Welcome to The Red Team Crypt, where we keep the most riveting testing stories. Join me, the Crypt Keeper, through this week’s episode. Not everything is as it seems, and you know what they say when you assume…
You know the answer, isn’t that right Alfred? Oh, if only.
“Who is that…” Alfred peered out the window at John Doe standing outside, looking him up and down. “Is he lost?” Alfred racked his brain for an answer. “Why is he here? I don’t see any identi-” His mind trailed off as he noticed the sports cap, notepad, phone, the personal effects any employee would have with them. A wave of relief swept over him and he opened the door for The Stranger.
Clearly, The Stranger had simply forgotten his badge at his desk and worked in the building. After all, he was in the outdoor seating area and that’s “employee only”.
The Stranger entered and thanked Alfred with the tip of his cap as a cold air passed between them. The Stranger walked swiftly down the hall, seemingly knowing where he was going. Alfred watched our John Doe turn the corner and Alfred went about his day. The Stranger went about his day, too. He turned the corner and connected to the internal network; and began his work. Just moments later, darkness fell across the building. The data exfiltration had begun.
How did this come to be?
Let’s travel back three days…
The Assessment Team arrived at the target location (let’s call them The Good Company, yes?) that evening with plans to perform their initial reconnaissance. It was hot and humid, the pressure of the air and their mission weighed on the team’s shoulders. The night unfolded without an event. The team recorded the comings and goings of the building. Employee only areas noted, security cameras identified, every detail of The Good Company’s building was noted.
As the three days unfolded, the team continued recon, around the clock. On their third day, an opportunity fell into their laps. The Good Company was hosting a job fair in their building for prospective candidates. One team member, Tester A, was sent to the event. Tester A (he likes TA for short) dressed the part; an average joe seeking a job.
TA’s “job search” proved fruitful, providing the team with even more information. TA was able to observe The Good Company’s security station and their team. While inside, the layout of the building revealed itself to TA like land emerging to a weary sailor. “Too simple. tsk, tsk,” TA noted on his mission. The building’s cold chill (the Ghost of Hackers Past, perhaps?) kept TA’s mind focused and alert to details.
TA left the building, his recon coming to an end. He felt relieved to be back outside in the sun. With a new spring in his step, he returned to the team to hatch a plot for a daytime incursion.
That night, the team collectively dreamt of returning to the building. The cold spectral presence, the ominous security guards, and of course the large number of employees going about their day. This was their Omaha Beach. As the team approached The Good Company the next day, they remembered their fears from the night before. Team Member One went to the front entrance dressed in a suit and tie (the works, or at least the business-formal version) brandishing a fake audit authorization form. TMO’s role was to entice the security operations desk into dealing with an imposter while part two of their plot unfolded elsewhere.
Within minutes of entering the building, security personnel began to converge on TMO. A call was made to the CSO. “Was the approved?” TMO could overhear The Good Company’s employees. “No? That’s what I thought.” The guards became agitated insisting that TMO leave, immediately. His protests fell on deaf ears and left the building. TMO noticed a security car trailing behind him as he drove off into oblivion (or at least, into the parking lot of a nearby Starbucks).
As TMO was walking to his car, part two was commencing. Test Member Two, (TMT for short, we see a theme?) was able to slip into the outdoor seating area. TMT was decked out with The Good Company employee disguise: notepad, cellphone holstered, business casual attire and a cap with a local sports team logo. TMT was fearful and paused at a picnic table before approaching the door (the same door he had been working at with a lock pick two nights prior). TMT walked forward and tapped on the glass, hoping for someone to pass the window.
Alfred heard a faint sound and headed in its direction, his curiosity pushing him towards the door. “Who is that…” Alfred peered out the window at TMT standing outside, looking him up and down. His thoughts took off with his fears. Security training had highlighted that employees needed to be diligent, but then Alfred noticed TMT’s notebook, cellphone, attire, and cap. “Clearly,” Alfred thought, “He’s forgotten his badge at his desk and works in the building. He is in the outdoor seating area and that’s Employee Only.”
The Good Company employee opened the door and TMT walked in confidently. TMT thanked Alfred with the tip of his cap as cold air (the Ghost of Hackers Future) passed between them. Alfred was painfully unaware of the doom that approached.
TMT turned the corner and found a quiet area to work. He connected his laptop to the network (no controls prevented this) and set about his mission. His objective was to target and exfiltrate critical process data (in this case, a customer database). Using a “pass the hash” attack, the primary target was breached, and the data was copied over. Only thirty minutes later TMT exited the building victoriously and headed towards the rendezvous.
Alfred continued about his day, not realizing the horror that had unfolded or what could have been if the “attacker” wanted to do more than access a database…
Oh, poor Alfred. Fortunately, we can learn from Alfred and all of our tales from The Red Team Crypt. Tune in next time for a new episode at https://occamsec.com/insights
Key takeaways from the curse of the innocent cap:
Security awareness training, everyone does it, everyone needs it (if only for compliance) but is it actually effective? No doubt it can be, but the majority of the time it’s a couple of training videos, maybe a presentation, and a poster. That’s not going to override the human instincts that social engineering targets.
If anyone can plug a device into your network they can cause your problems. NAC is touted as the solution, but NAC is difficult to implement. Monitoring can help, just need to implement some rules to detect rogue devices.
Blended attacks pose a real threat. Combining cyber-attacks with physical and social engineering can greatly increase the probability of a successful attack. Gaining physical access to a site bypasses all network perimeter controls, and internally, networks tend to be a little more swiss cheese like.
NOTE: These events are from a real assessment, they have just been given a fictional wrapper (we don’t really know what was going through the mind of the guy who opened the door).