Cyber Security 4.0 conference 30 November 2016
1 like540 views
This document discusses social engineering and related projects. It begins with an introduction to social engineering, defining it as manipulating people to take actions they normally wouldn't. It then discusses the Project SAVE, a Danish project that conducted reconnaissance and 185 social engineering attacks on 3 infrastructure companies, with a 47% success rate. It also discusses the Dogana project, an EU-funded effort to develop an advanced social engineering platform and test it in field trials. It concludes with speculation about future social engineering, such as fully automated Twitter spear phishing bots and ransomware targeting IoT devices and impacting physical systems.
Cyber Security 4.0 conference 30 November 2016
- 2. O u r W o r k Danish Institute of Fire and Security Technology S O C I A L E N G I N E E R I N G C Y B E R I N V E S T I G A T I O N I T F O R E N S I C S P HY S I C A L & E L E C T R O N I C S E C U R I T Y
- 3. Future of Social Engineering Current trends and future expectations on the phenomenon of Social Engineering. Dogana 3-year EU project with the aim of developing next generation Social Engineering attacks and mitigation methods. Project SAVE National R&D project for The Royal Danish Defence College (FAK) on Social Engineering 2.0. Overview Presentation 01 02 03
- 4. I n t r o d u c t i o n t o S o c i a l E n g i n e e r i n g
- 5. Social Engineering ”Social Engineering is the art of getting someone to do something, they would not otherwise do – using psychological manipulation ,, DEFINITION
- 6. Social Engineering Attack Cycle SE Attack Cycle SE Cycle Execute attack by requiring the target to conduct an action, the target would not otherwise do. 3. Attack Employing an exit strategy is typically only required if the target is to be left unsuspecious or if the attackers expect additional contact with the target in the future. 4. Exit Conduct the necessary research to understand the target at hand. 1. Reconnaissance Initiate contact with the target based on the insights gained from the reconnaissance phase. 2. Contact
- 7. Social Engineering 2.0 Social Engineering has evolved from the physical domain as a platform for elication of information to employing cyberspace as the new battleground. With new means of communications between individuals comes new attack vectors for the social engineer, including: phishing emails, smishing, CEO Fraud, Ransomware, etc. NEW METHODS
- 8. P r o j e c t S A V E : Social Vulnerability & Assessment Framework R&D for The Royal Danish Defence College
- 9. P r o j e c t S A V E National Project National project developed for the Royal Danish Defence College with the purpose of uncovering the threat of Social Engineering against critical national infrastructure (CNI) in Denmark. • Development of advanced OSINT methods, deception planning and SE 2.0 attacks. • Execution of simulated attacks against three companies that are directly part of, or supports, critical national infrastructre. • The purpose is to uncover how vulnerable CNI is to Social Engineering 2.0 attacks and disseminate the results of the study.
- 10. SAVE: Reconnaissance • Crawling of email addresses • Social media personality profiling (sentiment analysis) • Social Network Analysis (SNA) • Systemic network footprinting (Maltego, metadata) • Darknet investigation for leaked/sold information
- 11. Reconnaissance Project SAVE • Crawled from the companies’ own websites • Crawled from open sources • Indexed results from Google • Indexed documents Email crawling:
- 12. Reconnaissance Project SAVE • Crawled content targets’ facebook profiles • Coded a script • Emulated human browsing with Selenium to avoid crawling countermeasures • Conducted sentiment analyses of the content using a ‘bag of words’ approach • Based on the sentiment analyses we categorized the users’ in the ‘Big Five’ personality framework Sentiment Analysis & Personality Profiling:
- 13. Reconnaissance Project SAVE IP Network footprinting and Metadata Analysis:
- 14. Reconnaissance Project SAVE • Systematic analysis of information sold on Darknet • Correlated sold information on +45 darknet markets for the involved companies in the study • We could not request information Darknet Investigation Methods:
- 15. Reconnaissance Results Project SAVE • ID layout for business deals • ID of stakeholders and voting rights within the organisation • ID of critical database system and how to access it • ID of complete guide to the database • ID of users with access to the database • Full list of emails and phone numbers Critical Results from the Recon Phase:
- 16. Reconnaissance Results Project SAVE • ID of useful information from metadata, incl. long list of software in use • Design of Guest ID Card • Social network analysis revealed critical nodes within the company network, which were highly interconnected, making them ideal targets for a SE attack Critical Results from the Recon Phase:
- 17. • Phishing emails • Spear-phishing emails • Credential harvesting • Whaling • Smishing • Evil USB • PDF attack SAVE: Attack Vectors
- 18. Executed Attacks Project SAVE Three companies that are either directly, or support, critical infrastructure in Denmark participated. Objective is to target CNI Complete cyber reconnaissance of the companies and select employees. Conduct Cyber Reconnaissance A total of 185 SE 2.0 attacks were executed as part of the field trial testing. 185 social engineering 2.0 attacks Vector Target #1 Target #2 Target #3 Spear- Phishing 3 1 3 Whaling 1 1 3 Conventional Phishing 2 4 146 Smishing 3 5 9 USB Attack 0 0 3 PDF attack (follow-up) 1 2 (3) 0
- 19. Aggregated Results Project SAVE 47 pct. of all executed SE 2.0 attacks were successful in convincing the targets to click on phishing links or execute a file. Criteria for success was dependent on the registration of the attempt on our web server log. Successful Attacks A little more than half of all executed attacks were unsuccessful in the study. From qualitative interviews with some of the targets, we can conclude that minor details in the wording, the sender spoofed, and/or lack of information (e.g. a phone number in the email) were the reasons behind their lack of trust in the email. Failed Attempts 47% 53% 47% 53% Success Rate of SE 2.0 Attacks
- 20. D o g a n a : Advanced Social Engineering and Vulnerability Assessment Framework R&D For The EU Commission
- 21. The Dogana Consortium The Dogana Project 18 partners from 11 countries in a 3-year Horizon 2020 project about advanced Social Engineering 2.0. Partners http://www.dogana-project.eu
- 22. The Dogana Project Developing a next generation platform for social vulnerability assessment via simulated attacks. Next Generation SE Attacks Using innovative awareness methods to mitigate the risk of social engineering. Innovative Awareness Methods Full scale field trial testing of the platform, testing +1,000 of employees to evaluate the recon, attack and awareness phases. Full Scale Field Trials http://www.dogana-project.eu Overview of Dogana
- 23. Dogana Platform The Dogana Project End2End platform, which embodies both advanced reconnaissance methods for uncovering the digital shadow of targets as well as psychological profiling. End-to-End SE Platform The advanced recon methods are integrated into a one-stop platform where full assessment of targets can be conducted. Adv. Recon and Assessment of Targets The platform integrates social engineering 2.0 attack vectors, thus becoming a holistic attack solution for conducting socially driven vulnerability assessments of companies. Integrated SE 2.0 attacks http://www.dogana-project.eu
- 24. Innovative Awareness Methods The Dogana Project Gamification is the concept of using serious games as a delivery method for improving the security consciousness of the recipients. Gamification Serious games are interactive and can be either single- or multi-player. Serious games can prove to be more effective than conventional learning methods. Interactive learning 2 min. of playing a game every day for six months contra spending 6 hours at a frontal lecture once every sixth month. Which has the greatest impact in maintaining security consciousness for the recipient over time? Less is more http://www.dogana-project.eu
- 25. F u t u r e o f S o c i a l E n g i n e e r i n g
- 26. Introducing SNAP_R Future of SE SNAP_R auto-analyses and selects targets, and generates proper and relevant responses to tweets, which inclulde a phishing link. Aut. E2E Spear Phishing on Twitter It utilizes deep learning for analysing data from users and data about users, in order to select the most susceptible targets to spear phishing attacks. Neural Network / Deep Learning Given that grammatical errors are widely accepted on twitter, that the tweet is limited to 140-characters and that URLs are almost always shortened, the SNAP_R gets away with most of the obstacles of machine learning for automated spear phishing attacks. Deception through Obfuscation
- 27. Introducing SNAP_R Future of SE SNAP_R is up to five times as effective compared to other automated spear phishing bots, which typically has a success rate ranging from 5% to 14%. However, SNAP_R reports success rates ranging from 30% and 66%. Manually constructed spear phishing attacks has an average success rate of 45%. 5x More Effective SNAP_R is open source and available for everyone to test. The script can be found on Github: https://github.com/getzerofox/SNAP_R Open Source Example
- 28. IoT Ransomware Future of SE IoT ransomware is no longer hypothetical. We foresee a development in ransomware attacks moving to IoT as soon as more standards are implemented in the making of IoT devices. Internet of Things Ransomware When all of your devices become connected to the Internet, ransomware attacks will be able to move from focusing on locking access to data to locking access to your actual devices. From Digital to Physical Lockdown • Your Smart Car • Your Smart Home • Pacemakers • Hospital Equipment • Real Examples: Smart Thermostat & Smart TV Examples
- 29. T h a n k y o u Dennis Hansen Email: [email protected] Tel.: +45 31 53 43 44