Bridewell Consulting were engaged by a financial services organisation who were looking to undertake a real-world test of their security controls.
A large financial organisation engaged Bridewell Consulting to provide a testing scenario that could simulate a real-world attack scenario. The organisation placed a large focus and pride on the security of their network perimeter, providing a significant amount of confidence to their board that they would be protected from any form of external cyber-attacks.
The Bridewell team and security consultants held several meetings to fully understand the client’s requirements, agree time scales and identify the core scope and objectives of the assessment. These were identified as:
- A real-world approach would be taken, simulating attacks from all possible vectors and without scope limitations with the exception of ‘denial of service attacks’.
- Attack vectors could include social engineering, physical access attempts, active reconnaissance and full suite of technical penetration testing techniques such as infrastructure, web applications, mobile applications and controlled forms of malware deployment.
Bridewell agreed that the engagement would be undertaken over the period of 3 months and from the point of contract signature and go-live, there would be no further contact between the parties (with the exception of any validation of testing vs real-life attacks taking place).
In addition to the detailed scoping requirements, Bridewell agreed an overview of the key milestones with the client. The key milestones of the assessment were:
- Identify scope, objectives of the assessment, the client and safeguards.
- Agree start date and end dates.
- Conduct multi-faceted testing techniques.
- Conclude testing
- Presenting findings to the clients Executive Board
Getting to Work
Following on from the agreement of the engagement milestones Bridewell assembled their internal team. This consisted of various employees across the company, each with different skill sets that ranged across technical capability, physical entre and social engineering. It is key that multiple attack vectors are effective, and this requires various skills and people.
Reconnaissance is Key
Bridewell’s team of consultants devised a detailed plan and storylines for the assessment, which commenced with a reconnaissance phase to build a detailed picture of the client. It is imperative that the Bridewell team understands and discover any weaknesses in order to ensure that any attacks were credible. These areas consisted of:
- Physical – Bridewell’s consultants performed reconnaissance on several client sites across the country which consisted of assessing the physical security controls, dress code as well as lanyards, company culture in terms behaviour such as tailgating and also whether any wireless signals were broadcasting from nearside building locations.
- Online – Bridewell carried out reviews of the client’s website, job descriptions, social media accounts and Open Source Intelligence (OSINT).
- Technical Vulnerabilities – The Bridewell team performed checks against the client’s external infrastructure to ascertain any entry points or open ports that can be utilised against the client.
- Relationship Building – Several LinkedIn profiles were created and Bridewell started building relationships with the employees of the client, enquiring about roles within the company over the telephone and email.
Attack Paths to Success
Following the reconnaissance phase the Bridewell team utilised several attack methods to obtain a foothold, which were focused around physical access to enable remote access into the network and social engineering to deliver malware payloads.
Gaining Physical & Remote Access
Bridewell developed a remote access device using a Raspberry Pi. The Bridewell team were able to ascertain that there was a seven second delay between an access card being swiped and cloned the client’s badge to obtain physical access. Following successful entry into the building, the Bridewell team plugged in a remote access device and were able to successfully connect into the client network. The bridewell team started assessing the internal infrastructure where they were able to exploit a known vulnerability, which provide local access to a server and associated credential from within the server memory. Following the account compromise Bridewell accessed other services until eventually gaining Domain administrator privileges. Bridewell pivoted further into various network segments and managed t gain access to the client’s main customer database, which consisted of approximately 5 million customer records.
Social Engineering & Malware Deployment
Bridewell had built several relationships with individuals across the client’s various departments but decided to focus around the Human Resources (HR) area, applying for a role within their IT teams. This was done by creating fake LinkedIn profiles, CV’s and contacting the department via telephone to discuss the various roles. Bridewell had also developed their own malware, which if successfully executed, would provide our consultants with remote access onto the infected user device. The malware was tested in a mock environment to maximise the chances of successfully bypassing the client’s mail filters. Following further assessment of the client’s external infrastructure and liaising with the HR Department, the Bridewell team also discovered that the client was using a very well-known email filtering product. However, on further analysis Bridewell discovered a configuration within the implementation of the product that was available for Bridewell to exploit in order to bypass the mail filtering completely.
Bridewell were subsequently able to send email attachments to the client and successfully deploy the malware onto the client’s laptops, which provided Bridewell Consultants remote access to a large set of personal data files, which were screen shot for evidence gathering.
Presenting the Key Outcomes and Findings
On completion of the red team engagement, the Bridewell team met with the Executive Board to present the full details of the assessment approach and their findings. The assessment began with Bridewell Consultants having no knowledge or access of the client’s systems or premises and concluded with Bridewell having the highest levels of access to the client’s network and the highest levels of access to their key customer database – containing approximately five million records.
Bridewell walked the board members through each phase of the engagement, explaining some of the complex aspects of the test in a way that could be understood by some of the non-technical audience. The client thanked Bridewell for the assessment but also for the professional, proportionate approach in presenting the findings to the board. Following the assessment, the client requested to continue to work with Bridewell Consulting in order to help them improve their internal security architecture, to identify and prevent similar attack scenarios and a layered approach to security.