A couple of stories
This post was sent by Neal Bridges, he is a contributing editor at the Red Team Journal.
RTJ Red Team Law #51 (“The Obvious”): Sometimes your red team will execute what you think is an ingenious attack and borderline impossible. It must not be too impossible if they were able to pull it off.
I want to tell you a couple of stories. These stories come from real penetration tests that I have executed in the first half of 2015, but they will share a common theme. The names of the companies have been changed to protect the innocent.
In March of 2015, we began an engagement for a very large collections company. They were the second largest in the state and were in possession of over eight million unique pieces of credit card information, and twice as much personal information including social security numbers, names, addresses and phone numbers. They had hired us to come in and do an engagement in preparation for a compliance inspection. We performed open source intelligence (OSINT), we targeted their personnel, we reviewed as much of the physical areas that we could from the internet, and we attempted to attack from the outside. Not surprisingly, their external was relatively secure. This, of course, meant that we had to go to their physical location.
Upon arriving at the client’s location, we noticed a very prominent back door. We would later learn that this was the back door to the break room, near the rear of the building. After examining the habits of the individuals entering and exiting the building we decided that was our way into the facility. We had taken a thumb drive and programmed it in such a way that the computer would recognize it as a human interface device (i.e. keyboard or mouse) instead of a thumb drive. We labeled it as "Pay adjustments and layoffs" and placed it in their break area. As expected, we were successful in gaining access to their networks.
Upon talking to the leadership of the organization, we were discussing the merits of the attack vector. When we explained to the client that this attack vector was not what we would have done, it sparked a conversation that the client would not soon forget.
Client: Well, why didn't you do the attack you wanted to do?
Us: We didn't have the funds.
Client: Ah...it was expensive?
Us: In a way. When we observed the individuals coming in and out of your break room, and combined it with what we knew about your organization, we wanted to do something a bit more...direct.
Client: How so?
Us: Well, when we researched your organization, none of your employees had a LinkedIn profile claiming to work for your organization. We interpreted that to mean no one was proud to be working here enough to brag about it as a career path. When we arrived on site and started to observe your people we noticed that most of the folks were very casually dressed. On their breaks, they would check their phones or go to their cars. We profiled them as being run-of-the-mill overhead and presumed that most would be around the minimum wage market, if not much above that.
Client: Wow - so far you are about spot on. However, what does that have to do with your attack?
Us: Well, put yourself in my shoes. I am a Russian hacker. I make my living hacking and selling credit cards on the black market where I have a 1,425% return on investment. What if I profiled the single mom or dad who is trying to make a living for their family? The one who does not really hang out with the group. What if I offered that individual $1000 to plug this thumb drive into their computer? How many of your employees would turn down $1000?
The blood drained from my clients faces. They had never considered their employees were an attack surface in that way.
The next story involved a large healthcare organization in the Midwest. Our process was the same as the previous story. In this scenario, however, I noticed that there was a hotel less than a quarter of a mile from the client's data center. In addition to that, I could use "Street View" on Google Maps to see that it was pretty much an unobstructed line of sight to their building. With this being the case, I procured a two-foot Yagi directional antenna ahead of flying to the customer’s site.
Upon arriving at my hotel, I applied a little social engineering (I asked nicely) and was able to obtain a room on the side of the building directly facing my target. I proceeded to the client’s site, where I walked into their data center without confrontation and wandered my way around to the corner that faced my hotel. It happened to be in a massive training room, with numerous connected computers. I unplugged one of them and plugged in my wireless access point. Later that night, in my hotel room, I successfully connected to my Wi-Fi access point with my Yagi directional antenna and subsequently accessed their internal network.
The next day I spoke with the leadership of the organization. I showed them pictures of the setup and the view of their building from my hotel room. I showed them the path I took into their facility and explained that no one had challenged me. I showed them how I hid my access point. Ironically enough, they had a meeting in there sometime after I executed my attack and no one noticed my equipment. Their response and I quote was "W-O-W".
So with those two stories, I present to you Red Team Rule #51. Your adversary has the benefit of looking at your organizational defenses and asking itself "how can we defeat these". You don’t have the luxury of money, time, or personnel to look at their attacks and ask yourself, "how can we defend against these". The red teamer will always just come up with something else.