The term “ethical hacker” is becoming more widespread as organizations start to realize the value such a mindset can bring to improve their cybersecurity posture. That said, many people still know very little about what techniques, processes, and tools are utilized in ethical hacking. When an ethical hacker is contracted to find and exploit vulnerabilities in an organization, often the only output a customer sees is the final report without knowing exactly what happened in the background to reach that outcome. This blog dives into what a day in the life of an ethical hacker looks like.
My heart is pounding–lying, manipulating, and thinking on my feet make me a bit uncomfortable. But vishing (phone phishing), requires a little bit more improvisation. Reminding myself that I am teaching and ultimately protecting this client from a real malicious actor, I pick up the phone and begin to dial their help desk phone number.
It is important to note that our clients’ security and privacy are paramount. Although this is based on real events, this article remains a culmination of several engagements, and names and titles have been changed.
Leading up to this moment, we spent hours of behind-the-scenes planning, research, and plotting in the form of open-source intelligence (OSINT) gathering. All of the information collected from the OSINT process allowed us to develop an understanding of the company’s service offerings, vendors, customers, staff, and technology stack. We built our social engineering campaigns by collecting all publicly available information from the company’s website, LinkedIn, and more with tools such as LinkedInToUsername, Maltego, and SpiderFoot.
By the time we pick up the phone, we know more about the target company’s hierarchy and personnel than most real employees. OSINT data might include who reports to whom, how long our target has been working there, what they did before, where they went to school– even their current mailing address. This information is important for developing a convincing pretext; pretexting is a social engineering technique where a malicious actor creates a fictional backstory that is used to manipulate a target into providing private information or to influence behavior. Real malicious actors often impersonate a person of authority, co-worker, or trusted organization to engage in back-and-forth communication prior to launching a targeted attack against their target.
Our job as a Red Team is to emulate real malicious actors by simulating how they would attack systems, so companies can plan and protect accordingly. Becoming a target is inevitable; companies should take every opportunity to prepare for an attack, so it does not catch them off guard.
For this scenario, we chose Linda, a senior legal executive at the firm, with a high level of access to company data and authority. Since we do not have access to Linda’s real email address, we purchased a typosquatted domain, for $1 a month, that simply added “legal” to the end of their actual domain, hoping to pass it off as Linda’s ‘new’ email address. A typosquatted domain is, for example, a similar domain that would easily be mistaken as being a legitimate domain owned by the company, but used by a malicious actor.
During our research, we found that the company used Office365 and undoubtedly held a multitude of confidential documents and agreements therein. My mission was to call the company’s IT help desk, impersonate Linda, and convince them to urgently change my (Linda’s) Office 365 password so that I could access the portal in time for my (Linda’s) next meeting.
To improve our chances, we played a recording of loud construction noises in the background, creating a false sense of stress and urgency, a very common psychological tactic utilized in social engineering.
I also used pretext, by frequently referencing the importance of resolving my Office365 login issue quickly by emphasizing that I needed to provide critical legal information to the CEO, Mark, as soon as possible.
I felt sufficiently prepared, yet nervous to make the first move and dial the IT help desk number. Luckily, the IT help desk representative who answered the phone, Sam, seemed to know Linda immediately and accepted my assumed identity. I quickly moved on to detailing my issue around logging into Office365. Sam asked if he could remote into my work computer, so I quickly pivoted and stated that I was on my personal laptop. Many companies have a policy in place mandating that company data should not be accessed from personal computers, however, many executives and VIP’s are provided security exceptions given their authority. Had this policy been consistently enforced, Sam would have denied my request and escalated my issue to the IT help desk manager for further review.
After several minutes of further explaining the fictitious problem, Sam said that he would email me a temporary password but asked me for my employee ID number. Each of these roadblocks could have stopped us in our tracks but we narrowly avoided them. This is what we do – we look for holes in what should be consistent protocol, and we make them clear to our clients so they are not an easy target.
I panicked. My throat went dry; we had not found employee ID numbers for anyone during our reconnaissance process. So, I simply said I did not have it on me at the time and reiterated the urgency of my request to obtain information from the portal for my boss, our CEO, Mark. Clearly, they have a policy in place where an Employee ID should have been required in order to continue the password reset process.
I instructed Sam to send the password to my “other work email” which was the new, fake domain we had purchased, and he agreed. Many companies also have a policy that if an email address isn’t already on file in their systems, they cannot send any company data to that email, let alone critical data such as a password. Sam should have escalated my issue to the IT help desk manager and looked further into the situation at hand.
A moment later a temporary password for Linda’s account came through to the fake email we created. I could not believe it. My jaw dropped as I felt victorious, yet increasingly guilty. But then I remembered that if I could obtain their executive’s password, so could a malicious actor who would cause true damage to their business–fiscally and reputationally.
I thought we were in the clear, but a window popped up asking for a SMS Multi-factor Authentication (MFA) code. We did not have Linda’s cell phone number so thinking on my feet, I told Sam I recently got a new phone and therefore my number had changed. He reset the phone number for MFA to my own personal number. Enforced, layered security could have stopped our attempted unauthorized access, but any security that can be bypassed by one person without an escalation process is a major security issue. The cybersecurity posture of an organization is only as strong as its weakest link.
My successful login provided access to sensitive data that a malicious actor could leverage in executing a ransomware or extortion attack. This included confidential communications to numerous company business units, access to thousands of emails and Microsoft Teams chats, compliance and company security reports, and legal documents related to their entire customer base. The company file server also provided access to substantial tax and financial information, legal documentation related to their subsidiaries, and more.
If we could accomplish this with a few hours and a couple of dollars, imagine what real malicious actors can do to an unprepared organization.
This is what GoVanguard specializes in. Not only is it important to have security controls in place, but also to apply them with a defense in-depth approach that doesn’t rely on a singular person or system to ensure a robust security posture, but rather multiple controls at different levels so that if one fails, another will provide protection.
It is not just important for employees to adhere to security policies but to have to compensate technical controls in place, such as Office365 Impossible Travel detection and blocking. If a person is logged in in New York and then a new log-in attempt comes from Florida, it would be impossible for that person to travel that distance in an instant, so Microsoft would block the log-in attempt.
If a singular human didn’t have the ability to bypass process without a manager’s approval (for example requiring an Employee’s ID number verification before sending a new password or only sending an SMS Multi-factor Authentication (MFA) code to the phone number on file), then they could have prevented this attack.
What I enjoy the most about performing cybersecurity red teaming work such as social engineering is that we can contribute some good to the world by creating teachable moments.
I love working with our clients to ensure we deliver valuable insight and quality reports so that even non-technical leadership can easily understand their security posture and the actionable recommendations we provide. We enable our clients’ to bolster their defenses so they are less susceptible to reputation damage and data breaches.