Social engineer reveals effective tricks for real-world intrusions
In this Help Net Security interview, Jayson E. Street, Chief Adversarial Officer at Secure Yeti, discusses intriguing aspects of social engineering and unconventional methods for gathering target information.
Street explores the overlooked threat of physical security and the human tendency to neglect negative outcomes. He also shares insights on the potential damage from a physical attack on company workstations and recounts situations encountered in the field.
One of the most intriguing parts of social engineering is the homework or research phase. What unconventional methods have you seen or used to gather information about a target?
One of the most unconventional methods I use when doing research and recon for an engagement, especially the ones that involve me going on-site for a physical compromise, is to use the websites of the architects who did work on their building. I’ll go to their building management website because you will sometimes find blueprints and pictures showing what the inside of their building looks like.
What this does is help provide a familiarity with the surroundings before you get there. The more you look at ease and become familiar with the surroundings, the more people are not going to suspect you as being an outsider, and the less suspicious they are, the easier it is for you to go about your business of what you’re there to do, which is to rob them!
I visited the website of the building of a large corporation I was targeting. Remarkably, the site openly shared detailed blueprints of the building, including interior layouts and office spaces. This freely accessible information revealed critical infrastructure elements such as the location of the freight elevator, the loading dock, and electrical rooms. Such detailed disclosure offered insights into how one might circumvent the building’s physical security systems.
We all know that social media makes gathering information on your targets extremely easy. Getting their badges off Instagram and Twitter is one thing. Still, companies need to understand that it’s not just social media that can be used against them; it’s their partner’s, those they’ve hired, and people they work with that can divulge information that could be detrimental to their cybersecurity and their perimeter security.
What are some of the most common social engineering tricks you use in the real world?
My main social engineering trick is just walking into a location like you belong there. People underestimate how far confidence will get you into a location and how unsuspecting people are when they feel secure. I’ve always said the only thing worse than no security is the false sense of security because it is tough to imagine something terrible will happen when you have that false sense of security.
One of the main tricks that I do when I am doing a phishing attack is not to tell them that something positive has happened. I always have the topic of the e-mail to be unfortunate, something that may be a mistake, something that has happened that is important and, if not fixed immediately, could have dire consequences.
People are very suspicious when they get an e-mail that something good has happened or will happen to them. Still, throughout history, humans have always craved information almost at any cost when they felt like a threatening situation was occurring around them. They need to discover what is happening and how it could affect them.
When you create a situation like that, people subconsciously are more likely to click on a link to find out more information, especially when you don’t highlight or specifically tell them to click on the link. You tell them, “This looks bad for us; we might need to get ahead of this,” or “I just read this news article; let me know when you get into the office tomorrow so we can discuss it.” Never once did I tell them to click the link. I told them here’s all the bad stuff, and by the way, here’s a source inside this e-mail that also gives you more information on it. Curiosity does the rest.
We often hear about software vulnerabilities, but physical intrusion is an overlooked threat for many organizations. How often do businesses neglect this security aspect, and why do you think this oversight happens?
One of the key differences between software vulnerabilities and physical intrusions that many organizations often overlook is that software vulnerabilities have very defined and narrow vectors of attack. The reason is they are limited by the network, the operating system, and the program that is being targeted.
However, with a physical intrusion, so many factors come into play, like the time of day, the location of the building itself, the security measures in place, and the people entrusted to maintain that security. All these factors are constantly in flux and will change from day to hour, moment to moment without any notice, so therefore, it is inherently more complicated to prevent.
Many companies will put in the bare minimum and hope for the best until they are unfortunately proven wrong. Human nature has always had an aversion to contemplating and preparing for negative outcomes. We do not like to think something bad is going to happen or something bad is in the process of happening. Unless we have no choice but to confront the truth that it is occurring, this flaw is very hard to overcome in most people.
A perfect example of this is how many times you will hear bystanders and witnesses tell the news reporter after a tragic event occurs in their area. One of the first things they mention is that it is a quiet neighborhood, and they thought nothing like this would happen here.
When an attacker gains physical access to a company’s fixed workstations, what kind of damage or theft is typically achievable, given these machines often have a lower level of protection?
The more concerning question is, what isn’t achievable? If I have physical access to your device, then I have access to your network, and if I have access to your network, then given time, I will own your network.
What are some of the most interesting situations you’ve encountered while working in the field?
While doing most of my engagements on-site, making a physical compromise, I encountered quite a few interesting situations. I’ve also caused a few interesting situations.
Once, I was robbing a client inside a high-rise building, and to get into the freight elevator, I had the shoeshine operator walk me in and get me through the loading dock to the elevator. He was very friendly and helpful. I felt terrible that I didn’t have any cash to tip him because he earned it on that engagement.
I also had to break into a state treasury by getting a cleaning crew to let me into the suite. The whole time, I was forced by the scope of work to tell the truth, and I did so in such a dishonest way they did let me into the suite, and I ended up compromising the state treasury.
I’ve also had to play the role of a TV producer who would put some people on television for the many wonderful works they do for their community in Jamaica. I got them to run the USB drive on the head of the charity’s laptop on the same network as the financial institution I was robbing.
When looking into the near future, what threats do you think organizations should be particularly worried about?
When we talk about the future threats, most people will automatically go to the dangers of AI or hacking into a national power grid or infrastructure of a country. However, while everybody is trying to focus on the brand new shiny zero-day or the far-flung threats that are coming from AI and machine learning and blockchain and any other chain, I say that the threats that an organization should be particularly worried about in the future are the ones that have been here for quite a while now.
How can you be concerned about what AI can do to your company’s network when we are still having networks being taken down by light bulbs and vending machines because there are so many insecure, adequately password-protected IoT devices all over our networks? I am not sure these assets are even being properly tracked or put onto their subnet and segmented from the rest of the network. In the worst case scenario they have unfettered access to the internet.
A company can significantly reduce its risk by initiating a comprehensive asset management program from the outset. Concurrently, it is also crucial to invest time in establishing a robust patch management process. This dual approach ensures both the effective tracking and maintenance of assets, as well as the timely updating and securing of systems, thereby enhancing overall organizational resilience.
Regrettably, many companies tend to focus more on the latest, buzzword-laden threats, rather than investing effort in implementing defensive measures, which, although they may seem mundane and challenging, are often far more effective in safeguarding the organization. Ultimately, the practicality and effectiveness of these foundational security practices cannot be overstated in ensuring the company’s protection.