
As worldwide practice shows, in successful hacks (successful for the attackers, of course) most of the problems are related to people. To be more precise, the point is their willingness to give out any information and to perform completely senseless actions.
I think the IT examples are already very well known to you, so I'll recall an example from the book "Psychology of Influence": psychologists phoned nurses in hospitals, introduced themselves as a doctor, and ordered them to inject a lethal dose of a substance into a patient. The nurse knew what she was doing, but in 95% of cases she carried out the order (she was stopped at the entrance to the ward by the psychologists' assistants). In this case, the "doctor" was not authorized in any way at all. Why did the nurse do it? Simply because she was accustomed to obeying authority.
Let's say it again: in this example, thanks to competent social engineering, 95% of hospitals were critically vulnerable.
The method does not become outdated
Systems are constantly changing. Software and hardware are getting more complicated. To be more or less confident in your command of the subject, both in defense and in attack, you need to constantly track all the innovations, be the first to examine new things, and understand the entire IT background very well. This is the way of the classic hacker, the one surrounded by an aura of romance. In the modern world, rather, a hacker group has several narrow specialists trained for specific target technologies, but the main task is always penetration of the defensive perimeter.
This means that, sooner or later, you will most likely need social engineering. And usually it comes rather early, because first comes information gathering and preparation, and only on top of that are technologies and deep knowledge of IT systems layered.
If your company has a security department, it most likely contains paranoiacs who understand how much valuable data employees can hold, plus cynics who do not believe in people at all. This team delimits access rights, writes instructions and rehearses critical situations in practice. In general, this confers some immunity, but still does not provide a decent level of protection. Most unpleasant of all, in social engineering you cannot "apply a patch" and forget about it: once an attacker has mastered the mechanics, they will always work, because human behavior in general does not change very much.
Basic model of social engineering
It is assumed that each employee has their own level of security competence and their own level of access. Line employees (for example, the girls at reception) do not have access to critical information, that is, even capturing their accounts and obtaining all the data they know will not cause serious damage to the company. But their data can be used to take the next step, already inside the protected area. For example, you can get the names of employees and call someone at a higher level, introducing yourself as one of them. Here you can play on authority (as in the example with the doctors above), or you can simply ask a couple of innocent questions and get a piece of the puzzle. Or move further, to the next, better-informed employee, relying on the fact that the team is inclined to help each other rather than switch on paranoia over questions about some important data. Even with strict instructions, there is always a chance that emotions will outweigh them.
Don't believe it? Imagine a situation where an attacker calls the same girl in a call center several times a week for a month. He introduces himself as an employee, brings a lot of positive energy, speaks in a lively way, clarifies some harmless trifles, and sometimes asks for petty favors. The fact that the person calls often replaces clear authorization. Ten, twenty, if necessary thirty times. Until it becomes one of the facts of life. He is "one of us", because he knows various trifles about the company and calls constantly. On the 31st call, the attacker again makes a petty request, but this time it concerns important data. And if necessary, he gives a logical and plausible rationale for why this is required and what trouble he is in. Of course, a normal person will help him.
If you think that only incompetent users are susceptible to such attacks, open the book "The Art of Deception", where Mitnick describes how he introduced himself as the lead developer of a project and got a sysadmin to hand over privileged access to the system for a moment. Note that this was a person who understood perfectly well what exactly he was doing.
Reverse social engineering
The general model of the attack is exactly the same: you obtain the data that users are willing to share. But unlike the classical "ladder" methods, here the user himself tells you what he needs. This is an effective three-step approach: you arrange a problem for the user, make sure he contacts you, then carry out the attack. Example: enter the secured perimeter as a cleaner, replace the technical support number on the printed notice on the wall with your own, and then arrange a minor problem. A day later, an upset user calls you, ready to share all his knowledge with a competent specialist. Your authorization causes no problems: after all, the person himself knows whom he is calling and why.
A beautiful variation is banking IVR phishing, where the victim of the attack receives a letter with a phishing number for the "client center", where at some step the answering machine asks to enter important card details for authorization.
More special cases
You can use phishing on the resources the target uses. Or, for example, place malware that infects the company's machines on those external resources (one of the main attack vectors of recent years, by the way). You can hand an employee a disc with something interesting (counting on him launching software or using information from it), you can use social networks to collect data (map out the structure of the company) and communicate with specific people in it. There is a sea of options.
Summary
So, social engineering can be used to collect data on a target ("Hello! I had the phone number of the 4th department, but I've lost it"), to get confidential information ("Yeah, thanks. One other thing: this client seems suspicious to me. Could you tell me the number of the card he used to pay last time?"), and to get direct access to a system ("So, what exactly are you entering now? Could you spell it, please? Seven, S as in dollar, percent, capital T..."). And even for things that are otherwise impossible to get. For example, if a computer is physically disconnected from the network, a "processed" person will be able to connect it.
In the topic about preparing for the hacker tournament there was a task about the girl at reception who was accidentally left alone for 30 seconds. What would you have time to do in that time? Put something on her computer? No, not enough time or user rights. Steal documents from the desk or send yourself all her mail? Not a good idea, they'll notice you. Even just sitting at her computer is already dangerous because of a possible hidden camera in the office. The best answers lay in the plane of social interaction: stick on a sticker with the number of "technical support", ask her out on a date, and so on. Nobody will judge you for a date, but it will give you a heap of data about the hierarchy in the company and the personal details of the employees.
So, back to the educational program. Read "The Art of Deception" (you will definitely like the specific dialogues in it), the chapter on social engineering from the book by Dennis Fiery with the pompous title "Secrets of a Super Hacker", the serious "Psychology of Influence", and, for starters, the Wikipedia article describing the main techniques. If you do not have a strong security department, after reading, warn your manager and carry out a simple pentest. Most likely you will learn many new things about human credulity.
The Cyber Readiness Challenge tournament and social engineering
In addition to technical measures for preventing social threats (such as introducing a common messaging platform within the company, mandatory authentication of new contacts, and so on), it is necessary to explain to users what exactly happens during such attacks. True, this is useless if you do not combine theory with practice, namely, act as an attacker yourself from time to time and try to penetrate your own systems. After a couple of "training alarms" and debriefings, the staff will at least think about whether they are verifying callers.
Of course, to counter the threat you need to "get inside the head" of the attacker who is attacking you and learn to think like him. As part of the offline Cyber Readiness Challenge tournament, which was originally created as a simulator for training security professionals, we could not ignore this class of threats.
If you understand server and system administration, network infrastructure and other technical matters, but do not take such a wonderful thing as the human factor into account, the tournament will give you a couple of interesting ideas.