Social Engineering for Intrusion Testing
How difficult would it be for someone to physically break into your organisation and steal your secrets? How about accessing the most protected parts of your infrastructure? Given the layers of physical security: security fences, perimeter sensors, lighting, regular security patrols, and a myriad of video surveillance cameras, where would you start? What kind of team do you need?
What might surprise you, is that Fortune 500 companies and other interesting organisations often hire people to break into their own facilities— places they consider to be highly secure. These physical intrusion tests are designed to evaluate existing systems and procedures, and to identify potential vulnerabilities.
In this article I’ll share one example of a physical intrusion test to demonstrate what’s possible (in limited timeframes, and on a tight budget).
“Can you draw a picture of the layout of the inside of the entrance area for me? Where does this door lead to?”
The security officer carefully drew a detailed picture of the entrance area, the very area he is supposed to be protecting.
“If one of the perimeter alarms was activated in the early hours of the morning, what would the guard response be? How many guards would come out to check? Where would they come from?”
The security officer talked me through the response procedure in detail.
Less than a week later, after conducting reconnaissance and surveilance to identify potential blindspots in their video surveillance system, generating a few key artefacts through publicly available information, and scaling a high security fence with alarm sensors installed, I had managed to get inside the facility and was able to start identifying potential access points into the building. Phase 1 was successful.
Why would someone share confidential information less than an hour into their first meeting with a stranger?
The person I was interviewing was not under my control. I wasn’t paying them. I had no leverage over them. As all I had was an honest smile, a firm handshake and – via a fake social media profile as a recruiter – a compelling reason for them to betray their organisation and share sensitive security information.
These activities occurred as part of a physical intrusion test, and this provides one simple example of how social engineering can be used to support efforts to breach the physical defences of buildings and other infrastructure. In fact, I applied similar techniques to target the facility’s security vendors as well, gleaning detailed information about the non-visible aspects of security technology and infrastructure at the site.
In this post I’ll share some aspects of that project, focusing a few of the key challenges I faced and how I overcame them.
A complementary practice
To me, targeted intelligence collection from human sources within the client organisation is a central part of any physical security testing project. While I will always conduct intensive surveillance and reconnaissance before any intrusion attempt, this never provides the full picture. For example, the areas immediately inside an access point are often an unknown if they can’t be observed from outside — the last thing you want to do is make your way through a door only to find yourself standing like a lemon with nowhere to go in the middle of the staff cafeteria (although in some cases, that may actually work).
It also helps to know, for example, whether security cameras are monitored live, and the response procedures when security officers are mobilised. I can’t see these things from the outside — this information can only be gathered from human sources.
Like dating, but for intelligence
So how did the security officer find himself sitting down with me, offering vital information?
The process began with me setting up a pretext as a recruiter for corporate security positions, and identifying several potential targets in the client organisation. I initiated contact indirectly, via the friends of my targets, using social media. The indirect and referred approach generally has a good chance of success because it extends credibility, appearing to de-risk the encounter. This reduces the risk that the target will try to check up on me before we meet — why would they need to this when I’m already referred by a friend?
In this case it was a relatively simple matter to use social media networks to find employees who had worked in the same company as the target, and that had left a few months ago (ensuring the currency of relationships). I connected with them, mentioned that my client was looking for good people for a specific role, and asked who they thought might be interested in jumping ship from their old company.
This was an important point. I was deliberately targeting individuals who were already thinking about leaving, and who were therefore potentially less loyal to their organisation. This enabled the recruiter pretext to work, and didn’t require as much social gymnastics to convince the target that I was someone who was legitimate.
For the referrer, they believed they were gaining social capital amongst their network (helping an old colleague find a better job). Because I wasn’t meeting them, they had no reason to check up on me. For the target, they were exciting that their ex-colleague had referred them. Both were looking for evidence to affirm their respective beliefs about what the situation was, ignoring cues that might disprove it.
Establish a confidential relationship
The most powerful aspect of using a recruiter pretext is that it’s relatively easy to establish a confidential relationship.
“I won’t tell anyone else in your company that I’ve been speaking with you, and that you may be interested in leaving. Please don’t tell anyone else in your company we’ve met.”
With that simple statement, I reduced the risk that they would leave the meeting and immediately report my approaches to their security department. This provided me with more time to develop them as an asset. In addition, it provided me the flexibility to target additional people in the company, in the knowledge that they were unlikely to compare notes.
One of the goals of the first meeting was to establish the target’s motivation for being in the room (something that overlaps with the research practices for a lot of consumer and user research, familiar to those that follow Studio D). The recruiter persona provides considerable leeway to probe this question in order to find them a suitable job, to the point of asking challenging and very detailed questions, such as those that identify potential weaknesses in their security system.
The power of praise
Praising someone and recognising their accomplishments is a highly effective technique, and is part of a range of behavioural techniques that built trust and encouraged sharing.
“I’ve heard some pretty great things about you.”
What a great opener to a conversation. It sets the pretext of being referred by a colleague, and makes them more open to telling you why they’re great, by demonstrating how much they know about their security systems and procedures. It really is a win-win.
Peeling the onion
Of course, it’s not all about praise and exploiting human weaknesses. At some point you need to get your hands dirty and get inside.
Once you do get inside a high security facility, the job’s far from done. You still need to be able to access the building itself, then make your way through various internal layers of the building’s defences (the most vital assets are almost always behind several layers of secured doors, sometime alarmed or manned by security officers). To find a way in is never easy. Without a valid access card you really only have two options – break in manually, or follow behind someone as they enter (or try to slip in behind them as they exit). This is actually easier to do during business hours when there are predictable flows into and out of the facility.
On most projects done in the dead of night, it invariably requires significant lengths of time standing in the shadows just outside doors that you know may be used occasionally hoping that someone will exit at some point. Sometimes they do, sometimes they don’t.
This is when you’ll feel most exposed. Standing with minimal concealment with no valid reason for being there, just hoping people don’t glance over your way…
Of course, the ultimate objective is to use social engineering to get all the way in. This works for some facilities, but it’s significantly difficult for higher security facilities with well designed access control and solid visitor and vendor management procedures. At this point going low tech and just trying to follow someone in may be the best option.
The real art is to know when to proceed, and when to withdraw. If you extend too far, you’re done. But without a significant degree of audacity and chutzpah, you’ll probably end up hunched in the shadows, afraid to move forward. Finding the balance between the two takes experience (and some chutzpah).
As an interesting footnote, after the operational phase of the project was over, I visited the site to provide a briefing to their security team and talk through the operation from the perspective of an intruder, sharing my perspectives on what aspects of security were effective and what weren’t.
As I walked up to the gate to obtain my security pass, my target was sitting inside the security office. My target looked up to scrutinise me, checked my identification, but didn’t recognise me (despite the fact that we had several meetings over several hours only two weeks before). While I did disguise my appearance slightly during our meetings, this also shows a human weakness – he couldn’t associate the person in front of him with the context in which he’d met me previously. As you would expect, as I started briefing the team on the different aspects of the operation, the target started squirming in their chair. Only then did the target realise their role in the operation. Of course, I didn’t call the target out by name, but they knew.
It’s easy to point to the target as being the weakest link in their security chain. However, I guarantee that there would have been half a dozen viable candidates, including many of the professionals that were sitting in that room. Someone with suficient training and experience will always find a way‚ it’s just a matter of time and persistence.
Yes, but what about ethics?
There are numerous ethical issues with conducting this type of work. Clearly I was operating in some fairly gray areas.
Before I initiated the project I worked with the client to establish clear boundaries, defining what was permitted and what wasn’t. I couldn’t, for example, surveil the target at their home. Nor could I offer any financial inducements. I reported in after each meeting with an update on progress and an assessment of the potential impacts on the target. At all times, the welfare of the client’s employees were a primary concern.
You need to weigh these risks against the potential gains. When carried out correctly, social engineering and physical penetration testing provide an opportunity to build competence and increase an organisation’s resilience to similar attacks.
A useful set of skills
The techniques I’ve shared here might sound exotic, but they are grounded in an understanding of the nuances of human behaviour.
Many of the techniques used in this project you’ll use in your everyday jobs, whether you’re designing a new product or service and are understanding user or customer needs, looking to influence your colleagues, or figuring out the growth strategy. The mindset required to think through these complex and unorthodox challenges in the real word can be learned.
Grant Rayner is the founder of Spartan9, a security and crisis management consultancy firm that specialises in solving complex problems in challenging environments.