Offensive Security Rants & Threat Actor Roleplay
22 February 2022
As an offensive security consultant, I regularly help perform social engineering assessments. These often consist of sending phishing emails, breaking into a building to test the physical security of an organization, and making vishing calls to see how much confidential information employees are willing to divulge to a simulated bad actor. This leads me to the engagement which inspired this blog post.
The vishing engagement focused specifically on the cyber security implications of the coronavirus pandemic for a well-established medical-treatment company. I noticed some stark contrasts to previous engagements, as well as between employees still in the office and those working from home. Anecdotally, I thought this was worth sharing, as the shift to a remote workforce may be impacting other businesses.
Employees who were working remotely appeared unable to follow previously established procedures. In this case, they likely lacked access to their employee directory. Confirming my proposed identity may have been impossible.
The employees who answered their phones were more gabby than usual. Perhaps it’s because isolation had made us all a bit hungrier for social interaction. Having longer, more human conversation isn’t bad in itself. The danger is that it provides more opportunity for a bad actor to relate and build false trust. These types of calls increase the likelihood of bad outcomes.
The remote employees were much harder to reach than usual. In fact, even though I spoofed the company’s phone number, most didn’t answer their phone. Whenever I’ve hosted tabletop exercises in the past, I’ve asked, “Will you be able to reach this team outside of business hours?” Companies always answer, “Yes.” However, this is hard to test for some companies, and often there is no need to unless a major incident occurs. Should a cyber security issue arise, companies with unresponsive staff will have time working against them.
This pandemic presents a new security risk in itself. What bad habits may employees be prone to when working from home? Can they be reached in a timely manner?
Based on my observations, I recommend increasing communication with your team. Make sure they have needed tools and encourage them to maintain security procedures. Ensure that team members have access to your VPN. Confirm they know who to contact about any phishy emails or phone calls.
Finally, strongly consider using this shift in the workplace to your benefit. If you have the ability, consider having the security habits of your employees tested. The vulnerabilities discovered from testing during this time will be beneficial into the future. They may help your company institute new procedures that tighten security or improve business practices for the long run.
Please note that this post was originally written at the beginning of the COVID-19 pandemic. Remote and/or hybrid work has become ‘the norm’ since this blog post was written. I thought it would be worth sharing this on my personal blog as the trends noted in this post are still relevant.
It’s also worth noting that I gave a talk at CactusCon on this topic which pairs well with this blog post: