By nature, humans are inclined to trust. Unfortunately, attackers are often successful in breaching large enterprises by targeting specific individuals and utilizing social engineering to obtain confidential information. Once an adversary is able to gain enough data through social media or other channels, they can pose as an authentic user with valid credentials, bypassing traditional security measures.
Join Lancope’s Joey Muniz, aka The Security Blogger, to hear about his successful, real-life experiments in using social engineering to easily compromise high-profile targets.
Learn about:
· The dangers of insider threats
· How attackers are leveraging social media to compromise targets
· Best practices for defending network interiors from attackers with authentic credentials
2. This talk focuses on Facebook & LinkedIn
HOWEVER
these are not the only Social Engineering attack vectors
• Fake Police Department for DOJ
• Fake Emergency Responder To Gain Access
• Scary Take a job, gather info, leave
Warning!
5. People send 64 million tweets per day. Lady Gaga has
more followers than the president.
The Facts
1 in 5 Couples meet online.
1 in 5 also blame divorce on Facebook
Facebook passed Google - most visited internet site.
• 11% of world’s population has Facebook account.
• More Facebook accounts than automobiles.
• If Facebook were a country, it would be the 3rd largest
in the world
7. Robin Sage
Fictional American cyber threat analyst created to
abstract sensitive information. She graduated from
MIT and had 10 years of experience despite being
25 years old.
Despite the fake profile, she was offered
consulting work with notable companies such as
Google and Lockheed Martin. She had friends in the
FBI, CIA and was even offered dinner invitations from
male friends.
8. Emily Olivia Williams
Fictional CSE created to abstract sensitive
information from a specific target. She graduated
from MIT and had 10 years of experience despite
being 28 years old.
Despite the fake profile, she was offered sensitive
information from our target’s AM and CSEs. She
had friends in large partner vendors and was even
offered dinner invitations from male friends.
9. The Impact of Social Media
10 minutes: 20 Facebook connections
6 LinkedIn Connections
15 hours: 60 Facebook connections
55 LinkedIn Connections
24 hours: 3 job offers
Total Connections: 170 Employees
71 Cisco; 22 NetApp; 10 EMC;
35 McAfee
300+ Facebook friends
Endorsements: 22 LinkedIn Endorsements
For Expertise and Experience
From Partners and co-workers
Offers: 4 job offers, Laptop and office
equipment, network access.
11. What we Did
What?
Created fake Facebook and LinkedIn profiles to gain information using social media.
How?
Social engineering techniques that allowed us to participate as a New Hire
What was captured?
Salesforce logins, issued laptops, job offers, endorsements, meet-up requests
What was the real threat?
Published a Christmas card on social networks that gave us remote access to anyone
that clicked on the link. This gave us significant access to devices and data.
13. The Social Engineering Kill Chain
Reconnaissance: Gain access through Facebook and learn lifestyles
Privilege escalation: Gain C-level friends through other friends
Infiltrate
• Post links to hide attacks, collect information and fingerprint target
• Email rootkit / Trojan horse applications
Establish Foothold
• Build backdoors and map out target’s internal network
• Compromise Authentication – Create Email and Admin account
Own: Remove sensitive data
14. What Does Emily Teach Us?
• Identities are a very valuable commodity
• Humans are naturally trusting
• People use the same passwords for everything!
• Attractive women can bypass procedures in a male-dominated
industry (Yes I said it … and it's true!)
• Common security products do not protect your employees
from Social Engineering
• Social Engineering threats can impact your business.
• There isn’t a silver bullet product that can protect you from a
future Emily Williams
15. Emily Williams Good News
Some people asked “Do I know you”?
Some people on Facebook flagged
suspicious activity
16. Emily Williams Bad News
What do you leave on social networks that could be used
against you?
Some people pretended to know her after using data from
their Facebook page
17. Social Engineer Countermeasures
• Question suspicious behavior
• Forward any possible threats to HR
• Be aware of what is public
• Never share work intel on social networks
• Protect your data with STRONG passwords.
• Don’t share devices used for work.
18. Your Infrastructure Provides the Source...
[Network diagram: Internet, WAN, DMZ, Datacenter and Access segments across Atlanta, San Jose and New York, showing ASR-1000, Cat6k, UCS with Nexus 1000v, ASA, 3925 ISR, 3560-X, 3750-X Stack(s) and Cat4k devices, with NetFlow labels throughout]