I Can Has Your Password
Red Teaming: Can I has your password?
Welcome to no. 3 of our ‘Breakfast Series’, by PR’s senior consultant Abdul Ikbal.
Abs specialises in cyber security, has been in the industry for over five years, and is a valued member of our Red Team. Here he shares advice on password security.
I will find the flaws in your internal network
My Red Team objective is to gain free access to your internal domain without your knowledge or consent. And I will achieve this without leaving my dark, geeky dungeon.
How do I access your network? Your precious external-facing infrastructure is flawed, be it technical, human or otherwise.
What do I target? I could identify vulnerabilities within the technology you employ, or guess the passwords to your employees’ accounts. The former may not reveal any flaws; the latter may force me to use intrusive means such as brute-forcing accounts, which could alert you to my presence. During Red Team engagements I don’t want you to find out what I’m doing, so what’s my strategy?
My strategy is to target your weakest link. And what’s your weakest link? It’s not what, but who: your employees. I will call them, ask for their password, and they will give it to me. Why? Because I’m credible and convincing.
More than a Phishing Exercise
The scenario I use depends on the employee I target. This is not a basic phone phishing exercise where I contact your employees with the same story, e.g. I’m calling from dept X of your organisation and need their password for reason Y. I will research each individual and base my attack vector on them.
There are several resources I use for my research, including LinkedIn, your company website, haveibeenpwned and my Google-fu (other search engines are available). Scenarios that have worked for me in the past:
- Calling from your organisation’s IT, Finance or HR team, etc.
- Creating a sophisticated, but fake, website based on your company which my victim can visit for more information
- Sending an email to your employee from a like-for-like domain based on your company
- Name-dropping; using a senior manager’s name for authenticity
To be frank, getting an employee to click on a link or open an attachment in an email I send is usually all that’s necessary, but more on that in a future breakfast post.
Now I have your employee’s password, what next? From here I will use my experience to identify all of your external assets and use the credentials your people gave me to log in. The rest is history.
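The like-for-like domain in the scenario list above is something a mail gateway or a SOC analyst can screen for mechanically. The following is an added illustration, not Perspective Risk’s code or tooling: a small checker that takes sender domains seen in inbound mail and flags the ones that imitate the organisation’s own domain by TLD swap, digit/letter homoglyphs, typo distance, or embedding the brand inside a longer attacker-controlled name. The organisation domain `example-corp.com`, the homoglyph table and the sample sender list are all constructed for the example; the registrable-label split is naive (it does not understand multi-part suffixes such as `.co.uk`), and genuine mail from your own domain is assumed to have already passed SPF/DKIM/DMARC.

```python
"""Flag inbound sender domains that look like an impersonation of our own domain.

Added example for the 'like-for-like domain' tactic; not Perspective Risk code.
All domain names below are constructed for illustration.
"""
from __future__ import annotations

# Constructed: the organisation's real mail domain.
OUR_DOMAIN = "example-corp.com"

# Constructed, non-exhaustive table of visual substitutions seen in lookalike names.
# Multi-character entries are applied before single characters ("rn" -> "m").
HOMOGLYPHS = {
    "rn": "m", "vv": "w", "cl": "d",
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
}


def fold_homoglyphs(label: str) -> str:
    """Lower-case an ASCII label and collapse common look-alike substitutions.

    This is deliberately aggressive: a benign label containing "rn" is folded too,
    which is why the result is only compared against our own folded label.
    """
    out = label.lower()
    for src, dst in sorted(HOMOGLYPHS.items(), key=lambda kv: -len(kv[0])):
        out = out.replace(src, dst)
    return out


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), O(len(a) * len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(sender_domain: str, our_domain: str = OUR_DOMAIN,
                    max_distance: int = 2) -> str | None:
    """Return a reason string if sender_domain imitates our_domain, else None.

    Checks, in order: exact match (genuine), non-ASCII / punycode (IDN homograph),
    same label with a different TLD, homoglyph-folded match, our label embedded in
    a longer name (e.g. brand.com.attacker.net), and small edit distance.
    """
    raw = sender_domain.strip().lower()
    ours = our_domain.strip().lower()
    if raw == ours:
        return None
    if raw.startswith("xn--") or any(ord(ch) > 127 for ch in raw):
        return "non-ascii-or-punycode"

    # Naive split: everything before the last dot is treated as the registrable label.
    our_label, our_tld = ours.rsplit(".", 1)
    label, tld = raw.rsplit(".", 1) if "." in raw else (raw, "")

    if label == our_label:
        return "tld-swap"                       # example-corp.co
    if fold_homoglyphs(label) == fold_homoglyphs(our_label):
        return "homoglyph"                      # examp1e-corp.com, exarnple-corp.com
    if our_label in label:
        return "brand-embedded"                 # example-corp.com.attacker-mail.net
    if levenshtein(fold_homoglyphs(label), fold_homoglyphs(our_label)) <= max_distance:
        return "typosquat"                      # examplecorp.com
    return None


# Constructed sample: sender domains as they might be extracted from mail-gateway logs.
SAMPLE_SENDERS = [
    "example-corp.com",                   # genuine
    "examp1e-corp.com",                   # digit 1 for letter l
    "exarnple-corp.com",                  # "rn" for "m"
    "example-corp.co",                    # TLD swap
    "examplecorp.com",                    # dropped hyphen
    "example-corp.com.attacker-mail.net", # brand as a subdomain of another name
    "ex\u0430mple-corp.com",              # Cyrillic 'a' (U+0430) in place of Latin 'a'
    "partner-supplier.com",               # unrelated third party
]


def review_senders(senders: list[str], our_domain: str = OUR_DOMAIN) -> dict[str, str]:
    """Return {sender_domain: reason} for every sender that looks like an impersonation."""
    findings: dict[str, str] = {}
    for sender in senders:
        reason = classify_sender(sender, our_domain)
        if reason:
            findings[sender] = reason
    return findings


if __name__ == "__main__":
    for domain, reason in review_senders(SAMPLE_SENDERS).items():
        print(f"{domain:40} {reason}")
```

In practice the flagged domains feed a quarantine or an analyst queue rather than an automatic block, since the folding step will occasionally catch a legitimate partner whose name happens to sit within two edits of yours; the value is in surfacing the candidates, which pairs naturally with the reporting culture the post goes on to recommend.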
The ‘It Won’t Happen to Me or My Team’ belief
You may be thinking ‘My employees aren’t that uninformed. They would never give someone their full or partial password!’ Are you certain? I’ve yet to do a Red Team project where an employee hasn’t given me their password. Modesty aside, a 100% success rate speaks for itself.
How can you protect yourself and your team from the predators out there?
- Train your employees to never reveal their password, no matter the situation
- If you’re suspicious of the person on the other end of the phone or at your reception desk, ask numerous questions, frustrate them. If they’re not legitimate they will simply put the phone down or leave.
- Promote a culture where it’s OK to challenge. If your team mistakenly manhandles your VIP out the door one day, that’s fine: you should have told them they were coming.
- Monitor trends and patterns by ensuring your employees report all incidents, and that they know who to report them to.
- If you’re an employee reading this, take a step back, think, put the person on hold and contact your IT department or manager.
Perspective Risk offers coaching, including SecAware gamified online learning and Security Awareness workshops. To learn more about our training or any of our security solutions, feel free to contact us.