After spending the better part of the last two years working remotely, employees are beginning to filter back into their office buildings. Their return is greeted by familiar faces, fresh new faces, and probably some forgotten faces as well. The newness of being back in an office building makes this a perfect time to test their understanding of company “unknown personnel” policies. The Social Engineering Teaming Service (SE Teaming) is an excellent way to do this.
SE Teaming can include nighttime and/or daytime entries. Nighttime tasks may include breaking in via lockpicking (as determined by scope), while daytime entries tend to rely more heavily on rapport building and influence techniques. Our social engineers are masters at talking their way into your business and, once inside, they will see how far they can invade using the impersonation attack vector. They talk their way past the guard stations and, from there, past other barriers. These might be set up in front of more sensitive areas – like server rooms and Network Operations Command (NOC) centers.
It All Begins with OSINT (Open-Source Intelligence)
Well… the attacks begin with OSINT. Before the attacks begin, we work with the client to determine the scope of the engagement. First, our project managers get clarification on which parts of the client’s property are off limits and which parts they would like us to test. Then we have a scope discussion to solidify the boundaries of the upcoming engagement. And finally, during the engagement, we continue to check in with our client contacts.
The first step of our offensive action is a thorough OSINT examination of our target company and locations. We use freely-available online sources to find any information that will help us in our upcoming attacks. OSINT has multiple uses for impersonation. For example, it gives information about the buildings we will be infiltrating. Additionally, it gives us themes with which we can create pretexts which are the reasons we will give for being in the building.
During OSINT, we look for a wide range of things. Information about company culture gives us insights into how we should dress and behave. Sometimes we can find pictures of ID badges that we can use to create counterfeits. Floor plans will help us navigate our way through buildings once we are in, and may even lead us to the more sensitive, higher-security areas that we are looking for. Vendor information can be very helpful in pretext creation and can sometimes get us a company escort who can let us into high-security areas.
Implementing the Attack
Once the OSINT is compiled, pretexts are finalized, and a date is set, the engagement can begin. On a previous campaign, SECOM discovered that the license for the client’s GPS clock service was about to expire. So, the team used this for our pretext, posing as the GPS clock company doing a routine check as part of the license renewal process. Early on in those attacks, the team discovered that this pretext was not enough to get them past the front door guards. But following some real employees in through a back door (tailgating) helped get them into more secure areas of the building.
Getting past the door
Getting past the door guards to test the rest of the employee population can be tricky. We have used tactics such as:
- pretending a badge was malfunctioning until someone else let us in; and
- walking in through an open loading dock.
Some more complicated tactics have been having someone distract the guards. While this happened, a pair of social engineers walked past, pretending to be involved in an important phone call. Another time one team member went in through the front and printed themselves a guest badge at a terminal in the lobby, while another snuck in through a back door with a fake badge and pretended to be the other’s required company escort.
Inside the target building
Once we are inside the target building, the scope of the project determines what the team does next. Some projects only require that we get into the building and take photos and video as proof. In these cases, photos of more sensitive materials have more impact. However, on other projects we may drop USB devices with tempting labels like “salary” or “bonuses.” These will have a file on them which will tell us if someone opened it on their machine. Trying to use a USB device to install pseudo-malicious software on unattended, or possibly attended, computers is also an option. Finding a way to talk target employees into letting us try that one is a fun, high-risk/high-reward social engineering attack simulation. Social-Engineer’s COO, Ryan MacDougall, discusses some of these attacks in his Defcon 29 talk SE Team Vs. Red Team.
Request a Quote
The novelty of returning to an office building after nearly two years of solitary, remote work makes this a perfect time to test the security posture of your organization with an SE Teaming engagement. After the engagement, you will receive a detailed report of your business’s vulnerability landscape. See how well your personnel fare against smooth-talking strangers or unannounced visits from important “vendors.” Test their response to tempting USB drives, and innocent-seeming requests for help. Your report will have detailed accounts of all of our findings. It will also have recommendations for shoring up any holes we find in your security measures. You can request a quote on our Social Engineering Teaming Service page at social-engineer.com.