Businesses that are adjacent to hotels are the best…for security consultants. When you have a high-gain wireless antenna, a rogue access point plugged into a network or able to compromise a vulnerable wireless access point, you pretty much don’t have to leave the comfort of your hotel room or parked vehicle for the assessment. I have been on a handful of these fortunate layouts and it certainly helps when staying under the radar. One of my first red team assessments had a hotel right next to the business we were assessing. The only thing separating the extended stay hotel and business was waist-high foliage, with little to no lighting or camera coverage. With this assessment, after hours testing was in scope, thus making the assessment that much easier.
On-site Social Engineering...
Many types of red team and physical security assessment toolkits are utilized across the industry. Through our experiences in the NTT Security Threat Services group, we have developed a mixed bag of devices and tools that we commonly use with hybrid assessment types.
The lists below are not intended to be comprehensive, but a quick reference for red team specific toolkits - which often include technical devices and physical tools.
As always, it is assumed that you have permission from your client, have the proper documentation on hand and the defined scope is your primary consideration before attempting to compromise a target facility. Please make sure that you have plenty of experience with bypass and lock picking tools in order to reduce the risk of damaging doors, locking cores and mechanisms etc. Always be...
While there are many articles directed at assessors and consultants on “what not to do” during a penetration assessment, I haven’t seen many blogs directed towards what things clients should avoid when preparing for a penetration assessment. I wanted to address this topic, and share from experience, pitfalls that can often hinder the progress and quality of a penetration assessment.
What is a "Penetration Assessment"?
Penetration assessments are a way to identify an organization’s risks by simulating common threats. These assessments can target a wide range of scenarios; such as, external service attacks, insider threats, social engineering and physical intrusion. Once these vulnerabilities have been identified and exploited, that information is then compiled into a report and passed on to the client for...
#WarStoryWednesday: Quick and Dirty Social Engineering
Every now and then, I work on the assessments that normally Brent White and Tim Roberts blog about. When I’m privileged to get such an assignment, I typically create unnecessary pressure on myself in an effort to compete with the likes of my aforementioned teammates and their overwhelming success on Social Engineering Assessments. I find myself feeding off the pressure and nervous energy, turning it into excitement and focus. By drawing on my past experiences in the Broadcast Television industry, I convince myself that this will only help me succeed on such a project. Then, when I get word of the increased challenge level, whether due to the small size of the company being assessed, a shared work environment or building, or armed guards present, I actually find myself...
#WarStoryWednesday: Most incident response plans don’t survive first contact
This is not technically a war story, however, it is an experience that I would like to share. I recently attended an event featuring a speaker from a large company that had experienced one of the most high profile and extensive breaches in recent history. For the sake of the company I will not name them in this blog, but I do want to stress that the company is very large and the breach was extensive, affecting millions of customers and their entire network. What was interesting is that the speaker was from the company’s legal department, and as such, is not a “technical” person. This provided a brand new perspective to incident response.
In my line of work as an incident response analyst, working in a Managed Security Services Provider company, I routinely help companies that suffer from security incidents. I have first-hand knowledge as to how devastating such an event can be to a company. This speaker stressed that their company lost well over a billion...
Earlier this year, a friend (5tubb0rn) and I toyed around with some ideas at a local hacker workspace. I had been using a Proxmark/BishopFox build to steal proximity badges during some of our Professional Security Services on-site Social Engineering Assessments and covert Physical Security Assessments. The Proxmark/BishopFox build was handy in that I didn’t have to bump into anyone in order to snag their badge for replication. The only problem I’ve had with this device is the size – it is a garage badge reader after all, and about the size of a laptop. There are smaller devices out there but we wanted to create something from scratch, utilizing a Raspberry Pi and some plug-and-play sensors that could be easily hidden by someone in the guise of a contractor. So, the two of us came up with a...
Another Wednesday, another war story. As a Senior Security Consultant here at NTT Security, I am constantly performing assessments on-site for our clients. At a recent on-site social engineering and physical security assessment, we exploited some vulnerabilities that could easily have been avoided with the right security measures in place.
Also, as many of you are aware, October is National Cyber Security Awareness Month (NCSAM). The theme for this week is STOP. THINK. CONNECT, however, I’d like to change it to fit the theme of my blog: STOP. THINK. FACT CHECK. As I’ve said in previous war stories, always ask questions and check that the person is who they say they are. And no matter how nice someone may look or act, always fact check. Use your instincts and don’t let someone with seemingly legitimate credentials fool you.
Assessment Background
The...
#WarStoryWednesday: so many hosts, so little time
Every now and then, while performing a penetration assessment, we’ll get a large set of hosts considered in scope. This is often a nice change of pace from the compliance-based penetration assessment where the scope is smaller and more focused on the Cardholder Data Environment (CDE). With the larger scope, we can come a bit closer to simulating an actual attacker from the perspective of the internal network. I say closer because as security consultants we are still limited by time, often only having a week to perform an assessment. If the scope is big enough, we will typically send two or more consultants. This blog will detail just one of those assessments and will hopefully give insight into effective time management for large scopes that offer more than one method of compromise.
Background
Let me set up the scenario a bit. My co-worker Adam Steffes and I were tasked with performing an assessment with...
Preventing Incident Response Frustration #WarStoryWednesday
Ever try to chop down a tree with a fork? Any type of skilled labor requires the use of proper tools, and incident response is no different. In my experience as an incident responder, many organizations often lack both the proper incident response tools and staff trained to use those tools. In this war story, we take a look at what that can mean for rapid response and remediation.
Incident Response War Story
In a recent incident response engagement, a victim of a data breach contacted us regarding the loss of credit card data. This company had received a notification from a Federal law enforcement agency, which, during an investigation, had observed the organization’s IP addresses in relation to stolen credit card data. Further investigations showed that the stolen credit card data had been taken from the organization’s network. The notification had little for the organization to go on, which is typical in this type of situation. Yet,...
With consulting work comes travel. Over the years, I have traveled extensively and stayed in a variety of hotels and suites. Through this experience, I have noticed several issues with hotel (specifically room) security. In this blog, I am going to walk you through some of the consistent issues that I notice in hotel room security, due diligence and awareness.
As many of you probably know, you never want to leave your valuables laying around your hotel room when you aren’t in it. This is one of the reasons hotels provide a safe, a lock on the door and hotel staff. At least one of these should stop a criminal, as well as keep me, my valuables and my room safe, right?
Replacement Room Keys
I cannot tell you how many times I have observed people casually walk up to the front desk and ask for a replacement room key. Depending on how you deliver this request, you will probably be handed a room key without having to say anything but the room number. Just...
The most important weapon in your arsenal will be your ability to adapt.
-Batman (Bruce Wayne): Batman and Robin V1 #24
I LOVE to research things. Unfortunately, that constant drive to learn also results in a (perhaps not so) healthy level of paranoia. To that end, I take every precaution a security advisor can with their data while still functioning normally in an advanced society, much less a technical career. Because I also advise those in my life to do the same, I am the “go to guy” whenever anything technical happens to them.
Recently, one of these situations occurred. Someone near to me (Let’s call him Alfred) was following a common piece of guidance, “Frequently check online account statuses,” a few hours before taking his family on a multi-state road trip. Much to his surprise, he discovered 59 transactions with matching international fees, all under $3.00.
...
I recently had the pleasure of performing a combined Social Engineering and Physical Security Assessment over the course of a national holiday. While my story may not come close to what Solutionary Security Consultants' Tim Roberts or Brent White have enlightened you with, I must say this assessment certainly opens one’s eyes to the challenges that an organization, similar in size to the assessed business, faces when growing rapidly and trying to fit in an Information Security program.
While there are many lessons learned, two top takeaways stand out:
- Having the proper corporate structure is one of the most important components in standing up a successful information security program.
- Perceived security is just that – perceived. As my co-worker Andrew Weed put it: “This is like an M&M – a hard candy shell, soft on the inside.” To some extent he is correct. The amount...
Cyber security is an ever-changing landscape. As technology changes so must security procedures and techniques. Often in the cyber security realm of incident response, I am astounded by the lack of forethought given to newly emerging tools and tactics, such as threat intelligence.
Threat intelligence is important and must be properly dealt with if we are going to utilize it to its fullest capacity in cyber security. Sadly though, we are seeing a true lack of thought and strategy when it comes to actually implementing threat intelligence in the incident response process. This war story displays the wrong method of utilizing threat intelligence, both as a part of incident response and as a way to react to ongoing threats.
War Story
A company experienced what was classified as a breach, when several customers’ personally identifiable information (PII) was used to...
Most of our assessments focus on large corporate environments. This comes with pros and cons, just as smaller engagements can also have their pros and cons. Some of the pros to performing an on-site social engineering, physical security or red team assessment against a large employee group is that you have the benefit of blending in a lot more easily. Unfortunately, the engagement I am about to walk you through was against a financial institution’s local offices that assist in processing their client data and housing applications, and apparently their turnover rate wasn’t that high. The client had some small offices (built into the houses and on the property that they sell) scattered throughout the U.S. and the two in scope were right in the middle of a congested housing district.
Since this was a black box assessment, I had very little client-provided data, and the target...
When performing a social engineering assessment, you never know what type of person you’re going to encounter, especially when trying to enter the client’s facility.
Sometimes you’ll run into that person who ignores what you have to say, is a stickler for protocol, and is intent on verifying your story and your legitimacy for gaining access. These individuals are the ones who understand that security doesn’t equal convenience. They stick to their security awareness training and incident response procedures, and take the well-being of the company to heart. These are the employees that penetration testers want to avoid when playing the role of an attacker. Unfortunately, this type of employee is often rare in corporate security.
More often, you’ll encounter a very trusting and kind individual who is eager to help out without wanting to inconvenience you...
Several Penetration Testing assessments that I’ve worked on lately, as a Security Consultant for Solutionary Professional Security Services, have really made me think about the challenges organizations face within corporate information security programs. Recently, the biggest issue I’ve seen has to do with risk management, legacy applications, and network protocols that assist users requesting resources on the network or Internet. I’ve been finding a specific vulnerability that should not exist on any network, even those supporting legacy applications. It seems that alternative solutions for supporting those applications, however, may be pretty scarce.
So what can a business do to mitigate the risk associated with supporting legacy applications until those applications can be upgraded? In order to answer this question, let’s first look at a recent assessment...
Are you prepared for a security incident? #WarStoryWednesday
“Before anything else, preparation is the key to success.” Alexander Graham Bell
Most security personnel follow a six-step process when it comes to incident response. These six steps are outlined as follows:
- Preparation (before any incident)
- Detection and...
On nearly every assessment I have performed, I have been able to piggyback my way into target buildings and sensitive areas. If you walk in with confidence and even attempt to “badge in,” most employees will pay little attention to the error sound or the red light of an illegitimate swipe. So, to the unaware, you can easily pass as an authentic employee as long as you look the part and appear to have the right badge; especially at a facility with a large employee body.
Using this technique, it is often inevitable that you will encounter a security guard, especially in the lobby area. If an area with a guard is unavoidable, I will wait for a guard to become engaged in conversation with another employee, receive a phone call, sign for a delivery or become distracted in some other way in order to take advantage of the distraction. In my experience, a security guard will also pay little attention to the color of the light or...
As security consultants for Solutionary Professional Security Services, we sometimes work multiple engagements with the same client. If we’re doing our job correctly, each time we assess the same client we will ideally encounter a more difficult time compromising hosts. This means that after each assessment the recommendations we provide are being implemented or, when a new environment is deployed for the same business purpose, our clients are taking the time to heed our recommendations from the environment being replaced.
Once in a while we run into a situation where a client will acquire another company and we will have the opportunity to assess the environment associated with the acquisition. Personally, I have the most fun in these situations because it’s an opportunity to look at something fresh and perhaps add more value to our assessments. It usually means we’ll also find several vulnerabilities that...
With a loose-fitting patterned tie, white button-up shirt, some gray slacks and a fake badge draped around my neck (that I had made up and printed at the hotel earlier that morning while eating breakfast), I was dropped off at the target facility by a fellow Solutionary Professional Security Services consultant. The delicious aroma of BBQ filled the air, so I followed my nose and eventually my ears, to the sound of music at the back of the facility. The beat of “today’s hits” was being played via a live DJ and swarms of business casual employees, with badges dangling back and forth, lined up at a buffet of delicious country food. I could see a handful of tents set up and several employees mingling in and out of the doors. It was the quarterly employee appreciation BBQ and a perfect time to piggyback with a smoked pig ‘sammich’ in hand.
I texted my partner and...
Not too long ago, I was tasked with performing an Application Security Assessment while on-site at a client location. I had worked with this client before, and was eager to see how they had matured their applications over the past couple years. Originally, I had performed an Application Security Assessment on an older version of the application and I was curious to see the direction they went with the new version of the application.
As I began my normal testing routine, I quickly realized this particular application was built on top of the Google Web Toolkit (GWT) and most of the responses were JSON formatted. Seeing this, I knew this would be a tough nut to crack as both GWT and JSON were built with security in mind.
At the start of this assessment, I decided to start with a quick walkthrough of the application. While my intercepting proxy tool spidered each...
Mirror, mirror on the wall, what does my website reveal about my business to all? #WarStoryWednesday
If you run a business, chances are that you have a presence on the Internet. A website is considered a critical aspect of a business. Establishing your product or business online is a must. As important as a website is, it is also a vulnerability point for your business – think about the Ashley Madison hack. Hackers can use your website to conduct reconnaissance and then infiltrate your company. When contracted to conduct a penetration test, white hat hackers try to simulate the actions of an actual attacker.
If your organization has a Web presence, this war story is for you.
Website Pen Test War Story: Background
In a recent penetration test, I was hired to simulate an attack against a company that handled PII (personally identifiable information). The company wanted the test to simulate an attack from external sources (online), to be followed...
A wide-open physical security assessment war story - #WarStoryWednesday
War Story Wednesday is a Solutionary Minds blog feature series. On the first Wednesday of the month, Solutionary is publishing a blog from one of our security practitioners that discusses a real-world engagement or “war story.” This blog, featuring Security Consultant Brent White, is the second submission in the series.
This physical security assessment was fun, easy and a bit alarming. It was fun and easy for how completely simple it was. On the other hand, it was alarming because of how simple it was — as well as there being no security presence.
How can we get in?
This is usually the thing we try to answer first when conducting a physical security assessment. Through basic reconnaissance, my co-worker and I quickly figured out the following information:
- The front doors automatically locked every day at 4:30 pm.
War Story Wednesday is a new feature series. On the first Wednesday of the month, Solutionary will publish a blog from one of our security practitioners that discusses a real-world engagement or “war story.” This blog is the first submission in the series.
Assessment Background
One of our Red Team Assessments started with a client who was very confident that we could not compromise their physical or network security. This sort of boldness can often fuel tenacity; regardless of what color hat (white, grey, black, Technicolor) you wear. This assessment was a free-for-all. That meant we were free to do whatever we could, without breaking anything and within scope, of course. Great, right? Well, the catch was that we only had a few days of remote work and a couple of days onsite.
During the Open Source Intelligence (OSINT) gathering phase of the assessment, and after performing some remote phishing and charming phone calls, we were able to gather a...
This year, during CircleCityCon in Indianapolis, Indiana, Brent White, a fellow security consultant here at Solutionary, and I shared methods for owning layers of identities as well as different guises that have worked for us as part of the Solutionary Professional Security Services team. During the presentation we shared multiple real-world scenarios where armed security guards have opened the doors to server rooms or assisted the "employee" by providing information about company flaws and systems.
Assessment Background
One of our favorite stories involves an onsite Red Team Assessment (Social Engineering and Physical Assessment) that started off by exploiting the "daily grind". This particular assessment was a challenge because we were informed of the number of armed security guards onsite and...