Overview

Social engineering is manipulating individuals into divulging confidential information or performing actions that may compromise security. Unlike technical hacking, which exploits software and hardware vulnerabilities, social engineering preys on an individual’s psychology and behavior. TraceSecurity works closely with clients on our Onsite Social Engineering engagements to develop scenarios tailored to the environment to give them the best possible assessment. With stories about successful breaches becoming more prevalent, organizations have ramped up training regarding security awareness and social engineering scenarios. Most of the scenarios, however, are focused on external threats. What happens when the threat seemingly comes from within?

The Story

For this engagement, the client requested a step above our standard pretexting in an effort to seriously test the employees. After considerable brainstorming, our team decided on a two-front approach: a rogue employee (Analyst 1) arriving onsite to escort a local alarm company technician (Analyst 2) who had recently completed some work onsite. The goal was to have the rogue employee successfully infiltrate each location, gaining the trust of employees and then authorizing the fraudulent alarm employee to conduct the "work" he needed to do.

The TraceSecurity Team took to the web to gather information about the alarm company to create our disguise. The contracted organization supplied a company polo to keep us from having spoofed materials bearing their logo created. Once the disguises were made, we dug a little further. From publicly available photos, we were able to determine the type of key fobs and door access systems utilized and obtained an inactive copy of the fob. The final step was to determine who exactly I was going to pretend to be. Conveniently, the organization had just onboarded a new member of IT.

We had to operate under the assumption that the new employee, "Joe" (Analyst 1), would be new enough that not all branch locations had personally met with him. Arriving at the first location, I unsuccessfully attempted to tailgate various employees. The employees had obviously been trained well, intentionally closing the door behind them and not allowing anyone else inside with them, despite the fact that I was seemingly another employee. On the last attempt to tailgate, another member of IT made an alarming observation.

“Hey Joe, I cannot believe you shaved your head bald.” Now, we will pretend that the fact that I was bald, and the employee I was impersonating was not, was an intentional oversight. I took the question in stride and explained that it was a spur-of-the-moment decision that I was struggling to adjust to. Ultimately, our time at the first location was cut short because some management meetings caused our point of contact to cross our path.

The next location fared much better (for the analysts, that is). I walked in and made some small talk with the front desk employees, and then attempted to badge myself into the non-public areas. Of course, my fake key fob didn’t work, and I suggested that maybe I didn’t have the right access yet because I was freshly hired. Without any fuss, the branch manager allowed me access to the network closet. And, almost like it was planned (it was), the alarm technician (Analyst 2) walked through the front door. Having already secured the win, I, as the rogue employee, decided to solidify my cover: "Joe" declined the alarm technician entrance because he did not have a proper appointment. Words cannot express the look on my coworker's face as I told him he was not allowed to enter non-public areas. We had not planned for me to throw him under the bus, but I had to take the opening. After returning to the network closet, making some documentation for our report, and pretending to “work,” I walked back to the front and exited the location.

Once the engagement ended, I returned to the main office to return the organization’s polo and got the chance to meet the individual I was impersonating. The resemblance… was not even remotely close.

Our Recommendations

A few procedural improvements could have prevented this engagement from getting very far.

First, new hires could be announced organization-wide, with the announcement including the photo ID, headshot, or work badge of the new hire to help current employees recognize them. Additionally, all visits, whether by internal or external personnel, should be vetted and confirmed by the appropriate authorizing entities. Lastly, all visits from employees of other branches should be communicated clearly to management at the branches being visited.

Dylan Pellegrin, Information Security Analyst

Dylan has 7 years of experience as a managed service provider and a helpdesk supervisor. At TraceSecurity, he primarily focuses on IT audit and configuration review services. Dylan earned a Bachelor of Science in Computer Information Systems Management from Nicholls State University. He currently holds Security+, A+, and CRISC certifications, and is working toward his CISA.