At the start of the year, the UK Office for National Statistics reported that cybercrime against businesses had climbed by 63% in 2017. But what, if anything, is being done to tackle the problem?
One rather obscure method of testing a company’s security is the hiring of a cybersecurity red team. These teams of professional hackers are challenged to take on the role of would-be attackers, infiltrate high profile businesses and uncover any flaws in the company’s security.
The exploits of red team hackers are detailed by Tom Van de Wiele, principal security consultant at F-Secure, in the latest issue of cybersecurity magazine Verdict Encrypt.
8 tricks cybersecurity red teams use to break through a company’s defences
Cybersecurity red teams like to begin by gaining as much intelligence as possible about the physical location of a business, so any potential security weak spots can be identified. This often involves the purchasing of building blueprints which are readily available from government departments in most European cities.
Van de Wiele told Verdict Encrypt:
“For a few euros they will give you the architectural maps and that will show us the entrances, exits, stuff like that, via a courtyard or garden, because maybe it’s not apparent from the outside; not even Google Maps has that information.”
Searching through social media to see what company employees are posting online can also help red teams to gain vital information.
“This guy takes this screenshot of his new work station that’s fantastic, but now you’re showing me all the applications that you use the most, which allows me to target you,” Van de Wiele said.
Information found in rubbish bins can reveal a lot, such as the kind of printer that a company uses or the company in charge of maintenance.
A member of the red team can then ring up the company that they are trying to infiltrate posing as an employee for the maintenance company. According to Van de Wiele, this is a useful way of gaining access to the building.
“We ask one of our colleagues with a nice warm female voice to call up the IT manager to say ‘yeah there’s been this security fix for Canon printers. It happened in the factory so it’s on us. When can we send a guy?’ and the next day one of our colleagues shows up saying ‘Hello I’m here for the printer’ and they leave you alone.”
Rubbish can also provide a red team with printed emails or letters which highlight other companies that are in correspondence with the target business. The red team can then ring employees posing as a colleague to gather more information, using details of transactions to support their claims.
Applying for jobs
If sifting through garbage doesn’t prove fruitful, members of the cybersecurity red team may apply for jobs at the company they’re trying to infiltrate using fake CVs.
However, the goal is not to get a job, but an interview. Once inside the building, the hacker can find an excuse to be left alone and use a computer to gain persistent access to the company network.
“You’re inside the building and you say: ‘Look my wife is pregnant, it’s the doctor, do you mind if I just stay in the meeting room for five minutes?’ And they’ll leave you,” Van de Wiele says. “You log in with the computer that you’ve brought and then you call your colleagues saying: ‘Did you get in?’ and they say: ‘Yep we have persistent access’.”
A classic method of gaining network access is through the use of phishing emails, which are designed to trick internet users into clicking a malicious link.
“You will click on my phishing email. Why? Because maybe I determine that you’re running Outlook. Maybe I know that you have one of these pop-up notifications on, I know when you’re sitting in a meeting, you’re presenting your new stuff to your colleagues,” Van de Wiele explained.
“You see the pop up coming up saying: ‘Thank you so much for subscribing to the adult content newsletter, if you did not sign up for this please click this link’, which doesn’t go there obviously it goes to my server with a really nasty captcha to start off and you’re not gonna get it and by the time you’ve solved the third attempt at my captcha, my code has finished running and we’re done.”
Emails regarding fake LinkedIn complaints can also have this desired effect.
Van de Wiele explained that using tactics which attack emotions can remove people from a headspace where security is their main concern.
WiFI and Bluetooth
Being close enough to an office to have access to the company’s WiFi and Bluetooth services can help hackers target the network.
Some wireless office devices, such as keyboards and mice, have a security vulnerability which enables hackers to take control of them. If the company does not appear to use these devices then cybersecurity red teams will happily send them some under the pretence that they are a gift from a different company.
WiFi is also easy to manipulate. One common approach is to create a WiFi network which looks exactly the same as the one used inside the building. This can be used to insert malware on to devices that connect to it.
Cybersecurity red teams have also been known to clone local networks which require passwords, such as those found in nearby cafes. The phones of employees who have previously used the WiFi at this local café will then join the fake network automatically. The clone network can then insert malicious code into any unencrypted apps on their device.
The device owner will then receive a fake password prompt for any services that the red team knows the company uses.
Breaking and entering
Perhaps the most old-fashioned method on this list is the process of physically breaking into buildings.
Companies often given red teams permission to break windows as a means of entering a building, according to Van de Wiele. However, a stealthier method involves using compressed air to trigger motion sensors on doors that only open from the inside.
Key cards can also be easily cloned from those who wear them on lanyards around their neck during their morning commute. For office entrances with keypads, there is a tool which can show heat signatures on a keypad to reveal the pin number.
Some businesses, such as banks, require fingerprints to gain entry into certain parts of the building or complete certain actions.
The residue of oil and fat on fingers can leave prints that can be lifted from the likes of a keyboard, mouse or glass.
According to Van de Wiele, lifting a print can be done using a toy detective set, the dust from a printer cartridge and scotch tape.