Social Forensication: A Multidisciplinary Approach to Successful Social Engineering

Presented at BSidesNova 2019 by

This presentation outlines a new twist on an existing social engineering attack. In the past, we have worked on getting users to plug in USB devices to drop malicious documents and executables. While this attack sometimes proves our point, it is only the tip of the iceberg of what can be done. Enter Social Forensication. This is a two-pronged attack: the first prong collects a memory image for offsite offensive forensic analysis, the second is a rogue Wi-Fi access point attack. During this presentation, we will walk through the steps to perform each attack. Since defense is just as important as (if not more important than) the attack itself, we will also discuss mitigations (technical and procedural) and relevant Windows detections for these attacks.

Detailed Description

Intro (1:00)

The basics of Social Engineering (6:00)
  General discussion about the methods of social engineering: *ishing, spear phishing, whaling, baiting, dumpster diving, etc.
  Goals of social engineering
  Principles of persuasion

Existing techniques and research (9:00)
  Discussion about Jayson Street's and others' methods of introducing USB devices and the goals of such attacks.

Attacks overview (10:00)
  Introduction to the Forensics Attack
  Introduction to the Rogue Wi-Fi Access Point (WAP) Attack

Attack #1: Forensics (17:00)
  Required gear
  Steps:
    Planning
    Building the pretext
    Gaining access
    Building rapport
    Playing the part
    Getting the memory image
    Analysis
  Attack defenses

Basics of Volatility and useful commands (22:00)
  Steps to collect a memory image (dump)
  Volatility usage
  Useful commands (examples): Mimikatz, Hashdump, Connscan, Privs, DumpCerts
  Applicability in attacking
  Ideas for future research and wiki for more modules

Mitigations and Considerations (30:00)
  Considerations for attacking: legal, ethical, impersonation
  Detections: physical, Windows events, EDR/IDR
  Mitigations: training, timing

Attack #2: Rogue AP (34:00)
  Required gear
  Steps:
    Planning
    Building the pretext
    Standing up the infrastructure
    Gaining access
    Planting the device
  Attack defenses

Mitigations and Considerations (42:00)
  Considerations for attacking: legal, ethical
  Detections: physical, asset management
  Mitigations: training, asset management, routine scanning

Questions (45:00)
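The talk lists "Windows events" and "timing" among the detections and mitigations for the forensics attack, in which a visitor's device is plugged into a workstation to take a memory image. The script below is an added example, not material from the talk or its speakers: it turns those two bullets into a concrete check by parsing Windows Security event 6416 ("A new external device was recognized by the system"), raising an alert for any storage-class device whose hardware ID is not in an asset inventory, and escalating severity when the insertion happens outside business hours. The event records are constructed here in a simplified key=value export format; the field names (ClassName, VendorIds, DeviceDescription) mirror the real event, while the inventory, the business-hours window and the device-class list are assumptions a defender would replace with their own.

```python
"""Flag unapproved external storage devices from Windows Security event 6416.

Added example (not from the BSidesNova talk). Event records are CONSTRUCTED
in a simplified 'key=value;key=value' export format; in production they
would come from the Security log via a SIEM or EDR export.
"""
from dataclasses import dataclass
from datetime import datetime

# Device classes that can carry tooling in or a memory image out (assumption).
STORAGE_CLASSES = {"DiskDrive", "USB", "WPD", "Volume"}

# Assumed asset inventory: hardware IDs of devices the organisation issues.
APPROVED_HARDWARE_IDS = {
    "USB\\VID_0781&PID_5583",  # constructed: corporate-issued flash drive
}

# Assumed business hours; insertions outside this window get higher severity.
BUSINESS_HOURS = range(8, 18)


@dataclass
class Alert:
    timestamp: str
    host: str
    description: str
    severity: str


def parse_event(raw: str) -> dict:
    """Parse one constructed 'key=value;key=value' record into a dict."""
    fields = {}
    for part in raw.split(";"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def severity_for(timestamp: str) -> str:
    """Device plugged in after hours is more suspicious than during the day."""
    hour = datetime.fromisoformat(timestamp).hour
    return "medium" if hour in BUSINESS_HOURS else "high"


def evaluate(raw_events) -> list:
    """Return an Alert for every unapproved storage-class device recognised."""
    alerts = []
    for raw in raw_events:
        ev = parse_event(raw)
        if ev.get("EventID") != "6416":
            continue  # not a new-external-device event
        if ev.get("ClassName") not in STORAGE_CLASSES:
            continue  # keyboards, mice, etc. are out of scope for this check
        hardware_id = ev.get("VendorIds", "")
        if hardware_id in APPROVED_HARDWARE_IDS:
            continue  # inventoried corporate device
        alerts.append(Alert(
            timestamp=ev["TimeCreated"],
            host=ev["Computer"],
            description=f"{ev.get('DeviceDescription', 'unknown')} ({hardware_id})",
            severity=severity_for(ev["TimeCreated"]),
        ))
    return alerts


# Constructed sample events: one approved drive, one keyboard, two unknown
# storage devices (one during the day, one at night) and an unrelated logon.
SAMPLE_EVENTS = [
    "TimeCreated=2019-03-02T09:12:00;Computer=WS01;EventID=6416;ClassName=DiskDrive;"
    "VendorIds=USB\\VID_0781&PID_5583;DeviceDescription=Corp Flash Drive",
    "TimeCreated=2019-03-02T09:15:00;Computer=WS01;EventID=6416;ClassName=Keyboard;"
    "VendorIds=USB\\VID_046D&PID_C31C;DeviceDescription=USB Keyboard",
    "TimeCreated=2019-03-02T14:05:00;Computer=WS07;EventID=6416;ClassName=DiskDrive;"
    "VendorIds=USB\\VID_1234&PID_0001;DeviceDescription=Unknown Disk",
    "TimeCreated=2019-03-02T22:40:00;Computer=WS07;EventID=6416;ClassName=USB;"
    "VendorIds=USB\\VID_ABCD&PID_0002;DeviceDescription=Generic Storage",
    "TimeCreated=2019-03-02T22:41:00;Computer=WS07;EventID=4624;LogonType=2",
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(f"[{alert.severity}] {alert.timestamp} {alert.host}: {alert.description}")
```

Event 6416 only fires when "Audit PnP Activity" is enabled in the advanced audit policy, so the check is only as good as the audit configuration pushed to the endpoints; the hardware-ID allowlist is what turns a noisy event into a usable signal.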
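For the rogue AP attack, the talk's mitigations are asset management and routine scanning. The following is an added example (not code from the talk or its speakers) of what that routine scan looks like once an asset inventory exists: each observed access point is compared against the inventory of BSSIDs the organisation owns, so that a corporate SSID broadcast from an unknown radio is flagged as an evil twin, a strong unknown SSID is flagged as a likely on-site planted device, and weak unknown networks are treated as neighbours. The scan export format, the inventory, and the -60 dBm "on-site" threshold are all constructed assumptions; a real deployment would feed in output from the wireless controller or a scanning sensor and tune the threshold per floor.

```python
"""Routine Wi-Fi scan triage against an asset inventory (added example).

Not part of the BSidesNova talk. Scan data and inventory are CONSTRUCTED;
the signal threshold is an assumption to be tuned per site.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ObservedAP:
    ssid: str
    bssid: str
    signal_dbm: int
    sensor: str  # which scanning sensor/location saw it


# Assumed asset inventory: SSID -> BSSIDs of every corporate radio that may
# legitimately broadcast it.
INVENTORY = {
    "corp-wifi": {"AA:BB:CC:00:01:10", "AA:BB:CC:00:01:20"},
    "corp-guest": {"AA:BB:CC:00:01:11"},
}

# Assumed threshold: anything this strong is probably inside the building.
ONSITE_SIGNAL_DBM = -60


def classify(ap: ObservedAP) -> str:
    """Label one observed AP relative to the inventory."""
    if ap.ssid in INVENTORY:
        if ap.bssid.upper() in INVENTORY[ap.ssid]:
            return "known"
        return "evil-twin"  # our SSID on a radio we do not own
    if ap.signal_dbm >= ONSITE_SIGNAL_DBM:
        return "rogue-onsite"  # strong unknown network: likely planted inside
    return "neighbor"  # weak unknown network: probably a nearby tenant


def triage(scan) -> dict:
    """Group observed APs by classification."""
    findings = {"evil-twin": [], "rogue-onsite": [], "neighbor": [], "known": []}
    for ap in scan:
        findings[classify(ap)].append(ap)
    return findings


def parse_scan(lines) -> list:
    """Parse the constructed CSV export: ssid,bssid,signal_dbm,sensor."""
    aps = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        ssid, bssid, signal, sensor = [p.strip() for p in line.split(",")]
        aps.append(ObservedAP(ssid, bssid, int(signal), sensor))
    return aps


# Constructed scan export from one sensor: two inventoried radios, one evil
# twin of the corporate SSID, one strong unknown network, one weak neighbour.
SAMPLE_SCAN = """\
# ssid,bssid,signal_dbm,sensor   (constructed)
corp-wifi,AA:BB:CC:00:01:10,-48,floor2-east
corp-wifi,DE:AD:BE:EF:00:01,-42,floor2-east
corp-guest,AA:BB:CC:00:01:11,-55,floor2-east
Free_Public_WiFi,02:11:22:33:44:55,-51,floor2-east
NeighborCafe,66:77:88:99:AA:BB,-83,floor2-east
"""

if __name__ == "__main__":
    results = triage(parse_scan(SAMPLE_SCAN.splitlines()))
    for label in ("evil-twin", "rogue-onsite", "neighbor"):
        for ap in results[label]:
            print(f"{label:12} {ap.ssid:18} {ap.bssid} {ap.signal_dbm} dBm via {ap.sensor}")
```

The evil-twin check is the one that depends entirely on asset management: without an authoritative list of owned BSSIDs, a planted device that copies the corporate SSID is indistinguishable from a legitimate AP in a plain scan.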