Phishing: It’s Not Just for Pentesters Using Phishing to Build a Successful Awareness Program

Phishing: It’s Not Just for PentestersUsing Phishing to Build a Successful Awareness Program

Intro

www.hackerhalted.com 2

• Enterprise Security Consultant at Sword & Shield Enterprise Security• 2017 DerbyCon Social Engineering Capture the Flag (SECTF) winner• Served in the US Navy, Navigating Submarines• Holds the CISSP-ISSMP, GSNA, and GCIH certifications• Frequent Guest Blogger

• AlienVault• Tripwire• ITSP Magazine• Sword & Shield’s Blog

• Maintains blog and podcast at https://advancedpersistentsecurity.net• Trains (spoken taps out a lot) in Brazilian Jiu Jitsu

https://advancedpersistentsecurity.net/


Goals


• Open Source Intelligence (OSINT)

• Social Engineering• Pretexting• *ishing (Spear phishing, Vishing, and Smishing)• Whaling• Baiting• Dumpster Diving

• Applied Social Engineering

• OSINT in enabling more effective social engineering

• Tools and Techniques for collecting OSINT

• OSINT and Social Engineering integration

• Mitigations of Social Engineering

• Training of Teams

What is Social Engineering?


• Human Hacking

• Exploits the human factor and often bypasses technology and expensive equipment

Pioneers of the Art



Examples of Social Engineering


• Phishing

• Spear Phishing

• Whaling

• Vishing

• Smishing

• Baiting

• Pretexting

• Dumpster Diving

• Tailgating

Psychology of Social Engineering


• Everything goes back to Dr. Cialdini’s 6 Principles of Persuasion1. Reciprocity

2. Commitment and Consistency

3. Social Proof

4. Liking (Likability)

5. Authority

6. Scarcity (Urgency)

Applicationof Social Engineering


• Social Engineering aims to influence the users to:• Provide some sort of data (ideally, sensitive data)

• Tell us something that is not online and readily available

• Tell us who could do something or tell us more (give us better targets)

• Tell us about the operating environment and issues within

• Perform an action• Clicking a link

• Making a change to the firewall rules

• Open an email

What is OSINT?


OSINT is drawn from publicly available material, including:

• The Internet

• Traditional mass media (e.g. television, radio, newspapers, magazines)

• Specialized journals, conference proceedings, and think tank studies

• Photos

• Geospatial information (e.g. maps and commercial imagery products)

Where can one gather OSINT?


Gathering OSINT


• Public conversations (borderline HUMINT)• Bars• Malls• Restaurants

• Family and Friends

• Back Windshields

• Mostly, the internet• Forums• Job Boards• Search Engines• Social Media

Goals of OSINT


An example of OSINT


Another Example


…another…


…last one…


OSINT Demo


Timing


SE and OSINT Relationship


• They share similar properties in terms of human psychology

• OSINT can be used to build a dossier or profile about a SE target• This can provide context for the contact

• Better pretexting

• Better (spear) phishing

• Better “other” technical stuff like password guess (or even passwords)

Attribution?


Law Enforcement


Sales and Retail


…more examples…


…even more…


Is this one and done?

• Several rounds may be required.

• You may find something interesting towards the end that causes you to look at everything again from a different angle.


Collection Considerations

• What is the Endgame?

• Is what you’re doing ethical? • Do you have an ethical obligation to do this a certain way?

• Is this legal?• Does the state that I am doing this in require Private

Investigator Licensure?

• I have collected all this data, how do I protect it?• How long do I retain it?• How do I dispose of it?• What value could be assigned to it?


Weaponizing OSINT

• We can’t be like the South Park underpants gnomes…


Social Engineering Demo


Contact Me

Social Media

• Twitter: @C_3PJoe / @advpersistsec

• LinkedIn: linkedin.com/in/billyjgrayjr

• Facebook: facebook.com/joegrayinfosec

Email

• [email protected]

• [email protected]

Blog and Podcast

• advancedpersistentsecurity.net

Podcast is also on iTunes, Stitcher, Google Play, and other fine platformswww.hackerhalted.com 31

Future Speaking Engagements

October 17-18: EDGE Security Conference, Knoxville, TN

October 20-22: SkyDogCon, Nashville, TN

October 26-17: Lone Star Application Security Conference

(LASCON), Austin, TX

November 11: Bsides Charleston, Charleston, SC

November 15: Metro Atlanta ISSA Conference, Atlanta, GA


Contacting Sword & Shield


Questions?


OSINT Resources35

(All in no particular order; except the book section)

• Blogs:• Automatingosint.com• learnallthethings.net• Osint.fail

• Podcasts:• Complete and Privacy Security Podcast• Social Engineer Podcast

• Book:• Open Source Intelligence Techniques (Michael Bazzell)

• Slack:• Openosint.slack.com• Aps-opensource.signup.team

OSINT Resources36

(All in no particular order; except the book section)

• People to Follow:• @beast_fighter• @baywolf88• @jms_dot_py• @jnordine• @upgoingstar• @_sn0ww• @sarahjamielewis• @webbreacher• @andrewsmhay• @dutch_osintguy• @infosecsherpa• @sweet_grrl• @inteltechniques• @cybersecstu• @jennyradcliffe• @ginsberg5150• @iv_Machiavelli• @GRC_Ninja

Phishing: It’s Not Just for Pentesters Using Phishing to Build a Successful Awareness Program

Technology