org 4

OverviewoftheSECTF

TheSocialEngineeringCapturetheFlag(SECTF)isanannualeventheldwithintheSocial-EngineerVillageattheDEFCONHackingConferenceinLasVegas,NV.TheSECTFisorganizedandhostedbySocial-Engineer.Org(SEORG),thenoncommercial,educationaldivisionofSocial-Engineer,LLC.

Thecompetitionwasformedtodemonstratehowserioussocialengineeringthreatsaretocompaniesandhowevennoviceindividualscouldusetheseskillstoobtainimportantinformation.Thecontestisdividedintotwoparts,theinformation-gatheringphasethattakesplacepriortoDEFCON,followedbythelivecallphasethatoccursattheDEFCONconference.

BackgroundandDescription

TheSECTFisacontestinwhichparticipantsattempttoobtainspecificpiecesofinformation,calledflags,fromselectprivate-sectorcompanies.Thepurposeofthecontestistodemonstratehowmuchinformationcanbefreelyobtainedeitherthroughonlinesourcesorviatelephoneelicitation.

MonthspriortotheDEFCONevent,wesolicitedforindividualswhowishedtocompeteviaoursocialmediaoutletsandwww.social-engineer.orgwebsite.Wealsoaskedparticipantstosubmita90-secondvideooutliningwhytheyshouldbeincludedinthecontest.Ourpanelmadeselectionsbasedonanumberoffactorstoincludedesiretolearnaswellasourperceptionofthecontestant’sintent.Asthisisaneducationalevent,wewishourparticipantstohaveaverystrongemphasisonultimatelyhelpingthestatusofcorporatesecurityasopposedtothesingulargoalof“winning”anengagement.Fromover150applicants,weselected14contestantsandrandomlyassignedthemtoacompany.

Contestantswerenotmadeawareofanyothercompetitorsortargetcompaniesotherthantheirownpriortotheircalltimeattheliveevent.ThetargetcompanieswerenotinformedoftheirinclusionintheSECTF,norwastheindustryannouncedpriortoourcontest.Forthisyear,weselectedinformationsecurityasthetargetindustry.Thesearebrandsthatbusinessesrelyontoassisttheirpopulationsinthedefenseofconfidentiality,integrity,andavailabilityofinformation.

Contestantsweregiven3weekstogatherasmuchinformationabouttheirtargetcompanyaspossibleandgenerateaformalreport.TheywereallowedtouseonlyOpenSourceIntelligence(OSINT)thatcouldbeobtainedthroughsearchenginesortoolssuchasGoogle,FOCA,Maltego,etc.Duringthisinformation-gatheringphase,contestantscouldattempttocaptureasmanyofthepre-definedflagsaspossible.Theinformationgatheredwastobeassembledintoaprofessionallookingreport.Contestantswereprovidedwithasamplereporttoassistthem,but

11/8/2016 Proprietaryinformation.Pleasecontactsectf@social-engineer.org 5

werenotrequiredtousethistemplate.Inadditiontotheflags,pointswerealsoawardedbasedontheprofessionalismandqualityofthereport,with10bonuspointsawardedforreportssubmittedearly.

ContestantswerethenassignedatimeslottoperformtheirlivecallsoneitherFridayorSaturdayduringDEFCON24inLasVegas,NV.

Greatcarewastakeninthedevelopmentofthecontesttoensuremaximumsuccessforthecontestants.SincethecontestwasheldontheWestCoast,companieswhoseheadquarterswerelocatedontheEastCoastwereassignedearliertimeslots.Furthermore,companieswhoweremoreeasilyaccessibleduringnon-standardbusinesshourswereassignedSaturdaytimeslots.

Contestantswereplacedinasoundproofboothandrequiredtoprovidealistofphonenumbers(obtainedduringtheinformation-gatheringstage)atthetargetcompanytocallalongwithphonenumberstheywishedustospoof.CallerIDspoofingisamethodthroughwhichone’sincomingphonenumbercanbeforged,or“spoofed”.Thisisatacticcommonlyusedbysocialengineerstoincreasetheircredibilitywithrecipients.

Eachcontestantwasfreetousetheirentireallotted25-minutetimeslottoperformasmanyorasfewcallsastheywished.AlthoughUnitedStatesfederallawonlyrequiresonepartytobenotifiedintheeventofrecordingatelephonecall,manystates(Nevadaincluded)havecreatedadditionallawsrequiringbothpartiestoconsent.Sincewecouldnotobtaintheconsentoftargetcompanieswithoutjeopardizingtheintegrityofthecontest,norecordingofanytypewaspermitted(includingthatbytheaudience).Photographswereallowedwithpermissionofthecontestant.

Scoringwasaccomplishedduringeachcallbythreejudges.Basedonverypositivefeedbackfrompreviousyears,weagaintookopportunitiesaftereachcalltodiscussthecallwiththeaudience.Duringthattime,weanalyzedthesuccessofthetechniquesused,andansweredasmanyquestionsdirectedtoeitherjudgingpanelorcontestantastimeallowed.Subsequenttothecontest,scoringandcommentswerereviewedalongwiththereportssubmittedpriortoDEFCONtodeterminethewinners.

Itshouldbenotedthatall14contestantswererequiredtoplacea$20USDfullyrefundabledeposittoreservetheirspotatthecontest.AllcontestantswererefundedthisdepositimmediatelyaftercompletingtheircallattheDEFCONportionofthecontest.

11/8/2016 Proprietaryinformation.Pleasecontactsectf@social-engineer.org 6

2016Parameters

Overall,weattempttokeepthemajorparametersofthecompetitionasconsistentaspossiblefromyeartoyear.However,wedomakechangestoensurethatthecontestcontinuestobechallengingandeducationalforbothcontestantsandaudience.Primarychanges:

o Theabilitytospoofwasallowedforallcontestantso Thetargetcompanieswereallinformationsecuritycompanies

11/8/2016 Proprietaryinformation.Pleasecontactsectf@social-engineer.org 7

TargetCompanies

TheSocial-Engineerstaff,throughanopennominationandvotingprocessaccomplishedtargetselection.Wemadeeveryattempttoensurethatnobiaswasintroducedthroughattitudesorpreconceivednotionsregardinganyparticularcompany.Ingeneral,weattemptedtoselectFortune500orlargercompaniesfromtheinformationsecurityindustry.Asbusinessesmustfocusontheircorecompetencies,manydonothavetheinternalresourcesforin-houseinformationsecurityteams.Theymustrelyontheexpertiseofexternalserviceproviders,andascompaniesresponsiblefortheprotectionofclientinformation,theseprovidersmustthemselvesbeextremelycognizantoftheirowninformationsecurity.Asinpreviousyears,wemadethecallforcompaniestobewillingparticipantsintheSECTF.Nocompaniesvolunteered;therefore,noneofthecompanieschosenwereawareoftheirselectionpriortotheDEFCONconference.Thetargetlist(inalphabeticalorder):

1. AkamaiTechnologies2. CiscoSystems3. ComcastXfinity4. DellSecureWorks5. DeloitteToucheTohmatsuLimited6. EMCCorporation7. Fortinet8. InternationalBusinessMachinesCorporation(IBM)9. OracleCorporation10. PaloAltoNetworks11. RSASecurity12. SophosGroup13. SymantecCorporation14. SYNNEXCorporation

Competitors

Asinallpreviousyears,oneofourcorerulesisthatnooneisvictimized.Thisincludesthosewhochoosetoparticipate,thosewhoarecalled,andthecompaniestheyworkfor.Ourcontestant’spersonalinformationisneverrevealedandtheyareonlyphotographediftheyprovideexplicitverbalpermissionpriortotheirlivecallsegmentatDEFCON.Novideo

11/8/2016 Proprietaryinformation.Pleasecontactsectf@social-engineer.org 8

recordingofcontestantsduringtheircallsiseverpermittedduetotwo-partyconsentlawsinthestateofNevada.

Therewere14competitorsselectedfromanoriginalpoolofover150applicants.Notallwereskilledcallersorexperiencedsocialengineers.Formany,thiswastheirfirstattemptateverplacingadeliberatesocialengineering-basedcall.Someofthecontestantswereredteamorsecurityspecialists,butmanywerefromotherfieldsnotrelatedtosocialengineeringorinformationsecurity.

Flags

A“flag”isaspecificpieceofinformationthatthecontestantsattemptedtoobtaininboththeOSINTandlivecallportionsofthiscompetition.

Everyyear,wesendanoverviewofflags,rules,targetsandotherpertinentinformationtoourlegalcounsel.Wedothistoensurewearestayingwithinthelegalboundarieswesetforourselveswhenwestartedthiscompetition.

Table2outlinesthelistofspecificflags,theircategories,andpointvaluesfor2016:

11/8/2016 Proprietaryinformation.Pleasecontactsectf@social-engineer.org 9

Table2:FlaglistforSECTFatDEFCON24in2016

DEFCON24SECTFFlagList

Reportpoints CallpointsLogistics IsITSupporthandledinhouseoroutsourced? 3 6Whodotheyusefordeliveringpackages? 3 6Doyouhaveacafeteria? 4 8Whodoesthefoodservice? 4 8 OtherTech IsthereacompanyVPN? 4 8Doyoublockwebsites? 2 4Ifwebsiteblock=yes,whichones?(Facebook,EBay,etc.) 3 6Iswirelessinuseonsite?(yes/no) 2 4Ifyes,ESSIDName? 4 8Whatmakeandmodelofcomputerdotheyuse? 3 6Whatanti-virussystemisused? 5 10 CanBeUsedforOnsitePretext Whatisthenameofthecleaning/janitorialservice? 4 8Whodoesyourbug/pestextermination? 4 8Whatisthenameofthecompanyresponsibleforthevendingmachinesonsite? 4 8Whohandlestheirtrash/dumpsterdisposal? 4 8Nameoftheir3rdpartyorinhousesecurityguardcompany? 5 10Whattypesofbadgesdoyouuseforcompanyaccess?(RFID,HID,None) 8 16 CompanyWideTech Whatoperatingsystemisinuse? 5 10Whatservicepack/version? 8 16WhatprogramdotheyusetoopenPDFdocumentsandwhatversion? 5 10Whatbrowserdotheyuse? 5 10Whatversionofthatbrowser? 8 16Whatmailclientisused? 5 10Doyouusediskencryption,ifsowhattype? 5 10FakeURL(gettingthetargettogotoaURL)www.seorg.org N/A 26 EmployeeSpecificInfo Howlonghavetheyworkedforthecompany? 3 6Whatdaysofthemonthdotheygetpaid? 3 6Employeesscheduleinformation(start/endtimes,breaks,lunches) 3 6Whatisthenameofthephone/PBXsystem? 4 8Whenwasthelasttimetheyhadawarenesstraining? 5 10

11/8/2016 Proprietaryinformation.Pleasecontactsectf@social-engineer.org 10

Scoring

Social-EngineerhadaproprietaryapplicationdevelopedforthepurposeofscoringboththeOSINTandlivecallportionsofthecompetition.FlagsobtainedduringtheOSINTphaseofthecontestwereworthhalf-points(pleaseseeTable2).OSINTreportswerescoredpriortothelivecallevent.Scoringduringthetelephonecallswasaccomplishedliveusingthesameproprietaryapplicationmentionedabove.Judgeswereabletoinputscoresintoadatabasefortheflagsastheywereobtained.Flagscapturedduringthisportionoftheeventwereawardedfullpoints(pleaseseeTable2).Thesameflagcouldbecapturedmultipletimesbythecontestanteitherbycontactingdifferenttargetsonthesamecall(e.g.,throughbeingtransferred)oronsubsequentcallswithintheallotted25minutes.Forexample,ifthecontestantreachedthreedifferentpeopleandconvincedallthreetonavigatetothewebsiteofthecontestant’schoosing(aflagworth26points),theywouldhavereceivedseventy-eightpoints.Everyattemptwasmadetoensureconsistencyinscoringforallcontestants,regardlessofthejudge,althoughourscoringprocessdoesprovidesomesubjectivitythroughtheabilitytoincludenotesandcommentsbyeachjudgeforeachcontestant.Attheendofthecompetitionthescoresweretotaledbytheapplicationtodeterminethewinningscore.InadditiontodeterminingtheSECTFwinnerbasedonpointstotals,wealsoconductedananalysisofhowthetargetcompaniesfaredinresponsetoasocialengineeringattack.Itfollowsthattheinterpersonalskillsandoverallpreparationofthecontestantwashighlypredictiveintheoutcomesindicatedbybothscoresaswellassubjectiveassessmentsofperformancebythejudges.Unfortunately,acompanycannotrelyonthehopethatamalicioussocialengineerwillbeinexperienced,unskilled,orunprepareduponwhichtobasetheirsenseofcorporatesecurity.

11/8/2016 Proprietaryinformation.Pleasecontactsectf@social-engineer.org 11

RulesofEngagement

Contestantsareheldtoverystrictrulestoensuretheprotectionoftargetcompaniesaswellastheiremployees.Thecorerulesremainedthesameasinpreviousyears.Wedidnotallowthecollectionofsensitivedatasuchascreditcardinformation,socialsecuritynumbers,andpasswords.OnlyOpenSourceIntelligence(OSINT)wasallowed.Wedidnotallowphysical(i.e.facility)ortechnical(i.e.network)penetrationintocompanies.Inaddition,wedidnotallowthecontestanttovisitanylocationoftheirtargetforinformationgatheringpurposesorinteractwithanypersonfromthetargetbeforethecallsatDEFCON.Wealsospecificallyavoidedsensitiveindustriessuchasgovernment,education,healthcare,andfinance.

Themostimportantrulestressedtoallcontestantsisthattherewastobeabsolutelynovictimizationofanyindividualsortargetcompanies.FormorespecificinformationontheROE,pleaseseeourrulesandregulations:http://www.social-engineer.org/ctf/def-con-sectf-rules-registration/.

11/8/2016 Proprietaryinformation.Pleasecontactsectf@social-engineer.org 12

ResultsandAnalysis

Highprofileeventsasaresultofmalicioussocialengineeringareillustrativeofthefactthatcorporationscontinuetobepooratprotectingcriticalinformation.Unfortunately,thisyear’sSECTFsupportedthistrendasourcontestants,bothexperiencedandnewcomerswereabletoobtainflagsboththroughOSINTandthelivecalls.Ourfindingsaredetailedinthesectionsthatfollow.Itshouldbenotedthatanycomparisonstopreviousyears’performanceisforsubjectivetrendanalysisonly.Sincepopulationsandsamplesizesarenotequivalentacrossyears,statisticalanalysisisnotappropriateandwasnotperformed.

OpenSourceIntelligence

Preparationpriortoanysocialengineeringengagementiscritical.Itisthisphasethatisthemosttime-consumingandlaborious,butcanmostoftendeterminethesuccessorfailureoftheengagement.Theprofessionalsocialengineermustbeawareofalloftheinformation-gatheringtoolsfreelyavailableaswellasthemanyaccessiblelocationsonlinethathousevaluablepiecesofdata.

ThefollowingtableisalistoftoolscommonlyusedbyprofessionalsocialengineersaswellasourcontestantsduringtheOSINTphaseoftheSECTF:Google

Maltego

LexisNexis

FOCA

Twitter

PiPl

Reddit

Facebook

Plaxo

GoogleMaps

Shodan

PicasaWeb

WhoIs

WGet

Vimeo

Tineye

WaybackMachine

LinkedIn

Monster

GlassDoor

Yelp!

Craigslist

Spokeo

YouTube

FourSquare

Friendster

theHarvester

GoogleImages

Telnet

EchoSec

DuckDuckGo

Pinterest

JigSaw

Table3:CommonlyusedOSINTtoolsandwebsites

11/8/2016 Proprietaryinformation.Pleasecontactsectf@social-engineer.org 13

Thequalityandresearchdedicatedtothereportscontinuestobeimpressive.However,continuingthetrendfromtheprevioustwoyears,thescoresforcallsoutperformedthoseforthereports.Thisreversesthetrendsetintheearliestyearsofthecompetition.Figure1showsasimilarpointdistributiontolastyear’scompetition.ItshouldagainbenotedthatpointsawardedforflagawardedduringOSINTareworthhalfthevalueofthoseawardedduringlivecalling.

Figure1:ComparisonofOSINT/CallsPointsAwarded2015-2016

Thefollowingsmalllistofthisyear’sfindingsdemonstratesthatthedangerposedbysocialengineeringinformationgatheringisextremelyprevalent.Anyofthefollowingpiecesofinformationcouldbeusedbyamaliciousattackertofurtherdevelopvishing,phishing,oronsiteimpersonationattacks.Majorcategoriesareasfollows:

EmployeeInformation

- Keypersonnelwerediscoveredtobesharingpersonalinformationviasocialmedia–activities,interests,purchasinghabits,homelocation,relationshipstatusandfriends/familymembers.

- Severalcontestantswereabletofindemployeespostingpicturesfromtheirdesksonsocialmedia.Thesecontainedviewsofthecomputersusedbytheemployees,andinsomecasesviewsoftheemployee’scomputerscreenwithsensitiveinformationdisplayedonit.

11/8/2016 Proprietaryinformation.Pleasecontactsectf@social-engineer.org 14

- Employeeslistedverydetailedinformationontheirexperienceandbackgroundonsocialmedia.

- Somecontestantswereabletofindseveralpostsfromtargetemployeesdiscussingworkschedule.

Technologies

- InformationonoperatingsystemsaswellashardwarewasdiscoveredbyseveralcontestantsduringtheOSINTportion.Thiswouldallowanattackertoselectexploitsspecificallytargetedatacompany’sinfrastructure.

- Informationonsystemarchitecture,operatingsystems,andhardwaredevicesusedbyseveraltargetswasfoundbylookingonjobpostings.

- Multiplecontestantswereabletolocateafullmapoftheirtargetcompany’sVPN.ThiswouldexposetheVPNportaltopotentialattacks.

- SeveralpicturesdisclosedthemakeandmodeloftheWiFiaccesspointsbythetargetcompanies.

- Onetargetdisplayedthemakeandmodelfortheirrouters,firewall,andseveralotherpiecesofhardwareusedtosecureenterprisedata.

PhysicalPlant

- Onsitecafeteriawasdiscoveredtobeopentothepublic,makingbothfacilitiesandemployeesvulnerable.

- Informationregardingofficespaceswasreadilyavailable(e.g.,buildingowners,officermanagers,vacantoffices,othertenants).

- Severalimagesfrominsidetheofficesoftargetcompaniesweredisplayedviasocialmedia.

- ManydetailsaboutthephysicalspacewerelocatedusingtoolssuchasGoogleMaps(e.g.,locationofATMs,security,etc.).

Contractor/Vendor/OtherCompanies

- Avendorlistedatargetastheircustomerforcafeterias.

11/8/2016 Proprietaryinformation.Pleasecontactsectf@social-engineer.org 15

- Manycompaniesemploycontractors,manywhoaresuppliedthroughwell-knowncontractingcompanies.

- AGoogleStreetViewimagediscoveredbyacontestantdisplayedthenameofthetrashpickupcompanyusedbyatargetcompany.

- Onetargetcompanyreceivedarewardforrecycling/compostfromtheirtrashpickupcompany.

- Ajanitorialservicelistedatargetcompanyasaclientontheirwebsite.

SpecialNotes

- Socialmediaaccountsofnumeroustargetemployeeswerelocated.Employeesoftendisclosedinformationtoincludedetailsregardingtechnology,systems,andinfrastructureemployedattheircompanies,aswellasotherpertinentdetailssuchaspayscheduleandspecificjobfunctions.Manyemployees(particularlyexecutivelevelindividuals)possessLinkedInaccountsthatarenotprivate,providingsignificantinformationtoattackers.

- Securitybadgeswereprominentlydisplayedinseveralpicturesdiscovered.Thiswouldallowanattackertocreateaveryrealisticcopytouseinanimpersonationattempt.

- Onecontestantwasabletodiscoveraleaseagreementbetweenthetargetcompanyandthelandlordavailableonline.

- TheESSIDandpasswordforonsitewirelesswasmadepublicviaatweetbyanemployeeforonetarget

- AcontestantwasabletouseknowledgegainedfromobservingGoogleEarthimagesofatargetlocationinhiscalltoobtainaseveralflags.

Werecognizethatmuchoftheinformationlistedaboveisbeyondthecontroloftheorganizationsandindividualsconcerned.However,itisimportanttobeawareofinformationfreelyavailableinordertomitigatepossibleexploitationbymaliciousattackers.

Figure2providesaside-by-sidecomparisonofpointsscoredbycompetitorsagainsttheirassignedcompanyduringtheOSINTportionofthecontest,outofapossible225points.TheX-axisrepresentsthecompetitors,andtheY-axisthepointvaluesfortotalpointsawardedforthisphaseofthecompetition.

11/8/2016 Proprietaryinformation.Pleasecontactsectf@social-engineer.org 16

Figure2:OSINTScoresbyCompetitor

TheOSINTportionofourcompetitionstressesafewkeypoints.First,thisemphasizestheoverallimportanceoftheinformation-gatheringphaseofanysocialengineeringengagement.Athoroughonlineinvestigationcanprovideanindividualwithaverygoodunderstandingofwhen,where,andhowcompaniesconductbusinessaswellastheonlineactivitiesoftheiremployeesthroughvectorssuchassocialmedia.Second,anyimagesfoundcanbeextremelyusefulformaliciousattackers.Forinstance,ifanattackerknowswhatbuildingslooklike,thelocationofentrancesandbreakareas,andperhapsevenfindspicturesofcorporatebadges,theseareallpotentialvulnerabilities.Finally,ourOSINTexercisestressestheissueofonlinedataleakagebyorganizations.Networkpenetrationwasnotallowed;theflagsduringtheOSINTphasewereobtainedthroughinformationfreelyfoundonlinewithoutanyliveinteractionwithindividualsatthetargetcompanies.

Pretexting

Selectingaproperpretextisakeycomponenttothesuccessofavishingcampaign.Thisyeartherewereavarietyofpretextsusedwithvaryingdegreesofsuccess.Newcomerspredictably

11/8/2016 Proprietaryinformation.Pleasecontactsectf@social-engineer.org 17

struggledthemostwithbothbelievablepretextsaswellaswithmaintainingthepretextforthedurationofthecall.

Somecontestantsattemptedtouseaccentswhichwerenotnaturaltothemandfoundverylittlesuccess.Animportantthingtorememberwhenselectingapretextistoselectonewhichisthemostbelievable.Severaloftheyoungersoundingcontestantswereabletoobtaingoodresultsusingintern/collegestudentpretextswherethesewouldbeinappropriateforoldersoundingcontestants.Severalnewcomersdemonstratedanabilitytousetheinherentnervousnesspresentwhencompetingaspartoftheirpretext.

OneofthemostimportantrulesfortheSECTFisthatcontestantsarenotallowedtousenegativepretexting.Thisincludesthreateningdisciplinaryaction,and/orusingextremefearorangertowardsatarget.Thisruleisinplacetokeeptargetsfrombeingleftinfearfortheiremploymentaswellastoprovideachallengetothecontestantstoformulateapretextthatismorecreative.Thisyear,onecontestantdidattemptapretextwhichthejudgingpanelfeltincitedextremefearinatarget.Hiscallwasinterruptedandhewasinstructedtorecallthetargettorectifythesituation.

LiveCallPerformance

ThelivecallportionoftheSECTFisaninterestingtrialforthecontestant.Itisnotonlyatestinmentalagilityandtheabilitytoinfluenceapersoninreal-time,butalsoataskthatmustbeaccomplishedinfrontofaliveaudience.TheluxuryoftimeandtrueanonymityenjoyedintheOSINTphasearenotapplicable.Itisforthatreasonwecongratulateallofourcontestantsincompletingthisphaseofthecompetition.Figure3quantifiespointvaluesscoredbythecontestantsagainsttheirassignedcompanyduringthelivecallportionofthecontest.TheX-axisrepresentsthecontestantsandtheY-axisthepointvaluesawarded.ItshouldbenotedthatsomecontestantsfounddifficultyreachingcompaniestowardstheendofthebusinessdaywhileotherswereillpreparedwithveryfewphonenumbersdiscoveredduringtheOSINTportionofthecompetition.

11/8/2016 Proprietaryinformation.Pleasecontactsectf@social-engineer.org 18

Figure3:LiveCallScoresbyCompetitor

Thefollowingareobservationsmadeduringcalls.

- Competitorswhowerethemostsuccessful:o Wereverywellprepared.TheyhadconductedthoroughOSINTandpossessed

morethanenoughpossibletargets/phonenumberstocall.Theywerealsofamiliarwithinternalterminology,systems,processes,andinonenotablecase,veryrecentcorporatenews.

o Developedgoodrapportwiththetarget.Inonecase,thecontestantestablishedapretextwhichallowedhimto‘assist’atargetwithfiguringoutwhyafakelinkwasn’tworkingwhichledtoachievingahighnumberofflags.

o Dealtwellwithanunpredictableenvironment.Thiscontestillustratesthedifficultyoflivecalling.Ourbestcompetitorsthoughtquicklyontheirfeetandwereabletoadjustpretextsandquestionsevenwhenthecallappearedtobegoingpoorly.

o Carefullyplannedtheorderoftheirquestions.Themostexperiencedcontestantstendedtostartwithnon-threateningquestionsandgraduallypressedthetargetsintodisclosingmoresensitiveinformation.

o Werepersistent.Inonecase,acompetitorwasunabletoreachhistargetsandwalkedhistelephonenumberscalledupbyonedigitinanattempttoreachpeople.Inanumberofcases,competitorsrecalledindividualswhenunabletoreachothertargets.

- Competitorswhohadthemostdifficulty:

11/8/2016 Proprietaryinformation.Pleasecontactsectf@social-engineer.org 19

o Werenotabletomaketheirpretextsimmediatelycleartotheirtargets.Withoutbeingabletoestablishwho,what,andwhyimmediately,thesecompetitorsoftenrambledandwereunabletodevelopproperrapport.

o Werequicktoabandonacalliftheymeteventheslightestresistance.o Didnotproperlyresearchthecompanybeforethelivecallingphase.

- Techniques:

o Anumberofsuccessfulcompetitorsescalatedtheirrequestsfromsmalltolarge.o Onecompetitoraddedanincentivetohispretextbyofferingagiftcardfor

completingasurvey.Uponcompletionofabriefsurveythecompetitorwasabletoobtainseveralmoreflagsbyassistingthetargetwithreceivingthegiftcard.

o Anumberofsuccessfulcompetitorsphrasedtheirelicitationsasconfirmationofinformationtheyalreadyknew(collectedintheOSINTphase).

o Successfulcompetitorsalsouseddeliberatefalsestatementstohavethetargetcorrectthemwiththecorrectflag.

o Anumberofcompetitorsuseda“rapidfire”styleofquestioning,essentiallyoverwhelmingtheirtargets.Dependingontheamountofrapportestablished,thiswasasuccessfultechnique.

- AdditionalObservations:o Onecompetitornoticedthattherewasadumpsternexttothesmokingareafor

acompanyduringtheOSINTphaseandusedthistoobtainthetrashpickupcompanyflagduringthecalls.

o Twoofourcompetitorswereunabletoobtainflagsduetopersonnelnotansweringcalls.Thismirrorsactualsocialengineeringengagementsanddemonstratesthelackofpredictabilityandcontrolinherentinvishingcalls.

o Inmorethanonecase,acompany’scorporatedirectoryprovidedthefullnamesofindividuals,providingmultipletargetopportunitieswithasinglecall.

CompetitorSummary

Thisyearwehadourtypicalrangeofnovicesocialengineerstoprofessionalpenetrationtesters.AverageOSINTperformanceforthisyearremainedidenticalcomparedtolastyearasdemonstratedinFigure4.However,sincewemakechangestotheconditions,numberofcompetitors,andscoringeachyear(e.g.,extrapointsfor“tag-outs”in2014),theseaveragesareonlyvaluableintermsofidentifyinglargetrendssuchasthedatareversalwesawin2014.Callscoreappearstohavefallenthisyearwhichmaybeattributedtothedifficultysomecompetitorshadinreachingemployeesatthetargetcompanies.Themathematicalaverageisalsoimpactedbyoutlyingscores(eitherveryhighorverylow),soarerelativelylimitedinthe

11/8/2016 Proprietaryinformation.Pleasecontactsectf@social-engineer.org 20

informationitconveys.OnecansurmisethatperhapscompetitorsthisyearcontinuedtoemphasizecallphasepreparationandperformanceovertheOSINTphase.

Figure4:MeanPerformanceforSECTF2013-2016

FinalContestResults

Attheconclusionofthelivecallportionofthecontest,thejudgingpanelmetandreviewedallscores.Figure5isatallyofOSINTscores,callscores,andgrandtotalbycompany.Thehigherscoredenotesthatahighernumberorvalueofflagsweresurrendered,andisindicativeofpoorerperformanceonthepartofthecompany.

11/8/2016 Proprietaryinformation.Pleasecontactsectf@social-engineer.org 21

Figure5:CompanyRanking

Keepingwiththetrendfromlastyear,contestantsreliedheavilyonthecallportionfortheirscore.Unfortunately,itshouldalsobenotedthattherewereseveraltargetsthisyearcompletelyuntestedduringthecallportionduetopersonnelsimplynotansweringtelephonecallsatall.Finally,everytargetcompanydisclosedatleastsomeinformation(eitherdiscoveredduringOSINTorduringlivecalls)whichcouldbeusedasapossibleattackvectorformaliciousactors.Therankingofcompaniesfrombestperformance(lowestscore)toworstperformance(highestscore)isasfollows:

1. Symantec2. IBM3. Oracle4. EMC5. SYNNEX6. PaloAlto7. Fortinet8. SecureWorks9. Sophos10. Akamai11. CISCO12. RSA13. Deloitte

11/8/2016 Proprietaryinformation.Pleasecontactsectf@social-engineer.org 22

14. ComcastXfinity

Wedonotreleaseinformationonspecificvulnerabilitiesofthecompaniestothegeneralpublic.NOTE–WedoprovidethisinformationdirectlytotheinvolvedcompaniesuponrequestOnepositiveaspectofthelivecallportionoftheSECTFeachyearistoseewhenacompanyshutsdownthecontestant.Thatis,thepersonfromthetargetcompanyfollowsappropriatesecurityprotocolanddoesnotansweranyquestionsorhangsuponthecall.Eachyearwhenapersonfromatargetcompanystopsacontestant,theroombreaksoutintoapplause.Thisyearwedidhavecallsduringwhich:

- Thetargetattemptedtoverifythecontestantandrefusedtodiscloseanyinformationwhenthecontestantcouldnotbelocatedintheemployeedirectory.

- Thetargetlookedupthedomainandcompanyfromthecontestant’spretextandrefusedtohavefurtherconversationwhentheseturnedouttobefake.

- Thetargetpolitelyshutdownthecontestantinsistingthatanyrequestsforasurveyshouldgotothetarget’smanager.

- Atargetcompanysentabulletincompany-widethatthefirmwasunderattackfromDEFCON.

Despitethesepositivenotes,overall,thisyear’scontestprovedonceagainthatpotentiallydamaginginformationonorganizationsisstilleithereasilyaccessibleonlineordiscoveredviatelephonecallsbyeventhemostnovicecompetitor.Figure6illustratesthenumberoftimeseachflagwasobtainedduringbothOSINTandlivecallphases.Whilenotallflagswererequestedthesamenumberoftimes,thisisatleastanindicatoroflikelyvectorsintoanorganization.Inspectionwillrevealthatthemostcommonlyobtainedflagthisyearwaswhattheamountoftimethetargethadworkedforthecompany,followedbywhetherornottherewasanonsitecafeteria,thenemployeeschedule.Thefirstflagcouldbeusedbyamaliciousattackerindetermininghowdifficultitmightbetoescalateanattackusingthisindividualaswellasthevalueoftheinformationtheymayhold.Anewcomertoanorganizationmaybeaneasiertarget,butmayalsoprovidelessvaluableinformation,dependingontheirjobfunction.Theotherflagscouldbeusedtoperpetratebelievableattacksviaonsiteimpersonationattempts.Thetake-awayhereisthatsocialengineeringisnottheendgame,butisusedastheentrypointtoperpetratetheftofidentityorresources.Themotivatedindividualwillcompileinformationfromanumberofdifferentsourcesandcreatebelievableattacksthataredifficulttorecognizeandresist.

11/8/2016 Proprietaryinformation.Pleasecontactsectf@social-engineer.org 23

ItisinterestingtonotethatEVERYapplicableflagwassurrenderedatleastoncebythetargetcompanies.

Figure6:FrequencyofFlags

Discussion

Thiswas,onceagain,aninterestingandinformativeyear.Basedonallofthedataandourownobservations,wecanconcludeafewpoints.Firstandforemost,socialengineeringcontinuestobeasecurityriskfororganizations.Thiswasourseventhconsecutiveyearhostingthisevent;inthattimeanddespitenumeroushigh-profilesecuritybreachesthatoccurredthisyear,wehavenotseenconsistentimprovementsthatdirectlyaddressthehumanelementinorganizationalsecurity.Evenascompaniesarereportedlyinvestingmoreinsecurityawarenesstrainingandpolicydevelopment,theresultsagainthisyearsupportourbeliefthatoverall,companiesarestilldoingarelativelypoorjob.Notallofourcompetitorswereexperiencedinformationsecurityprofessionals;however,allwereabletoobtainflags.Itdoesnotappearthatemployeesarebeingeducatedtounderstandthevalueoftheinformationtheyholdorhowtoappropriately

11/8/2016 Proprietaryinformation.Pleasecontactsectf@social-engineer.org 24

protectit.Ratherthanacceptarequestatfacevalue,employeesneedtobetrainedandencouragedtoquestion,challenge,andmakegooddecisions.Ifthetrainingtaskistoodifficulttoovercomeimmediately,thenatminimum,employeesneedtohaveproperprotocolsinplacethatallowthemtoquestioncallers.Forexample,ifallemployeeswereforcedtoverifythemselveswithanemployeeIDorotherdailycode,thiscouldgreatlyreducetheriskoftelephone-basedattacksandtheneedforemployeestodecideforthemselvesthecorrectcourseofaction.Ifanorganizationcreatesanambiguoussituationeitherthroughunclearpoliciesorinadequatetraining,employeeswillmakechoicesthatareeasierandlessuncomfortable(e.g.,disclosinginformationasopposedtopolitelydecliningtoanswer).Oursecondconclusionisthatcompaniesarestillallowingsensitivedatatobepostedonline.Indirectoppositiontosecurityisthebasicnatureofconductingmodernbusiness.Clearcommunicationwith,andaccessibilityofinformationby,clientsandpartnersismandatory.Thisplacescompaniesinapositionwheretheyneedtomaketheirresourceshighlyavailable,andperhapsvulnerable.Inadditiontomonitoringcorporateinformation,anotherchallengeforallorganizationsistheinabilitytocompletelycontrolthesocialmediaandotherpostingsofcurrentandpastemployees.Ourcompetitorsclearlyfoundvaluableinformationthroughthesesources,andtheyarecertainlyusedbyprofessionalsocialengineerstocraftphishing,vishing,andonsiteimpersonationattempts.Althoughitisunlikelythatthisvulnerabilitycaneverbecompletelymitigated,clearpoliciesandtrainingcanassistmakingemployeesawareoftheriskinwhichtheyplaceboththemselvesandtheircompaniesbyoversharinginformation.Wesincerelyhopeourfindingsareusefulinmakingtheinformationsecurityindustrysafer,andasecureplaceinwhichtoconductbusiness.MitigationTheongoinggoaloftheSECTFistoraiseawarenessofthethreatthatsocialengineeringpresentstobothorganizationsandindividuals.Thecruxofthisreportistoinformcompaniesofthedangersassociatedwithmalicioussocialengineersaswellashowtheycanmitigatevulnerabilitiesandprotectagainsttheseattacks.Basedonourpracticeandinreviewingthetrendsoverthepastseveralyears,wewouldexpecttheuseofsocialengineeringtocontinuetobeasignificantthreattoorganizations.Technicalcontrolsareonlypartofasolutionthatshouldincludeongoingeducationandauditingasastandardpracticetodefeatmaliciousattackers.Belowareafewsuggestionsforpotentialmitigationofthisthreat.

11/8/2016 Proprietaryinformation.Pleasecontactsectf@social-engineer.org 25

1.DefensiveactionsTheOSINTphaseofthecontestrevealedhowmuchdataonatargetcompanycanbegatheredthroughthesimplestonlinesearches.Companiesmustbalancethebusinessrequirementsofmanagingtheirbrandswiththerisksassociatedwithhavingopenandapproachablecommunicationswiththeiremployeesandtheworld.Tofurthercomplicatetheissue,corporatepoliciesoninformationhandlingaswellasemployeesocialmediausecanoftenbeeithervagueorunrealistic.Companiesneedtosetcleardefinitionsofwhatisandisnotallowedwithregardtothehandlingandpostingofinformation,particularlywithrespecttosocialmedia.Individualswilloftennotmaketheconnectionthatpersonallifebeingdiscussedinanopensocialforumcanbeleveragedtobreachtheiremployers.Inaddition,clearlydefinedpoliciesonhow,where,andwhatkindofinformationcanbeuploadedtounsecuredareasoftheInternetcangoalongwaytosafeguardingcompanies.Finally,companiesMUSThelptheiremployeesunderstandwhatinformationisvaluableandhowtothinkcriticallyaboutitsprotection.Guidelines,policies,andeducationcanhelptheemployeesunderstandtherisksassociatedwithinformationexchangeinboththeirpersonalandprofessionallives,creatingasecurity-focusedculture.2.RealistictestingOneofthemostnecessaryaspectsofsecurityisthesocialengineeringriskassessmentandpenetrationtest.Whenaproperriskassessmentisconductedbyprofessionalswhotrulyunderstandsocialengineering,real-worldvulnerabilitiesareidentified.Leakedinformation,socialmediaaccounts,andothervulnerableaspectsofthecompanyarediscovered,cataloged,andreported.Potentialattackvectorsarepresentedandmitigationsarediscussed.Asocialengineeringpenetrationtestincreasestheintensityandscrutiny;attackvectorsarenotsimplyreported,butexecutedtotestacompany’sdefenses.Theresultsarethenusedtodevelopawarenesstrainingandcantrulyenhanceacompany’sabilitytobepreparedforthesetypesofattacks.Weconcludethatifthecompaniestargetedinthisyear’scompetitionpossessedregularsocialengineeringriskassessmentsandpenetrationtesting,theymighthavebeenmoreawareofpossibleattackvectorsandbeenabletoimplementeducationandothermitigationtoavoidthesepotentialthreats.3.SecurityawarenesseducationOneoftheareasthatappearstobelackingacrosstheboardisquality,meaningful,securityawarenesseducation.Educatingthepopulationtomeetcompliancerequirementsisnotsufficient.Inourexperience,thereisadefiniterelationshipbetweencompaniesthatprovide

11/8/2016 Proprietaryinformation.Pleasecontactsectf@social-engineer.org 26

frequentandrelevantawarenesstrainingandtheamountofinformationthatcompanysurrenders.Anorganizationthatplacesapriorityoneducationandcriticalthinkingissuretopossessaworkforcethatisfarmorepreparedtodealwithmaliciousintrusions,regardlessoftheattackvector.Securityawarenesstrainingneedstobepractical,interactive,andapplicable.Italsoneedstobeconductedonaconsistentbasis.Itdoesn’trequirethatacompanyplanslargeeventseachmonth,butregularsecurityremindersshouldbesentouttokeepthetopicfreshintheemployees’minds.Inaddition,wehavefoundthroughourpracticethatcompanieswhoemployongoingphishingandvishingawarenesscampaignsthroughrealworldtestingoftenfarebetteratthesethreatsthanthosethatdonot.Manytimes,thedifficultyliesinbusinessesmakingtrainingandeducationaprioritytotheextentthatappropriateresourcesareallocatedtoensurequalityandrelevance.Securityeducationreallycannotbefromacanned,pre-madesolution.Educationneedstobespecifictoeachcompanyandinmanycases,evenspecifictoeachdepartmentwithinthecompany.Companieswhotrulyunderstandthechallengesandrewardsassociatedwithhighqualitytrainingandeducationwillfindthemselvesmostpreparedfortheinevitable.Thesearejustthreeofthemanystrategiesthatcanbeutilizedtoimproveandmaintainsecurityandpreparefortheattacksbeinglaunchedoncompanieseveryday.Ourhopeisthatthisreporthelpsshedlightonthethreatspresentedbysocialengineeringandopenstheeyesofcorporationstohowvulnerabletheyreallyare.

11/8/2016 Proprietaryinformation.Pleasecontactsectf@social-engineer.org 27

AbouttheSocial-EngineerVillage

DEFCON24broughtbacktheSocial-EngineerVillagebypopulardemand.InadditiontohostingtheSECTF,wecreatedafour-dayeventtoentertainandeducateDEFCONattendeesonallthingssocialengineering.Thisyearweofferedarebootoflastyear’s“MissionSEImpossible”challengethatsimulatedanofficebreak-inandemphasizedthecriticalthinkingskillsnecessarytoperpetratesuccessfulcorporateespionage.Wealsohostedanumberofpresentationsbywell-knownsocialengineerstoprovideouraudiencewiththeiruniqueperspectivesinthefield,theSocialEngineeringCTFforKids,aswellasourownliveSEORGpodcast.Basedonanoverwhelminglypositiveresponse,theSocial-EngineerVillagewillreturnin2017andwillonceagainhosttheHumanTrackatDEFCON25.WewillbereleasingaCallforPapersalongwithourcallfor2017SECTFcontestantsincoordinationwithDEFCONannouncements.Pleasewatchourwebsitewww.social-engineer.organdoursocialmediaaccounts@HumanHacker@SocEngineerInc,andhttps://www.facebook.com/seorg.orgforthemostcurrentinformation.

11/8/2016 Proprietaryinformation.Pleasecontactsectf@social-engineer.org 28

Conclusion

ThiswasanotherfantasticyearfortheSECTF.Thereweremanyfirsttimecontestantsaswellassomereturningfrompastyears.Withsomeofthenovicecompetitorsoutperformingexperiencedsecurityprofessionalsthecompetitioncontinuestodemonstratethatsocialengineeringcanbeapowerfulskillforpeopleatanylevel.Unfortunately,asinyearspast,ourlimitedfindingsshowthatcompaniesarestillvulnerabletosocialengineeringattacks.Itisourhopethatthiswillchangeaswecontinuetoexpandoureventandstressongoingpreparation,notjusttheattentiongarneredatDEFCON.

Ifyou,oryourorganization,haveanyquestionsregardinganyaspectofthisreportpleasecontactusat:sectf@social-engineer.org.

11/8/2016 Proprietaryinformation.Pleasecontactsectf@social-engineer.org 29

AboutSocial-Engineer,LLC

Social-Engineer,LLCisthepremierconsultingandtrainingcompanyspecializingintheartandscienceofsocialengineering(SE).Socialtacticsareanestablishedandquicklygrowingtrendininformationsecurityintheformsofphishing,phoneelicitation(vishing),andimpersonation.

Withmorethanthreedecadesofcombinedexperience,Social-Engineer,LLCassistsorganizationsingovernment,lawenforcement,andtheprivatesectorindetectionandmitigationofthedevastatingeffectsofbothphysicalandinformationbreaches.Social-Engineer,LLCfocusesontheabilitiesofahostileattackertoexploitthehumanelementofbusinessestogainaccesstocorporateassets.Throughassessment,education,andtraining,Social-Engineer,LLChelpsorganizationsprotectthemselvesandtheirtradesecrets.Tolearnmoreaboutprofessionalsocialengineering,servicespleasevisit:http://www.social-engineer.com/social-engineering-services/.

11/8/2016 Proprietaryinformation.Pleasecontactsectf@social-engineer.org 30

Sponsors

The2016SocialEngineeringCapturetheFlagcontestandtheSocial-EngineeringVillagewould

nothavebeenpossiblewithoutthegeneroussupportofthefollowingorganizations:

www.social-engineer.com

www.trustedsec.comhttp://www.phishline.com/

www.pindropsecurity.comhttp://www.asgent.com