Social engineering techniques
Social Engineering Techniques

Will Vandevanter, Senior Security Consultant

Danielle Sermer, Business Development Manager


Agenda

1. Rapid7 Company Overview and Learning Objectives

2. Social Engineering Techniques

3. Summary and Q&A


Rapid7 Corporate Profile

Company

  • Headquarters: Boston, MA

  • Founded 2000, Commercial Launch 2004

  • 110+ Employees

  • Funded by Bain Capital (Aug. 08) - $9M

  • Acquired Metasploit in Oct. 09

Solutions

  • Unified Vulnerability Management Products

  • Penetration Testing Products

  • Professional Services

Customers

  • 1,000+ Customers

  • SMB, Enterprise

  • Community of 65,000+

Partners

  • MSSPs

  • Security Consultants

  • Technology Partners

  • Resellers

Organizations use Rapid7 to Detect Risk, Mitigate Threats and Ensure Compliance

#1 Fastest growing company for Vuln. Mgmt

#1 Fastest growing software company in Mass.

#7 Fastest growing security company in U.S.

#15 Fastest growing software company in U.S.


Social Engineering Techniques


Will Vandevanter

  • Penetration Tester and Security Researcher

  • Web Application Assessments, Internal Penetration Testing, and Social Engineering

  • Disclosures on SAP, Axis2, and open source products

  • Twitter: @willis__

  • will __AT__ rapid7.com


Social Engineering Definition

Wikipedia (also sourced on social-engineer.org)


Social Engineering Definition Revisited

  • The act of manipulating the human element in order to achieve a goal.

  • This is not a new idea.


Visualizing the Enterprise


Goal-Oriented Penetration Testing

  • The primary objective of all assessments is to demonstrate risk

  • ‘Hack Me’ or ‘We just want to know if we are secure’ is not specific enough

  • How do I know what is most important to the business?


How We Use Social Engineering

  • To achieve the goals for the assessment

  • To test policies and technologies


Commonalities

1. Information Gathering

2. Elicitation and Pretexting

3. The Payload

4. Post Exploitation

5. Covering your tracks


Electronic Social Engineering


Information Gathering

  • White Box vs. Black Box vs. Grey Box

  • Know Your Target

  • Gather Your User List

    • Email Address Naming Scheme

    • Document meta-data

    • Google Dorks

    • Hoovers, Lead411, LinkedIn, Spoke, Facebook

  • Verify Your User List

  • Test Your Payload


Template 1 – The Fear Factor

  • Goal : To obtain user credentials without tipping off the user

  • Identify a user login page

    • Outlook Web Access

    • Corporate or Human Resources Login Page

  • Information Gathering is vital


Pretexting


The Payload


Post Exploitation


How Effective Is It?

  • Incredibly Successful

  • Case Study

    • Mid December 2010

    • 80 e-mails sent to various offices and levels of users

    • 41 users submitted their credentials

  • Success varies with certain factors

    • Centralized vs. Decentralized Locations

    • Help Desk and internal communication process

    • Number of e-mails sent

    • Time of the day and day of the week matter


Controls and Policy

  • Do your users know who to contact if they receive an e-mail like this?

  • How well is User Awareness Training working?

  • How well is compromise detection working?

  • Are your mail filters protecting your users?
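One concrete way to answer the mail-filter question for the credential-harvesting template is a heuristic that looks at where a message's links actually lead. The following is an added example, not code from the deck or from Rapid7: it parses a message, compares every link's registrable domain with the organisation's own, and flags external hosts that embed the corporate brand (the pattern a fake Outlook Web Access page relies on). The domains `example-corp.com`, `example.net`, the brand token list and both sample messages are constructed for the example.

```python
"""Mail-filter heuristic for credential-harvesting links.

Added example, not from the deck. Flags messages whose links point at
look-alike hosts imitating the organisation's own login pages (OWA, HR
portal).  All domain names here are constructed placeholders.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed corporate domain and the brand tokens an impostor host would reuse.
CORPORATE_DOMAINS = {"example-corp.com"}
BRAND_TOKENS = ("examplecorp",)
CREDENTIAL_WORDS = ("password", "log in", "login", "sign in", "verify your account")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def registered_domain(host: str) -> str:
    """Crude registrable domain: the last two labels (no public-suffix list; assumption)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_corporate(host: str) -> bool:
    return registered_domain(host) in CORPORATE_DOMAINS


def mentions_brand(text: str) -> bool:
    """Brand token present once dots, dashes and spaces are squashed out."""
    squashed = text.lower().replace("-", "").replace(".", "").replace(" ", "")
    return any(tok in squashed for tok in BRAND_TOKENS)


def looks_alike(host: str) -> bool:
    """External host that embeds the brand, e.g. owa.example-corp.com.<other>.net."""
    return not is_corporate(host) and mentions_brand(host)


def analyse_message(raw: str) -> dict:
    """Return the filter verdict and the evidence behind it for one RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    hosts = [urlparse(u).hostname or "" for u in URL_RE.findall(text)]
    external = [h for h in hosts if not is_corporate(h)]
    lookalike = [h for h in external if looks_alike(h)]

    display_name, addr = parseaddr(str(msg.get("From", "")))
    sender_domain = addr.rpartition("@")[2]
    # Display name claims the brand while the real address is outside the organisation.
    spoofed_display = (not is_corporate(sender_domain)) and mentions_brand(display_name)
    mentions_creds = any(w in text.lower() for w in CREDENTIAL_WORDS)

    if lookalike or (spoofed_display and external and mentions_creds):
        verdict = "quarantine"
    elif external and mentions_creds:
        verdict = "flag"
    else:
        verdict = "pass"
    return {
        "verdict": verdict,
        "external_hosts": external,
        "lookalike_hosts": lookalike,
        "spoofed_display": spoofed_display,
        "mentions_credentials": mentions_creds,
    }


# Constructed sample messages (not real traffic).
PHISH_SAMPLE = """\
From: Example-Corp IT Helpdesk <helpdesk@mail-relay.example.net>
To: jane.doe@example-corp.com
Subject: Mandatory password verification
Content-Type: text/plain; charset="us-ascii"

Your Outlook Web Access password expires today. Verify your account here:
http://owa.example-corp.com.login-portal.example.net/owa/auth/
IT Helpdesk
"""

LEGIT_SAMPLE = """\
From: IT Helpdesk <helpdesk@example-corp.com>
To: jane.doe@example-corp.com
Subject: Planned OWA maintenance
Content-Type: text/plain; charset="us-ascii"

OWA at https://owa.example-corp.com/ will be unavailable Saturday 02:00-04:00.
No action is required and we will never ask for your password by e-mail.
"""

if __name__ == "__main__":
    for name, sample in (("phish", PHISH_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(name, analyse_message(sample))
```

The verdict is deliberately layered: a brand-bearing external host alone is enough to quarantine, while an ordinary external link in a message that talks about passwords is only flagged for review, since newsletters and vendor notices look like that too. A production filter would replace the two-label domain rule with a public-suffix list and add lexical distance checks for typo-squats.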


Template 2 – Security Patch

  • Goal: To have a user run an executable providing internal access to the network.

  • Information Gathering:

    • Egress filtering rules

    • Mail filters

    • AV


Pretexting


The Payload

  • Meterpreter Executable

  • Internal Pivot


Post Exploitation


How Effective Is It?

  • Highly dependent on a large number of factors

  • At least 5-10% of users will run it

  • Case Study

    • July 2010

    • ~70 users targeted

    • 12 Connect backs made

  • Success varies with many factors

    • Egress Filtering

    • Mail Server Filters

    • Server and endpoint AV


Controls and Policy

  • Do your users know who to contact if they receive an e-mail like this?

  • How well is User Awareness Training working?

  • How well is compromise detection working?

  • Are your mail filters protecting your users?

  • Technical Controls
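The deck lists egress filtering as the technical control that decides whether a payload's connect-back succeeds. The following is an added example, not from the deck or from Rapid7, of how to audit that control after the fact: it reads firewall log lines and reports every allowed connection from a workstation subnet straight to an external address, which under a proxy-only egress policy should never appear. The log format, the `10.1.4.0/22` workstation range, the proxy at `10.1.0.8` and the `203.0.113.x` external addresses are all constructed.

```python
"""Egress-filtering audit over firewall log lines.

Added example, not from the deck. Under an assumed policy (workstations
reach the Internet only through the proxy), list the allowed connections
that the policy says should have been blocked.  The log format, subnets
and addresses are constructed.
"""
import ipaddress
import re
from collections import Counter

# Assumed network layout: RFC 1918 space is internal, one /22 holds workstations.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
WORKSTATION_NETS = [ipaddress.ip_network("10.1.4.0/22")]

# Constructed key=value log format; a real firewall's format would need its own regex.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) src=(?P<src>[\d.]+):(?P<sport>\d+) "
    r"dst=(?P<dst>[\d.]+):(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


def in_any(ip, nets):
    return any(ip in n for n in nets)


def parse_line(line):
    """Parse one log line into a record, or None when it does not match the format."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    try:
        src, dst = ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"])
    except ValueError:
        return None
    return {"ts": m["ts"], "action": m["action"], "src": src, "dst": dst,
            "dport": int(m["dport"]), "proto": m["proto"]}


def egress_violations(lines):
    """Allowed connections from a workstation directly to a non-internal address."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["action"] != "allow":
            continue  # malformed lines and denied connections are not gaps
        if in_any(rec["src"], WORKSTATION_NETS) and not in_any(rec["dst"], INTERNAL_NETS):
            findings.append(rec)
    return findings


def offending_hosts(findings):
    """How many direct-egress connections each workstation made."""
    return Counter(str(f["src"]) for f in findings)


# Constructed sample log (not real traffic).
SAMPLE_LOG = [
    "2010-07-14T10:02:11 action=allow src=10.1.0.8:40001 dst=203.0.113.50:443 proto=tcp",   # proxy: expected
    "2010-07-14T10:02:13 action=allow src=10.1.4.22:49152 dst=10.1.0.8:8080 proto=tcp",     # workstation -> proxy
    "2010-07-14T10:02:15 action=allow src=10.1.4.22:49153 dst=203.0.113.9:443 proto=tcp",   # direct egress: gap
    "2010-07-14T10:03:01 action=deny src=10.1.5.7:49160 dst=203.0.113.9:4444 proto=tcp",    # filter worked
    "2010-07-14T10:03:05 action=allow src=10.1.5.7:49161 dst=203.0.113.9:4444 proto=tcp",   # direct egress: gap
    "garbage line that does not match",
]

if __name__ == "__main__":
    found = egress_violations(SAMPLE_LOG)
    for f in found:
        print(f"{f['ts']} {f['src']} -> {f['dst']}:{f['dport']}/{f['proto']}")
    print(offending_hosts(found))
```

The check is on the policy, not on a port list: a direct connection on 443 is just as much a gap as one on 4444, because the payload chooses the port and the proxy is where inspection and authentication happen. Internal-only destinations are ignored so the same script can run over a full day's log without drowning in normal traffic.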


Tools of The Trade

  • Information Gathering

    • Maltego

    • Shodan

    • Hoovers, Lead411, LinkedIn

  • Social Engineering Toolkit (SET)

  • Social Engineering Framework (SEF)

  • Metasploit


Physical Social Engineering


Information Gathering

-Sun Tzu


Information Gathering

  • White Box vs. Black Box vs. Grey Box

  • Know Your Target

  • Pretexting is highly important


Pretexting

  • Props or other utilities to create the ‘reality’

  • Keep the payload and the goal in mind

  • Information Gathering is key


Template 1 – Removable Media

  • Goal: To have a user either insert a USB drive or run a file on the USB drive

  • Start with no legitimate access to the building

  • Getting it in there is the hard part


Pretexting USB Drives

  • The Parking Lot

  • Inside of an Envelope

  • Empathy

  • Bike Messenger, Painter, etc.


Payload

  • AutoRun an executable

  • Malicious PDF

  • Malicious Word Documents


Post Exploitation


Controls and Policies

  • What are the restrictions on portable media?

  • Was I able to bypass a control to gain access to the building?

  • Technical Controls
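The first question on this slide, what the restrictions on portable media are, can be answered for Windows hosts by reading the AutoRun policy that the removable-media payload depends on. The following is an added example, not from the deck or from Rapid7: it parses a `.reg` export of the Explorer policy key and reports whether `NoDriveTypeAutoRun` blocks AutoRun for removable drives and CD-ROMs. The key path, value name and drive-type bit positions are Windows facts; the sample export and the assumption that the machine (HKLM) value wins over the user (HKCU) value when both are set are the example's own.

```python
"""AutoRun policy check for a removable-media control.

Added example, not from the deck. Parses a Windows .reg export (constructed
below) and reports whether the NoDriveTypeAutoRun policy disables AutoRun
for removable drives and CD-ROMs.
"""
import re

POLICY_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
VALUE_NAME = "NoDriveTypeAutoRun"
# Bit n of NoDriveTypeAutoRun disables AutoRun for drive type n as returned by GetDriveType().
DRIVE_REMOVABLE = 1 << 2
DRIVE_CDROM = 1 << 5
ALL_DRIVES = 0xFF

KEY_RE = re.compile(r"^\[(?P<hive>HKEY_[A-Z_]+)\\(?P<path>.+)\]$")
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{8})$')


def parse_reg(text):
    """Return {(hive, lower-cased path): {value_name: int}} for DWORD values in a .reg export."""
    values, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        key = KEY_RE.match(line)
        if key:
            current = (key["hive"], key["path"].lower())
            values.setdefault(current, {})
            continue
        dword = DWORD_RE.match(line)
        if current and dword:
            values[current][dword["name"]] = int(dword["hex"], 16)
    return values


def autorun_status(text):
    """Per hive: the policy value and which media types it blocks (None when unset)."""
    values = parse_reg(text)
    status = {}
    for hive in ("HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER"):
        v = values.get((hive, POLICY_KEY.lower()), {}).get(VALUE_NAME)
        status[hive] = None if v is None else {
            "value": v,
            "removable_blocked": bool(v & DRIVE_REMOVABLE),
            "cdrom_blocked": bool(v & DRIVE_CDROM),
            "all_blocked": (v & ALL_DRIVES) == ALL_DRIVES,
        }
    return status


def effective_removable_blocked(text):
    """Assumption: the machine policy (HKLM) wins when both hives set the value.
    With no policy at all the control is treated as absent."""
    status = autorun_status(text)
    for hive in ("HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER"):
        if status[hive] is not None:
            return status[hive]["removable_blocked"]
    return False


# Constructed export: machine policy left at 0x91, user policy hardened to 0xFF.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:000000ff
"""

if __name__ == "__main__":
    for hive, s in autorun_status(SAMPLE_REG).items():
        print(hive, s)
    print("removable media AutoRun blocked:", effective_removable_blocked(SAMPLE_REG))
```

The sample deliberately shows the trap a quick spot check misses: the user hive looks hardened, but the machine policy still leaves bit 0x4 clear, so removable drives are not covered. A value of `0xFF` in the machine hive is the setting to look for; anything else needs the bits read individually.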


Case Study - The Credit Union Heist

  • Goal: “Paul” needed to obtain access to the server room at a credit union

  • The room itself is locked and accessible via key card only.

  • Information Gathering

  • Pretexting


Gadgets

  • RFID card reader and spoofer

  • Pocket Router

  • SpoofApp

  • Lock Picking Tools

  • Uniforms


Closing Thoughts

  • Protecting against Social Engineering is extremely difficult

  • User Awareness training has its place

  • Regularly test your users

  • Metrics are absolutely critical to success

  • During an assessment much of it can be about luck
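The deck closes on metrics and, earlier, reports two case studies as raw counts (41 of 80 credential submissions; 12 connect-backs from about 70 targets). The following is an added example, not from the deck or from Rapid7, of turning per-recipient results into those metrics: an overall rate, a breakdown by the success factors the deck names (location, time of day, day of week), and a Wilson confidence interval so that a small sample is not over-read. The twelve result records are constructed; the only figures taken from the deck are the two case-study counts used in the usage.

```python
"""Phishing-assessment metrics.

Added example, not from the deck. Summarises per-recipient results into an
overall rate, per-factor breakdowns and a Wilson score interval.  The
result records below are constructed.
"""
import math
from collections import defaultdict
from typing import NamedTuple


class Result(NamedTuple):
    office: str
    weekday: str
    hour: int        # local hour the e-mail was sent
    submitted: bool  # recipient submitted credentials (or ran the payload)


def wilson_interval(hits, n, z=1.96):
    """95% Wilson score interval for a proportion; returns (low, high)."""
    if n == 0:
        return (0.0, 0.0)
    p = hits / n
    denom = 1 + z * z / n
    centre = (p + z * z / (2 * n)) / denom
    half = z * math.sqrt(p * (1 - p) / n + z * z / (4 * n * n)) / denom
    return (max(0.0, centre - half), min(1.0, centre + half))


def rate_by(results, key):
    """Group by key(result) and return {group: (hits, n, rate)}."""
    groups = defaultdict(lambda: [0, 0])
    for r in results:
        g = groups[key(r)]
        g[0] += int(r.submitted)
        g[1] += 1
    return {k: (h, n, h / n) for k, (h, n) in groups.items()}


def campaign_summary(results):
    """The numbers to report after a round: overall rate, interval and factor breakdowns."""
    hits = sum(int(r.submitted) for r in results)
    n = len(results)
    return {
        "overall": (hits, n, hits / n if n else 0.0),
        "interval": wilson_interval(hits, n),
        "by_office": rate_by(results, lambda r: r.office),
        "by_weekday": rate_by(results, lambda r: r.weekday),
        "by_time": rate_by(results, lambda r: "morning" if r.hour < 12 else "afternoon"),
    }


# Constructed results for one round (not data from the deck's case studies).
SAMPLE_RESULTS = [
    Result("Boston", "Mon", 9, True), Result("Boston", "Mon", 9, True),
    Result("Boston", "Mon", 14, False), Result("Boston", "Tue", 10, True),
    Result("Remote", "Mon", 9, False), Result("Remote", "Tue", 10, True),
    Result("Remote", "Wed", 16, False), Result("Remote", "Fri", 17, False),
    Result("Chicago", "Mon", 9, True), Result("Chicago", "Wed", 11, False),
    Result("Chicago", "Fri", 17, False), Result("Chicago", "Thu", 10, True),
]

if __name__ == "__main__":
    summary = campaign_summary(SAMPLE_RESULTS)
    for name, value in summary.items():
        print(name, value)
    # The deck's own case-study counts, as intervals rather than single percentages.
    print("credentials 41/80:", wilson_interval(41, 80))
    print("connect-backs 12/70:", wilson_interval(12, 70))
```

Reporting the interval matters for the "at least 5-10% of users will run it" rule of thumb: twelve connect-backs out of seventy gives a lower bound around 10%, so one round of that size is enough to say the rate is not below the rule, but not enough to compare two offices whose counts differ by one or two users. The per-factor breakdown is what makes the next round's design (when to send, which locations to revisit) something other than luck.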


Resources

  • www.social-engineer.org

  • “The Strategems of Social Engineering” – Jayson Street, DefCon 18

  • “Open Source Information Gathering” – Chris Gates, Brucon 2009

  • Security Metrics: Replacing Fear, Uncertainty, and Doubt – Andrew Jaquith


Questions or Comments

