Circumventing the security bubble
- Keith Kerr
- Mar 2, 2022
- 4 min read
Updated: Mar 8, 2022
Security awareness programs play a critical role in hardening the defensive posture of any organisation. Effective education arms employees with an understanding of common or trending attack techniques utilised by threat actors and the appropriate processes and procedures to follow in response. This is a critical branch of any organisation’s security roadmap and addresses the common view that the weakest link in the security chain is often human.
Raising employee security awareness reduces the likelihood and impact of threat actors compromising the organisation through social engineering attack vectors. However, the breadth of such programs often contains gaps, especially where the supply chain and third parties are concerned. This post explores supply chain compromise as a way of indirectly targeting an organisation. To borrow a phrase embraced by threat actors and security practitioners the world over: “if the door’s locked, use a window”.
Trusted vendors and suppliers are commonly found in any medium or large sized organisation. These third parties can require access to corporate information and infrastructure, and while this access is typically restricted, security has been known to take a back-seat to functionality. One of the most overlooked examples of this is security awareness training: educational programs enforced by the organisation should cast a net over all parties with access to company resources, not just employees.
In 2021, the European Union Agency for Cybersecurity published the following report:
The report identifies that targeted attacks against the supply chain are on the rise, with threat actors realising the potential to achieve a compromise through the path of least resistance. Such attacks can also be harder for an organisation to detect, since detection relies on its security posture being mature enough to enforce tailored security practices and safeguards on all relevant third parties, and on internal security processes and procedures governing employee interactions with them.
An example of this scenario is the compromise of a medium sized organisation executed by my team, via a targeted attack against their cleaning contractors.
Reconnaissance
Most employees were observed vacating the office by no later than 6pm, and promptly at 6:30pm a team of cleaners would arrive and enter the premises for approximately one hour to conduct their activities. Observed through the building’s windows, the cleaners were seen accessing restricted (locked) areas within the office. In other words, they had the access that we required to achieve the goal of infiltrating the building and installing a remotely accessible device within the organisation’s internal network.
Planning
An attack scenario was hatched, whereby a consultant would attempt to gain access to the office by representing himself as a network engineer performing a maintenance task. This alone would likely not be sufficient to overcome the suspicions of the cleaners; some form of authority or authorisation would be required to increase the likelihood of success. Therefore, I would impersonate the organisation’s IT manager, under the premise that I was running late and required the cleaner to grant access to the network engineer. A phone call would be initiated between myself and the other consultant prior to the attack, and I would speak directly with the cleaner, giving them the authority to allow access to the network engineer. My contact details were edited on the first consultant’s phone to ensure that the name and role of our impersonated IT manager would be visible to the cleaner on the phone’s display. Additionally, the network engineer would carry with them a fake ID card that was created for a fictitious IT company.
Execution
Making Contact:
The consultant impersonating a network engineer approached the entrance while on the call with myself (impersonating the IT manager) and knocked on the glass to call over the cleaner. The cleaner was visibly suspicious and uncomfortable, as expected, but they opened the door a little to talk. The network engineer then casually explained why they were there and offered the phone to the cleaner, explaining that the IT manager wanted to speak with them directly.
Transferring Responsibility:
After introducing myself as the IT manager, I explained frantically that I was stuck in traffic on my way to the office and I needed them to let the network engineer in to perform their task. This alone may have been enough to have the cleaner grant access, but it’s likely that it would not have alleviated all suspicion. And so, before granting access, I instructed the cleaner to verify the ID of the network engineer, describing exactly how it should appear and the details that it should contain. This additional step may seem unnecessary, however it served an important purpose in alleviating any remaining suspicion that the cleaner may have had, as they themselves had now been granted the authority and responsibility of confirming that the network engineer was indeed legitimate. After the ID was verified, I instructed the cleaner to give the network engineer access to the communications room, thanked them for their help and terminated the call.
Achieving the Objective:
Once the consultant was inside the office, the cleaner unlocked the communications room for them and left them to their work. The consultant covertly installed a remote access device, giving the team access to the internal network and bypassing perimeter security controls entirely. After the task was completed, the consultant informed the cleaner he was leaving and thanked him for his help. Good manners build rapport and trust, so this should never be overlooked. The incident was not reported by the cleaners and the rogue device was not identified over the following week, during which time the team was able to gain full control of the organisation’s environment.
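The engagement above ended with a rogue device sitting on the internal network for a week without being noticed. As an added, defender-side example that is not part of the original post, the following Python script shows one simple detective control for that failure mode: each new DHCP lease is checked against a known-asset inventory, any unknown MAC address is flagged, and the severity is raised when the device first appeared outside business hours (the window in which the cleaners, and the planted device, were active). The lease-log format, MAC addresses, inventory entries and business-hours window are all constructed assumptions, not data from the engagement.

```python
"""
Rogue-device detection from DHCP lease records.

Added example, not from the original post. Every lease line is parsed, the
MAC is looked up in an asset inventory, and unknown devices are reported
with their first sighting. A first sighting outside business hours is rated
"high" because legitimate new assets rarely appear after staff have left.

The syslog-style lease format below is a simplified, assumed format; the
MACs, IPs and inventory entries are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, time
import re

# Constructed known-asset inventory: MAC -> description.
KNOWN_ASSETS = {
    "00:11:22:33:44:01": "Reception desktop",
    "00:11:22:33:44:02": "Finance laptop",
    "00:11:22:33:44:03": "Printer, 2nd floor",
}

# Constructed lease log lines (simplified dhcpd-style syslog, an assumption).
SAMPLE_LEASE_LOG = """\
2022-02-14T09:02:11 dhcpd: DHCPACK on 10.0.5.21 to 00:11:22:33:44:01 via eth0
2022-02-14T09:05:40 dhcpd: DHCPACK on 10.0.5.22 to 00:11:22:33:44:02 via eth0
2022-02-14T18:47:03 dhcpd: DHCPACK on 10.0.5.87 to de:ad:be:ef:00:01 via eth0
2022-02-15T09:01:55 dhcpd: DHCPACK on 10.0.5.23 to 00:11:22:33:44:03 via eth0
2022-02-15T11:20:19 dhcpd: DHCPACK on 10.0.5.88 to de:ad:be:ef:00:02 via eth0
"""

LEASE_RE = re.compile(
    r"^(?P<ts>\S+) dhcpd: DHCPACK on (?P<ip>[\d.]+) to (?P<mac>[0-9a-fA-F:]{17})"
)

# Assumed business-hours window; anything outside it is treated as suspicious.
BUSINESS_START = time(8, 0)
BUSINESS_END = time(18, 0)


@dataclass(frozen=True)
class Alert:
    mac: str
    ip: str
    first_seen: datetime
    severity: str  # "high" if first seen outside business hours, else "medium"


def parse_leases(log_text: str):
    """Yield (timestamp, ip, mac) for each DHCPACK line; skip unrelated lines."""
    for line in log_text.splitlines():
        m = LEASE_RE.match(line)
        if not m:
            continue
        yield datetime.fromisoformat(m["ts"]), m["ip"], m["mac"].lower()


def outside_business_hours(ts: datetime) -> bool:
    """True when the timestamp falls outside the assumed working window."""
    return not (BUSINESS_START <= ts.time() < BUSINESS_END)


def find_rogue_devices(log_text: str, inventory=KNOWN_ASSETS) -> list:
    """Return one Alert per MAC absent from the inventory, ordered by first sighting."""
    first_seen = {}  # mac -> (timestamp, ip) of earliest lease
    for ts, ip, mac in parse_leases(log_text):
        if mac in inventory:
            continue
        if mac not in first_seen or ts < first_seen[mac][0]:
            first_seen[mac] = (ts, ip)
    alerts = []
    for mac, (ts, ip) in sorted(first_seen.items(), key=lambda kv: kv[1][0]):
        severity = "high" if outside_business_hours(ts) else "medium"
        alerts.append(Alert(mac=mac, ip=ip, first_seen=ts, severity=severity))
    return alerts


if __name__ == "__main__":
    for a in find_rogue_devices(SAMPLE_LEASE_LOG):
        print(f"[{a.severity}] unknown device {a.mac} ({a.ip}) first seen {a.first_seen}")
```

Run against the constructed log, the script reports two unknown devices: the one first leased at 18:47 is rated high, the one first seen mid-morning is rated medium. In practice the inventory would be fed from the asset register or NAC system and the lease source from the DHCP server's own logs; the point is that an unexplained MAC appearing after hours, in a comms room the organisation believed was locked, is a cheap signal to alert on.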
Outcome
While the nature of this attack may seem far-fetched to some, the security gaps that were identified and exploited are glaring. They highlighted a lack of awareness and controls regarding the behaviours and authority of trusted third parties. It would be short-sighted to simply lay blame at the door of the third party, as the responsibility for ensuring they do not pose a risk to the organisation’s security should be governed by the organisation.