Chapter 8
Attack Strategy
Before we get into the meat of attack strategy, I want to take a moment to round up the mindset. The Attacker Mindset is formed by cognitive skills applied to four laws. The mark of a good attacker is the ability to come into contact with information, weaponize the valuable information and disregard the rest, and then leverage it in an attack. Sometimes the information will come to you already weaponized; other times, you will have to mold and shape it into something to be leveraged. Notably, you do not need the skills to understand the laws. You do not need to know or care about the laws to have or use the skills. It is, however, the use of both in tandem that forms the mindset.
The skills you need are curiosity and persistence, which are interdependent, since one will not pay off without the other. The other skills are information processing, mental agility, and self-awareness. Mental agility is a fancy way of saying you must be able to adapt the information to the situation in which you find yourself. Applying your self-awareness as an attacker results in leaving someone feeling a certain way, which is most often accomplished by your demeanor, your choice of words, your body language, and your general way of being. All in all, it's knowing what you have and how to leverage it for the objective. It's knowing when to push and when to pull when evaluating your own strengths and deficiencies.
The laws that these skills are applied to are as follows:
- Start with the end in mind.
- Gather, weaponize, and leverage information.
- Never break pretext.
- Every move you make should be in the interest of the objective.
Law 1 means that you are always thinking ahead; you need to be able to think far enough ahead to the end goal, to be able to keep it in your mind, and know what your short-term goals are. Then you must employ laws 2, 3, and 4 to reach the end.
Law 2 states that you gather, weaponize, and leverage information as a means to that end. Law 2 takes practice, but information is everywhere. Used in tandem with curiosity and persistence, you will see results.
Law 3 means you are never yourself. You can switch “characters” or pretexts when it serves you, not just because you are bored or want to show off your acting range. A pretext is a way to disguise yourself as a threat. It's a narrative you're presenting that allows you to be exactly where you are, doing exactly what you need to do. Some pretexts will let you do this overtly, whereas others require a more covert approach. For instance, posing as an office cleaner won't get you in the server room, but it might get you deep enough into the building.
Law 4 states that every move you make after deciding the objective of law 1 will benefit it. Everything you do must get you closer to the objective. If you need to take a new route because the one you tried is a dead end, do it. If you have to sacrifice entry one day due to new intel but wait to try again the next day, you should do so. In any attack, convenience isn't a factor or concern.
Attacks always have a gain in mind. The attacker is only concerned with how to achieve that objective in the most efficient way.
Undoubtedly, there is an element of opportunity that shows up in every attack, but the art of an attack is still formula- and skill-based.
Attacks in Action
Attacking is defined as engaging your opposition with your objective in mind. Some of the art of attacking relies on engaging and deceiving your opposition with the objective in mind—keeping them in the dark about the facts that are indeed part of an active attack. Offensively, an ethical attacker (EA) takes on the role of the adversary, and ultimately the most cost-efficient way to perform an attack is under the radar and with as little resistance as possible from the opposition. Concealing your identity as an attacker is always prudent, though not always as easy as you might first think. It's important to know your pretext, and ensure that it gets you all the way to your objective or that there is an opportunity to pivot into a new pretext once inside.
Remember that the third law of AMs is never to break pretext. That essentially means you are never yourself. You can draw on multiple pretexts in one engagement, but they must have a purpose. For example, if your job is to get to the bank's vaults, you will need a finely crafted pretext to get you from the entry point to the vault. The best-case scenario is that you've had time and permission to perform vishing and phishing attacks, gaining enough details to know how to facilitate a good pretext for that endeavor. However, that might not all be within scope. If it is not, then you must be able to come up with an agile pretext. You will have to infer where needed and adapt where possible. Your offensive attacker mindsets (OAMs) will fight to overtake your defensive attacker mindsets (DAMs) in this situation. You must overcome this urge in part. Your DAMs will allow you to look at the risks your OAMs will not care about in the moment.
There will also be times when your pretext will slightly alter depending on who you are speaking to. If you have been tasked with getting into a bank's vaults, you may enter the bank as an auditor, which may be enough to get to into the perimeter, but the deeper you get into the building and its defenses, the more layers you may need. When you reach the bank's vaults, you will, in all likelihood, not get into them as an auditor. If you cannot tailgate in or brute-force your way in with tools, you may have to pivot and ask for assistance as a fellow employee.
Opportunities that arise in the course of an engagement make a one-track offensive strategy impossible. In fact, sometimes pivoting becomes the offensive strategy. There are two ways to pivot: there's a single person adjusting and adapting the deeper they get into their target environment, and there's team pivoting, which is like a team of baton runners doing a hand-off. In the latter case, there may be less flexibility when advancing to the next stage of an attack if it is contingent on one attacker within a group. For example, if one attacker from the team needs to get into the building in order to let another in from an alternative entrance point, then more rigidity is introduced to the setup.
This was the case for me on a recent job. I was to gain entry to one of multiple buildings and test the visitor system. My teammate and I coordinated as I walked through the building, entering from a far-off alternative entrance. Initially I tried to let my teammate in the side door of the cafeteria, but there was a locked gate that prohibited him from getting to it. He could have jumped the gate, but law 4 prevented it. In broad daylight, jumping a gate in a busy professional complex would've stood out. Note that the building was glass on three sides, and the crowded cafeteria looked out onto the gate.
Our plan failed there, so it was on to the next plan. I soon made my way to reception and ultimately signed my teammate in as my guest. It has been one of the few times I have used an authoritative approach on a target. As I approached the reception desk from the side, I waved to my teammate and ordered the desk receptionist to sign him in without much in the way of amiability. I made a point of being brisk with her and yet friendly with him from the other side of the barrier I was trying to remove. It worked. I used all the laws in one moment and they paid off.
We used the same tactic to enter another of the buildings the next day. Two of my teammates made their way to stand with a small crowd of actual employees waiting for service at the food truck in the parking lot. They then nonchalantly walked back in with some people from the crowd, effectively tailgating into the building. Making their way from the back of it to the front, they greeted me and one other team member, again asking a receptionist to grant us entry via the visitor system. Ultimately, and sadly for us, this maneuver got us caught. We got a little cocky and greedy.
We didn't actually have to enter this building since we'd compromised all the others within the scope. But we also had nothing to lose by that point because we were hours from calling the job to a stop. After around 15 minutes in the building, taking photos and collecting sensitive information from desks, as was the objective of that operation, we were escorted out by security. The woman who had let us in didn't fully buy all the way into our scam, and in the end, she alerted security and her bosses. We did not adhere to law 4 here. It was on me, too; I was adamant we could get into that building.
As you can see, a misallocation of the economy of force can increase the complexity of a job. However, it's a fine line to tread; in trying to employ all available combat power in the most effective way possible, you can inadvertently create rigidity and extra work for all. In cases where you cannot enter and remain alone, remaining frill-free is vital. The offensive mentality of the team's AMs must outperform the best or most successful attackers alone; otherwise, too many variables are introduced.
Strategic Environment
The strategic environment that you enter as you perform attacks remains as it has always been—complex. In the book Foundations of Homeland Security: Law and Policy by Martin J. Alperen (pp.55-78), the strategic environment insofar as a military definition is described as “a broad range of strategic factors that influence an understanding of the operational environment… .” For you as an attacker, strategic factors in your operational environment include a wide range of people inside the target environment, as well as the security protocols it has in place and the location.
Beginning with the people part, you will run into three types of people in your target environment: lucrative, neutral, and opponent. In and of itself, this is not cause for concern if you can easily identify people within their category. However, more often than not categorization will not be possible until you've had that initial interaction and you are left to either steer the interaction to your benefit or be a subject of its outcome. So, for example, you might walk by 10 people sitting in their cubicles with their heads down or walk by one security guard who doesn't look up; these two fall under neutral and lucrative, respectively. However, you might interact with someone you hoped would turn out to be in the lucrative category but immediately begins to challenge you, moving them to the opponent category.
Moreover, these three cohorts will interact in an uncoordinated manner to produce a complex environment for you to navigate. And so, because of this complexity, you must be able to employ a certain amount of mental agility in your approach, either by gently steering the conversation and outcome or by employing chameleon tactics and reacting to any targets you come into contact with in a way that seems favorable to them. This takes quite a lot of AMs's bandwidth, as you will have to subtly adapt to interaction with a target in order to advance. To do so, you will have to read them correctly, which takes a certain amount of active engagement. It's done through information processing, mental agility, and self-awareness. If you can read them, you can adjust in a beneficial way, but you will need accurate self-awareness. The strategic environment thought of this way presents broad challenges. But there are concepts that can control the use of your AMs to meet the demands of the environment, the most important of which is strategic agility.
Strategic agility is the timely application and sustainment of your AMs, and at a speed and tempo that your adversaries cannot match. In other words, you must always aim to be ahead of your targets; you must always be preemptively assuming their next move. Being faster than your opponent doesn't mean always accurately predicting the future. It can mean steering the present to create the future. Typically, people do what you expect them to do. A security guard will try to stop an obvious intruder, which is great if you have a team member to spare as a distraction—in this case, you're already ahead of your opponent.
In network pentesting, if you are noticed, the incident responders work to take the impacted applications or systems off the network. They will also check for backdoors or block associated accounts.
Your targets may know how to stop one style of attack, but your AMs allows you to see what is invisible to them and to exploit those unknown (to them) variables. This is attacker agility, and it creates opportunity and momentum in the moment from target reaction, which takes definite social skill. Attacker agility is an important skill that will help you combat the uncertainty you face given the three types of people you will come across. Offensive strategy allows an attacker to see vulnerabilities and valuables invisible to the organization and exploit them in plain sight, such as the visitor system, which is any process that helps an organization keep track of the people that visit their location. Some businesses and buildings simply collect the visitor's name, but others have higher security standards, such as badges, legal documents, employee escorts, and sign-in systems.
The Necessity of Engagement and Winning
As an EA, you advance the fundamental and enduring security needs—the protection of livelihoods, information, and data—of businesses, institutions, and governments. Effectively, your goal is always to enhance security. You are an instrument for ensuring it. Accordingly, the primary purpose of an EA is to deter threats against an organization and its interests, and to help them defeat such threats should deterrence fail, by empowering them with awareness of what an attack looks and feels like. As an attacker you stand with the other instruments wielded by these organizations—typically technology which can be a deterrent.
Deterrence via technology focuses on forcing bad actors to consider the costs of doing attacking, as well as the consequences that might come from a counterattack. There are two main principles of deterrence typically at play. The first is denial, which (hopefully) results in bad actors being convinced that they won't succeed, at least not without enormous effort and cost. The second principle at play is punishment, which focuses on making the bad actors believe that there will be a strong response with serious consequences.
Of course, deterrence doesn't always work. Threats such as those posed by nation-states. Some criminals are simply not afraid of the law or consequences and often are affected by other mitigating factors such as greed or abject behavior tendencies.
As an attacker, your immediate task is to attack and win against a client. To do so well, you will have to be well organized, trained, equipped, and work against the deterrence in place and note where there none. However, attacking to win isn't your overarching goal. Ethical attacking is a structured process that seeks to better understand the capabilities of an organization to secure itself against malicious threats. It's safer to do this process through simulations rather than waiting for the real thing to occur. You test defenses and identify blind spots in the hopes of hardening your client's defenses. Winning at all costs doesn't teach an organization. Sure, you could scale the building, use a glass cutter, and escape down the trash chute from the 20th floor, but that's really the absolute last sequence you should try; otherwise, you leave them vulnerable because the least resource-intensive, least costly ways are left open—visible to malicious attackers, invisible to the future victims of them.
Certainly, there are some jobs where you will have to resort to extreme measures; the higher and more advanced a business's security, the more advanced your attack will have to be. In any case, your job is to attack and identify vulnerabilities that are invisible to the client but that put them in grave danger. The EA's job exists because of the necessity of engagement.
The essential nature of engagement lies in its ability to enhance security through integrated approaches, such as network and physical pentesting as well as awareness. This allows organizations to structure their environments, deal with the full spectrum of threats, and prepare for an unclear and ever-changing future. By using all tools and tests that are essentially instruments of destruction, including physical and network-based engagements, as ways to strengthen security, one-by-one the national landscape is made less penetrable. Ethical attackers play the key role in this effort. As an EA able to think maliciously but not become hostile, you form the foundation of mutually beneficial alliances and security partnerships, bolstering security stability in the long run for the organization you serve. But perhaps more importantly, you bolster and stabilize the security of their customers, which are typically the public, our families, communities, and the wider socio-ecological networks. Short-term malicious activity for the greater good makes the world safer for everyone, and in any attack strategy, there are asymmetric dangers. Thankfully, as an attacker with an offensive strategy, they are often to your benefit.
As an EA doing what is necessary, you will often resort to asymmetric means to counter the target's defenses. This might include unconventional approaches that circumvent a target's strengths, exploit their vulnerabilities, or confront them in ways they cannot match. For example, a target environment's location can severely go against them—if they are the only buildings on a street, then waiting until everyone is home for the night and entering (scope permitting) is probably a good idea. If your target is located on an extremely busy street, diverting and (mis)directing traffic can be of great use if you have to lock pick your way in. You should look at how adjacent neighborhoods are connected, ensuring that you can take the most efficient low-key routes as it's valuable information for your client. Surrounding landscape is a huge variable in how adversaries pick and execute attacks. Robbing a bank in New York would be easier due primarily to a lack of aerial views—deep “canyons” created by the tall buildings make getting away a little more likely than in say, London, where there aren't huge skyscrapers lining every street. Now, I am not condoning robbing banks anywhere, but this is how criminals and other adversaries think. They look at the whole, and so should we.
Circumventing a target's strengths and exploiting their vulnerabilities extends to network attacks, too. Let's say your target company has a bring-your-own-device (BYOD) policy in place. Targets have the freedom to choose whatever device they want to work with, which makes the process of keeping track of vulnerabilities and updates considerably harder for system administrators. It also makes being prepared for an array of potential malware attacks on different devices quite difficult.
An average hacker can make quick work of creating a hotspot to trick targets into connecting. If credentials are available to them on the connecting device, there's no reason they couldn't soon find themselves on the target network. Viruses are also a big problem when implementing BYOD strategies because potential targets can access sites or download mobile apps that would otherwise be restricted.
We have discussed information weaponization in a few chapters, but touching upon it now seems prudent as giving out information is most often a function of something most businesses need to do: A company must be able to market itself and perform its core functions; if these are inherently vulnerable, you are at an unfair advantage as an attacker. In other cases, the media will report information for general consumption that, with AMs applied, results in the identification or creation of a vulnerability. For example, I was able to enter that bank's Manhattan headquarters by piecing together information from the items placed in news articles and inference via off-the-cuff comments made by top-ranking employees on social media and in articles.
These sorts of risks have the potential to threaten most organizations directly, and it is important to use this against them so that they are no longer blind to seemingly innocuous information's potential for weaponization. Other challenges your targets generally face are things like denying them access to their own assets and owning their defenses, rendering them useless. Your target's environment is best protected through deterrence. For this to happen effectively, you illuminate what must be deterred.
The Attack Surface
Every attack surface varies slightly. But generally speaking, the attack surface is the full and integrated area of an organization (or system) that is susceptible to attacks. It is everything from the boundary of a system, some element of the system, or environment where an attacker can attempt entry. It includes all systems, all locations, all physical and digital assets, and for us, as attackers, everyday information about the company/operation.
For every defense a company or system has in place, like infrastructure, network security, endpoint security, building location, asset location, physical security, surveillance, human resources, policy understanding and execution, there are conceivable and proven breach methods for those defenses. Things like phishing, vishing impersonation, social engineering, malicious insider, physical theft, recon, unpatched vulnerabilities, zero day exploits, unpatched systems, DNS leaking, IOT attacks, breach data, network attacks, and covert entry methods—some overlap in execution at times.
This is a good way to gain an understanding of an attack surface (broadly speaking), which should ultimately translate to the identification or creation of vulnerabilities.
Vulnerabilities
…or as I like to call them: FUNerabilites. See what I did there…?
Vulnerabilities are where the security provisions employed do not properly defend against the hazards of their counters. As stated by Ross Anderson, professor of computer security at University of Cambridge, in his book Security Engineering (Wiley, 2008): “Vulnerabilities are where a property of a system or its environment, which in conjunction with an external threat, can lead to a security failure.” Vulnerabilities are like magic to you as an attacker; they are your means of achieving the objective. You can find them; you can also create them. You have the unfair, asymmetrical advantage. A studying of the attack surface deserves your full attention throughout any job.
AMs Applied to the Attack Vectors
As you have noted by now, attackers exploit businesses and people through a variety of means—phishing, vishing, impersonation, physical, and smishing—all of which require a custom solution for each client. They also all require AMs to be executed well. We haven't explored phishing or smishing in this book because the examples used to illustrate points from my career haven't often included them.
However, to ensure you have a view of all the means available to you in which to execute your attacks, we will discuss phishing, looking at the subcategories of spearphishing and whaling as well. We will also look at smishing and impersonation. Viewing each of these through the lens of AMs requirements, we can break them down and see how we can garner enough information through each of these vectors to steal, change, or destroy information, one of which is typically the objective.
In the notes section of this book, you will also find other books and materials to read if you want to learn more about each of these vectors, beyond what is relevant for this chapter.
Phishing
Phishing may have been what gave social engineering its rise to fame—it's prevalent and easy to understand for most of the public. I would go as far as to say, it's basically the common pigeon of Internet attacks. We've all seen one, we've all recognized one, they are all too common now. However, phishing makes headlines because, try as we might, the infosec community cannot seem to quash the veracity of which phishing campaigns conquer.
Most typically, phishing relies on a simple method: emails are sent under false pretenses, like Amazon wanting to update your payment information or your bank detecting unusual activity with a link straight to the evidence. The emails are often sent to multiple targets at a time, although spearphishing sees them heavily customized and extremely convincing for most.
The goal of a typical phishing attack is, most often, to get a target to reveal their logins, passwords, and payment information. Viruses are sent that gather sensitive logon information, and others that recruit target machines into botnets that are used to send illegal spam through networks. Others can be used to obtain intellectual property. Deciding which one of these to use doesn't truly matter from an AMs perspective, because generally the scope is the deciding factor.
There are two important components of a phish for your AMs to consider. The first is messaging and the second is how that is malicious, although the latter is beyond the scope of this book. A single phish can often do most of the heavy lifting for you as an attacker, which is both anticlimactic for most people and deliciously empowering to know (and use). The next few sections will look at the various types of phish and which AMs features they should employ.
Mass Phish
Arguably, a mass phish is the easiest phish to write because it benefits from the Barnum effect, but with a twist. The Barnum effect is a common psychological phenomenon that allows people to be convinced that the developed statements are personal to them. The statements are so vague or broad that people can interpret them in their own way, finding their own meaning and sometimes feeling in awe of their accuracy. A good example is a horoscope. Mine today, from Astrology.com, says the following:
This time of year is all about getting out of your comfort zone. Don't be afraid to stretch yourself and refresh your perspective. This story is highlighted today, as the creatively rich Pisces moon aligns with your ruler, action-taking Mars. Use this energy to push ahead with personal projects …
… You could have a new idea, spark of inspiration or work on a project that allows you to tap into this side of yourself. Even if your job is quite analytical, today will require you to flex a different mental muscle.
There's not a single sentence in there that cannot be applied to one of the tens of millions of people who believe in horoscopes and partake in pseudo-spirituality.
Now for the simple twist: although the Barnum effect allows individuals to give high accuracy ratings to descriptions of their personality, a phish plays on generalities specific to an environment—if you work for a bank, you may well be expecting an email about HR updates in January. If you live in the United States, you might expect to be contacted about your vote in an election year. If you have an email account that was active before February 2020, you definitely got email about COVID-19.
As far as AMs is concerned, a lesser amount of effort goes into these types of phish. They have to be themed for their audience and sent in a way that makes sense (e.g., time of day). They don't have to be 100 percent believable; they just need to have enough believability to pique the target's curiosity. For example, the target might not need to know about “Changes to Capital Gains Tax” for their current bank role, but it's a familiar term, and here is a general call from—seemingly—the right department telling them that they must sign this acknowledgment. They may not need to know about “WFH Policy Updates,” but they might click anyway, because the email has made it sound important, has given them a call to action (the link, usually in disguise), and has made it easy for them to follow that line of action.
Almost all AMs here is channeled into making it believable for the masses and not too specific, overbearing, or long. No one enjoys a long email.
Make it short.
Make it pointed.
Make it clear.
Give it a call to action.
Give it believability.
Tie it to the objective you've been given (through its theme).
Spearphish
A spearphish targets specific people or specific positions within organizations. Whereas most phishing attacks implement a “throw 1,000 daggers in the water, and see if you can hit a fish or two,” spearphishing is often carried out with some knowledge about the target. Spearphishing emails will often be personalized by name and appear to come from someone the target knows. Some recent studies, including one from TrendMicro ( https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/spear-phishing-is-the-favored-targeted-attack-bait), suggest that up to 91 percent of data breaches within organizations start with a spearphishing email.
Where mass phishing expeditions typically use broad strokes to create a malicious email, spearphishing attacks are slightly more sophisticated. They involve documents containing malware or links to credential-stealing sites, including cloned sites, to steal sensitive information or valuable intellectual property.
But what do they require of you as an attacker, you may wonder? Spearphishing is a campaign built with a goal of penetrating an organization, not often the individual themselves. The research needed is mid-level; you will have to know names, as spearphish attacks are most typically addressed to the recipient; roles and job level are also things you must research for this type of phish.
The message itself will have to be believable and centered on the target. You will have to theme it according to your objective—meaning you should give them a reason to click the link or open the file that makes sense and that they can't resist and it can be personalized.
It will still have to be short, although I typically allow for a sentence or two more in a spearphish.
It will still have to be pointed.
It will still have to be clear.
Whaling
Whaling is somewhat similar to spearphishing but directed toward upper management and C-suite positions at an organization. There's no immunity from whaling within an organization, and that's a pretty good position to start off in as an attacker. Even Facebook and Google have been scammed at the highest levels—they were scammed out of $100 million in 2019 according to CNBC (https://www.cnbc.com/2019/03/27/phishing-email-scam-stole-100-million-from-facebook-and-google.html). Whaling emails were sent to some whales that had some authority and ultimately got counterfeit invoices paid.
What do whaling phishes require from an AMs perspective? They require research, as you want to hit the right whale or whales, taking into account susceptibility, vulnerability, and scope.
You will be required to investigate three categories:
- First, you explore the company landscape in two ways:
- You will have to learn about the company—what do they do, what their reputation is from a client/consumer point of view, and what it is from an employee point of view.
- You will also benefit from getting a sense of what things look like on the inside—you'll want to know how they communicate as a company both in terms of vernacular and technology-wise; you may benefit from learning the distance between the C-suite and the D-suite, for example, or how casual the corporate culture seems and how busy upper management is.
- The second thing you will have to investigate is the individual you want to send the email to. You won't need everything you come across, but you might note it in case the track you decide to follow ends up fruitless. For example, you might find that the CEO you are targeting was divorced, usually an emotive topic that could override most logic, ultimately allowing a reply or otherwise inadvisable action. However, you might also find out that although the news outlets are marking the occasion, he was actually divorced 20 years prior and his ex-wife is actually now his late ex-wife. There would be little point in emailing him as her attorney, and even if she were alive, typically most things have been taken care of 20 years after a divorce in terms of legalities, so it's a somewhat fruitless track. It would take up too much of your time to bend this information into a believable story, so you'd be better off to look elsewhere.
However, if you've gotten to know your target and company and you've arrived at a dead end with one attack, you hopefully have enough information to lead you to another attack.
To execute a whaling attack well, your AMs—specifically your curiosity, persistence, and law 2—is best applied to the following areas: public records, legal subpoenas, news sources, and social media accounts. Friends of the target's social media often provide information, too, even if they don't have much of a presence themselves. This is because people like to know people deemed important. If you are targeting someone with any level of celebrity (micro or macro), it's likely that someone, somewhere is talking about them on social media, talking about the good times, commenting on photos, and so forth.
Research of any kind will aid you on your phishing quest. For example, a malicious attacker was able to successfully attack Mattel—a multinational toy manufacturing company—using research. Through investigation, the attacker learned there was some internal turmoil in the company. The attacker researched the company's organizational chart and found that Mattel required signatures for payments. The attacker also used social media to learn the names of key individuals sending requests for funds. On top of this, the attacker also recognized the company had just hired a new CEO and was looking to expand into China. A request for a wire transfer to the Bank of Wenzhou seemed like a good bet for the attacker and authentic from the target's perspective.
- It is the level of sophistication of the whale that matters most. You cannot afford generalities; everything must be targeted, including who it comes from, which should be a trusted source. Usually, a trusted source is someone with whom the executive expects to communicate, which is the third branch of a whaling phish you must investigate.
You have to look for information on the source, whether you are sending the phish from inside or outside the organization, so that you can replicate their communication style. Whale phishing attacks are successful because they are well planned. You must seek to find the behavior of the target, their patterns, and business headlines relevant to them. This level of deception will make it hard to tell the difference between a whale phish and a real email.
In all honesty, the thing that makes whaling hardest for me is that I cannot gauge who they are, what they are like, or how they operate. I often find myself navigating to YouTube or some version of it where I can see them, whether it be in an interview or in a casual conversation.
Whaling requires a sort of superiority that some of the other types of phishing can lack and yet still be successful. Whaling will require more of your AMs than the others.
Make it high-level.
Make it relevant.
Make it pointed.
Make it clear.
Lend it credence through investigation and research.
Vishing
I enjoy conducting a vishing call. They are often similar to a phishing attack, insofar as they are typically used as a way to extract information, but a vish is conducted over the phone. Unlike a phish, you have immediate data on the target—many things can be conveyed through a voice, which means that AMs can be employed in one of its most natural states: as agility in reaction. If the target answers, you can infer a lot from their voice. If you are right—great, proceed. If you are wrong—great, pivot. It's the same in the field.
Vishing can be used to learn many things, but it all boils down to either gathering information or using the vish in conjunction with a phish. I will break these two methods down so as to be clear.
When gathering information, you might vish a target belonging to the organization you've been hired to test in order to ascertain how much information they will willingly hand over. Typically, banks employ people to vish their workforce this way. I will call up as a member of the HR team citing the “recent company changes,” which, even if there are none, tends to work. Before long I will ask them to confirm some items on their record, such as marital status, the best contact number for them outside of work, their Social Security number, and so forth.
Another pretext often used is that of IT, usually calling about a database that was cloned incorrectly and thus leading to discrepancies in the data. If the target doesn't wish to answer and they are low enough on the rung, I will pivot and ask for their email and their manager's name so that I can gather the needed information from them. People are usually willing to oblige—their manager will, after all, know what to do and be pleased that they themselves did not give out information, only that of someone else within the organization.
The second reason to vish is to use it along with a phish. My favorite.
When vishing, it's the three first laws of AMs that have the most impact. The first law states that you start with the end in mind. It is a way of taking information in and applying it to an objective, and in this case steering the call through the information you provide in order to get to the objective. The second law states that you must weaponize information for the good of the objective. The third law states that you never break pretext. I tend most often to focus on the hardest flag to get. (A flag is a piece of information or asset you are aiming for. The objective can consist of multiple flags or just one.) I do this because it informs my pretext well. As an example, if my objective is made up of three flags—getting the target's full name, their job title, and their Social Security number—I will focus first on the Social Security number because in doing so, I immediately take the threat out of the scenario. Of course, I, posing as Tina from HR, shouldn't be asking for your SSN over the phone, but I do so only after I've “proved” to you that I am who I say I am by reciting your name and job title (which you will confirm for me). That counts as two of my flags. In doing this, I build up some trust and lend myself some credence. These are the cornerstones of rapport building. Rapport is a Swiss army knife for the attacker, so to speak. It can help you persuade people to take actions they ordinarily would not if the request came from a perfect stranger or from someone they did not feel comfortable around. Rapport can divert or misdirect the attention of an individual, too.
Misdirection itself is a form of deception in which you draw the target's attention to one thing to distract it from another. For example, there are temporal misdirection's of attention whereby you can walk into location or start a call and be clear with the target that you are under the pressure of time to get something done. The something could be getting the database fixed, which you might need their assistance with or it could be performing checks around a physical location. As a network pen tester, it might simply be a diversion. Whatever it is, it's a lengthy departure from the real reason you are making contact. Add rapport to the equation and you are even more likely to find success.
Rapport can be struck up with something as seemingly insignificant as creating a (false) shared experience: “I know we are all flat out just now, so sorry to call this late…” or, my favorite, “I love your name. My mum's name is [Christine].” This works for me specifically on the phone because I am quite soft-spoken and can sound young, especially when I make you think of my mom, who is definitely not called Christine or any other target names I've had to date. Rapport can be developed many ways, but the level of rapport is actually decided by the other person, not by you. If the other person doesn't really care that she shares the same name as my mom, then I don't get to act like she does. In vishing, developing a worthy pretext, is the first step required of your AMs, but your AMs's staying power should emerge during the call. It must never let you break from the pretext, and everything you say must be steering the way to the objective.
AMs applied to vishing relies most heavily on two things. The first is agility for the good of the objective. Think through the call; play that game of mental chess whereby you imagine all the scenarios you can—it will warm you up for the real thing, including the chance that the target asks you details about yourself or your job. The second thing is to never falter in the pretext you have chosen. You must be acting exactly as your chosen character would in a real-life scenario.
An average vishing call for my team lasts three minutes. They are clear and effective in their approach. They get through hundreds of calls in a day this way. I, on the other hand, have had calls that last 25 minutes.
I got my target's number from our internal list and dialed her number, spoofing my own so that it appeared I was calling from her workplace rather than my own. When she answered and, I'm not being facetious when I say, she had the voice of an angel. I explained who I was and was happy to hear her reply each time. A minute or two into the call, I asked for the first flag, her user ID. The tone changed immediately, and she tried for 20 minutes to verify who I was.
The real story of the call is that she asked me who my manager was. I made up a name, which obviously didn't pass her internal checks; then she asked who my manager's manager was, which due to its fictitious nature also did not pass her internal check. Then she asked me who my manager's manager's manager was. When I again pulled a name out of my fake name generator, it was, in fact, the name of a manager of a manager of a manager.
My target said, “Oh, Bob Smith! I know Bob, hold on.” She typed his name into the internal database, and sure enough “Bob Smith” existed but he was off this particular day. “I can't verify with Bob,” she told me with a hint of disappointment, given that we were now about 20 minutes into the call. “He's out of the office.”
“Really!” I exclaimed, feigning disappointment but feeling relief. I really did not want to speak to Bob. Eventually, after her following all of her internal procedures and doing so as a professional, we went our separate ways. I marked her name as “Shutdown” so that when we sent the data to the client for the day, they would see who within their organization was acting in the exact way they were training them to. There was no need for me to mark it, it turned out.
Mere hours after the call, I was sitting on my living room floor trying to get a kink out of my back when my cell rang. It was my boss. Surely, he was calling to congratulate me, given I had heroically stayed on a call about eight times longer than our average in order to gain a couple of flags. Negative. He was calling to let me know our client's substantial and prominent legal team had given him a call to threaten ending the contract as one of his employees had name-dropped a point of contact, an action that was strictly forbidden within the terms of the scope. Not the most comfortable conversation we'd ever had.
We were going to lose a very large contract—and I'd probably lose my job—thanks to my using a very dad-like name. In picking a common dad's name in Scotland, at random, and giving it as the third name I had made up for the call, not including my own made-up name, I had unfolded all of this mayhem.
The next few minutes were spent getting my boss to believe I had made up the name, which was an easy start given I had never seen the contract, and didn't know the name I'd inadvertently spat out was actually a C-suite employee.
And I spent the next few hours trying to convince the legal team that I had made the name up. We went through the call what must have been 10 times, listening to me making up names and letting legal ask questions about how I could've possibly arrived at such a name at the drop of a hat. We also listened to what might be the most epic response to a declaration of country, too. The woman who had the voice of an angel also had the ear of a rubber chicken. She was basically in need of a translator—she could not get her ear around my Scottish accent, no matter how much I slowed down or annunciated. About midway through the call I said, “I'm Scottish,” as if that was somehow an excuse for my not having any presence at her organization. Her reply: “I am sorry.” This, mixed with the fact that I had no real way to know who was listed on our contract, allowed the bank to forgive us, and we lived to vish another day.
However, the point remains: never break pretext, and stick with the goal until you've exhausted every option and you've won or been defeated in a valiant effort.
Smishing/Smshing
Smishing stands for SMS phishing, and it's executed via the target's mobile phone. Many social engineering methods associated with phishing are implemented here, too. You will typically still pose as a representative or as someone familiar with the organization. Smishing works best on individual targets, but there are times when the organization at large can be targeted, too, as famously occurred with the alleged hack of Amazon CEO Jeff Bezos's phone via a link sent through WhatsApp.
I find these sorts of attacks to require short, sharp jabs of AMs. An SMS phish need only inform the target of something, like an account that is not operational, or give a call to action, typically in the form of a link.
Smishing is largely seen as the least creative form of social engineering, but getting a target to believe their bank or organization or delivery service is legitimately texting them takes a fair amount of AMs, for hardened targets, at least. Smishing, by all accounts is an underrated vector, and they matter in the world of security Smishing matters so much, not only because each time one is sent in an organization's name their brand is diluted and trustworthiness is chipped away from a consumer point of view, but also because each Smish puts their customers and employees at risk. Businesses should be taught to think of Smishing the same way they do phishing: a real threat with real consequences.
Make it personal.
Make it urgent.
Make it clear.
Make it concise: Because of this, do that for this, more optimal and solution-based result.
The sheer number of variations on the term phishing may seem extreme, but each represents a potentially catastrophic threat to businesses and their data. But they also represent a way to show an organization how easy and effortless it can be to circumvent their defenses. As I said previously, defensive measures often lag behind offensive measures because it is hard to tell the future accurately. Even if security professionals could see how the future would unfold, how their measures would be circumvented or brute-forced, they would not be able to see how the countermeasures would be exploited. So, yes, defense lags offense. As an EA, your role is to exploit the current shortcomings of a client's defenses and allow them a speedier, smoother road to defense and deterrence.
Impersonation
Impersonation is one of several social engineering tools used to gain access to a system. Most often, impersonation tactics make use of the human tendency to trust or obey. Impersonation can require a lot of preparation and, depending on the person you want to impersonate, you might have to get permission. It will have to be clear, unambiguous permission, too.
I recently led my team on an exciting vishing engagement in which we were targeting a prison service company. We were allowed, per the scope, to impersonate internal employees below the C-level, but one of the flags was a copy of some counterfeited inmates' criminal records placed within the system. For this particular engagement, we impersonated civil servants—nongovernment employees—a technique that was somewhat effective. We also used the title lawyer for our pretexts, which yielded good results. Apparently, people will give lawyers a fair amount of information, which seems reasonable—a lawyer may need a copy of a criminal record. However, when we were planning the engagement, we reached out to a friendly contact within law enforcement to ask if we could impersonate one or two officers. We were, in no uncertain terms, told no. However, a real attacker will have no qualms about impersonating an officer or anyone else who would help them achieve their goals. Just like us, they use all the laws of AMs without the rules of engagement.
Ubiquiti Networks, a manufacturer of technology for networking, lost almost $40 million in a 2015 attack. After sending a phishing email, the hackers used the technique of employee impersonation to request fraudulent payments, which were, rather unfortunately, made by the accounting department.
A lawyer, Richard Luthmann, chose a different course of impersonation. He created social media accounts in the names of politicians. He created fake Facebook and Twitter accounts that impersonated political candidates and power brokers and set a myriad of small, figurative fires. For example, he created a page about city councilwoman who talked about “SRO Welfare Hotel Full of Criminals and Drug Addicts” that “she” planned to develop.
Luthmann was apparently unaware that any of this came close to what could be recognized or classified as a crime, stating that he was only engaging in “dirty tricks.” A special prosecutor disagreed, and he was indicted on 17 misdemeanor counts, including identity theft.
You can play many roles as an impersonator. The ones I most often come by are repair or maintenance, auditors, fellow employees, and system manufacturers. The list goes on; it's only as short as our imagination. Impersonation works best when you come in full character, so to speak. If your chosen pretext wears a uniform, you should make every conceivable effort to have that uniform. The same goes for an authentic-looking ID badge. The less tangible things you will need are knowledge that appears to be insider information, such as jargon, technical data, and industry-insider terms; names and details about employees; and details on the skills needed to do the job of your chosen pretext. These tricks work because we all regularly interact with people we don't know. It's commonplace and acceptable to trust credentials—a badge or a uniform—and, thankfully for you as an attacker, these things can be forged.
As a network pentester working in Australia, I was part of the team that got to venture out as what I can now identify as social engineers, but what at the time seemed like an inherent part of being a network pentester. I got into a small industrial complex as instructed, but my pretext was based on what would become one of my best fails. My pretext was that I was Swedish, there to inspect the machinery. The co-founder of the business was Swedish, and I was acting as his ambassador.
To the culturally untrained eye, I suppose I could get away with saying I am Swedish. However, as a man with stark white hair and glassy blue eyes approached me yelling what seemed to be exclamations of joy at seeing one of his countryfolk, I noted internally that I could not fake knowing Swedish. Alas, it did not stop me from trying. As our paths collided, he held out his hand, saying, “Hej trevligt att träffas!” I replied, “Ya!” and quite enthusiastically, too. (I know this because my whole team watched this scene on repeat for about a week after thanks to iPhone's recording possibilities.) He then asked me some follow-up questions, also in Swedish, which was not ideal for me. Soon thereafter, he switched to English and eventually had me escorted out.
He'd started out with, “Hi, nice to meet you!” and had quickly moved to, “Okay, well, she does not work for the company, we should call the police.”
Your pretext should be slightly more airtight than that.
Physical
In performing physical social engineering assessments as an EA, you are a company's capability in defending against unethical attackers. A walk-through of how you executed your attack and how you achieved the objective, or at least partially achieved it, gives organizations a wealth of knowledge about just how secure they really are, what issues they can fix, and what measures they can take to fix those issues.
However, you also have to be aware enough to observe the paths you didn't take. For instance, on one engagement I could have gained unfettered access to the facility where my client's production took place by jumping up onto the loading dock and walking through the fire door that was propped open, taken the physical keys left on the office table, and then enjoyed unrestricted access to the facility thereafter. And I for sure had a look at that route, even photographing it. The reason I didn't take it all the way to its fullest potential was, and this is not to sound arrogant, but it would have been too easy. This client would have learned nothing of the actual dangers. In just telling them of this observed one, they could easily remedy it. Proving it seemed unnecessary and like taking a liberty.
Physical assessments are often seen as specialized, but they are a growing trend, with many businesses seeing them as the next “must-have” service. My hope is that these assessments are not treated as special ops missions in all cases. As an attacker, you must be able to confidently tread the thin line of what's a substantial find for your client and what is essentially special-operations theater. There will be cases when you will have to get extremely tactical and creative with your attacks. However, those types of attacks should be reserved for the clients who are extremely well protected and who will benefit from such extremes and creativity. Underwater data centers that require physical testing is an example of this. Protected government buildings are another.
In a related, but different, topic, keep in mind that attacker mentality doesn't always point outward; it can also be introspective, protecting us from doing things that will ultimately work against our interest, such as taking illegal, dangerous, or unprofitable actions. Such actions include stopping an entire group of people as they walk toward you, who were almost oblivious to your presence, in a bank you aren't supposed to be in.
Back to the Manhattan Bank
As the words, “I'm Jeff and I'm not expecting any papers” hit me, I got what is surely evolution's way of punishing me for my trade—a nerve rash that spread all the way up my neck and pushed out into patches on my cheeks. I could literally feel my face heat up. I had no contingency plan for this.
“Jeff. Hi. Diana. Sorry for turning up on such short notice!” I said in my best impression of an apologetic lawyer and not an imposter. I held out my hand for him to shake. “I've brought papers from Sullivan's for you to look over.”
“This is very unusual,” he said, not raising his hand to shake mine. The group he'd been walking with dispersed around us, grunting their goodbyes to Jeff. “My office is just down here; let's take a look.”
As we headed to his office, I barely had the confidence to make small talk. I'd agreed to put a brief moratorium on calling myself an idiot internally, but it hadn't immediately kicked into action. “Good day, so far?” I struggled out, feigning a nonchalant spirit I did not feel.
“Yes,” he replied tartly, without looking away from our current course. I said nothing in reply; I just nodded. As we reached his office, I committed to the only rational path I could think of at the time: the fourth law of AMs: never break pretext. “Let's see these papers, Diana,” he said, looking me dead in the eyes, hunched over his desk and giving off an air of being inconvenienced.
“Sure thing!” I slammed the briefcase down on the desk. At the time, I did so mainly to show him I was not scared of his tone; he seemed to want to intimidate me. Looking back, my action was a bit weird. He was just a little abrasive, but my adrenaline was too high to work these things out in real time. Fighting fire with fire just makes a bigger, hotter fire, it turns out.
I clicked the case open and inside was what looked like the whole of the Amazon rainforest scattered around it. “Ah! Yeah, there was an incident downstairs. I might just take a minute to reorganize these, if you don't mind?” I wasn't really asking as much as saying, “I am going to make up a new plan in my mind behind the lid of this case. Please allow me to sit here and do that.”
“I actually don't have all day, Diana. You've interrupted me on my way to a very important meeting.”
Jeff was becoming a very good target.
“I am so sorry! How about this? I have all the papers on this USB. It will be faster to reprint them than to reorganize them. Do you mind?” I asked as I looked from the USB to his computer a few times to make my point.
“I do mind! What are these papers about? Why are you here today? Why have I not been told about this?” His face flashed anger like a blinking light.
“All good questions. Listen, maybe I've caught you at a bad time, but I am just going to step out now as you obviously have a lot going on and I don't want to frustrate you further.” I gathered the case and placed the USB back into its safehouse: my pocket. Unceremoniously, I opened his office door; before stepping out and walking down the hall like a bat out of hell, I said, “I'll have the firm reach out to you for a better time,” and then I crossed the threshold to what seemed like freedom from the indignation of Jeff.
“As you should!” he spat back, his words chasing me down the corridor.
“That did not go to plan at all!” I said half-jokingly to myself. Back to the bathrooms. Upon sitting on the very uncomfortable throne of porcelain shame, at the end of the cubicle line, I thought about two good things I'd learned from my brief time with Jeff: he did not lock his office door, and he definitely had a meeting to go to. I let 10 minutes go by, slid out of my top layer of clothing, folded it down and slid it into the briefcase, tied my hair up, and made my way back to Jeff's office.
The good thing about the setup in the office was that the middle of it was like a large pit for people, with the peripherals only offices. There was one sort of tunnel that shielded some of the executive offices from pit view. Jeff's had a partial view of the floor, but his space was private enough from most angles that few people would likely see me parading around his office as an unwanted guest for the second time in a day. There were also a few communal hubs splashed around the huge floor. I made my way to the closest and smallest hub that was currently unused. Slid in, pushed the briefcase to the far end of the table, and waited a beat. I pulled out a sheet of paper from it, placed it next to the case, and left it there, hoping that people, for a while at least, would just think the hub was occupied and keep on walking. I didn't want to carry it into Jeff's office again and leave it in the bathroom; that would have been far more suspicious. I slid out from the table and chair and walked toward Jeff's office. As I approached, keeping my body pointing forward as if I my intention was not to go into his office, I could tell he had vacated it. I pivoted on the spot and raced into it, flipped the light switch off, plucked the USB from my pocket, and shoved it into his computer.
Jeff also had not locked his computer. I snapped a picture and was just about on my merry way when his phone lit up the room like a '90s disco. The caller's number appeared in big, bold, black digits and, what's more, I recognized it. Without having to double-check, my gut told me what I absolutely did not want to know. It was security. “Dammit, Jeff, why!” I whispered to myself. I retreated from the office and made my way through the pit of people paying little attention to me, thankfully. I got back into the little hub and gathered my things. Sitting there for a second, I pondered my best move. I had absolutely no way to predict how long Jeff's meeting would take, but I did know I did not want to be on the floor when he made his way back to the office, lest he see me.
Back to the toilet cubicle.
Summary
- As an ethical attacker, you advance businesses', institutions', and governments' fundamental and enduring security needs: the protection of livelihoods, information, and data.
- Effectively, your goal is always to enhance security. You are an instrument for ensuring security. Accordingly, the primary purpose of an ethical attacker is to deter threats against an organization and its interests, and to help them defeat such threats should deterrence fail, by empowering them with awareness of what an attack looks and feels like.
- There are asymmetric challenges in being a target and an attacker, often skewed to the attacker's benefit. This is a legitimate concern for businesses the world over. But, alas, just worrying about it won't do.
- As ethical attackers, you are to increase your targets' capabilities to counter these threats and adapt to them defensively via training.
- Much goes into attack strategy, including all the AMs Laws. Furthermore, to defend and protect your clients after they've been your targets, your objective must become the promotion of stability and the ability to defeat real adversaries.
Key Message
Attackers always have a gain in mind—also known as the objective. The attack strategy is only concerned with how to achieve that objective in the most efficient way.
Even in this data-driven era, many people can be tricked by mass emails and calls that seem to apply to their environment—an important point to consider in an attack.