Saturday, March 12, 2016

The Commonalities of Fly Fishing, Pentesting and Social Engineering

I spend a lot of time thinking about these topics, so seeing illustrations of them in each other is expected.  This post is intended to share some of these.  But first, some concept definitions.

Pentesting is the art of testing an organization's defenses and security posture by exploiting (with appropriate written permission) computer software, hardware, and in the case of social engineering, people.

Social engineering is the art of getting someone to do something that they would not normally do (the psychological manipulation of people into performing actions or divulging confidential information).  It is not uncommon to obtain remote access to an organization's network via social engineering someone to execute a backdoor (by sending them a carefully crafted email with the backdoor as a link or an attachment), or by physically gaining access to one of their computers within their facilities.

Fly Fishing is an angling method in which an artificial "fly" is used to catch fish.

Sometimes fly fishing feels like a form of social engineering.  What I mean is that when we fish with artificial flies, we are essentially lying to fish.  We are putting something right in front of them that is fake, something that may or may not closely resemble something that they eat, and hoping they will fall for it.  I generally spend most of my time fly fishing for wild trout in mountain streams.  And if you didn't already know, trout are way smarter than we think they are. Which is why fly fishing is not easy, is a lifelong learning process, and is so incredibly interesting and fun.

That's essentially what we do when we attempt to socially engineer someone.  We put something fake in front of them that looks so real that they will fall for it.  And that fake thing often gives us access to networks and computers and facilities that we need to complete our penetration testing engagements.

Here are some thoughts from fly fishing on its similarities to to social engineering and pentesting...

Preparation.  It's about choosing the right fly for the fishing situation.  That's way harder than it seems.  Trout are picky about what they eat, and unless they are extremely hungry, they focus on what they expect to see.  They see Midges in the water, emergers on the surface, or mayflies falling to the surface.  Trout flies need to match (as closely as possible) what the trout expect on that day (and even that time of day).  It's often referred to as "matching the hatch", which makes a basic understanding of entomology very important.  It's often a hit-and-miss thing, where you have to try quite a few different flies before one works.  And you are doing this in an environment that is their home, not yours. It's not an easy thing to do, and if it was I probably wouldn't be very interested.

Preparation for a social engineering attempt is similar, especially if it's a targeted attempt.  We have to create and present something that the user would expect, or at least make it look like something they would consider legitimate.  That involves understanding what's normal in an organization, and includes knowing who knows who, who know what, who trusts who, etc.  Similar to knowing bug entomology and what trout eat, you must know your target.  If you are targeting a "big fish", you will definitely have to "match the hatch", focusing on the people and events that the target knows and finds relevant, making it harder to resist.
Presentation. This is one of the hardest parts of fly fishing.  It involves good casting techniques to place the fly exactly where you want it so it drifts naturally in front of the trout.  The cast has to land just right so as to not scare the trout away.  Good casting and presentation techniques take a long time to master.  Then comes the drift.  The fly has to drift naturally without "drag", as if it is floating or swimming in a manner a real bug in the water would.  It has to look real to the trout.  That isn't easy, because you have a fly line in between you and your fly.  Currents are often different in different sides of the river.  "Mending" the line is critical to maintain a "dead drift" so your fly line doesn't disturb the natural drift of the fly. If a fly acts differently in the water than a real bug does, trout are are smart enough to know to ignore it.

Watching some of Jayson Street's (@jaysonstreet) talks on physical pentesting remind me of this concept.  Jason walks into physical facilities (with proper permission from the facility owners) and pretends to be somebody who is supposed to be there.  His goal is to infiltrate their facility and demonstrate its security weaknesses. He's really good at it too. His presentation isn't nervous or out-of-place at all.  It is natural and relaxed.  That gives those he is trying to trick a sense of ease and normality.  People give him what he wants and needs.  He looks "normal."  It's a perfect "dead drift" and it works time after time.

Setting the hook and the fight.  The trout takes the fly.  But do you know for sure it's a trout (unless your fish literally jumped out of the water for it)?  What if your fly just bumped on a rock as it is floating by?  Setting the hook with subtle tugs whenever the line or fly appears to stop is very important.  Because when trout initially take a fly, they quickly realize it isn't real and will attempt to spit it out.  Split second action is critical to set the hook. And when you realize you have a fish on, the adrenaline hits big time.

I usually only end up "landing" the fish I hook (getting the fish to the net) only about 70% of the time (fishing exaggeration in progress ;).  That's partly because I fish with barbless hooks (hooks without a "barb" that normally keeps the fish from being able to easily get off the hook). I "catch and release" wild trout.  That means I try to get them to the net safely so they can easily recover from the fight.  Then I take a selfie with them, give 'em a pet and put them back in the water to fight another day.  Because I fish a lot in areas where "catch and release" is popular (a really good thing), the fish I catch aren't stupid.  They know the drill.  Some just fight a little and let me do my meet-and-greet with them and get it over with.  Others fight like mad men.  And they often know just how to move or jump into the air or twist just right during the fight to get off the hook.

So what does that have to do with pentesting? To me it relates to getting the "beach head", securing a persistent backdoor, and creating a backup backdoor if at all possible.  Maintaining persistent access to the network you are pentesting is critical during a pentest engagement so you can consistently continue your post-exploitation efforts.  Then there's the fight.  I liken that to all the post-exploitation work we do in order to "land the trout".  Good defenses can and should put up a fight.  Getting to the "end game", taking a selfie with the "trout" equates to demonstrating real business impact, meaningful results that can help an organization become better at defense.  And pentesting is truly "catch and release" as we don't want to do harm to the organization.  Watch Ed Skoudis (@edskoudis) present about taking the right trout selfie that results in meaningful business results in "How to Give the Best Pentest of Your Life":

Defenses.   As I mentioned before, trout can be smart.  And it's the smart trout that don't go for the fly if it isn't perfect, and know how to keep from getting "landed" if they do happen to inhale the fly.

Organizations can be these smart trout by being very suspicious of anything out of the ordinary (and verifying it), monitoring their environments closely, watching for unusual connections and terminating them, and having strong internal defenses that include segmentation and tiered/strong authentication.  Defense in depth means that if an organization accidentally swallows a hook, they have the ability, time and energy to try to break free from it before real damage is done. become a better pentester, learn to fly fish!  :)))

The tactical river is where the thrill is.  This isn't lake fishing where you sit and wait.  It involves detailed tactics and hard fought techniques to find the real gold.  Trout live in the most beautiful places in the world.  And that's where the gold is.

For more, check out the targeted attack portion of my presentation, "The Fly Phishing Hack that Cost Millions" here:

No comments:

Post a Comment