Lie to me if you can: features of conducting a sociotechnical pentest


Picture the scene: a cold October morning at a design institute in a regional capital somewhere in Russia. Someone from HR opens one of the job-posting pages on the institute's website, a page they had last looked at a couple of days earlier, and sees a picture of a cat. The morning quickly stops being boring...

In this article, Pavel Suprunyuk, Technical Head of Audit and Consulting at Group-IB, talks about the place sociotechnical attacks occupy in practical security assessment projects, the unusual forms they can take, and how to protect yourself from them. The author notes that the article is an overview; if any aspect interests readers, Group-IB experts will be happy to answer questions in the comments.

Part 1

Let's get back to our cat. After a while the HR department deletes the photo (the screenshots here and below are partially retouched so as not to reveal real names), but it stubbornly comes back; it is deleted again, and this repeats several more times. HR realizes that the cat has the most serious intentions and no wish to leave, and calls in the web programmer, the person who built the site, understands it, and now administers it. The programmer visits the site, deletes the annoying cat once more, finds that it was posted under the HR department's own account, concludes that the HR password must have leaked to some online hooligans, and changes it. The cat does not show up again.

[screenshot]

What really happened? Group-IB specialists were conducting a penetration test of the group of companies the institute belonged to, in a format close to Red Teaming (that is, an imitation of targeted attacks on your company using the most advanced methods and tools from the arsenal of hacker groups). We have written about Red Teaming in detail here. It is important to know that in such a test a very wide range of pre-agreed attacks, including social engineering, may be used. Clearly, placing the cat was not the ultimate goal. The plan was the following:

  • the institute's website was hosted on a server inside the institute's own network, not on third-party hosting;
  • an HR account credential was found leaked (in an email log file at the root of the site). This account could not administer the site, but it could edit the job pages;
  • by editing those pages it was possible to inject our own JavaScript. Normally such scripts make pages interactive, but here they could steal from the visitor's browser the one thing that distinguished the HR department from the programmer, and the programmer from an ordinary visitor: the session identifier on the site. The cat was the trigger of the attack and the picture that drew attention. In the HTML it looked like this: if the image had loaded, the JavaScript had already run, and your session ID, together with data about your browser and your IP address, had already been stolen;
  • with the stolen administrator session identifier it would be possible to gain full access to the site, upload executable PHP pages, and thus reach the server's operating system and then the local network itself, which was an important intermediate goal of the project.

The attack was a partial success: the administrator's session ID was stolen, but the site had bound it to the client's IP address. We could not bypass that, so we could not raise our privileges on the site to administrator, but it did lift our mood. The final objective was eventually reached through another part of the network perimeter.

Part 2. I write to you, what more? I also call you, and wander through your office dropping flash drives

What happened with the cat is an example of social engineering, though not quite a classic one. In fact, there was more to the story: besides the cat, the institute, the HR department and the programmer, there were also emails with clarifying questions, allegedly from "candidates", sent to the HR department and personally to the programmer in order to provoke them into opening the site page.

Speaking of letters. Ordinary email, probably the main vehicle of social engineering, has not lost its relevance in a couple of decades and sometimes leads to the most unexpected consequences.

We often tell the following story at our events because it is very revealing.

Usually, after a project with social engineering, we compile statistics, which, as everyone knows, are a dry and boring thing: so many percent of recipients opened the attachment, so many followed the link, and these three actually entered their username and password. In one project we got a password-entry rate above 100%, that is, more credentials came back than letters were sent out.

It happened like this: a phishing letter was sent, supposedly from the CISO of a state corporation, demanding that recipients "urgently test changes in the mail service". The letter reached the head of a large technical-support division. This manager was very diligent about carrying out orders from above and forwarded it to all his subordinates, and the call centre itself was quite large. In general, situations where someone forwards an "interesting" phishing email to colleagues and they fall for it too are fairly common. For us this is the best feedback on how well the letter was written.

[screenshot]

A little later we were found out (this letter was captured in a compromised mailbox):

[screenshot]

The attack succeeded because a number of technical shortcomings of the client's mail system were exploited in the mailing. The system was configured so that anyone, even from the Internet, could send letters on behalf of any sender in the organization without authentication. That is, it was possible to pose as the CISO, the head of technical support, or anyone else. Moreover, the mail client, seeing a letter from "its own" domain, helpfully substituted the sender's photo from the address book, which made the sender look all the more genuine.

To be fair, this attack does not involve any particularly complex technology; it is a successful exploitation of a very basic mail configuration flaw. It is regularly written up on specialized IT and security resources, yet there are still companies where all of this is present. Since nobody is inclined to inspect the SMTP service headers, a letter is usually judged "dangerous" or not by the warning icons in the mail client, which do not always show the whole picture.

Interestingly, a similar weakness also works in the opposite direction: an attacker can send an email on behalf of your company to a third-party recipient. For example, he can fake a routine invoice in your name, substituting his own bank details for yours. Antifraud and cash-out issues aside, this is probably one of the easiest ways to steal money through social engineering.
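The two preceding paragraphs describe the same flaw seen from inside and from outside: mail claiming to come from your own domain is accepted from anywhere, and nothing checks the SMTP-level facts behind the icon the user sees. As an added example (not code from the article or from any Group-IB product), the following gateway-side check does what SPF and DMARC do in simplified form: it compares the connecting IP taken from the top-most Received: header against the networks allowed to send for the From: domain, and checks that the envelope sender's domain matches the From: domain. The SENDER_POLICY dict stands in for the DNS records a real deployment would publish, and the domain corp.example, the IP ranges and the two sample letters are all constructed for this example.

```python
import email
import ipaddress
import re
from email.utils import parseaddr

# Hypothetical policy standing in for DNS: which networks may originate mail
# whose From: is @corp.example (what an SPF record expresses) and what to do on
# failure (what a DMARC p= tag expresses). Constructed for this example.
SENDER_POLICY = {
    "corp.example": {
        "allowed_networks": [ipaddress.ip_network("203.0.113.0/24")],
        "on_fail": "reject",
    },
}

# Constructed sample: the letter from the story, as the gateway would see it if
# it were submitted unauthenticated from an outside host.
SPOOFED = """\
Received: from mail.attacker.example (mail.attacker.example [198.51.100.7])
\tby mx.corp.example with ESMTP; Tue, 15 Oct 2019 08:02:11 +0300
From: CISO <ciso@corp.example>
To: support-head@corp.example
Subject: Urgently test changes in the mail service

Please have your team log in at the link below and confirm the new settings.
"""

# Constructed sample: a genuine internal letter relayed by the corporate relay.
GENUINE = """\
Received: from relay.corp.example (relay.corp.example [203.0.113.10])
\tby mx.corp.example with ESMTP; Tue, 15 Oct 2019 09:15:42 +0300
From: CISO <ciso@corp.example>
To: support-head@corp.example
Subject: Quarterly report

Attached.
"""


def domain_of(addr):
    """Domain part of a 'Display Name <user@domain>' string, lower-cased."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def connecting_ip(msg):
    """IP the message arrived from, taken from the top-most Received: header.
    Only that header was written by our own gateway; any Received: lines below
    it travelled with the message and may have been forged by the sender."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", received[0])
    return ipaddress.ip_address(m.group(1)) if m else None


def check_inbound(raw_message, envelope_from):
    """Return (verdict, findings) for a message whose From: claims our domain."""
    msg = email.message_from_string(raw_message)
    header_domain = domain_of(msg["From"])
    pol = SENDER_POLICY.get(header_domain)
    if pol is None:
        return "accept", []  # not our domain; other controls apply
    findings = []
    ip = connecting_ip(msg)
    if ip is None or not any(ip in net for net in pol["allowed_networks"]):
        findings.append(f"spf-fail: {ip} is not allowed to send for {header_domain}")
    if domain_of(envelope_from) != header_domain:
        findings.append("dmarc-misaligned: envelope sender domain differs from From: domain")
    if not findings:
        return "accept", []
    return pol["on_fail"], findings
```

The root cause in the story is fixed on the sending side: the submission service must require SMTP AUTH before it will accept a MAIL FROM in the organization's own domain, and mail arriving from the Internet with an internal From: address must be treated as external, however the client renders it. Publishing SPF and a DMARC policy of quarantine or reject is what lets other organizations apply the same check to invoices "from you", which covers the outbound direction described above.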

In addition to stealing passwords through phishing, the classic sociotechnical attack is the distribution of executable attachments. If such attachments get past all the protections, of which modern companies usually have many, a remote-access channel to the victim's computer is established. To demonstrate the consequences of the attack, that remote control can then be extended to reach critical sensitive information. Notably, the vast majority of the attacks the media frightens everyone with start exactly this way.

In our audit department, out of curiosity, we keep approximate statistics: what is the total asset value of the companies in which we reached "Domain Admin" level, mainly through phishing and executable attachments? This year it has reached roughly 150 billion euros.

Clearly, provocative emails and cat pictures on websites are not the only forms of social engineering; in these examples we wanted to show the variety of attack forms and their consequences. Besides letters, a potential attacker can call to obtain the information he needs, scatter media (for example, flash drives) with executable files around the target company's office, get hired as an intern, or gain physical access to the local network posing as a CCTV camera installer. All of these, by the way, are examples from our successfully completed projects.

Part 3

A reasonable question arises: fine, social engineering exists and looks dangerous, but what should companies do about it? Captain Obvious hurries to the rescue: you need to defend yourself, and comprehensively. Part of the defence will be the measures that have already become classics, such as technical security controls, monitoring, and organizational and legal support of processes, but the main part, in our view, should go into direct work with employees as the weakest link. After all, no matter how you harden the technology or how harsh the regulations you write, there will always be a user who discovers a new way to break everything. And neither regulations nor technology will keep up with the user's creativity, especially when a skilled attacker is prompting him.

First of all, it is important to educate the user: to explain that situations involving social engineering can arise even in his routine work. For our clients we often run digital-hygiene courses, training that teaches basic skills for countering attacks in general.

I would add that one of the best defences is not to memorize information security rules at all, but to assess the situation with a little detachment:

  1. Who is my interlocutor?
  2. Where did this proposal or request come from (there was never anything like it before, and now it has appeared)?
  3. What is unusual about this request?

Even an unusual font in a letter, or a style of speech unusual for the sender, can set off a chain of doubts that stops the attack. Written instructions are needed too, but they work differently, and they cannot cover every possible situation. For example, security administrators write in them that you must not enter your password on third-party resources. But what if the password is requested by "our own" corporate network resource? The user thinks: "Our company already has two dozen services with a single account, why not one more?" Hence another rule: a well-organized workflow directly affects security. If a neighbouring department can request information from you only in writing and only through your manager, then a person "from a trusted partner of the company" will certainly not be able to request it by phone; for you that would be nonsense.

You should be especially wary when your interlocutor demands that everything be done right now, or "ASAP", as it is fashionable to write. Even in ordinary work this situation is often unhealthy, and in the face of a possible attack it is a strong trigger. No time to explain, run my file!

We notice that the pretexts used in sociotechnical attacks always expose users to topics related to money in one form or another: promises of promotions, perks and gifts, as well as supposedly local gossip and intrigue. In other words, the banal "deadly sins" work: greed, avarice and excessive curiosity.

Good training should always include practice, and this is where penetration testers come in. The next question is what and how to test. At Group-IB we offer the following approach: first choose the focus of the test, either assessing the readiness of the users themselves for attacks, or checking the security of the company as a whole; then test with social-engineering methods that simulate real attacks, that is, the same phishing, executable documents, calls and other techniques.

In the first case the attack is carefully prepared together with the customer's representatives, mainly its IT and security specialists. Pretexts, tools and attack techniques are agreed in advance. The customer provides the focus groups and user lists for the attack, including all the necessary contacts. Exceptions are created on the security controls, because messages and executable payloads must reach the recipients: in such a project only people's reactions are of interest. Optionally, markers can be built into the attack by which a user could guess that it is an attack, for example a couple of spelling mistakes in the messages or inaccuracies in copying the corporate identity. At the end of the project the same "dry statistics" are produced: which focus groups reacted to the scenarios, and to what extent.
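The "dry statistics" mentioned here and the above-100% result in Part 2 depend on one design decision in the campaign tooling: every recipient gets a unique tracking token in their link, so a click or credential submission can be traced to the letter it came from even after that letter has been forwarded. The following is an added example (not the article's or Group-IB's own tooling) that aggregates a constructed event log per focus group and separates a recipient's own submission from submissions by people who were never on the list. The token format, the names and the event log are all made up for the example; only the login typed into the fake form is kept, the password is discarded at the collecting end.

```python
from collections import defaultdict

# Constructed target list: one unique tracking token per recipient.
TARGETS = {
    "tok-7f3a": {"user": "ivanov",  "group": "support"},
    "tok-9c21": {"user": "petrova", "group": "support"},
    "tok-e04d": {"user": "sidorov", "group": "finance"},
}

# Constructed event log from the phishing page: (token, event, login entered).
EVENTS = [
    ("tok-7f3a", "open",   None),
    ("tok-7f3a", "click",  None),
    ("tok-7f3a", "submit", "ivanov"),
    ("tok-7f3a", "click",  None),         # same link opened again, another browser
    ("tok-7f3a", "submit", "kuznetsov"),  # not on the list: ivanov forwarded the letter
    ("tok-7f3a", "submit", "orlova"),     # ditto
    ("tok-9c21", "open",   None),
    ("tok-e04d", "open",   None),
    ("tok-e04d", "click",  None),
    ("tok-zzzz", "click",  None),         # token we never issued: scanner or typo
]


def summarize(targets, events):
    """Per focus group: letters sent, who opened, clicked and submitted, and who
    submitted credentials without ever having been a recipient."""
    groups = defaultdict(lambda: {"sent": 0, "opened": set(), "clicked": set(),
                                  "submitted": set(), "forwarded_victims": set()})
    for tgt in targets.values():
        groups[tgt["group"]]["sent"] += 1
    for token, event, login in events:
        tgt = targets.get(token)
        if tgt is None:
            continue  # unknown token: not part of the exercise
        g = groups[tgt["group"]]
        if event == "open":
            g["opened"].add(tgt["user"])
        elif event == "click":
            g["clicked"].add(tgt["user"])
        elif event == "submit" and login:
            if login == tgt["user"]:
                g["submitted"].add(login)
            else:
                g["forwarded_victims"].add(login)  # came in through someone else's link
    report = {}
    for name, g in groups.items():
        submitted = len(g["submitted"]) + len(g["forwarded_victims"])
        report[name] = {
            "sent": g["sent"],
            "open_rate": len(g["opened"]) / g["sent"],
            "click_rate": len(g["clicked"]) / g["sent"],
            "submit_rate": submitted / g["sent"],  # exceeds 1.0 when letters are forwarded
            "forwarded_victims": sorted(g["forwarded_victims"]),
        }
    return report
```

Rates are computed over distinct people, not raw hits, so a recipient who opens the same link from two browsers counts once; forwarded victims are attributed to the focus group of the original recipient, which is the behaviour that produces a "150%" submission rate for that group and is exactly the signal worth reporting back to the customer.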

In the second case the attack is carried out with zero prior knowledge, black-box style. We independently collect information about the company, its employees and its network perimeter, build pretexts for the attack, select methods, look for the security controls the target company is likely to be using, adapt tools and create scenarios. Our experts use both classic open-source intelligence (OSINT) methods and Group-IB's own Threat Intelligence product, a system that, when preparing phishing, can act as a long-term aggregator of information about a company, drawing among other things on closed sources. Of course, so that the attack does not become an unpleasant surprise, its details are also agreed with the customer. The result is a full-fledged penetration test, but one built on advanced social engineering. The logical option here is to develop the attack inside the network up to obtaining the highest privileges in internal systems. We use sociotechnical attacks in the same way in Red Teaming and in some penetration tests. As a result, the customer receives an independent, comprehensive view of its security against this class of sociotechnical attacks, together with a demonstration of how effective (or ineffective) its defences are against external threats.

We recommend conducting such exercises at least twice a year. First, every company has staff turnover, and past experience is gradually forgotten by employees. Second, attack methods and techniques change constantly, which requires adapting security processes and defences.

As for technical measures against such attacks, the following help the most:

  • Mandatory two-factor authentication on services published to the Internet. Publishing such services in 2019 without single sign-on, without password protection and without two-factor authentication, in a company of several hundred people, is tantamount to an open invitation to "break me". Properly implemented protection makes it impossible to use stolen passwords quickly and buys time to deal with the consequences of a phishing attack.
  • Access control, minimization of user rights in systems, and compliance with the secure-configuration guides that every major vendor publishes. These measures are often simple in nature but very effective and hard to implement, and everyone neglects them to some degree for the sake of speed. Some are so essential that without them no security product will save you.
  • A well-built email filtering line: antispam and total inspection of attachments for malicious code, including dynamic analysis in sandboxes. A well-prepared attack assumes the executable attachment will not be detected by antivirus. A sandbox, by contrast, tries everything on itself, opening files the same way a person would, so a possible malicious component is revealed by the changes it makes inside the sandbox.
  • Protection against targeted attacks. As already noted, classic antivirus will not detect the malicious files in a well-prepared attack. The most advanced products should automatically monitor the totality of events occurring in the network, both at the level of the individual host and at the level of network traffic. During an attack, very characteristic chains of events appear, which can be tracked and stopped if this kind of event-focused monitoring is in place.
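The last point, the "characteristic chain of events", is worth seeing in code. The added example below (written for this edit, not taken from the article or from any product) runs two rules over constructed endpoint telemetry: an Office application spawning a command or script host, and a script host with an Office ancestor opening a network connection, which is the typical first stage of the executable-attachment attacks described in Part 2. The event format, hostnames, process IDs and addresses are all made up; a real EDR or Sysmon feed would supply the same fields under its own names.

```python
from collections import defaultdict

# Constructed endpoint telemetry: (timestamp, host, kind, fields).
EVENTS = [
    (100, "ws-17", "process", {"pid": 4100, "ppid": 3000, "image": "OUTLOOK.EXE"}),
    (101, "ws-17", "process", {"pid": 4210, "ppid": 4100, "image": "WINWORD.EXE"}),
    (104, "ws-17", "process", {"pid": 4300, "ppid": 4210, "image": "cmd.exe"}),
    (105, "ws-17", "process", {"pid": 4310, "ppid": 4300, "image": "powershell.exe"}),
    (106, "ws-17", "netconn", {"pid": 4310, "dst": "198.51.100.23:443"}),
    (200, "ws-02", "process", {"pid": 5100, "ppid": 900,  "image": "WINWORD.EXE"}),
    (260, "ws-02", "process", {"pid": 5120, "ppid": 5100, "image": "splwow64.exe"}),  # printing
    (261, "ws-02", "netconn", {"pid": 5120, "dst": "10.0.0.9:9100"}),
]

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}


def detect_chains(events):
    """Replay events in order, keeping a per-host process table, and emit
    (host, rule, detail, extra) tuples for the two suspicious patterns."""
    procs_by_host = defaultdict(dict)  # host -> pid -> (start_ts, image, ppid)
    alerts = []
    for ts, host, kind, f in events:
        procs = procs_by_host[host]
        if kind == "process":
            image = f["image"].lower()
            procs[f["pid"]] = (ts, image, f["ppid"])
            parent = procs.get(f["ppid"])
            # Rule 1: an Office application directly launching a shell or script host.
            if parent and parent[1] in OFFICE and image in SCRIPT_HOSTS:
                alerts.append((host, "office-spawns-script-host", parent[1], image))
        elif kind == "netconn":
            # Rule 2: walk the ancestry of the connecting process; a script host
            # descended from an Office application talking to the network is the
            # payload's first call home.
            chain, pid = [], f["pid"]
            while pid in procs:
                chain.append(procs[pid][1])
                pid = procs[pid][2]
            if chain and chain[0] in SCRIPT_HOSTS and any(img in OFFICE for img in chain[1:]):
                alerts.append((host, "office->script-host->network",
                               " > ".join(reversed(chain)), f["dst"]))
    return alerts


if __name__ == "__main__":
    for alert in detect_chains(EVENTS):
        print(alert)
```

The second rule is the stronger of the two because it keys on the whole ancestry rather than the immediate parent, so inserting an intermediate cmd.exe (as in the sample) does not hide the Office origin. In production the process table needs a termination event and an eviction policy, and the benign child list (print spoolers, update helpers) grows with each false positive.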

Original article published in the journal "Information Security / Информационная безопасность", No. 6, 2019.

Source: habr.com
