
Five Days, One Red Team, A Beach Like No Other: The Bank Job

BSides Leeds · 2023 · 28:37 · Published 2023-07
About this talk
Alex Martin recounts a five-day physical red-team engagement at a bank, demonstrating how reconnaissance, social engineering, and credential cloning led to full network access. The talk details techniques including OSINT, badge cloning via RFID, impersonation, and rogue device deployment, illustrating the human factors that remain security's weakest link.
Transcript [en]

Good afternoon everybody. Thanks for joining BSides, thanks for being here today, thanks for joining my talk. My name's Alex. I am a 20-year veteran in cyber security, probably 19 years longer than I really should have been, but hey, 20-plus-years veteran. I'm currently the cyber director for Trust Hogan. I also do mentoring in the industry under M Consulting. I'm on the Yorkshire Cyber Security Cluster steering committee group, so we're looking at bolstering the ecosystem in the Yorkshire region and looking for help from anybody who is interested in cyber in our region as well, so please do join up. I'm also a member of the One Million Mentors, so trying to dedicate some time for further mentoring of people, younger generations coming up through education. And I also have a brand that I built up after lockdown, which is kind of a hobby, which is very interesting, as Sam mentioned there: baking under Michelin demali. Nothing Michelin about it, but it is me still, and yes, I do do cakes. It's genuine, right: a big guy, I do cyber, but I bake part-time and they're [ __ ] amazing. I've just got to my own home.

But let's get back to the actual talk itself, right: the bank job. So I have to preamble this a little bit. This was an engagement that I was involved in from a project management and planning side, not doing the execution, but I was involved with the team doing the execution through the project, so I understand what they were doing and how they were doing it, what intel they were gathering and all that kind of good stuff. This was also done for a client of mine as a subcontracting job, so they weren't my client directly; therefore there are still NDAs in place and I have to be very careful about what I say and who I say it about. The other additional preamble piece that I want to put on here is that the organization I was doing the assessment for actually tried this themselves the week prior. So they sent in a couple of guys who walked into the bank and tried to get into the employee section. The guard literally ran across the branch and stopped the guys and escorted them off the premises. Julie, because they might as well turn up looking like this, right? Honestly, it was two guys with backpacks walking into a bank, looking very shady and trying to get into the staff members' area; it's never going to work. The problem that we had at that point is that obviously the guards and the security and the staff are on high alert, so it made our job that much more difficult. So this is basically the target that we were looking at: the branch at the bottom, where anybody

could go in, any member of the public; they had a door that went in to then this multi-story office block where the head office basically was. Standard things like emergency exits, fire exits and all that kind of stuff notwithstanding, this was typically the place that we were actually looking to hit.

Phase one of this whole entire exercise: I went down and listened to the red teaming kill chain exercise that was on downstairs, and they were talking about the first phase being recon (or they were talking about enumeration, but still recon). Knowing what you're coming up against from day one, what your target looks like, what their frequencies coming in and out of the building look like, their comings and goings, what's around, is vital to engaging going forward. So we were sitting in cars with long zoom cameras, literally the stuff that's up on here. Obviously LinkedIn online has a vast quantity of data about who works there, who started, when they started, how long they've been there, all that kind of good stuff. But one of the best ones is standing in the queue at the coffee shop nearby. A lot of staff members are still going to be having their lanyards on with their IDs; they might not have their lanyards on with their IDs, but their IDs are going to be in their pocket. It gives you the opportunity to (a) validate identities by actually seeing their faces, but also, having your device in your pocket, being able to get close enough to them to take that ID and strip it off and utilize it later on. NCP car parks, again from a red teaming perspective, they're great if they're local to the target: you can get up in them, it's public space, you can get as high up in it as you want, nobody's going to question you there, you can sit in your car looking out of them, you can stand at the edge looking over into a client site, and nine out of ten times if they're off the ground floor they're not putting any concealment on their windows, so you can literally see straight into the windows and straight onto the machines. So, something to know.

Once you've done the recon and you've worked on kind of getting a good idea of what the client looks like and who they are, where they are, we then go into engage. So actually, let's make this work: take the data that we have, take all the RFID scans and the ID scans that we've got and actually implement them. And it's astounding, knowing how the hackers work on the red teaming side from the cyber perspective and how much it costs to buy kit and buy licensing and buy the infrastructure to actually start doing a hack: from a red teaming physical perspective it's pretty cheap. Lanyards are cheap, RFID cards are cheap, 260 quid for an RFID repurposer, or magnet strip repurposer, or whatever you call it, programmer. You know, this stuff is not expensive and it gives you the ability to very quickly clone somebody's ID to be able to get in. So, coming back to the story: we'd done the reconnaissance. I think the guy actually found a lanyard; I don't know if it was hanging around in the branch or where it was, but we found the lanyard, so that made life a lot easier. And then we'd obviously scanned somebody's

RFID so we could get in, and on day one of the actual engagement itself we were walking into the building just as if it was real staff: we're a new member of staff. We did the whole social engineering thing where we go and stand around in the canteen (in fact there's a slide on that in a minute): go stand in the canteen, smoking areas and things like that, make friends, because these are the guys that are going to let you open doors and walk you through. I've seen one of these this afternoon as well, somebody was holding on to one of these. Oscar's in the room? No, he's not. But Flippers, again, just another device; you guys all know about these things.

So once you're into the office, like I say, common thing for most social engineers: go straight to the canteen, go straight for the coffee. You can stand in there for 20 minutes, an hour, people come in and out, make yourself a coffee, make yourself another coffee, talk to people. It's a social environment, a social area, and you get to know people's comings and goings, you get to again see IDs and see who these people are and what have you, make friends, and again these people will see you through the building if they see you again.

I come back to, when we talk about cyber hacking and all that kind of stuff, we're talking about data breaches, right? A data breach is a data breach; it doesn't matter if it's digital or if it's physical. So typically what we're looking for is the messy desk scenario: pulling some documents off desks, or printers, the scanners and photocopiers, bin diving, all that kind of stuff. The bank that we worked in had all that information. I believe we did pull some stuff off of the printer, the photocopier as well. People put stuff in photocopiers and just, you know, go off, make a coffee, come back, grab their stuff and walk off, forget that that information's there, but it's all still valid. And we love a messy office. We love cables everywhere: yes, you can follow a cable to a network point where you can then plug something in, right, and people don't notice the new device because it's just another device. So we were, again, as part of all this project, looking for all those typical places where you can plug in a USB point. Obviously as we were going through this, the problem with physical red teaming is: when are we going to get caught, when are these guards going to find us out and catch us out and realize that we're not an employee? And the best thing is to try and keep that persistence into the network, into the business, and remotely is the best option, because then you're not physically there and somebody can't question you. So we're looking for all these USB points to plug something in, and again, the messier the office the better. The devices that we were looking at are the typical ones that I'm sure you guys have seen, your LAN Turtles and all that kind of stuff, and like I say, stick a good little sticker on it and nobody's removing it, particularly if you're just a normal staff member. So we got to this point where we're in the building, we're in the infrastructure technically, because we're sitting there,

and we are two, three days in, and my man's starting to sweat because he's thinking he's going to get busted, he's going to get rumbled, he's getting a bit paranoid. Again, you've only got so much time in these things before somebody questions you in the wrong way. So we thought, again, well, let's go back to having that remote device back in the network, plugging in and accessing it remotely. But how do we do that? Because this is a bank, and banks kind of go... this is networking 101, because you guys don't know about any of this, right? So traffic outbound, any to any; traffic inbound, they want to make sure that the inbound traffic's clean, right, because you don't want anybody getting into your network. Typical rules. Banks don't: they check traffic both ways. Obviously they don't want account details going out, they don't want personal information going out, any of that kind of internal data leaking out, so they're monitoring traffic both ways. So you can't just put a LAN Turtle on the network connecting back to the C2 and say yeah, well, it'll dial home and job's a good 'un, because it's going to get checked, it's going to get spotted. So you can't do LAN Turtles or anything like that.

So very quickly, because I'm running through this a lot faster than I thought I was going to: if you can't connect something to the network that's going to dial back through the firewall, just quickly, to the room, what could you do? Wi-Fi? Cellular? Cellular, 4G, 5G, yeah, 3G, 4G. That's exactly what we did. They weren't checking for rogue network devices, they weren't checking for internal Wi-Fi, 3G data connections or anything like that, so we managed to plug one of these in, and at that point you've created your own external connection and bang, you're back in the network. We've been able to monitor and track the traffic, so easy peasy. And we're nearing the end of this, unfortunately, because again we've only got half an hour, but I'll tell you this in 15 minutes, which is scary; maybe I should have breathed in between the slides. But anyway.

So the last point. Bear in mind that we've done actually breaching into the place, we've done the recon, we've got the LAN Turtle on there, 3G LAN Turtle, and we've got persistent access. The next thing was: what can we do? We had, I think, about a day left of the actual engagement. So what more can we do? Well, we noticed that the actual guys in the branch side and the public side were the kind of G4S typical security guards; they're wearing blue primary suits, typical kind of security guard stuff. So my man went to go and get himself on events from around the corner, literally around the corner, and with his handheld RFID stood on the public side of the branch by the employees' door and asked the first couple of employees coming through: 'I just want to check your ID to make sure you're legitimately staff members; we've had a bit of an incident, as you guys already know, last week.' And the sheeple just queued up nicely for him. At that point I think we scored probably about another 100 IDs quite easily. That's how we owned the bank.

Now, I should have probably preambled this right at the beginning rather than saying it at the end, but I have been led to believe that if you walk into a bank with a balaclava and a gun and you steal the money from the bank, you're looking at five to fifteen years depending on how badly you do it. If you hack the bank, it starts at 25 years. So let's not, you know, I'm not saying anybody should. And that's it, that's me. I hope that was enjoyable, I hope you liked it. Have you got any questions? Because I might be able to answer some of them at least.

[Audience] You said about the cafeteria and about, you know, it's the first place you can go to make some friends, have some chats. What do you actually say? Because you can't be like 'oh well, I'm Dave from accounts', and someone says 'I run the

accounting', and you're not in this, mate. Doesn't that open you up to actually, like...

[Alex] Yeah. So, if we're going into the canteen at the beginning (just to repeat the question for the mic), if we're going into the canteen at the beginning, what are the stories that we kind of use? Because we might be bumping into the head of HR or whoever the case is, or someone like that. Well, again, because of the reconnaissance element right at the beginning, you're going to find out who the heads of different departments might be, and therefore you can typically put a face to the name, right. Again, most of the staff that are going to be coming in there at specific times might be normal staff members, so you can play on, a lot of the time, 'I'm new, I've just started in' whatever department you're starting in, I don't know, IT. Starting in IT, you know what I mean. I think as well, if you kind of go down the 'I've just started in IT' route, basically in a social environment like the cafeteria the IT teams typically stick to their own in the IT department, and they'll bring in Monster or Red Bull or whatever it is that they're doing, you know what I mean; they ain't in the canteen socializing with people. So you can be that one that goes to the canteen as the IT guy and you can start having those conversations, and you just, you know, 'I'm new here, I've just come together, I haven't brought my Monster with me today', you know what I mean, and you can have that conversation. You can start, again, you're building rapport with people, and again, hopefully as you've gone through your reconnaissance you can put a face to the name and figure out what department they worked in very quickly, and then track them back to their department and use that relationship that you've already got with them: 'oh yeah, I met you in the canteen, I'm from IT, yeah, well, they've just sent me to come and have a look at your machine in HR.' Right. Any other questions?

[Alex] Yeah. So typically, I mean, this was one of those cases where it was an emergency job; they had a deadline, my client had a deadline to meet for their client, which was the bank. So typically what we say is that a physical red teaming exercise should be three to six months. It should be three to six months because that enables you to go away and do the recon, do all the planning, do all the setting up of any weaponized malware that you want to try and push out to them, or whatever the case, to get that persistence into the network from the cyber side of things as well. But it also means that their team, because you're going to have a point of contact in there as your mole in the company who signs everything off and gives you your get-out-of-jail-free card, right, but it means that you can say to them: you're involved in this as well, you have to react in the same way as you would if this was a malicious attack. So go away with your team; when we attack you in this three to six month window, we're not going to tell you when it's going to happen, so act like you would if it was a real hack. Then at the end of the engagement we'll come back and we'll put our timeline and your timeline together, and then we can say, well, how did your team react? So it also validates some of the incident response mechanisms that you have in the business and how people react to attacks.

[Audience] Yes mate, really enjoyed it, thank you. Well, no, actually a question: as a penetration testing consultancy, when we recruit we're looking for technical skills, consistency, scale. What are we looking for in social engineers? Is that...

[Alex] Yeah, you're probably not going to get the types of people you can confidently... rather talk to people here to plug in. But what we're looking for in people and process, so you are going to be looking

for somebody who is somewhat technical, because you're going to need to be able to do all the RFID scanning, reprogramming of cards and getting in, but you want somebody with massive personal skills as well, somebody who's maybe got a background in psychology but also an interest in tech. And those guys particularly know the triggers that people are going to have: ex-military, ex-intelligence, definitely those people that have had training and that kind of stuff. But definitely people who are more personable, outgoing, but also, I want to say, not memorable, because you want to be able to almost change your figure by changing a hat or taking glasses off, Superman style. But yeah, personable people, intelligent individuals, slight techy background; after that, it's good.

[Audience] I mean, it's great consultancy that you can say, it's actually smaller, so they might have... yeah, and if a bank, say you're working with the bank for a while, and there are clients who are also supported by team engagement...

[Alex] Yeah, I mean, what I'd maybe say in that sense, because again the physical red teaming takes a specific skill set and there are very few of them that can do it very, very well, so maybe it's more of a case that those are kind of subcontracted out. Again, if you're very much entrenched with a specific client and the client knows your team's faces, and you're maybe only a small team, that means that it's going to be really difficult for you to walk in on site without being recognized, and it needs to be somebody from outside the company potentially. But it's only like subcontracting anything else in this industry: there's enough of us that know people who know people who could get you that person, and we're all on reasonable rates. Just plug that one. Yes sir.

[Audience] ...particularly if you want to get into amusement parks...

[Alex] Yes, we've all seen the videos, and yes, it does work. But again, I think the crux of it is basically leveraging the fact that human beings, as generalists, are here to help people. So if you're looking a bit confused or a bit dazed, or a little bit like 'I don't know where I'm supposed to be going', with my clipboard and I have this jacket, somebody's going to come and go 'oh, who are you looking for?' You're like, 'oh, I'm doing maintenance over there, because I can see you've got scaffolding up, how do I get in there?' And they'll lead you through because they want to help; always looking for that help factor. But certainly looking like you're a point of authority helps as well, and having some big hoonies to walk in does help. Yeah, you've got to have the bottle to do it. If you're suddenly getting to the front door and you're stumbling and umming and ahhing and 'I don't know what my backstory is and I don't know why I'm here', then somebody's just going to go 'yeah, Trotter, mate'. But yeah, it works.

[Audience] Oh, go on, we're here. We went straight in, perception... just a lot, if I actually said... the next morning...

[Alex] The fastest we've ever got access into a client's, on the flip side of that: instead of being busted, how quickly have we actually breached? I had a specific client that we did physical red teaming for two years on the trot. It was the same receptionist on the front door, and I think he used the same story, where he came in and was like 'oh, I'm just supposed to do maintenance in your IT'. She walked him through to the server room, opened the door (now she's letting him through; sometimes they frowned upon us putting people in there) and let him in, right. That was at half past eight in the morning of the first day, and I had to phone the client, because he had us there for the day. I had to phone the client and say, 'right, I've got good news and bad news.' 'What's the bad news?' 'We were in. You're not even there, we're in.' 'So what's the good news?' 'You've got the rest of the day to do training for the rest of your staff. You're still getting billed, I don't know.' Good news. The question over this side, is it?

That's right, yeah.

[Alex] Okay, just there for the purpose of the mic: if we are engaging with the client for three to six months and we find that we get busted or get stopped somewhere along the line in that period of time, do we stop the engagement or do we continue to find another hole? We would certainly find another hole. There are enough of us in the team to be able to swap faces, so we can put another person in to try and do the physical again through another route. We would potentially re-evaluate the playbook that we're running as to how we are engaging with the client and therefore trying to breach them, and re-evaluate that and try a different play. So again, if we were turning up and just trying to walk through the front door on the first morning and we get stopped, well, let's try and actually organize a meeting at the venue, so therefore they can know us, they know we're coming, under a guise of some kind. But certainly we're flexible with that kind of stuff and we know that there are multiple avenues that an organization is going to get breached through.

[Music] Yep.

[Alex] Yeah, so again, for the purpose of the mic: where would we draw that line as to where we would stop the engagement and then take a client off, as it's been very, very good? I haven't had it happen yet, just to say. We're still leveraging the human issues that come along with all this kind of stuff. But I would say, if we were, we would have to have played through a couple of scenarios: tried different avenues of attack, different methods of attack, different methods of getting to have that persistence, electronically, physically, whichever way we possibly could, within limitations, ethics and all that kind of stuff. Once we've tried and failed and exhausted the ideas, because again it's all a time-based thing, so we have limited time over a period of time, because that's how we're billed for it, right. So we've still got to think, right, within the time frame that we have, have we got enough time to be able to execute another attempt, or do we not? Have we tried enough scenarios to say, well actually, we've covered a really broad range of methods of trying to get into a client, have we succeeded, have we failed? And if we failed, it's a really good sign, you know. And I'm looking for a client that could do that; it hasn't happened so far.

So, challenge out there for anybody.

[Audience] What's the pretext you use the most? What do you find is the most successful? So if someone said to you, you watch you go to, like, fire and then somewhere, what is...

[Alex] We don't really have a go-to, to be fair. One that has been used quite a lot is the standard BT engineer. It's quite easy to be able to get a uniform off of Amazon or eBay or whatever like that; you can pick up gear that looks similar at least. The joy with those kind of things is, you know, gas engineers, electrical engineers do go on site to do reviews from the likes of British Gas. If you phone up a receptionist and you don't ask them whether you can: 'we have an engineer in your area today, he's going to be at your office at one o'clock, just so you know he's coming.' You don't give them the option. It's not a question, 'can he come, is that okay with you?' No, no, no: he's there at one o'clock because he's in the vicinity and we're busy, right. Show him in, show him where your boiler is, show him where your electricity boxes are, whatever the case is. He'll be wearing his British Gas jacket and he'll have his clipboard with him.

[Audience] Yes... apart from me, when he breaks in at 8:30 in the morning and it's going to explain that to the client...

[Alex] No, no, I mean, again, being down in the red team kill chain one, ethics is massive, right. Again, there's all sorts of different avenues we go: phishing's one of them, to try and start that ball rolling. East Midlands Rail a few years ago phished all their users saying that they've got a bonus after the pandemic because of their good work. It wasn't; it was a scam, because it was a phish assessment. That's unethical, so there's a line to be drawn. The bad guys haven't got the ethics, right, so they can send those, but we as legitimate companies can't, so we try not to. But I haven't made anybody cry, and there wasn't any more stuff. So, anyone else? I think you've got a minute or two.

[Audience] Collecting lost... oh, so going in and saying 'has somebody lost their...', 'somebody handed it in'...

[Alex] Just write that down. [Music] That would work as well though, right? If you're going to local areas, and again we say that, if there's public eateries, coffee shops, anything like that where people are likely to lose something like that, ask the question, why not? Part of the recon stuff, you know, as long as it hasn't got their face on it, because you go 'oh yeah, I'm John Smith' and they go 'no'. You can say 'oh, there you go'. Is that as well? Absolutely, yeah. Let me make a note of that too. Thank you so much. [Applause]