Social Engineering Techniques

Will Vandevanter, Senior Security Consultant

Danielle Sermer, Business Development Manager


Agenda

1. Rapid7 Company Overview and Learning Objectives

2. Social Engineering Techniques

3. Summary and Q&A


Rapid7 Corporate Profile

Company

  • Headquarters: Boston, MA

  • Founded 2000, Commercial Launch 2004

  • 110+ Employees

  • Funded by Bain Capital (Aug. 08) - $9M

  • Acquired Metasploit in Oct. 09

Solutions

  • Unified Vulnerability Management Products

  • Penetration Testing Products

  • Professional Services

Customers

  • 1,000+ Customers

  • SMB, Enterprise

  • Community of 65,000+

Partners

  • MSSPs

  • Security Consultants

  • Technology Partners

  • Resellers

Organizations use Rapid7 to Detect Risk, Mitigate Threats and Ensure Compliance

#1 Fastest growing company for Vuln. Mgmt

#1 Fastest growing software company in Mass.

#7 Fastest growing security company in U.S.

#15 Fastest growing software company in U.S.


Social Engineering Techniques


Will Vandevanter

  • Penetration Tester and Security Researcher

  • Web Application Assessments, Internal Penetration Testing, and Social Engineering

  • Disclosures on SAP, Axis2, and open source products

  • Twitter: @willis__

  • will __AT__ rapid7.com


Social Engineering Definition

Wikipedia (also sourced on social-engineer.org)


Social Engineering Definition Revisited

  • The act of manipulating the human element in order to achieve a goal.

  • This is not a new idea.


Visualizing the Enterprise


Goal-Oriented Penetration Testing

  • The primary objective of all assessments is to demonstrate risk

  • ‘Hack Me’ or ‘We just want to know if we are secure’ is not specific enough

  • How do I know what is most important to the business?


How We Use Social Engineering

  • To achieve the goals for the assessment

  • To test policies and technologies


Commonalities

1. Information Gathering

2. Elicitation and Pretexting

3. The Payload

4. Post Exploitation

5. Covering your tracks


Electronic Social Engineering


Information Gathering

  • White Box vs. Black Box vs. Grey Box

  • Know Your Target

  • Gather Your User List

    • Email address naming schemes (first.last, flast, ...)

    • Document meta-data

    • Google Dorks

    • Hoovers, Lead411, LinkedIn, Spoke, Facebook

  • Verify Your User List

  • Test Your Payload

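As an added example (not from the original deck), the email address naming scheme step above in working Python: given a handful of addresses recovered during information gathering, it votes each one against common corporate naming conventions, picks the winning scheme and mail domain, and applies that scheme to the harvested name list. The names, addresses and domain are constructed for this example; verifying the resulting list against the target's mail server (the "Verify Your User List" step) is left out because it needs network access.

```python
import re
from collections import Counter

# Constructed sample: addresses a tester recovered from document metadata and
# search results. Names and the domain are invented for this example.
KNOWN_ADDRESSES = [
    ("Alice", "Nguyen", "alice.nguyen@example-corp.com"),
    ("Bob", "Okafor", "bob.okafor@example-corp.com"),
    ("Carol", "Steiner", "carol.steiner@example-corp.com"),
    ("Dan", "Lee", "dlee@example-corp.com"),  # legacy alias that breaks the pattern
]

# Constructed target list, e.g. names harvested from LinkedIn.
TARGET_NAMES = [("Erin", "Walsh"), ("Frank", "O'Brien"), ("Grace", "Li")]

# Naming conventions commonly seen in corporate mail systems.
SCHEMES = {
    "first.last": lambda f, l: f"{f}.{l}",
    "firstlast": lambda f, l: f"{f}{l}",
    "flast": lambda f, l: f"{f[:1]}{l}",
    "first_last": lambda f, l: f"{f}_{l}",
    "lastf": lambda f, l: f"{l}{f[:1]}",
    "first": lambda f, l: f,
}


def normalize(name):
    """Lower-case and strip anything that is not a letter ("O'Brien" -> "obrien")."""
    return re.sub(r"[^a-z]", "", name.lower())


def infer_scheme(samples):
    """Vote each known address against every scheme; return the winning scheme,
    the dominant mail domain, and the fraction of samples the winner explains."""
    votes = Counter()
    domains = Counter()
    for first, last, addr in samples:
        local, _, domain = addr.lower().partition("@")
        domains[domain] += 1
        f, l = normalize(first), normalize(last)
        if not f or not l:
            continue
        for name, fn in SCHEMES.items():
            if fn(f, l) == local:
                votes[name] += 1
    if not votes:
        raise ValueError("no known scheme explains any sample")
    scheme, hits = votes.most_common(1)[0]
    return scheme, domains.most_common(1)[0][0], hits / len(samples)


def generate_candidates(names, scheme, domain):
    """Apply the inferred scheme to the harvested names."""
    fn = SCHEMES[scheme]
    return [f"{fn(normalize(f), normalize(l))}@{domain}" for f, l in names]


if __name__ == "__main__":
    scheme, domain, confidence = infer_scheme(KNOWN_ADDRESSES)
    print(f"scheme={scheme} domain={domain} explains {confidence:.0%} of samples")
    for addr in generate_candidates(TARGET_NAMES, scheme, domain):
        print(addr)
```

The confidence figure matters: a scheme that explains 75% of samples (one legacy alias in four here) is worth sending against; one that explains a single sample is a guess, and the unexplained addresses are a hint that a second scheme is in use.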

Template 1 – The Fear Factor

  • Goal: To obtain user credentials without tipping off the user

  • Identify a user login page

    • Outlook Web Access

    • Corporate or Human Resources Login Page

  • Information Gathering is vital


Pretexting


The Payload


Post Exploitation


How Effective Is It?

  • Incredibly Successful

  • Case Study

    • Mid December 2010

    • 80 e-mails sent to various offices and levels of users

    • 41 users submitted their credentials

  • Success varies with several factors

    • Centralized vs. Decentralized Locations

    • Help Desk and internal communication process

    • Number of e-mails sent

    • Time of the day and day of the week matter


Controls and Policy

  • Do your users know whom to contact if they receive an e-mail like this?

  • How well is User Awareness Training working?

  • How well is compromise detection working?

  • Are your mail filters protecting your users?

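The mail-filter and awareness questions above, as an added example that is not part of the original presentation: a Python triage script that pulls the links out of a "fear factor" style HTML message and flags the two tells this template relies on, a visible URL that does not match the href target and a link host that imitates the corporate domain. The corporate domain, the message body and the similarity threshold are constructed assumptions for the example.

```python
import difflib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the organisation's real mail domain(s).
CORPORATE_DOMAINS = {"example-corp.com"}

# Constructed message body modelled on a fake Outlook Web Access quota notice.
SAMPLE_HTML = """
<p>Your mailbox is over quota and will be locked within 24 hours.</p>
<p>Please sign in at <a href="https://owa.example-corp-secure.com/owa/auth.php">
https://owa.example-corp.com/owa/</a> to confirm your account.</p>
<p><a href="https://example-corp.com/it/policy">IT policy</a></p>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from anchor tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_part(host):
    """Crude registrable domain: last two labels (enough for the domains compared here)."""
    return ".".join(host.lower().split(".")[-2:])


def host_of(text):
    text = text.strip()
    if "://" not in text:
        text = "http://" + text
    return urlparse(text).hostname or ""


def is_lookalike(host, corp_domains=CORPORATE_DOMAINS, threshold=0.8):
    """True if host is not a corporate domain but embeds or closely resembles one."""
    reg = registered_part(host)
    if reg in corp_domains:
        return False
    for corp in corp_domains:
        if corp.split(".")[0] in reg:  # e.g. example-corp-secure.com
            return True
        if difflib.SequenceMatcher(None, reg, corp).ratio() >= threshold:
            return True  # e.g. examp1e-corp.com
    return False


def analyze_links(html, corp_domains=CORPORATE_DOMAINS):
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        href_host = host_of(href)
        reasons = []
        # Only treat the anchor text as a URL if it looks like one.
        text_host = host_of(text) if "." in text and " " not in text else ""
        if text_host and registered_part(text_host) != registered_part(href_host):
            reasons.append("display text points to a different host than href")
        if is_lookalike(href_host, corp_domains):
            reasons.append("href host looks like a corporate domain but is not one")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze_links(SAMPLE_HTML):
        print(f["href"], "<-", f["text"] or "(no text)", ":", "; ".join(f["reasons"]))
```

The legitimate IT policy link passes both checks, which is the point: a filter that flags every external link trains users to ignore it, while one that flags mismatched anchors and near-miss domains catches exactly the trick this template depends on.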

Template 2 – Security Patch

  • Goal: To have a user run an executable providing internal access to the network.

  • Information Gathering:

    • Egress filtering rules

    • Mail filters

    • AV


Pretexting


The Payload

  • Meterpreter Executable

  • Internal Pivot


Post Exploitation


How Effective Is It?

  • Highly dependent on many factors

  • At least 5-10% of users will run it

  • Case Study

    • July 2010

    • ~70 users targeted

    • 12 Connect backs made

  • Success Varies with Many Factors

    • Egress Filtering

    • Mail Server Filters

    • Server and endpoint AV


Controls and Policy

  • Do your users know whom to contact if they receive an e-mail like this?

  • How well is User Awareness Training working?

  • How well is compromise detection working?

  • Are your mail filters protecting your users?

  • Technical Controls
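For the second template, the technical control that matters most at the mail gateway is the attachment check. This added Python example (not the deck's code) builds a constructed message modelled on the "security patch" pretext and then inspects its attachments the way a filter would: executable extensions, double extensions such as .pdf.exe, an "MZ" executable header hiding behind a document extension, and the contents of zip archives rather than just the archive name. The sender, filenames and bytes are invented; the "MZ" stub is not a real executable.

```python
import email
import io
import os
import zipfile
from email import policy
from email.message import EmailMessage

EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js",
                   ".ps1", ".msi", ".hta", ".jar"}
PE_MAGIC = b"MZ"  # DOS/PE executables start with these two bytes


def build_sample_message():
    """Construct a message modelled on the 'security patch' pretext (invented data)."""
    fake_exe = PE_MAGIC + b"\x90" * 62 + b"This program cannot be run in DOS mode."
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Patch_KB0000/security_update.pdf.exe", fake_exe)
        zf.writestr("Patch_KB0000/README.txt", "Run the installer before Friday.")
    msg = EmailMessage()
    msg["From"] = "IT Helpdesk <helpdesk@example-corp-secure.com>"
    msg["To"] = "employee@example-corp.com"
    msg["Subject"] = "ACTION REQUIRED: critical security patch"
    msg.set_content("Please apply the attached patch today.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="security_update.zip")
    msg.add_attachment(b"%PDF-1.4 constructed placeholder", maintype="application",
                       subtype="pdf", filename="notice.pdf")
    return msg.as_bytes()


def inspect_file(name, data):
    """Return the list of reasons a single file would be blocked (empty if clean)."""
    reasons = []
    root, ext = os.path.splitext(name.lower())
    if ext in EXECUTABLE_EXTS:
        reasons.append(f"executable extension {ext}")
    if os.path.splitext(root)[1]:  # something.pdf.exe
        reasons.append("double extension")
    if data[:2] == PE_MAGIC and ext not in EXECUTABLE_EXTS:
        reasons.append("PE header with non-executable extension")
    if ext == ".pdf" and not data.startswith(b"%PDF"):
        reasons.append("pdf extension without %PDF header")
    return reasons


def inspect_attachments(raw):
    """Walk every attachment, descending into zip archives, and collect findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        if zipfile.is_zipfile(io.BytesIO(data)):
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.is_dir():
                        continue
                    reasons = inspect_file(info.filename, zf.read(info))
                    if reasons:
                        findings.append((f"{name}:{info.filename}", reasons))
        else:
            reasons = inspect_file(name, data)
            if reasons:
                findings.append((name, reasons))
    return findings


if __name__ == "__main__":
    for path, reasons in inspect_attachments(build_sample_message()):
        print(path, "->", "; ".join(reasons))
```

Note that the outer zip and the genuine PDF pass; only the nested .pdf.exe is flagged. A filter that stops at the archive's own extension, or that trusts the declared content type, misses exactly the packaging this template uses.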


Tools of The Trade

  • Information Gathering

    • Maltego

    • Shodan

    • Hoovers, Lead411, LinkedIn

  • Social Engineering Toolkit (SET)

  • Social Engineering Framework (SEF)

  • Metasploit


Physical Social Engineering


Information Gathering

-Sun Tzu


Information Gathering

  • White Box vs. Black Box vs. Grey Box

  • Know Your Target

  • Pretexting is highly important


Pretexting

  • Props or other utilities to create the ‘reality’

  • Keep the payload and the goal in mind

  • Information Gathering is key


Template 1 – Removable Media

  • Goal: To have a user either insert a USB drive or run a file on the USB drive

  • Start with no legitimate access to the building

  • Getting it in there is the hard part


Pretexting USB Drives

  • The Parking Lot

  • Inside of an Envelope

  • Empathy

  • Bike Messenger, Painter, etc.


Payload

  • AutoRun an executable

  • Malicious PDF

  • Malicious Word Documents


Post Exploitation


Controls and Policies

  • What are the restrictions on portable media?

  • Was I able to bypass a control to gain access to the building?

  • Technical Controls


Case Study - The Credit Union Heist

  • Goal: “Paul” needed to obtain access to the server room at a credit union

  • The room itself is locked and accessible via key card only.

  • Information Gathering

  • Pretexting


Gadgets

  • RFID card reader and spoofer

  • Pocket Router

  • SpoofApp

  • Lock Picking Tools

  • Uniforms


Closing Thoughts

  • Protecting against Social Engineering is extremely difficult

  • User Awareness training has its place

  • Regularly test your users

  • Metrics are absolutely critical to success

  • During an assessment, much of the outcome comes down to luck
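"Metrics are absolutely critical" and "much of it comes down to luck" describe the same problem: a single campaign's submission rate has wide error bars, so comparing two campaigns, or two offices within one, needs an interval rather than a raw percentage. This added Python example (not from the presentation) rebuilds the 80-sent / 41-submitted figure from the credential-harvest case study and the 12-connect-back / ~70-target figure from the security-patch case study as constructed per-recipient records, reports each rate with a Wilson 95% interval, and breaks the first campaign down by the factors the deck lists (office location and send hour). The per-office and per-hour splits are invented and only their totals match the case studies.

```python
import math
from collections import defaultdict

# Constructed per-recipient plan. The office/hour split is invented; only the
# totals (80 sent, 41 submitted) match the deck's first case study.
CAMPAIGN_PLAN = [
    # (office, send hour, e-mails sent, credentials submitted)
    ("HQ", 9, 30, 19),
    ("HQ", 16, 10, 3),
    ("Branch-A", 9, 20, 11),
    ("Branch-B", 14, 20, 8),
]


def expand(plan):
    """Turn the plan into one record per recipient."""
    rows = []
    for office, hour, sent, hits in plan:
        for i in range(sent):
            rows.append({"office": office, "hour": hour, "success": i < hits})
    return rows


def wilson_interval(successes, n, z=1.96):
    """Wilson score interval for a binomial proportion; behaves well for small n."""
    if n == 0:
        return (0.0, 0.0)
    p = successes / n
    denom = 1 + z * z / n
    center = (p + z * z / (2 * n)) / denom
    spread = z * math.sqrt(p * (1 - p) / n + z * z / (4 * n * n)) / denom
    return (max(0.0, center - spread), min(1.0, center + spread))


def summarize(rows, key=None):
    """Rate and 95% interval overall (key=None) or per distinct value of `key`."""
    groups = defaultdict(lambda: [0, 0])
    for r in rows:
        g = groups[r[key] if key else "all"]
        g[0] += 1
        g[1] += int(r["success"])
    out = {}
    for k, (n, s) in groups.items():
        out[k] = {"sent": n, "hits": s, "rate": s / n, "ci95": wilson_interval(s, n)}
    return out


def report(rows, key=None):
    for k, v in summarize(rows, key).items():
        low, high = v["ci95"]
        print(f"{str(k):>10}: {v['hits']:>3}/{v['sent']:<3} = {v['rate']:5.1%}"
              f"  95% CI [{low:.1%}, {high:.1%}]")


if __name__ == "__main__":
    rows = expand(CAMPAIGN_PLAN)
    report(rows)             # whole campaign
    report(rows, "office")   # centralized vs. branch offices
    report(rows, "hour")     # time of day
    # Second case study (security patch): 12 connect-backs from ~70 targets.
    low, high = wilson_interval(12, 70)
    print(f"template 2: 12/70 = {12/70:5.1%}  95% CI [{low:.1%}, {high:.1%}]")
```

With 80 recipients the overall rate of 51% carries an interval of roughly 40% to 62%, and a ten-recipient slice (the 16:00 batch here) cannot distinguish 30% from 70%. That is the concrete reason to collect per-recipient records across repeated tests instead of judging a control by one campaign.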


Resources

  • www.social-engineer.org

  • “The Stratagems of Social Engineering” – Jayson Street, DefCon 18

  • “Open Source Information Gathering” – Chris Gates, BruCON 2009

  • Security Metrics: Replacing Fear, Uncertainty, and Doubt – Andrew Jaquith


Questions or Comments
