Checking a company's security system involves not only pentests and phishing emails, but also spy operations with penetration into the customer's territory. This is what the most undercover Bastion employees do. We caught them during a break between projects to ask a few questions about this non-standard work.
For obvious reasons, we do not disclose the real names of our specialists, so in this conversation they will speak under the pseudonyms Alice and Bob. They have been doing this work for several years, but this is the first time they have agreed to tell the general public about it.
Warning: This post may trigger paranoia.
Sometimes your colleagues jokingly call you spies. So what does your job really entail?
Alice: Actually, that's close to the truth. We do penetration testing using social engineering.
Bob: Usually, clients are interested in targeted visits with penetration into a facility, into the company's territory. The ultimate goal is to get an all-access pass that opens every door, get into the server room and leave unnoticed. In the process, we look for access to any confidential information, establish which information security tools the organization uses, and check how employees treat information hygiene.
In fact, we notice unlocked computers, rummage through documents, look into desks and trash cans, and question employees.
Alice: Another scenario is to come to an interview under the guise of a job candidate. This works especially well if the company has an open information security position. This way you can find out details about the software used, the information security system, the network structure: a lot of specific sensitive and confidential information.
What other scenarios are there? How does social engineering fit in with other types of attacks?
Bob: It works well for wireless network checks, plus the internal network if you find a cable lying around.
Alice: I would like to add that we sometimes have the task of distributing USB drives with a payload. The most banal approach is simply to scatter them around the office. Someone will find them and plug them into a computer at work or at home. If I see an unlocked computer, I can do it myself. I can also ask an employee to print a document from my flash drive.
Bob: Yes, there is such a thing. We prepare the media so that it transmits the Windows account login and password hash to our server. Then we calmly brute-force these hashes for two or three days. If nothing works in that time, it usually means the password is so complex that it cannot be cracked in a reasonable amount of time.
Is this legal?
Alice: We get permission. Legal social engineering differs from illegal in that all these activities are agreed upon and reflected in the contract with the company.
On the customer's side, only one or two people are aware of the audit. This is necessary for secrecy. The fewer people know, the less chance of a leak. Employees will not prepare specially and their vigilance will be at the usual level.
Bob: That's true, but we don't have strict protocols that we have to follow. Just a set of rules.
You cannot perform actions that slow down the work of employees or prevent them from fulfilling their duties. For example, there is a pass on the table. You can clone it unnoticed and use the copy, but you cannot steal it.
You can't break down doors or cause any material damage. As for computers, you just take photos of unprotected ones, you can plug in a flash drive, but you don't get into them or do anything there. As with pentests, no actions that could lead to a denial of service. You just show that the employee is irresponsible about this.
Tell us more about the interaction with the customer. Do they help you, maybe give you tips?
Bob: There are two types of jobs. In the first case, you have nothing. You know only the name of the legal entity; even the office address you have to find out yourself. Then you look for a way to get inside on your own.
The second type simulates working with an accomplice inside the company. It is usually chosen when the customer rents a floor in a business center. The perimeter is guarded by a third-party organization, and we do not have the right to check its security service as well. Then the customer issues passes to the territory, and then we are on our own.
Alice: Sometimes they also explain who to avoid inside the office, for example, asking not to bother top managers and information security specialists who are not aware of the audit. There was a case when a customer brought a building plan, spread it out on the table and crossed out the offices that should not be entered under any circumstances.

How do you prepare for trips?
Bob: You could say that preparation comes down to finding a suitable cover story under which you will enter the facility.
To do this, you need to study the company and its subject area well, and then come up with a story that will work and not fall apart even if something goes wrong. For example, we often choose legends associated with reliable contractors or partners of our client. They have a high level of trust. Then we prepare the clothes, props and technical equipment that we take with us.
Alice: There are situations for which it is impossible to prepare in advance, and you have to act according to the circumstances.
For one project, we initially planned an accounting audit as a cover story. But when I entered the territory, I realized that it wouldn’t work here. It turned out that the accounting department was in the same office. I would accidentally bump into someone who was in the know, and there would be a lot of questions that were very difficult to answer.
I had to act according to the circumstances and pretend to be an employee of a department from another city. In addition, I decided to call myself not a real person, but simply Maria, because there are Marias in any large company. I approached and introduced myself only by my first name, so that I wouldn’t have to give my last name.
Do you have any favorite legends?
Alice: Coming supposedly from the parent organization. It is very effective. Sometimes employees are almost afraid of management from the center. They do everything you ask and ask a minimum of questions.
Bob: It's convenient to pretend to be an employee of the business or shopping center where the office is located. The image of an air conditioning technician also works well. No one pays attention to the service personnel.

You've got inside, what next?
Bob: To put it politically correctly, you pull the wool over people's eyes. You meet them, you lie through your teeth, and you purposefully get what you want. Social engineering hasn't changed at all since Mitnick, except that there are new technical tools that make the job easier.
Do people trust you easily?
Alice: When I first started working, I thought that one wrong move and I would be exposed. In fact, this is not true; as a rule, people do not expect a catch. Here is one case:
I was walking through the office. Then a woman came out of a separate office and asked: "Girl, are you looking for something?"
I quickly found an answer and said that I was an employee from another office and needed to wait for a meeting, so I was looking for a suitable place. No more questions followed. She pointed to the desk of an employee who was not in the office that day. There were a lot of papers there. I sat down, taking advantage of the kindness of this nice lady, and began to look through the documents.
Other employees saw this, saw that I was not a local, but they did not take any action even when I began to photograph everything openly: contracts, bills. Nothing! As if everything was as it should be. If you behave confidently and calmly, you are allowed to do a lot.
Share a couple of professional tricks. What helps you find a common language with people?
Bob: I take chocolates with me. I can take them to the HR department or the accounting department. By the way, this works in everyday life too - a good excuse to drink tea, chat and find out something in passing. Once I got access to employees' personal files in 20 minutes of conversation.
Alice: Being a girl. Seriously. Sometimes customers directly write that a girl should go to the site, and that is not for nothing. In companies with an all-male team, employees are more willing to help girls, especially if you pretend that you don't understand anything and bat your eyelashes.
What is the dumbest trick you've ever used that worked?
Bob: There was an incident on a recent project.
Alice: Then we got a little cheeky. We'd been hanging around the office center for four hours and by the end of the day we had three passes between us. I gave a couple to Bob and suggested checking how the receptionists would react if I gave them two passes at once. Bob came to give them the passes, but then a row ensued.
Bob: Security stops me and the girls at the reception say, "They were looking for you here, asking who this young man is walking around the office and talking to everyone." And I answer that everything is fine, that I have already talked about the project with... and I remember the name of the big boss who supervises their project managers.
I thought it wouldn't work and I'd have to figure it out somehow, but they immediately took the alarm off and changed the subject. They said they thought I hadn't found anyone and was lost. Just giving the boss's name and saying I'd spoken to him was a very stupid trick, but suddenly it worked.
Alice: Bob then went on the offensive, asking what kind of procedure they have for people leaving. The girls were completely confused and said that everything was fine and they were glad that the meeting took place. And then he hands them two passes.
They ask: "Is the second one from yesterday?" He replies that no, not from yesterday. And they say: "Okay then..." and take both.
It was a big mistake that they didn't bother to find out where this unknown person got two passes from. After all, they are issued according to a special procedure.
From the office we went straight to a cafe to meet with the information security specialist who supervised the project. We sat with him for 20 minutes, telling him about the flaws and what we managed to find. And only then did they start writing to him, calling him and sounding the alarm. The attackers could have already gone to another city with the data they had obtained.
Have you ever been caught?
Bob: There were borderline situations, like the time I talked to the technical director of the company, and then stayed around the office for a while. And the director had doubts about me. He called the company I was supposedly from, and the legend fell apart. They started looking for me, and it was tough.

You talk about this very calmly, but this could turn out to be quite serious?
Bob: I am mentally prepared for the fact that some time will pass before I reveal myself, and they may not stand on ceremony with me. The security will be hot-tempered... But there have never been any really dangerous situations in my practice. Besides, there is always a phone for emergency communication with the client.
The really unpleasant thing about this job is when you come across chatterboxes. Sometimes I was practically given a state secret, but I had to report who told me what. I don't know what happens after my reports, but I won't get a pat on the head for it. However, I think it's better than being held responsible for a real incident.
How did you get this job?
Bob: I've had a desire to do something like this for a long time, I always wanted to be a spy and now I've found a way.
Alice: And I got into it almost by accident. It so happened that the client wanted a girl to take part in the inspection of a site in St. Petersburg. No one could go, and I was going to St. Petersburg on my own business, so I was persuaded to drop in there with Bob.
And you liked it so much that you continued working?
Alice: Exactly. I work very closely with penetration testers and for a long time I couldn't understand why their mood changes so abruptly. They can be angry, and then rejoice like children the next minute. And when I went to the site for the first time, at first I couldn't find anything at all. Only an hour later did I get lucky, and all of it fell into my hands; then I felt this excitement, pure adrenaline. If work can cause such emotions, it's something incredible.
What does it take to be a good social engineer?
Bob: You need good preparation, an understanding of what and how to do. You can learn a lot from books. It is worth getting acquainted with the declassified manuals of the KGB First Chief Directorate, the CIA and KGB (FSB) instructions on collecting facts of conspiracy and disinformation. You can read Kevin Mitnick and the memoirs of former special forces operatives. Such books often romanticize this work, but they are still useful.
Alice: I think that soft skills are the most important thing here, a huge number of soft skills, and also life experience and the ability to get into someone else's shoes. For example, I worked at the reception at the beginning of my career, and I know how people who work there think. I remember that experience and tell them what would have convinced me in the past.
Confidence is very important. When you have a confident demeanor, as if you've been here a hundred times and know everything, you don't arouse suspicion and people trust you. And most importantly, if you can't quickly find a way out of a stressful situation, you shouldn't even try to engage in social engineering. You need to be easy-going, flexible - a very good word - flexible. In this context, it's just right.
Leave questions for our social engineers in the comments. If enough messages are collected, we will select the most interesting and upvoted ones and ask them to our social engineers in the next interview.