
Alice (and Bob) in Blunderland

Two of our ethical hackers exploited what is arguably the most vulnerable component of any organization. Its people. Read how a client’s employees made a significant blunder by literally opening the door for them.

The client

For us, client confidentiality is key. So, while we can’t reveal names, know that the world’s leading organizations trust their offensive cybersecurity needs to us.

In this case, the client is a financial services company with a large employee base at offices in many countries.

The brief

CovertSwarm were tasked with assessing both the client’s physical and technical security controls, by simulating a physical and network-based attack at their head office location.

The mission

Our engagement team comprised two Swarm members. Let’s call them Bob and Alice.

The engagement started at around 9.30am, with Bob and Alice observing the office building from across the street in their car. They identified what appeared to be a publicly accessible smoking shelter and made their way across to it.

Initial access

As staff approached, Bob struck up a conversation with an employee under the guise that they were from another office and just visiting for a few days. Using his knowledge of the business and experience of the typical ‘noise’ that happens in all companies, Bob was able to have conversations with several members of staff. When their new ‘friends’ began to filter back in, Bob and Alice went into attack mode and tagged along.

Maintaining conversation as they approached the publicly accessible door, Bob made a point of holding the door open for one of the employees to ensure they reciprocated by opening the secure door that gave access to the stairwell and secure office areas.

Alice, who had been following just behind Bob, pretended to be engrossed in conversation on her mobile, so was also able to slip into the secure area of the building thanks to the time delay provided by the soft-close door mechanism.

On the inside

Now that Bob and Alice were both inside the secure office areas, Bob continued talking to his new friend until they reached the second floor, where the reception area was located.

Once at the secure door, Bob copied his friend’s action by waving and greeting the receptionist, making it appear as though he had been collected by the staff member who was, in fact, just returning from a cigarette break. Once again, the secure door was opened for Bob, who now had access to the office area.

Bob immediately located an empty desk, sat down and covertly connected a dropbox device to a spare Ethernet port. He then connected to the network before kicking off a script designed to test for vulnerabilities.

The nature of the script meant that it would take some time to gather data and work on the exploit, time which Bob spent stealing several corporate devices (authorized as part of the brief, of course).

So, what about Alice?

After hanging around a secure door on the first floor, still engrossed in that mobile conversation, Alice soon gained access when an employee exited.

After making straight for an empty meeting room, Alice deployed her own dropbox and immediately left the building. Once outside, she settled herself back into the car, got out her laptop and connected to her dropbox. Within minutes she was able to obtain highly privileged domain administrator-level rights, along with numerous files containing sensitive company and client-related data.
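Both dropbox deployments above depended on a live Ethernet port that accepted any device plugged into it. One detective control a network team can put in place is to compare what the access switches actually see against an asset inventory. The following is an added example, not code from the original post or from CovertSwarm: the asset inventory, the list of ports expected to be unused, and the MAC-table snapshot format are all constructed for illustration.

```python
"""
Flag unexpected devices on access-switch ports.

Added example: the inventory, port list and MAC-table snapshot below are
constructed for this illustration and do not represent any real vendor's
output or any real organization's network (assumptions).
"""
from dataclasses import dataclass

# Constructed asset inventory: MAC address -> (asset tag, expected switch port).
# In a real deployment this would be pulled from a CMDB or NAC system (assumption).
KNOWN_ASSETS = {
    "00:11:22:aa:bb:01": ("WS-FIN-0142", "Gi1/0/4"),
    "00:11:22:aa:bb:02": ("PRN-2F-LOBBY", "Gi1/0/9"),
    "00:11:22:aa:bb:03": ("WS-FIN-0177", "Gi1/0/12"),
}

# Ports with no assigned asset; these should be administratively shut down.
UNUSED_PORTS = {"Gi1/0/7", "Gi1/0/15", "Gi1/0/22"}

# Constructed MAC-table snapshot, one "<port> <mac> <vlan>" line per entry.
# b8:27:eb is the Raspberry Pi Foundation OUI, a common dropbox platform.
MAC_TABLE_SNAPSHOT = """\
Gi1/0/4  00:11:22:aa:bb:01 10
Gi1/0/9  00:11:22:aa:bb:02 10
Gi1/0/7  b8:27:eb:12:34:56 10
Gi1/0/12 00:11:22:aa:bb:03 10
Gi1/0/5  00:11:22:aa:bb:01 10
"""


@dataclass(frozen=True)
class Finding:
    port: str
    mac: str
    reason: str


def parse_mac_table(text):
    """Parse the snapshot into (port, mac, vlan) tuples, skipping malformed lines."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        port, mac, vlan = parts
        entries.append((port, mac.lower(), int(vlan)))
    return entries


def find_rogue_devices(entries, known=KNOWN_ASSETS, unused=UNUSED_PORTS):
    """Return a Finding for every entry that contradicts the inventory.

    Three conditions are checked per entry:
      1. link on a port that should be unused (the "spare port" case),
      2. a MAC that is not in the inventory at all,
      3. a known MAC appearing on a port other than its expected one
         (a moved asset, or a device spoofing an inventoried MAC).
    """
    findings = []
    for port, mac, _vlan in entries:
        if port in unused:
            findings.append(Finding(port, mac, "link on port marked unused"))
        if mac not in known:
            findings.append(Finding(port, mac, "MAC not in asset inventory"))
        else:
            _tag, expected_port = known[mac]
            if expected_port != port:
                findings.append(
                    Finding(port, mac, f"known asset expected on {expected_port}")
                )
    return findings


def summarize(findings):
    """Group finding reasons by port so an analyst sees one line per port."""
    by_port = {}
    for f in findings:
        by_port.setdefault(f.port, []).append(f.reason)
    return by_port


if __name__ == "__main__":
    for port, reasons in summarize(
        find_rogue_devices(parse_mac_table(MAC_TABLE_SNAPSHOT))
    ).items():
        print(f"{port}: {'; '.join(reasons)}")
```

Run against the constructed snapshot, the device on Gi1/0/7 is flagged twice (the port should have been down, and the MAC is unknown), and Gi1/0/5 is flagged because an inventoried MAC appears somewhere other than its recorded port. The inventory check is the one that matters for the scenario in this post: if "spare" ports are left live, as they were here, only a device-level control such as 802.1X/NAC or an inventory comparison like this one will notice a dropbox.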

Discovered, but still more to uncover

On returning to the office after taking the stolen corporate devices off site, Bob was challenged and caught. Thinking they had identified and neutralized the threat, a company employee asked him to remain in the reception area.

While waiting to be debriefed by the onsite client contact, Bob was left alone for a few minutes. So he thought he’d test the security of the reception area. In a drawer next to the reception desk he found and ‘borrowed’ three key fobs, which were later found to grant access to all secure doors in the building.

During the debrief the client contact was happy that staff had acted so quickly in identifying and apprehending Bob. That was until Bob informed them that, while all the attention was on him, his colleague Alice had gained access, installed a dropbox, left the building and then fully compromised their domain.

The takeaway

Bob and Alice continued their covert attack for a further four days, only revealing themselves to the entire company at the end of the engagement during security awareness training sessions based around their onsite activities.

This engagement proved incredibly valuable as it identified process-based gaps that the client was able to remediate. It also became a relatable lesson for the entire company due to Bob and Alice’s numerous interactions with various employees over the course of the week.

To combat the ever-present risk of attacks against arguably the most vulnerable component of an organization, its people, we recommend that staff should receive regular security awareness training to better understand the risks of social engineering and their responsibilities as employees when faced with such situations.