The DEF CON 24 Social Engineering Capture the Flag Report · Engineer Village at the DEF CON...
11/8/2016 [email protected] 1
The DEF CON 24 Social Engineering Capture the Flag Report
PO Box 62, Brooklyn, PA 18813 | 800.956.6065 | www.social-engineer.org
Social-Engineer, LLC
© All rights reserved to Social-Engineer, LLC, 2016.
No part of this publication, in whole or in part, may be reproduced, copied, transferred or any other right reserved to its copyright owner, including photocopying and all other copying, any transfer or transmission using any network or other means of communication, any broadcast for distance learning, in any form or by any means such as any information storage, transmission or retrieval system, without prior written permission from the author(s).
Table of Contents
Executive Summary ........................................ 3
Overview of the SECTF .................................... 4
  Background and Description ............................. 4
  2016 Parameters ........................................ 6
  Target Companies ....................................... 7
  Competitors ............................................ 7
  Flags .................................................. 8
  Scoring ............................................... 10
  Rules of Engagement ................................... 11
Results and Analysis .................................... 12
  Open Source Intelligence .............................. 12
  Pretexting ............................................ 16
  Live Call Performance ................................. 17
  Competitor Summary .................................... 19
  Final Contest Results ................................. 20
  Discussion ............................................ 23
About the Social-Engineer Village ....................... 27
Conclusion .............................................. 28
About Social-Engineer, LLC .............................. 29
Sponsors ................................................ 30
Executive Summary
Social-Engineer.org (SEORG) hosted the Social Engineering Capture the Flag (SECTF) contest at DEF CON 24 in Las Vegas, Nevada for the seventh year in a row in August of 2016. This year's competition targeted information security companies.
From over 150 entries, we selected 14 competitors from diverse backgrounds and experience levels to test their social engineering abilities. Below is a table highlighting some basic statistics from this year's competition:
As in years past, the overall goals of this contest were to raise awareness of the ongoing threat posed by social engineering and to provide a live demonstration of the techniques and tactics used by the potential malicious attacker. There were very strict rules of engagement in place to ensure no sensitive information on companies or individuals was disclosed. To further protect employees of target companies from potential negative repercussions, identities of those contacted are neither recorded nor retained.
It is important to note that the reporting of a target company's overall performance is a combination of points scored by their assigned contestant in both Open Source Intelligence (OSINT) gathering and live call phases of the contest. The scoring alone contained within this report does not necessarily indicate that one company is less secure than another company. However, it is an indicator of the potential vulnerabilities that exist and demonstrates that despite training, warnings and education, social engineering is still a very serious and viable threat to corporations.
Target companies                    14
Competitors                         14
Completed calls                    160
Total points scored on reports    1698
Total points scored on calls      4352
Table 1: SECTF general summary
Overview of the SECTF
The Social Engineering Capture the Flag (SECTF) is an annual event held within the Social-Engineer Village at the DEF CON Hacking Conference in Las Vegas, NV. The SECTF is organized and hosted by Social-Engineer.Org (SEORG), the noncommercial, educational division of Social-Engineer, LLC.
The competition was formed to demonstrate how serious social engineering threats are to companies and how even novice individuals could use these skills to obtain important information. The contest is divided into two parts: the information-gathering phase that takes place prior to DEF CON, followed by the live call phase that occurs at the DEF CON conference.
Background and Description
The SECTF is a contest in which participants attempt to obtain specific pieces of information, called flags, from select private-sector companies. The purpose of the contest is to demonstrate how much information can be freely obtained either through online sources or via telephone elicitation.
Months prior to the DEF CON event, we solicited for individuals who wished to compete via our social media outlets and www.social-engineer.org website. We also asked participants to submit a 90-second video outlining why they should be included in the contest. Our panel made selections based on a number of factors, including desire to learn as well as our perception of the contestant's intent. As this is an educational event, we wish our participants to have a very strong emphasis on ultimately helping the status of corporate security as opposed to the singular goal of "winning" an engagement. From over 150 applicants, we selected 14 contestants and randomly assigned them to a company.
Contestants were not made aware of any other competitors or target companies other than their own prior to their call time at the live event. The target companies were not informed of their inclusion in the SECTF, nor was the industry announced prior to our contest. For this year, we selected information security as the target industry. These are brands that businesses rely on to assist their populations in the defense of confidentiality, integrity, and availability of information.
Contestants were given 3 weeks to gather as much information about their target company as possible and generate a formal report. They were allowed to use only Open Source Intelligence (OSINT) that could be obtained through search engines or tools such as Google, FOCA, Maltego, etc. During this information-gathering phase, contestants could attempt to capture as many of the pre-defined flags as possible. The information gathered was to be assembled into a professional looking report. Contestants were provided with a sample report to assist them, but
were not required to use this template. In addition to the flags, points were also awarded based on the professionalism and quality of the report, with 10 bonus points awarded for reports submitted early.
Contestants were then assigned a time slot to perform their live calls on either Friday or Saturday during DEF CON 24 in Las Vegas, NV.
Great care was taken in the development of the contest to ensure maximum success for the contestants. Since the contest was held on the West Coast, companies whose headquarters were located on the East Coast were assigned earlier time slots. Furthermore, companies who were more easily accessible during non-standard business hours were assigned Saturday time slots.
Contestants were placed in a soundproof booth and required to provide a list of phone numbers (obtained during the information-gathering stage) at the target company to call along with phone numbers they wished us to spoof. Caller ID spoofing is a method through which one's incoming phone number can be forged, or "spoofed". This is a tactic commonly used by social engineers to increase their credibility with recipients.
Each contestant was free to use their entire allotted 25-minute time slot to perform as many or as few calls as they wished. Although United States federal law only requires one party to be notified in the event of recording a telephone call, many states (Nevada included) have created additional laws requiring both parties to consent. Since we could not obtain the consent of target companies without jeopardizing the integrity of the contest, no recording of any type was permitted (including that by the audience). Photographs were allowed with permission of the contestant.
Scoring was accomplished during each call by three judges. Based on very positive feedback from previous years, we again took opportunities after each call to discuss the call with the audience. During that time, we analyzed the success of the techniques used, and answered as many questions directed to either the judging panel or the contestant as time allowed. Subsequent to the contest, scoring and comments were reviewed along with the reports submitted prior to DEF CON to determine the winners.
It should be noted that all 14 contestants were required to place a $20 USD fully refundable deposit to reserve their spot at the contest. All contestants were refunded this deposit immediately after completing their call at the DEF CON portion of the contest.
2016 Parameters
Overall, we attempt to keep the major parameters of the competition as consistent as possible from year to year. However, we do make changes to ensure that the contest continues to be challenging and educational for both contestants and audience. Primary changes:
o The ability to spoof was allowed for all contestants
o The target companies were all information security companies
Target Companies
The Social-Engineer staff, through an open nomination and voting process, accomplished target selection. We made every attempt to ensure that no bias was introduced through attitudes or preconceived notions regarding any particular company. In general, we attempted to select Fortune 500 or larger companies from the information security industry. As businesses must focus on their core competencies, many do not have the internal resources for in-house information security teams. They must rely on the expertise of external service providers, and as companies responsible for the protection of client information, these providers must themselves be extremely cognizant of their own information security. As in previous years, we made the call for companies to be willing participants in the SECTF. No companies volunteered; therefore, none of the companies chosen were aware of their selection prior to the DEF CON conference. The target list (in alphabetical order):
1. Akamai Technologies
2. Cisco Systems
3. Comcast Xfinity
4. Dell SecureWorks
5. Deloitte Touche Tohmatsu Limited
6. EMC Corporation
7. Fortinet
8. International Business Machines Corporation (IBM)
9. Oracle Corporation
10. Palo Alto Networks
11. RSA Security
12. Sophos Group
13. Symantec Corporation
14. SYNNEX Corporation
Competitors
As in all previous years, one of our core rules is that no one is victimized. This includes those who choose to participate, those who are called, and the companies they work for. Our contestants' personal information is never revealed and they are only photographed if they provide explicit verbal permission prior to their live call segment at DEF CON. No video
recording of contestants during their calls is ever permitted due to two-party consent laws in the state of Nevada.
There were 14 competitors selected from an original pool of over 150 applicants. Not all were skilled callers or experienced social engineers. For many, this was their first attempt at ever placing a deliberate social engineering-based call. Some of the contestants were red team or security specialists, but many were from other fields not related to social engineering or information security.
Flags
A "flag" is a specific piece of information that the contestants attempted to obtain in both the OSINT and live call portions of this competition.
Every year, we send an overview of flags, rules, targets and other pertinent information to our legal counsel. We do this to ensure we are staying within the legal boundaries we set for ourselves when we started this competition.
Table 2 outlines the list of specific flags, their categories, and point values for 2016:
Table 2: Flag list for SECTF at DEF CON 24 in 2016
DEF CON 24 SECTF Flag List
Flag                                                                              Report points   Call points
Logistics
  Is IT Support handled in house or outsourced?                                          3             6
  Who do they use for delivering packages?                                               3             6
  Do you have a cafeteria?                                                               4             8
  Who does the food service?                                                             4             8
Other Tech
  Is there a company VPN?                                                                4             8
  Do you block websites?                                                                 2             4
  If website block = yes, which ones? (Facebook, EBay, etc.)                             3             6
  Is wireless in use on site? (yes/no)                                                   2             4
  If yes, ESSID Name?                                                                    4             8
  What make and model of computer do they use?                                           3             6
  What anti-virus system is used?                                                        5            10
Can Be Used for Onsite Pretext
  What is the name of the cleaning/janitorial service?                                   4             8
  Who does your bug/pest extermination?                                                  4             8
  What is the name of the company responsible for the vending machines on site?          4             8
  Who handles their trash/dumpster disposal?                                             4             8
  Name of their 3rd party or in house security guard company?                            5            10
  What types of badges do you use for company access? (RFID, HID, None)                  8            16
Company Wide Tech
  What operating system is in use?                                                       5            10
  What service pack/version?                                                             8            16
  What program do they use to open PDF documents and what version?                       5            10
  What browser do they use?                                                              5            10
  What version of that browser?                                                          8            16
  What mail client is used?                                                              5            10
  Do you use disk encryption, if so what type?                                           5            10
  Fake URL (getting the target to go to a URL) www.seorg.org                           N/A            26
Employee Specific Info
  How long have they worked for the company?                                             3             6
  What days of the month do they get paid?                                               3             6
  Employees schedule information (start/end times, breaks, lunches)                      3             6
  What is the name of the phone/PBX system?                                              4             8
  When was the last time they had awareness training?                                    5            10
Scoring
Social-Engineer had a proprietary application developed for the purpose of scoring both the OSINT and live call portions of the competition. Flags obtained during the OSINT phase of the contest were worth half-points (please see Table 2). OSINT reports were scored prior to the live call event.
Scoring during the telephone calls was accomplished live using the same proprietary application mentioned above. Judges were able to input scores into a database for the flags as they were obtained. Flags captured during this portion of the event were awarded full points (please see Table 2). The same flag could be captured multiple times by the contestant either by contacting different targets on the same call (e.g., through being transferred) or on subsequent calls within the allotted 25 minutes. For example, if the contestant reached three different people and convinced all three to navigate to the website of the contestant's choosing (a flag worth 26 points), they would have received seventy-eight points. Every attempt was made to ensure consistency in scoring for all contestants, regardless of the judge, although our scoring process does provide some subjectivity through the ability to include notes and comments by each judge for each contestant. At the end of the competition the scores were totaled by the application to determine the winning score.
In addition to determining the SECTF winner based on point totals, we also conducted an analysis of how the target companies fared in response to a social engineering attack. It follows that the interpersonal skills and overall preparation of the contestant were highly predictive of the outcomes indicated by both scores as well as subjective assessments of performance by the judges. Unfortunately, a company cannot rely on the hope that a malicious social engineer will be inexperienced, unskilled, or unprepared upon which to base their sense of corporate security.
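The scoring rules above (half points for OSINT flags, full points per capture on calls, the early-report bonus, and company ranking by the assigned contestant's total) as a small model, added here as an illustration; it is not the Social-Engineer scoring application. The flag subset, short flag keys, contestant identifiers, company names and capture records are all constructed for the example, and the once-per-flag treatment of OSINT report flags is an assumption the report does not state.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple

# Subset of the DEF CON 24 flag list with the call-phase values from Table 2.
# Report (OSINT) value is half the call value; the Fake URL flag is call-only
# (N/A in the report column). The short keys are chosen for this example.
CALL_POINTS = {
    "cafeteria": 8,          # Do you have a cafeteria?
    "anti_virus": 10,        # What anti-virus system is used?
    "badge_type": 16,        # What types of badges do you use for company access?
    "operating_system": 10,  # What operating system is in use?
    "fake_url": 26,          # Fake URL (getting the target to go to a URL)
    "tenure": 6,             # How long have they worked for the company?
}
CALL_ONLY = {"fake_url"}
EARLY_REPORT_BONUS = 10      # bonus points for reports submitted early


@dataclass(frozen=True)
class Capture:
    contestant: str   # constructed contestant identifier
    company: str      # target company assigned to that contestant
    flag: str
    phase: str        # "osint" or "call"
    call_no: int = 0  # live-call number the flag came from (0 for OSINT)


def flag_value(flag: str, phase: str) -> int:
    """Point value of a flag in a phase: full on calls, half in the OSINT report."""
    if flag not in CALL_POINTS:
        raise KeyError(f"unknown flag: {flag}")
    if phase == "call":
        return CALL_POINTS[flag]
    if phase == "osint":
        if flag in CALL_ONLY:
            raise ValueError(f"{flag} is not scorable from the OSINT report")
        return CALL_POINTS[flag] // 2
    raise ValueError(f"unknown phase: {phase}")


def score_contestant(captures: Iterable[Capture], early_report: bool = False) -> Tuple[int, int, int]:
    """Return (osint_points, call_points, total) for one contestant.

    Call-phase flags score every time they are captured, so the same flag obtained
    from three people (on one call via transfer, or across calls) counts three
    times. Assumption for this example: a flag in the OSINT report scores once.
    """
    caps = list(captures)
    osint_flags = {c.flag for c in caps if c.phase == "osint"}
    osint = sum(flag_value(f, "osint") for f in osint_flags)
    if early_report:
        osint += EARLY_REPORT_BONUS
    calls = sum(flag_value(c.flag, "call") for c in caps if c.phase == "call")
    return osint, calls, osint + calls


def rank_companies(captures: Iterable[Capture], early: Set[str]) -> List[Tuple[str, int]]:
    """Company ranking from best (lowest total) to worst (highest total).

    A company's score is its assigned contestant's grand total, so a higher
    score means more (or more valuable) flags were surrendered.
    """
    groups = {}
    for c in captures:
        groups.setdefault((c.contestant, c.company), []).append(c)
    totals = [(company, score_contestant(caps, contestant in early)[2])
              for (contestant, company), caps in groups.items()]
    return sorted(totals, key=lambda t: (t[1], t[0]))


def flag_frequency(captures: Iterable[Capture]) -> Counter:
    """How many times each flag was surrendered across both phases (a Figure 6
    style tally of likely vectors into an organization)."""
    return Counter(c.flag for c in captures)


# Constructed capture records for two hypothetical contestants and companies.
SAMPLE = [
    Capture("c1", "Example Co A", "cafeteria", "osint"),
    Capture("c1", "Example Co A", "anti_virus", "osint"),
    Capture("c1", "Example Co A", "fake_url", "call", 1),
    Capture("c1", "Example Co A", "fake_url", "call", 1),  # transferred to a second person
    Capture("c1", "Example Co A", "fake_url", "call", 2),
    Capture("c1", "Example Co A", "badge_type", "call", 2),
    Capture("c2", "Example Co B", "tenure", "osint"),
    Capture("c2", "Example Co B", "tenure", "call", 1),
]

if __name__ == "__main__":
    # c1: OSINT 4 + 5 + 10 bonus = 19; calls 26 * 3 + 16 = 94; total 113
    print(score_contestant([c for c in SAMPLE if c.contestant == "c1"], early_report=True))
    print(rank_companies(SAMPLE, early={"c1"}))
    print(flag_frequency(SAMPLE).most_common())
```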
Rules of Engagement
Contestants are held to very strict rules to ensure the protection of target companies as well as their employees. The core rules remained the same as in previous years. We did not allow the collection of sensitive data such as credit card information, social security numbers, and passwords. Only Open Source Intelligence (OSINT) was allowed. We did not allow physical (i.e. facility) or technical (i.e. network) penetration into companies. In addition, we did not allow the contestant to visit any location of their target for information gathering purposes or interact with any person from the target before the calls at DEF CON. We also specifically avoided sensitive industries such as government, education, healthcare, and finance.
The most important rule stressed to all contestants is that there was to be absolutely no victimization of any individuals or target companies. For more specific information on the ROE, please see our rules and regulations: http://www.social-engineer.org/ctf/def-con-sectf-rules-registration/.
Results and Analysis
High profile events as a result of malicious social engineering are illustrative of the fact that corporations continue to be poor at protecting critical information. Unfortunately, this year's SECTF supported this trend as our contestants, both experienced and newcomers, were able to obtain flags both through OSINT and the live calls. Our findings are detailed in the sections that follow. It should be noted that any comparisons to previous years' performance are for subjective trend analysis only. Since populations and sample sizes are not equivalent across years, statistical analysis is not appropriate and was not performed.
Open Source Intelligence
Preparation prior to any social engineering engagement is critical. It is this phase that is the most time-consuming and laborious, but can most often determine the success or failure of the engagement. The professional social engineer must be aware of all of the information-gathering tools freely available as well as the many accessible locations online that house valuable pieces of data.
The following table is a list of tools commonly used by professional social engineers as well as our contestants during the OSINT phase of the SECTF:
Google
Maltego
LexisNexis
FOCA
PiPl
Plaxo
Google Maps
Shodan
Picasa Web
WhoIs
WGet
Vimeo
Tineye
Wayback Machine
Monster
GlassDoor
Yelp!
Craigslist
Spokeo
YouTube
FourSquare
Friendster
theHarvester
Google Images
Telnet
EchoSec
DuckDuckGo
JigSaw
Table 3: Commonly used OSINT tools and websites
The quality and research dedicated to the reports continues to be impressive. However, continuing the trend from the previous two years, the scores for calls outperformed those for the reports. This reverses the trend set in the earliest years of the competition. Figure 1 shows a similar point distribution to last year's competition. It should again be noted that points awarded for flags captured during OSINT are worth half the value of those awarded during live calling.
Figure 1: Comparison of OSINT/Calls Points Awarded 2015-2016
The following small list of this year's findings demonstrates that the danger posed by social engineering information gathering is extremely prevalent. Any of the following pieces of information could be used by a malicious attacker to further develop vishing, phishing, or onsite impersonation attacks. Major categories are as follows:
Employee Information
- Key personnel were discovered to be sharing personal information via social media: activities, interests, purchasing habits, home location, relationship status and friends/family members.
- Several contestants were able to find employees posting pictures from their desks on social media. These contained views of the computers used by the employees, and in some cases views of the employee's computer screen with sensitive information displayed on it.
- Employees listed very detailed information on their experience and background on social media.
- Some contestants were able to find several posts from target employees discussing work schedule.
Technologies
- Information on operating systems as well as hardware was discovered by several contestants during the OSINT portion. This would allow an attacker to select exploits specifically targeted at a company's infrastructure.
- Information on system architecture, operating systems, and hardware devices used by several targets was found by looking on job postings.
- Multiple contestants were able to locate a full map of their target company's VPN. This would expose the VPN portal to potential attacks.
- Several pictures disclosed the make and model of the WiFi access points used by the target companies.
- One target displayed the make and model for their routers, firewall, and several other pieces of hardware used to secure enterprise data.
Physical Plant
- Onsite cafeteria was discovered to be open to the public, making both facilities and employees vulnerable.
- Information regarding office spaces was readily available (e.g., building owners, office managers, vacant offices, other tenants).
- Several images from inside the offices of target companies were displayed via social media.
- Many details about the physical space were located using tools such as Google Maps (e.g., location of ATMs, security, etc.).
Contractor/Vendor/Other Companies
- A vendor listed a target as their customer for cafeterias.
- Many companies employ contractors, many of whom are supplied through well-known contracting companies.
- A Google Street View image discovered by a contestant displayed the name of the trash pickup company used by a target company.
- One target company received a reward for recycling/compost from their trash pickup company.
- A janitorial service listed a target company as a client on their website.
Special Notes
- Social media accounts of numerous target employees were located. Employees often disclosed information including details regarding technology, systems, and infrastructure employed at their companies, as well as other pertinent details such as pay schedule and specific job functions. Many employees (particularly executive level individuals) possess LinkedIn accounts that are not private, providing significant information to attackers.
- Security badges were prominently displayed in several pictures discovered. This would allow an attacker to create a very realistic copy to use in an impersonation attempt.
- One contestant was able to discover a lease agreement between the target company and the landlord available online.
- The ESSID and password for onsite wireless was made public via a tweet by an employee for one target.
- A contestant was able to use knowledge gained from observing Google Earth images of a target location in his call to obtain several flags.
We recognize that much of the information listed above is beyond the control of the organizations and individuals concerned. However, it is important to be aware of information freely available in order to mitigate possible exploitation by malicious attackers.
Figure 2 provides a side-by-side comparison of points scored by competitors against their assigned company during the OSINT portion of the contest, out of a possible 225 points. The X-axis represents the competitors, and the Y-axis the point values for total points awarded for this phase of the competition.
Figure 2: OSINT Scores by Competitor
The OSINT portion of our competition stresses a few key points. First, this emphasizes the overall importance of the information-gathering phase of any social engineering engagement. A thorough online investigation can provide an individual with a very good understanding of when, where, and how companies conduct business as well as the online activities of their employees through vectors such as social media. Second, any images found can be extremely useful for malicious attackers. For instance, if an attacker knows what buildings look like, the location of entrances and break areas, and perhaps even finds pictures of corporate badges, these are all potential vulnerabilities. Finally, our OSINT exercise stresses the issue of online data leakage by organizations. Network penetration was not allowed; the flags during the OSINT phase were obtained through information freely found online without any live interaction with individuals at the target companies.
Pretexting
Selecting a proper pretext is a key component to the success of a vishing campaign. This year there were a variety of pretexts used with varying degrees of success. Newcomers predictably
struggled the most with both believable pretexts as well as with maintaining the pretext for the duration of the call.
Some contestants attempted to use accents which were not natural to them and found very little success. An important thing to remember when selecting a pretext is to select one which is the most believable. Several of the younger sounding contestants were able to obtain good results using intern/college student pretexts where these would be inappropriate for older sounding contestants. Several newcomers demonstrated an ability to use the inherent nervousness present when competing as part of their pretext.
One of the most important rules for the SECTF is that contestants are not allowed to use negative pretexting. This includes threatening disciplinary action, and/or using extreme fear or anger towards a target. This rule is in place to keep targets from being left in fear for their employment as well as to provide a challenge to the contestants to formulate a pretext that is more creative. This year, one contestant did attempt a pretext which the judging panel felt incited extreme fear in a target. His call was interrupted and he was instructed to recall the target to rectify the situation.
Live Call Performance
The live call portion of the SECTF is an interesting trial for the contestant. It is not only a test in mental agility and the ability to influence a person in real-time, but also a task that must be accomplished in front of a live audience. The luxury of time and true anonymity enjoyed in the OSINT phase are not applicable. It is for that reason we congratulate all of our contestants in completing this phase of the competition. Figure 3 quantifies point values scored by the contestants against their assigned company during the live call portion of the contest. The X-axis represents the contestants and the Y-axis the point values awarded. It should be noted that some contestants found difficulty reaching companies towards the end of the business day while others were ill prepared with very few phone numbers discovered during the OSINT portion of the competition.
Figure 3: Live Call Scores by Competitor
The following are observations made during calls.
- Competitors who were the most successful:
o Were very well prepared. They had conducted thorough OSINT and possessed more than enough possible targets/phone numbers to call. They were also familiar with internal terminology, systems, processes, and in one notable case, very recent corporate news.
o Developed good rapport with the target. In one case, the contestant established a pretext which allowed him to 'assist' a target with figuring out why a fake link wasn't working, which led to achieving a high number of flags.
o Dealt well with an unpredictable environment. This contest illustrates the difficulty of live calling. Our best competitors thought quickly on their feet and were able to adjust pretexts and questions even when the call appeared to be going poorly.
o Carefully planned the order of their questions. The most experienced contestants tended to start with non-threatening questions and gradually pressed the targets into disclosing more sensitive information.
o Were persistent. In one case, a competitor was unable to reach his targets and walked his telephone numbers called up by one digit in an attempt to reach people. In a number of cases, competitors recalled individuals when unable to reach other targets.
- Competitors who had the most difficulty:
o Were not able to make their pretexts immediately clear to their targets. Without being able to establish who, what, and why immediately, these competitors often rambled and were unable to develop proper rapport.
o Were quick to abandon a call if they met even the slightest resistance.
o Did not properly research the company before the live calling phase.
- Techniques:
o A number of successful competitors escalated their requests from small to large.
o One competitor added an incentive to his pretext by offering a gift card for completing a survey. Upon completion of a brief survey the competitor was able to obtain several more flags by assisting the target with receiving the gift card.
o A number of successful competitors phrased their elicitations as confirmation of information they already knew (collected in the OSINT phase).
o Successful competitors also used deliberate false statements to have the target correct them with the correct flag.
o A number of competitors used a "rapid fire" style of questioning, essentially overwhelming their targets. Depending on the amount of rapport established, this was a successful technique.
- Additional Observations:
o One competitor noticed that there was a dumpster next to the smoking area for a company during the OSINT phase and used this to obtain the trash pickup company flag during the calls.
o Two of our competitors were unable to obtain flags due to personnel not answering calls. This mirrors actual social engineering engagements and demonstrates the lack of predictability and control inherent in vishing calls.
o In more than one case, a company's corporate directory provided the full names of individuals, providing multiple target opportunities with a single call.
Competitor Summary
This year we had our typical range of novice social engineers to professional penetration testers. Average OSINT performance for this year remained identical compared to last year as demonstrated in Figure 4. However, since we make changes to the conditions, number of competitors, and scoring each year (e.g., extra points for "tag-outs" in 2014), these averages are only valuable in terms of identifying large trends such as the data reversal we saw in 2014. Call score appears to have fallen this year, which may be attributed to the difficulty some competitors had in reaching employees at the target companies. The mathematical average is also impacted by outlying scores (either very high or very low), so it is relatively limited in the information it conveys. One can surmise that perhaps competitors this year continued to emphasize call phase preparation and performance over the OSINT phase.
Figure 4: Mean Performance for SECTF 2013-2016
Final Contest Results
At the conclusion of the live call portion of the contest, the judging panel met and reviewed all scores. Figure 5 is a tally of OSINT scores, call scores, and grand total by company. The higher score denotes that a higher number or value of flags were surrendered, and is indicative of poorer performance on the part of the company.
Figure 5: Company Ranking
Keeping with the trend from last year, contestants relied heavily on the call portion for their score. Unfortunately, it should also be noted that there were several targets this year completely untested during the call portion due to personnel simply not answering telephone calls at all. Finally, every target company disclosed at least some information (either discovered during OSINT or during live calls) which could be used as a possible attack vector for malicious actors. The ranking of companies from best performance (lowest score) to worst performance (highest score) is as follows:
1. Symantec
2. IBM
3. Oracle
4. EMC
5. SYNNEX
6. Palo Alto
7. Fortinet
8. SecureWorks
9. Sophos
10. Akamai
11. CISCO
12. RSA
13. Deloitte
14. Comcast Xfinity
We do not release information on specific vulnerabilities of the companies to the general public. NOTE – We do provide this information directly to the involved companies upon request.
One positive aspect of the live call portion of the SECTF each year is to see when a company shuts down the contestant. That is, the person from the target company follows appropriate security protocol and does not answer any questions or hangs up on the call. Each year when a person from a target company stops a contestant, the room breaks out into applause. This year we did have calls during which:
- The target attempted to verify the contestant and refused to disclose any information when the contestant could not be located in the employee directory.
- The target looked up the domain and company from the contestant's pretext and refused to have further conversation when these turned out to be fake.
- The target politely shut down the contestant, insisting that any requests for a survey should go to the target's manager.
- A target company sent a bulletin company-wide that the firm was under attack from DEF CON.
Despite these positive notes, overall, this year's contest proved once again that potentially damaging information on organizations is still either easily accessible online or discovered via telephone calls by even the most novice competitor.
Figure 6 illustrates the number of times each flag was obtained during both OSINT and live call phases. While not all flags were requested the same number of times, this is at least an indicator of likely vectors into an organization. Inspection will reveal that the most commonly obtained flag this year was the amount of time the target had worked for the company, followed by whether or not there was an onsite cafeteria, then employee schedule. The first flag could be used by a malicious attacker in determining how difficult it might be to escalate an attack using this individual as well as the value of the information they may hold. A newcomer to an organization may be an easier target, but may also provide less valuable information, depending on their job function. The other flags could be used to perpetrate believable attacks via onsite impersonation attempts. The take-away here is that social engineering is not the end game, but is used as the entry point to perpetrate theft of identity or resources. The motivated individual will compile information from a number of different sources and create believable attacks that are difficult to recognize and resist.
It is interesting to note that EVERY applicable flag was surrendered at least once by the target companies.
Figure 6: Frequency of Flags
Discussion
This was, once again, an interesting and informative year. Based on all of the data and our own observations, we can conclude a few points. First and foremost, social engineering continues to be a security risk for organizations. This was our seventh consecutive year hosting this event; in that time and despite numerous high-profile security breaches that occurred this year, we have not seen consistent improvements that directly address the human element in organizational security. Even as companies are reportedly investing more in security awareness training and policy development, the results again this year support our belief that overall, companies are still doing a relatively poor job. Not all of our competitors were experienced information security professionals; however, all were able to obtain flags. It does not appear that employees are being educated to understand the value of the information they hold or how to appropriately
11/8/2016 [email protected] 24
protectit.Ratherthanacceptarequestatfacevalue,employeesneedtobetrainedandencouragedtoquestion,challenge,andmakegooddecisions.Ifthetrainingtaskistoodifficulttoovercomeimmediately,thenatminimum,employeesneedtohaveproperprotocolsinplacethatallowthemtoquestioncallers.Forexample,ifallemployeeswereforcedtoverifythemselveswithanemployeeIDorotherdailycode,thiscouldgreatlyreducetheriskoftelephone-basedattacksandtheneedforemployeestodecideforthemselvesthecorrectcourseofaction.Ifanorganizationcreatesanambiguoussituationeitherthroughunclearpoliciesorinadequatetraining,employeeswillmakechoicesthatareeasierandlessuncomfortable(e.g.,disclosinginformationasopposedtopolitelydecliningtoanswer).Oursecondconclusionisthatcompaniesarestillallowingsensitivedatatobepostedonline.Indirectoppositiontosecurityisthebasicnatureofconductingmodernbusiness.Clearcommunicationwith,andaccessibilityofinformationby,clientsandpartnersismandatory.Thisplacescompaniesinapositionwheretheyneedtomaketheirresourceshighlyavailable,andperhapsvulnerable.Inadditiontomonitoringcorporateinformation,anotherchallengeforallorganizationsistheinabilitytocompletelycontrolthesocialmediaandotherpostingsofcurrentandpastemployees.Ourcompetitorsclearlyfoundvaluableinformationthroughthesesources,andtheyarecertainlyusedbyprofessionalsocialengineerstocraftphishing,vishing,andonsiteimpersonationattempts.Althoughitisunlikelythatthisvulnerabilitycaneverbecompletelymitigated,clearpoliciesandtrainingcanassistmakingemployeesawareoftheriskinwhichtheyplaceboththemselvesandtheircompaniesbyoversharinginformation.Wesincerelyhopeourfindingsareusefulinmakingtheinformationsecurityindustrysafer,andasecureplaceinwhichtoconductbusiness.MitigationTheongoinggoaloftheSECTFistoraiseawarenessofthethreatthatsocialengineeringpresentstobothorganizationsandindividuals.Thecruxofthisreportistoinformcompaniesofthedangersassociatedwithmalicioussocialengineersaswellashowtheycanmitigatevulnerabilitiesandprotectagainsttheseattacks.Basedonourpracticeandinreviewing
thetrendsoverthepastseveralyears,wewouldexpecttheuseofsocialengineeringtocontinuetobeasignificantthreattoorganizations.Technicalcontrolsareonlypartofasolutionthatshouldincludeongoingeducationandauditingasastandardpracticetodefeatmaliciousattackers.Belowareafewsuggestionsforpotentialmitigationofthisthreat.
1. Defensive actions
The OSINT phase of the contest revealed how much data on a target company can be gathered through the simplest online searches. Companies must balance the business requirements of managing their brands with the risks associated with having open and approachable communications with their employees and the world. To further complicate the issue, corporate policies on information handling as well as employee social media use can often be either vague or unrealistic. Companies need to set clear definitions of what is and is not allowed with regard to the handling and posting of information, particularly with respect to social media. Individuals will often not make the connection that personal life being discussed in an open social forum can be leveraged to breach their employers. In addition, clearly defined policies on how, where, and what kind of information can be uploaded to unsecured areas of the Internet can go a long way to safeguarding companies. Finally, companies MUST help their employees understand what information is valuable and how to think critically about its protection. Guidelines, policies, and education can help the employees understand the risks associated with information exchange in both their personal and professional lives, creating a security-focused culture.
2. Realistic testing
One of the most necessary aspects of security is the social engineering risk assessment and penetration test. When a proper risk assessment is conducted by professionals who truly understand social engineering, real-world vulnerabilities are identified. Leaked information, social media accounts, and other vulnerable aspects of the company are discovered, cataloged, and reported. Potential attack vectors are presented and mitigations are discussed. A social engineering penetration test increases the intensity and scrutiny; attack vectors are not simply reported, but executed to test a company’s defenses. The results are then used to develop awareness training and can truly enhance a company’s ability to be prepared for these types of attacks. We conclude that if the companies targeted in this year’s competition possessed regular social engineering risk assessments and penetration testing, they might have been more aware of possible attack vectors and been able to implement education and other mitigation to avoid these potential threats.
3. Security awareness education
One of the areas that appears to be lacking across the board is quality, meaningful, security awareness education. Educating the population to meet compliance requirements is not sufficient. In our experience, there is a definite relationship between companies that provide frequent and relevant awareness training and the amount of information that company surrenders. An organization that places a priority on education and critical thinking is sure to possess a workforce that is far more prepared to deal with malicious intrusions, regardless of the attack vector. Security awareness training needs to be practical, interactive, and applicable. It also needs to be conducted on a consistent basis. It doesn’t require that a company plan large events each month, but regular security reminders should be sent out to keep the topic fresh in the employees’ minds. In addition, we have found through our practice that companies who employ ongoing phishing and vishing awareness campaigns through real world testing often fare better against these threats than those that do not. Many times, the difficulty lies in businesses making training and education a priority to the extent that appropriate resources are allocated to ensure quality and relevance. Security education really cannot be from a canned, pre-made solution. Education needs to be specific to each company and in many cases, even specific to each department within the company. Companies who truly understand the challenges and rewards associated with high quality training and education will find themselves most prepared for the inevitable.
These are just three of the many strategies that can be utilized to improve and maintain security and prepare for the attacks being launched on companies every day. Our hope is that this report helps shed light on the threats presented by social engineering and opens the eyes of corporations to how vulnerable they really are.
About the Social-Engineer Village
DEF CON 24 brought back the Social-Engineer Village by popular demand. In addition to hosting the SECTF, we created a four-day event to entertain and educate DEF CON attendees on all things social engineering. This year we offered a reboot of last year’s “Mission SE Impossible” challenge that simulated an office break-in and emphasized the critical thinking skills necessary to perpetrate successful corporate espionage. We also hosted a number of presentations by well-known social engineers to provide our audience with their unique perspectives in the field, the Social Engineering CTF for Kids, as well as our own live SEORG podcast. Based on an overwhelmingly positive response, the Social-Engineer Village will return in 2017 and will once again host the Human Track at DEF CON 25. We will be releasing a Call for Papers along with our call for 2017 SECTF contestants in coordination with DEF CON announcements. Please watch our website www.social-engineer.org and our social media accounts @HumanHacker, @SocEngineerInc, and https://www.facebook.com/seorg.org for the most current information.
Conclusion
This was another fantastic year for the SECTF. There were many first time contestants as well as some returning from past years. With some of the novice competitors outperforming experienced security professionals, the competition continues to demonstrate that social engineering can be a powerful skill for people at any level. Unfortunately, as in years past, our limited findings show that companies are still vulnerable to social engineering attacks. It is our hope that this will change as we continue to expand our event and stress ongoing preparation, not just the attention garnered at DEF CON.
If you, or your organization, have any questions regarding any aspect of this report please contact us at: [email protected].
About Social-Engineer, LLC
Social-Engineer, LLC is the premier consulting and training company specializing in the art and science of social engineering (SE). Social tactics are an established and quickly growing trend in information security in the forms of phishing, phone elicitation (vishing), and impersonation.
With more than three decades of combined experience, Social-Engineer, LLC assists organizations in government, law enforcement, and the private sector in detection and mitigation of the devastating effects of both physical and information breaches. Social-Engineer, LLC focuses on the abilities of a hostile attacker to exploit the human element of businesses to gain access to corporate assets. Through assessment, education, and training, Social-Engineer, LLC helps organizations protect themselves and their trade secrets. To learn more about professional social engineering services, please visit: http://www.social-engineer.com/social-engineering-services/.
Sponsors
The 2016 Social Engineering Capture the Flag contest and the Social-Engineering Village would not have been possible without the generous support of the following organizations:
www.social-engineer.com
www.trustedsec.com
http://www.phishline.com/
www.pindropsecurity.com
http://www.asgent.com