Today we are going to explore what a Red Team Engagement looks like with our company. To do this best, we are going to take you with us on a previous experience we had while conducting a Red Team Engagement. To comply with Non-Disclosure Agreements and to keep with our high standard of confidentiality, we will change the name of the company and the people involved. With all that said, let's begin.
When a company wishes to test how well its data is protected and decides to take the extra step to assure that protection, they hire us. Once we get the call, there are a couple of things that we ask of the company:
That at most three people within the company know that we are conducting the test (usually the CEO, CISO, COO or equivalents).
That the project be given an expected minimum of three days. This assures that we provide the best and most customized engagement. (A faster timeline is possible if necessary.)
Then, as with any service we provide, contracts, NDAs, confidentiality agreements, etc. are drawn up and agreed upon by both parties. This protects your company and ours, and lets us provide the best service possible.
The Social Engineering Begins
Now that all the business aspects are complete, we begin the engagement. We do this from the comfort of wherever we are in the world at the time. Social Engineering is the art of exploiting the human psyche and using the knowledge we have gained to access networks, buildings, and data.
So, how did this apply to the story we are telling? Let's begin: we had been hired and had begun our social engineering. For this research we use Open-Source Intelligence (OSINT). Basically, we utilize social media, web searches, public records, etc. to find out who works for the company (keep in mind the company does not give us any of this information). We then narrowed our list, asking ourselves which of these employees would be the best to manipulate. In this case, we decided to use five employees in different departments, along with the information we had learned about each individual.
We then buy a domain and email addresses; these are usually the cheapest part of the project. For the domain, we used the business's actual name and ended it with .co instead of .com, which makes the emails we send harder to catch. Then the emails were sent.
We were able to get replies from all five employees and chose to focus on one of the employees in marketing. We presented ourselves as a marketing member from another office of the company. We took what we had learned during our research, using a conference that the employee was attending in a couple of weeks as our "in" to the building. We wanted a tour, a tour of the office that "we had never visited". The employee agreed to the tour and set a date. We knew then that we would be able to get inside, but the job was not done there.
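A defensive check for the lookalike-domain trick described above, added here as an example and not part of the firm's tooling: it classifies inbound sender addresses against the organization's own domain, flagging the .co-for-.com swap the post describes and, going one step beyond it, single-character typosquats. The organization domain and sample senders are constructed for the example.

```python
from email.utils import parseaddr

# Constructed organization domain for this example; substitute your own.
ORG_DOMAIN = "acme-widgets.com"

def split_domain(domain: str):
    """'acme-widgets.com' -> ('acme-widgets', 'com'); assumes a one-label TLD."""
    labels = domain.lower().strip().split(".")
    return ".".join(labels[:-1]), labels[-1]

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(address: str, org_domain: str = ORG_DOMAIN) -> str:
    """Return 'internal', 'tld-swap', 'typosquat' or 'external'."""
    _, addr = parseaddr(address)          # strips the display name
    if "@" not in addr:
        return "external"
    domain = addr.rsplit("@", 1)[1].lower()
    org_name, org_tld = split_domain(org_domain)
    name, tld = split_domain(domain)
    if domain == org_domain.lower():
        return "internal"
    if name == org_name and tld != org_tld:  # the .co-for-.com case
        return "tld-swap"
    if edit_distance(name, org_name) <= 1:   # e.g. one letter swapped
        return "typosquat"
    return "external"

# Constructed sample senders, not taken from any real engagement.
SAMPLE_SENDERS = [
    "Pat Jones <pat.jones@acme-widgets.com>",
    "Pat Jones <pat.jones@acme-widgets.co>",
    "it-support@acme-wldgets.com",
    "newsletter@vendor.example",
]

def flag_lookalikes(senders=SAMPLE_SENDERS):
    """Map each sender to its verdict; a mail gateway would quarantine or
    banner-warn anything that is neither 'internal' nor 'external'."""
    return {s: classify_sender(s) for s in senders}
```

Running `flag_lookalikes()` on the constructed senders returns "tld-swap" for the .co address and "typosquat" for the one-letter variant.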
Beware of the Attack
Now that we have our "in" to gain access to the building, we travel. When doing Red Team Engagements, we always utilize a team of at least two people. We also travel in a way that hides our tracks, just like malicious attackers would. This is to get the full experience and understand how difficult it would be to catch the attackers. We were up there two days prior to my tour with marketing. This was to gain visual reconnaissance on the building. During these days, which we call "Recon Days" (original, we know), we also test the strength of the external network security. Here we utilize several different tools and software to gain access to the network from outside the building. This is always conducted off the company's premises. In this instance we were able to gain access using several different methods. Then it's the day of our meeting.
When contacting and meeting these people, we use different names and take on a whole different personality. I met our marketing person in the front lobby, they passed me through the security card reader and the tour began. As I went through the tour, I was looking at every room, noting who sits where and which office belongs to whom. I was also looking at every individual laptop, computer station, piece of network equipment and even the phones. However, I had to keep the marketing side of me going through the tour, as that is who I was to my tour guide. The tour was great; I had four different options and knew which systems I would try to access.
I could tell the tour was ending, as we were almost back at the marketing department; I knew this was my time. I asked casually, "Hey, I need to use the restroom, do you mind if I run there real quick?" In this building you needed an escort, hence having to ask, as an adult, to use the restroom. I received the response I was hoping for: "Yeah, that's fine, just meet me back at my office down the hall." I knew then that the plan would work. Instead of going to the bathroom I went into an empty conference room where there were two CPUs, a laptop, and a mess of cords. This mess of cords was perfect cover for my "Rubber Ducky" (a thumb drive loaded with network penetration tools). After about three taps of the keyboard, I had access to their network, and my teammate back at the hotel received the packet and started accessing their entire network. This was all done within five minutes, reasonable for a bathroom break. I met my contact back at their office and, after casual conversation, we ended the tour and they walked me out.
The Review and Apologies
Back at the hotel, we collected all of our information and produced the "Initial Report". The next day we met with the Chief Information Security Officer and the Chief Executive Officer to present it. During this meeting we talk about every little thing we did, how we did it, and how we can help with training. With this company, we scheduled the training for the following week with each department (a two-day process).
In the initial contract, we stipulate that the person or people we social engineer and use as our way into the building cannot be fired solely on the basis of our testing. So my team, the CEO and the CISO went to see my contact in the marketing department. There we explained who I was and what we were doing, and I offered my apologies. Manipulating the person we chose is always the hardest part. They took it fairly well and apologized to their leadership.
We will talk more about our training after Red Team Engagements in future blogs.
This is not a spy thriller, nor is it impossible for this to happen to your organization. This is real life; it happens more often than you think, and it's easier than you think. Whether you are a small business, a medium-sized business, a large business, a Fortune 500 company, or a government entity, it has happened and it can happen.
Contact us to set up a Red Team Engagement today!