Once inside, "the rest of the folks there were really friendly and helped me get into locked rooms and even their server room," he recalls. And, for that engagement, none of the remaining branches caused him such stress.
Think such social engineering engagements are unnecessary and don't correlate to real-world attacks? Think again. Jon Heimerl, Solutionary's senior security strategist, recalls a number of social engineering exercises from recent engagements. Solutionary was hired to test a client's social engineering resiliency following completion of a security awareness training effort. "I called a random number in the company's phone number range and reached a voice mail of an employee who was out of the office on an extended vacation. I was able to call the company's helpdesk (number provided in the out of office voicemail) and pretend to be the employee with a sore throat, under pressure about a critical project (revealed in the out of office voicemail)," Heimerl recalls.
What was he able to accomplish with that information? "I was able to get the helpdesk to change the employee's password," he says.
Heimerl then was able to use that new password to log on to the employee's Outlook Web Access email, where the employee stored a wide variety of sensitive information, including usernames and passwords for many critical systems in the company. The entire social engineering engagement took less than three minutes, Heimerl says, but within half an hour Solutionary was able to log on to the company's domain controller — with valid usernames and passwords. "Nothing we did would have generated any alerts or looked like an attack. I was able to use the information provided in the out of office voicemail to convince the helpdesk I was that employee," Heimerl says.
That's all he needed.
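One way a defender could have surfaced the sequence Heimerl describes, as an added example (not Solutionary's tooling or code from the article): correlate a helpdesk-initiated password reset with logons for that account, inside the half-hour window the article mentions, from a source the account has never used before. Every event record, IP address and the `verified_by` field here is constructed for the illustration.

```python
"""Added example: flag helpdesk password resets followed by logons from an
unfamiliar source. Event records below are constructed, not real logs."""
from datetime import datetime, timedelta

# Constructed sample events (UTC timestamps). The first three mirror the
# article's story: reset, webmail logon, then domain controller logon.
EVENTS = [
    {"ts": "2024-05-06T09:00:00", "type": "helpdesk_password_reset",
     "user": "jdoe", "verified_by": "caller_claimed_identity"},
    {"ts": "2024-05-06T09:02:30", "type": "owa_logon",
     "user": "jdoe", "src_ip": "203.0.113.7"},
    {"ts": "2024-05-06T09:25:00", "type": "dc_logon",
     "user": "jdoe", "src_ip": "203.0.113.7"},
    {"ts": "2024-05-06T11:00:00", "type": "helpdesk_password_reset",
     "user": "asmith", "verified_by": "manager_callback"},
    {"ts": "2024-05-06T11:10:00", "type": "owa_logon",
     "user": "asmith", "src_ip": "10.0.4.21"},
]
# Constructed baseline: source addresses each account has used before.
KNOWN_SOURCES = {"jdoe": {"10.0.4.9"}, "asmith": {"10.0.4.21"}}

WINDOW = timedelta(minutes=30)          # the article's "within half an hour"
LOGON_TYPES = {"owa_logon", "dc_logon"}


def find_suspicious_resets(events, known_sources, window=WINDOW):
    """Return (user, reset_ts, verified_by, logons) for every helpdesk reset
    that is followed within `window` by a logon from a source not in the
    user's baseline. Events are sorted by timestamp first."""
    ordered = sorted(events, key=lambda e: e["ts"])
    findings = []
    for i, ev in enumerate(ordered):
        if ev["type"] != "helpdesk_password_reset":
            continue
        t0 = datetime.fromisoformat(ev["ts"])
        hits = []
        for later in ordered[i + 1:]:
            if datetime.fromisoformat(later["ts"]) - t0 > window:
                break                   # sorted input: nothing later qualifies
            if (later["type"] in LOGON_TYPES and later["user"] == ev["user"]
                    and later["src_ip"] not in known_sources.get(ev["user"], set())):
                hits.append(later)
        if hits:
            findings.append((ev["user"], ev["ts"], ev["verified_by"], hits))
    return findings


if __name__ == "__main__":
    for user, ts, how, logons in find_suspicious_resets(EVENTS, KNOWN_SOURCES):
        print(f"{user}: reset at {ts} (verified by {how}) followed by "
              f"{len(logons)} logon(s) from unfamiliar sources")
```

The `verified_by` field is the second lever: a reset approved on the caller's own say-so, as in the story, deserves review even without a follow-on logon.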
In another engagement, during a breach remediation that Heimerl's team was working on, the attackers had infiltrated the company for some time using advanced malware. "We were in the process of shutting down the attack vectors when a non-IT employee received a call. The caller identified himself as someone working with the CISO who knew that the CISO was working on a special project — the breach — with some outside contractors, and asked if he could get the names of those contractors," he says.
Heimerl believes that the attacker(s) were trying both to confirm whether the company knew it had been breached and to learn who they were up against (on defense and investigation). "Often, bad guys will go dormant if they think their victim is onto them, waiting for the smoke to clear before starting right back up again. Sometimes this works. Other times, when the investigation is more thorough, it doesn't," he says.