I spent part of my summer pretending to be someone else. Complete with lanyard, out-of-date visitor badge and a pack of cigarettes, my character joined the pack outside the smokers’ area of an office building. When someone came out, I bluffed my way in, claiming I’d left my wallet inside.
As they held open the door, the blood was now pounding in my ears. Outwardly, I appeared calm. I’d already decided I would walk purposefully through the door and turn left. In any case, my unwitting helper directed me the right way. I found an empty desk and asked the girl in the next cubicle if I could plug into the router.
She didn’t know I had just fitted a probe that would let me hack into her company’s network.
She also didn’t know that the company, already a client of Integrity360, had asked me to do this. They wanted a ‘red team’ exercise to simulate attackers trying to gain malicious access. So, a colleague and I got to work. We assembled what looked like a router (slightly modified of course) that we needed to physically install on the network. Now for the low tech part: to install my fake router, I would go to the office during working hours and ask someone nicely to let me in.
We had scoped out the building entrances as hackers would, paying attention to details like dress code: a three-piece suit sticks out in the kind of place with a dress code of jeans and t-shirts, and vice versa. Looking like you don’t belong raises unwanted suspicions. In case someone challenged me, I had prepared a backstory that I was doing an audit, using the social engineering concept that people are more likely to help someone in authority.
I didn’t stop with installing the probe. Our client wanted to see how far we could get, and it was only when I asked someone to print a document from a USB key that they looked at me and said “is this a test?” But I already had what I wanted. The probe let us listen to network traffic and exploit commonly found misconfigured Windows services to get domain administration rights.
A genuine criminal could have used this access to get credit card details, or staff information from HR, or even set up a fake employee on the payroll and send money from the company into an account of their choosing. They could have sent emails from real user accounts, to carry out CEO fraud and scam the victim for thousands of euro.
Our customer was understandably shocked, not expecting us to get the access we did. What they learned, and we helped them discover, was where to improve. They took this straight to the board.
I’m revealing this not to shame the organisation; in fact, its technical security defenses are very good. Just because you’ve got some vulnerabilities doesn’t mean you’re failing at security. If they only ever wanted to pass an audit, they probably would have done so.
For organisations with a mature security programme they want to truly test beyond ticking a box, a red team can be a valid and valuable exercise to uncover previously unknown weaknesses – and to get the budget to fix them.
This article is courtesy of TechCentral.ie