One of today's most challenging security issues is social engineering defense. Despite evidence proving the impact of a social engineering attack, we often see inadequate incident response plans in place. In this talk, we will share our experiences about what organizations are doing when (or, more commonly, if) they detect an attack, steps to strengthen the social engineering defensive strategy, and what best practices to enforce for the strongest possible security posture.

1. TheBad, Better, andBest
Social EngineeringIncidentResponse
Rob Ragan
@sweepthatleg | Alex DeFreese
@lunarca_

2. We are Rob and Alex
Security consultants at Bishop Fox.
We help organizations secure their networks,
applications, and people.
Hello!

3. What are we
talking about here?
1

4. What are we
talking about here?
1
This talk explores the challenges of responding to social
engineering incidents and improving defense.

5. What are we
talking about here?
1
This talk explores the challenges of responding to social
engineering incidents and improving defense.
Does your organization have a social engineering-specific response
plan?

6. Bad
The worst incident responses

7. Phone Social Engineering

8. International News
Agency
• Impersonate an employee
• Call helpdesk for password reset
• Gain access to internal network and resources

9. “
Racorn/Shutterstock

10. “

11. “

12. “

13. “

14. “

15. “
REQUIRE
Verb
◉ Need for a particular purpose
◉ Cause to be necessary

16. Email Phishing

17. National Retail
Company
• Impersonate the head of Human Resources
• Convince employees to log in to fake benefits portal
• Gain access to internal network and resources

19. Incident Response
Failures
• Employees did not know who to report to
• IR team did not know who was affected
• No enforcement of IR policy
• Allowed for persistent access to the internal network

20. Incident Response
Failures
• Employees did not know who to report to
• IR team did not know who was affected
• No enforcement of IR policy
• Allowed for persistent access to the internal network

21. Incident Response
Failures
• Employees did not know who to report to
• IR team did not know who was affected
• No enforcement of IR policy
• Allowed for persistent access to the internal network

22. Quick Wins

23. Physical Access

24. National
Banking Institution
• Impersonate IT contractors
• Gain access to network ports
• Plug in rogue device and gain access to internal network

25. “
◉Picture of the mailslot
◉Picture of pwnplug

26. “
◉Picture of the mailslot
◉Picture of pwnplug

27. “
◉Picture of the mailslot
◉Picture of pwnplug

28. Quick Wins

29. Better
Improving the Incident Response

30. Phone Social Engineering

31. National Retail
Company
• Impersonate an employee
• Call helpdesk for password reset
• Gain access to internal network and resources

32. “

33. “
Kirill Wright/Shutterstock

34. Quick Wins

35. Email Phishing

36. National Retail
Company
• Impersonate automated emails
• Convince employees to log in to fake OWA pages
• Gain access to internal network and resources

37. “
wk1003mike/Shutterstock

38. “
aurielaki/Shutterstock

39. Quick Wins

40. Physical Access

41. Email Marketing
Company
• Bypass fingerprint reader to gain access to office
• Use USB device to gain code execution on a laptop
• Gain access to internal network and resources

42. “
◉Picture of the fingerprint
scanner
◉Picture of picked lock

43. “

44. “

45. “

46. Quick Wins

47. Best

48. “
Do you know
what to do?

49. “
Does anyone
else?

50. “
What happens when…
Employees start receiving large
scale phishing emails?
All network shares are suddenly
encrypted?
Malware is detected running on a
computer?

51. Tailored
IncidentResponsePlan
• Identify the most common threats facing your company
• Define and enforce incident response plans for these threats

52. Prepare
Identify
Contain
Eradicate
Remediate
Lessons Learned
IncidentResponseLifecycle

53. “
https://cert.societegenerale.com/en/publications.html

54. Tactical Recommendations

55. Phone Social Engineering

56. Authentication
forsensitiveActions
• Require authentication before accessing sensitive
information
• Focus training on employees who require access to sensitive
information
• Remove access to sensitive information for those that don’t
need it

57. Email Phishing

58. Email Protections

59. Limitattackeroptions
• Prevent email spoofing by implementing email protections
• Monitor or buy domains similar to your own
• Heuristic phishing detection
• Identification of email recipients

60. Physical Access

61. U.S. Army Korea (Historical Image Archive) via Foter.com / CC BY-NC-ND

62. monticello/Shutterstock

63. Understandtheperimeter
• Turnstiles and guards for ingress points
• Network access controls
• Badges and escorts for guests
• Screen lock policy
• Host-based and network detection capabilities

64. Strategic Recommendations

65. Policy,Processes,People
• Technical controls provide enforcement for policies and
processes
• Without enforcement, social engineers will continue to
exploit the people

66. Enforceprocesses
• When performing sensitive actions, focus on enforceable
processes
• Authentication enforces who they are
• Authorization enforces what they’re allowed to do

67. Conclusions

68. 1. Every organization will be
compromised by human error
2. Require policies and processes
be enforced
3. Continued assessment improves
risk mitigation capabilities

69. 1. Every organization will be
compromised by human error
2. Require policies and processes
be enforced
3. Continued assessment improves
risk mitigation capabilities

70. 1. Every organization will be
compromised by human error
2. Require policies and processes
be enforced
3. Continued assessment improves
risk mitigation capabilities

71. Rinse andRepeat
Social Engineering
Incident Response
Policies, Procedures,
People
Enterprise Security

72. Any questions ?
You can find us at:
• @bishopfox
• facebook.com/bishopfoxconsulting
• linkedin.com/company/bishop-fox
• google.com/+bishopfox
Thanks!

73. CREDITS
Christina Camilleri (@0xkitty) for the slide design!