The second day of the International Cyber Expo began with a fascinating talk from Rob Shapland, ethical hacking expert and Head of Awareness at Falanx Cyber.
Shapland began by describing his role as an ethical hacker and his speciality: breaking into buildings. From dressing in convincing work attire to mapping out a way to physically get into a company’s office, Shapland uses every trick in the book, all to prove that an organisation’s security controls, physical and network alike, can be bypassed.
Drawing on previous experiences, Shapland regaled his audience with the story of the time he was asked to steal a vaccine design from a pharmaceutical company. His objective? Getting inside the computer network to steal the vaccine design, stored on a computer not connected to the internet. Without being caught, of course.
The first step of the mission was planning, starting with open source intelligence (OSINT) gathering: extensive background research on the company from publicly available sources. Shapland explained:
“If you’re looking to break into a company, the first thing you need to do is find out: who are they? Where are they based? What do they do? What’s their social media presence like? So I start with their website, and I’ll then look at the corporate and social media pages (Facebook, Instagram, Twitter).”
His research revealed an active company social media account, 25 internet-facing computers, a website, an Office 365 (O365) tenant and at least 100 employees identified via LinkedIn. This gave him the idea for a phishing attack, using the employees’ email addresses as ammunition. Shapland then explained how to guess a work email address:
“Taking the names from LinkedIn, it isn’t difficult to convert them to email addresses, as you’ve got their name and where they work. It’s likely to be firstname.lastname@companyname.com, and that is going to be their email address.”
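As an added example (not code from the talk or from Falanx Cyber), the email guessing Shapland describes written up as a small Python tool: it normalises scraped names, generates the address formats organisations commonly use with firstname.lastname first, and, given one address already known to be valid, infers the convention and applies it to the whole list. The names and the example.com domain are constructed.

```python
"""Candidate work e-mail addresses from employee names.

Added example, not code from the talk or from Falanx Cyber. Given names as
scraped from a source such as LinkedIn and the target's mail domain, it emits
the address formats organisations commonly use (firstname.lastname first, as
the speaker describes) and, given one known-good address, infers which format
the organisation actually uses. All names and the domain are constructed.
"""
import re
import unicodedata
from typing import List, Optional, Tuple

# Constructed sample input (hypothetical people and domain).
SAMPLE_NAMES = ["Jane Doe", "Adam O'Brien", "José-María Álvarez", "Li Wei", "Cher"]
SAMPLE_DOMAIN = "example.com"

# Local-part formats, most common first. {f}/{l} are first/last initials.
PATTERNS = (
    "{first}.{last}",   # the format the speaker says is most likely
    "{f}{last}",
    "{first}{last}",
    "{first}_{last}",
    "{f}.{last}",
    "{last}.{first}",
    "{first}{l}",
    "{first}",
)


def normalise(part: str) -> str:
    """ASCII-fold a name part (é -> e), lower-case it and strip punctuation."""
    folded = unicodedata.normalize("NFKD", part).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z0-9]", "", folded.lower())


def split_name(full_name: str) -> Optional[Tuple[str, str]]:
    """Return (first, last) tokens, or None if the name has no usable surname.

    Hyphenated and middle names are reduced to the first and last token, which
    is what most corporate address formats use.
    """
    tokens = [normalise(t) for t in full_name.replace("-", " ").split()]
    tokens = [t for t in tokens if t]
    if len(tokens) < 2:
        return None
    return tokens[0], tokens[-1]


def _render(pattern: str, first: str, last: str) -> str:
    return pattern.format(first=first, last=last, f=first[0], l=last[0])


def candidate_emails(full_name: str, domain: str, patterns=PATTERNS) -> List[str]:
    """All plausible addresses for one person, de-duplicated, most likely first."""
    parts = split_name(full_name)
    if parts is None:
        return []
    first, last = parts
    out: List[str] = []
    for p in patterns:
        addr = f"{_render(p, first, last)}@{domain}"
        if addr not in out:
            out.append(addr)
    return out


def infer_pattern(known_name: str, known_email: str, patterns=PATTERNS) -> Optional[str]:
    """Work out the organisation's convention from one address already known
    to be valid (e.g. a press contact published on the website)."""
    local = known_email.lower().partition("@")[0]
    parts = split_name(known_name)
    if parts is None:
        return None
    first, last = parts
    for p in patterns:
        if _render(p, first, last) == local:
            return p
    return None


def address_list(names, domain: str, pattern: str) -> List[str]:
    """Apply one inferred convention to every scraped name."""
    out: List[str] = []
    for name in names:
        parts = split_name(name)
        if parts is not None:
            out.append(f"{_render(pattern, *parts)}@{domain}")
    return out


if __name__ == "__main__":
    convention = infer_pattern("Jane Doe", "jane.doe@example.com")
    for addr in address_list(SAMPLE_NAMES, SAMPLE_DOMAIN, convention):
        print(addr)
```

Confirming the convention against one published address before sending anything keeps the phishing list small and accurate, which is exactly what the talk says matters for staying quiet; the same routine lets a defender check how guessable their own directory is.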
Shapland then shared details of his humorous attempt to find an employee’s home address, hack into their Wi-Fi and, from there, reach the company network. First, he needed the home address. And how did he get it? With Strava, an athletic tracking app, as his accomplice.
“If you have an open Strava profile, someone, anyone, can access your profile and see all your runs and cycles. By looking at a few of them, you can build up a picture of where someone’s runs and cycles start and end. From this you can work out their home address, if you look at enough runs… so I used this to identify an employee’s home address. I hired a van and drove to their house, sat in the van with a laptop and aerial, and tried to hack into their Wi-Fi system.”
This time the effort was unsuccessful: Shapland could not get past the employee’s 20-character home Wi-Fi password. Nevertheless, he enjoyed the experience and noted that the technique had worked for him in the past.
As an alternative way in, Shapland returned to the targeted phishing attack. Recognising that sending 100 emails at once would create too much noise, he settled on targeting just three employees, a more effective way to carry out the operation. All three were selected because they had advertised on Instagram that they were about to go abroad.
The phishing email was designed to convince the targets that they were simply complying with a request from ‘HR’ to confirm their upcoming holiday dates, via a malicious link that captured their login details. Success! Two of the three took the bait, and, to his surprise, one of them was the Director of the company.
Armed with working login credentials, Shapland’s next step was deciding which building to physically break into; his target was a large pharmaceutical company with fifteen offices in the UK. To avoid CCTV, security guards and motion sensors, he opted for the least secure office: the administrative HQ on the high street.
On arrival, Shapland observed the office from a coffee shop on the high street. The questions he needed to answer were: What time do employees arrive? What do they wear? Are there any easily accessible entrances? What does security look like? Do they wear ID badges?
“If that badge needs to unlock a security door, I’ll take a device with me called an RFID cloner, which means if I get within half a metre of someone wearing that badge, I’m able to clone their badge and use the device to unlock the security barriers, or even better, transfer the signal from the device onto a card and then the card will work.”
Having chosen a small office with few employees, Shapland couldn’t just waltz in expecting to go unnoticed. His solution? Pose as a BT engineer. He settled on this during the pretext stage, the process in which a social engineer decides on their persona and how they will act during the operation.
Armed with a hi-vis BT jacket, a clipboard and a fake ID badge copied from a photo found on Instagram, Shapland was ready for the next stage of his plan. He confidently entered the building, headed for the reception desk and said:
“Hi, I’m here from BT. We’ve had a phone call from your head office saying there’s been a big network outage, they can’t talk to you at all, and they’ve asked me to come in and resolve the problem, to see whether it’s a BT issue with the lights in the building. Do you mind if I pop upstairs? Shouldn’t take longer than half an hour, I just need to run some basic diagnostics.”
Shapland then described how he got past the company’s defences. The receptionist had doubts, asked further questions and wanted to consult Head Office before letting him proceed any further, so Shapland moved to plan B. Having prepared for this obstacle during the pretext phase, he suggested a quick confirmation with a real member of the IT team, Adam, knowing full well that Adam was at that moment on his way to the Caribbean.
After failing to reach Adam, the receptionist suggested that Shapland call him himself, and handed over two phone numbers. Quick thinking on Shapland’s part saved the day.
“I took these two numbers, left the building and thought: I’d not really planned for this, but I reckon I could make this work, because with about 1,000 people working at Head Office, chances are she won’t know Adam’s voice. If I get one of my team to phone up and pretend to be Adam and say, ‘Have you got a BT engineer there?’, that will probably work.”
It worked, bringing him one step closer to his objective. But he then faced the challenge of continuing with a member of IT watching his every move. To get through it, he relied on the number one lesson he’d learned as an ethical hacker: never panic. After an awkward encounter with IT, he was able to continue with his mission.
Once inside the small yet overcrowded office, Shapland worked out his next steps. How was he going to get into the network with a real IT employee sitting next to him? Fortunately, the IT team had a meeting scheduled, leaving him alone with the system.
“I accessed a computer called a domain controller, which is a main system on the network. Within most domain controllers you have a file which has login scripts, and within them it tells you the names of the file servers that are used,” explained Shapland.
Logged into the company’s main file server as the Director, whose account had broad access, Shapland could put the final stage of his plan into motion: searching through the mirrored folders, locating the vaccine design and copying it across the network to his laptop. Encrypted, of course. Mission complete.
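The logon-script step Shapland describes, as an added example (not code from the talk or from Falanx Cyber): domain logon scripts are typically .bat/.cmd files in the NETLOGON share that map drives with `net use`, so parsing them lists the file servers and shares in use. The parser below pulls every `\\server\share` out of a script and also flags `net use ... /user:<account> <password>` lines, a common place to find hard-coded service-account passwords. The script text, server names and credential are all constructed.

```python
"""Extract file-server names (and any embedded credentials) from Windows logon scripts.

Added example, not code from the talk or from Falanx Cyber. The speaker notes
that a domain controller's logon scripts name the file servers in use: they are
typically .bat/.cmd files in the NETLOGON share (SYSVOL\\<domain>\\scripts) that
map drives with `net use`. This parser pulls every \\\\server\\share they
reference and also flags `net use ... /user:<account> <password>` lines, a
common place to find hard-coded service-account passwords. The script below
is constructed sample input, not a real organisation's script.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

SAMPLE_LOGON_SCRIPT = r"""
@echo off
rem constructed sample logon script
net use H: \\FS01\Home\%USERNAME% /persistent:no
NET USE S: \\fs02.corp.example\Shared /PERSISTENT:NO
if "%USERDOMAIN%"=="CORP" net use R: "\\RND-FS01\Vaccine Research" /y
net use P: \\PRINT01\IPC$ /user:CORP\svc_print P@ssw0rd
net time \\DC01 /set /y
"""

# Quoted "\\server\share with spaces" or bare \\server\share; the share is the
# first path component only, so \\FS01\Home\%USERNAME% yields share "Home".
UNC_RE = re.compile(
    r'"\\\\([^\\"]+)\\([^\\"]+)"'
    r'|\\\\([^\\\s"]+)\\([^\\\s"]+)'
)
# net use ... /user:DOMAIN\account password
CRED_RE = re.compile(r"/user:(\S+)\s+(\S+)", re.IGNORECASE)


def extract_file_servers(script_text: str) -> Dict[str, List[str]]:
    """Map each server (lower-cased) to the sorted list of shares the script maps."""
    servers = defaultdict(set)
    for m in UNC_RE.finditer(script_text):
        server = (m.group(1) or m.group(3)).lower()
        share = m.group(2) or m.group(4)
        servers[server].add(share)
    return {s: sorted(shares) for s, shares in sorted(servers.items())}


def find_embedded_credentials(script_text: str) -> List[Tuple[str, str]]:
    """Return (account, password) pairs passed to net use on the command line."""
    return [(m.group(1), m.group(2)) for m in CRED_RE.finditer(script_text)]


if __name__ == "__main__":
    for server, shares in extract_file_servers(SAMPLE_LOGON_SCRIPT).items():
        print(f"{server}: {', '.join(shares)}")
    for account, password in find_embedded_credentials(SAMPLE_LOGON_SCRIPT):
        print(f"hard-coded credential: {account} / {password}")
```

Every domain user can read NETLOGON, so this needs no privilege at all; it is also the check a defender should run against their own scripts, since a share named after a research project and a password on a `net use` line are both findings.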
Shapland closed his talk with advice on defending against these kinds of attack. Once on a network, an attacker has to perform certain actions to achieve their goal: stealing a file or login credentials, for example, or moving laterally around the network. In most cases they also need to elevate their privileges, for instance to gain access to the files they are after. Every one of these actions has associated signatures, leaving a trail of suspicious activity behind.
But how can your organisation pick this up? According to Shapland:
“If you have a Security Operations Centre (SOC), they can pick this up. That’s what part of Falanx does, as we do managed detection and response, in the sense that we look for weird stuff on the network and block it,” Shapland advised.
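Two of the signatures the story leaves behind, written up as detection logic over constructed events (an added example, not code from the talk or from Falanx Cyber): the Director’s credentials authenticating from a laptop that account has never used, followed by a burst of file reads from one server. The event records, the per-user device baseline and the thresholds are all constructed; in a real SOC they would come from authentication and file-share audit logs.

```python
"""Flag two signatures from the talk: a known account's credentials in use from
a device never seen before, followed by bulk file reads from one server.

Added example, not code from the talk or from Falanx Cyber. The event records,
the per-user device baseline and the thresholds are all constructed; in a real
SOC these would come from authentication and file-share audit logs.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Set, Tuple

Event = Tuple[str, str, str, str, str]  # (timestamp, user, src_host, dst_host, action)

# Constructed baseline: devices each account normally authenticates from.
KNOWN_DEVICES: Dict[str, Set[str]] = {
    "director": {"LT-DIRECTOR"},
    "adam": {"WS-IT01"},
}
BULK_READ_THRESHOLD = 50             # reads from one server by one user ...
BULK_WINDOW = timedelta(minutes=10)  # ... within this window


def _constructed_events() -> List[Event]:
    base = datetime(2023, 9, 27, 9, 0)
    ev: List[Event] = [
        (base.isoformat(), "adam", "WS-IT01", "dc01", "logon"),
        ((base + timedelta(minutes=5)).isoformat(), "director", "LT-DIRECTOR", "fs02", "file_read"),
        # Stolen credentials in use from an unknown laptop on the office LAN.
        ((base + timedelta(hours=1)).isoformat(), "director", "LT-UNKNOWN", "dc01", "logon"),
    ]
    # ...followed by 60 reads from the research file server in four minutes.
    start = base + timedelta(hours=1, minutes=5)
    for i in range(60):
        ev.append(((start + timedelta(seconds=4 * i)).isoformat(),
                   "director", "LT-UNKNOWN", "fs02", "file_read"))
    return ev


SAMPLE_EVENTS = _constructed_events()


def detect(events: List[Event], known_devices: Dict[str, Set[str]],
           threshold: int = BULK_READ_THRESHOLD,
           window: timedelta = BULK_WINDOW) -> List[Tuple[str, str, str]]:
    """Return (rule, user, host) alerts; events must be in time order."""
    alerts: List[Tuple[str, str, str]] = []
    reported_devices: Set[Tuple[str, str]] = set()
    reads: Dict[Tuple[str, str], Deque[datetime]] = defaultdict(deque)

    for ts, user, src, dst, action in events:
        t = datetime.fromisoformat(ts)

        # Rule 1: credentials used from a device this account has never used.
        if src not in known_devices.get(user, set()) and (user, src) not in reported_devices:
            reported_devices.add((user, src))
            alerts.append(("new_device", user, src))

        # Rule 2: bulk collection, i.e. many reads from one server in a short window.
        if action == "file_read":
            q = reads[(user, dst)]
            q.append(t)
            while t - q[0] > window:
                q.popleft()
            if len(q) == threshold:  # fire once, as the threshold is crossed
                alerts.append(("bulk_file_read", user, dst))
    return alerts


def escalated_users(alerts: List[Tuple[str, str, str]]) -> Set[str]:
    """Users that tripped both rules; the combination is the story in the talk."""
    by_user: Dict[str, Set[str]] = defaultdict(set)
    for rule, user, _ in alerts:
        by_user[user].add(rule)
    return {u for u, rules in by_user.items() if {"new_device", "bulk_file_read"} <= rules}


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS, KNOWN_DEVICES)
    for alert in found:
        print(alert)
    print("escalate:", escalated_users(found))
```

Either rule on its own is noisy (new laptops get issued, people copy folders); the point of the example is that the two together, for the same account, inside an hour, are the signature of the intrusion described above and are worth an analyst’s attention.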
Shapland then spoke about the importance of training, and not the cyber e-learning module kind. He favours training drawn from first-hand intrusion operations, which he believes is a far more effective way for organisations to learn about the impact of these attacks; hence why he delivers training as part of his role.
Lastly, alongside training, Shapland stressed the importance of exercises that test existing security controls, such as penetration testing and red teaming. Worryingly, many companies spend a fortune on the latest security controls but don’t invest in testing their effectiveness. How else would you find out how your company could be attacked?