Thoughts on exploiting trust and targeting security’s weakest link

Social engineering, including Phishing, is my favorite form of attack. Hands down, it’s the most cost effective, and often the simplest method of cracking an organization’s defenses.

Some say this isn’t hacking, arguing that it takes little “skill” and therefore isn’t worthy of a “true hacker’s” toolkit. I disagree with those arguments, and have for some time, because being an effective social engineer is far from easy. There’s more to it than telling convincing lies and sending emails. Besides, Phishing (and social engineering as a whole) is a proven viable threat. There are entire vertical markets dedicated to defending organizations from it.

Again, people are unpredictable. They have patterns. They have habits too, and you can exploit those. But that isn’t prediction. Exploiting patterns or habits means knowing what comes next and taking advantage of the situation. That’s leveraging established intelligence for your own gain. That’s not prediction.

The key to launching effective social-based attacks is intelligence; knowing more about the situation than your mark does. After that, you combine the intelligence with misdirection, and/or emotional pretense, to make the mark perform an action of some kind, or share information.

With Phishing, the action revolves around opening something, or clicking a link to somewhere. With social engineering (verbal communication), the goal is still information in most cases, but actions are a viable option depending on the circumstance.

When it comes to social-attacks, trust is the main objective from the start. If you don’t gain trust instantly, or at the very least establish a solid rapport, the game is over. However, establishing a baseline of trust isn’t all that hard. People tend to trust other people, and they trust things they’re familiar with, such as social networking, business groups, communities based on shared interests, etc.

This is where intelligence comes into play. Reconnaissance is the official word for it, but the point remains the same no matter what you call it. Knowing who to target, why, and what they’re about personally and professionally.

In a past life, my favorite part of an awareness program was live-fire testing. The best part about it was that the training was done by a group (four of us) and the employees at the firm didn’t meet me until test time. I was the unknown.

The objective, usually data and information, was clearly defined before the testing started. So I knew what to get, but how I obtained it was entirely up to me. I miss those days sometimes, but I like the idea of a steady paycheck and healthcare, so I’m happy where I am now too.

The reason for this trip down memory lane is due to a report a reader sent me, published in February (based on the metadata in the PDF) by Proofpoint. They’re an email security firm based in Sunnyvale, California. In it, they talk about the human factor, and the pain that comes with attempts to protect the weakest point in the security chain.

The report got me thinking, because when the marketing aspects are removed, it’s a solid study. The numbers are clearly rounded, but for argument’s sake they’re a good example.

Proofpoint says that 10 percent of the people within a given company are responsible for 100 percent of the clicks on malicious links in a given Phishing campaign. They also note that while a majority of clicks in said campaign come from repeat offenders, 40 percent of the clicks come from “one-off” offenders.

This same stat can be applied to personal interactions (direct social engineering) as well. Again, I’ve always found that at least one person within a group will be willing to assist someone in need as long as it’s within their ability to do so. And friends of that person tend to follow the pack. All I needed to do was ask. So I agree with Proofpoint on their stats, but I don’t agree with their recommended solution to the problem:

“User training is a necessary strategy and can pay dividends depending on the nature of the attack can pay dividends. But it is an insufficient strategy for dealing with such threats; technical and automated capabilities to minimize risk from user clicks must be explored.

“Enterprises should invest in training users, especially repeat clickers. However, since the one-off clickers can vary with each wave and account for a large quantity of risk, solutions with technical capabilities to predict and detect threats, as early as possible, are critical.”

I get it, they sell technical controls to deal with this problem, and naturally they’d recommend it. But it won’t help. Technical controls, such as email protections primarily designed to stop Spam, are barely able to keep-up with generic Phishing attacks as it is. They won’t stand a chance against a real Phishing attack.

What is a real Phishing attack? A real Phishing attack originates from a trusted environment, and focuses on the mark personally. It’s not something that comes out of the blue and uses resources that would be flagged by reputation and IP filtering. It’s not going to contain questionable links or attachments at first.

In fact, if the attacker is smart, and the overall objective is worth it, they’ll never include such things. They won’t need to, as the mark will trust attacker so fully, they’ll do as directed; be it visiting a link, downloading something, or sharing information.

Phishing has been sold as an email problem.

This is because most organizations are forced to deal with kits that have been used by criminals for years. And these kits – the ones that claim to be a notice from a bank, while offering a Trojan as an attachment or a link pointed to a malicious domain under the attacker’s control – work great. They are a legit threat.

They work wonders in volume too. In fact, volume is why vendors like Proofpoint exist. When it comes to Phishing kits and Spam, vendors like Proofpoint see millions of samples and variants a day, so once something’s detected at Company A, the other customers are protected instantly. But at volume, things get missed. It’s no one’s fault, but it’s proof that no single solution is perfect.

Phishing is a human problem too.

So while kits are one thing, real Phishing attacks are something else entirely. Real Phishing attacks take time, some research, and basic contact. They don’t trigger warnings or alerts. Real Phishing attacks are the equivalent of network asset assassins, who come to the conversation wearing smiles, while hiding a dagger behind their backs.

In time, a real Phishing attack might conclude with something that looks like this:

Hi Julie!

First, it was great talking to you, and while Mark is out of town, I appreciate you taking the time to help the newbie. The number you saw on Caller ID is my cell, which is the best way to reach me until I get settled. Also, while I’m using webmail at the moment, I’ve CC’d my Gmail account should you need to reach me and Exchange is out.

I’m still getting up to speed on what you and your crew need over in DEV/QA, but at least now I know it’s best to start with the provisioning. I should have that done before Mark returns week after next. (I swear, his auto responder changed, and he added another week of vacation time. 😛 )

So, I have a question for you. Last week, I was scanning the SharePoint site, and I noticed a post referencing a Visio workup for the DEV/QA networks.

The post was written by “sliao” but I don’t know who that is. Are they in your office? AD isn’t being too helpful, and emails sent directly to them just bounce. Then again, you said AD was just changed-over before I started, so maybe that’s an old ID assignment.

I looked around for it on the shares, but found nothing on Z or Q. It’s revision 3a, so it has the network maps and the passwords for the hardware in your area. Do you have a copy? Any revision will work really. I just assume 3a is the latest, as that’s what’s mentioned on SharePoint.

If you do have a copy, and if it isn’t too large, can you email it to me? If not, it isn’t a big deal, I can re-map the network and reset all the passwords, but I’m trying to keep disruptions to your crew down to a dull roar as we get this build-out completed. 🙂

If you do have it, but it’s over the email limit, let me know and I’ll send you the login to the Box account a few of us use for IT work when we’re offsite.

Speaking of IT’s Box account. If you want, I can upload those GoT episodes there. Like I said, it’s good to have someone I can geek out with over the books and the show, I was the only one at the satellite office that was a fan. Maybe when I get to town, you, the hubby, and I can go get some dinner and go to that GoT meet-up.

Again, thanks for the help. (Hodor!)

-Steve

Consider the information in this email.

How much intelligence gathering would be required to obtain the data needed for the passive references in it? Where would this information come from?

What are the odds that someone, somewhere in your organization, would befriend a newbie and help them? Given a common interest in a specific topic, how long before they were at ease enough to move from business to casual conversation? One call? Two? A simple email?

If an outsider accessed a Visio map of the network, how much damage could they cause? How many policy violations can you spot in this “harmless” email between co-workers?

Would this email be flagged by your anti-Spam/Phishing product?

Is this real conversation, something I’ve used before, or did I make it up on the spot?