How we got into a heavily guarded research facility and took ownership of the network during a physical pen test.
You would think that a business whose business is defense intelligence and cyber security would have an impenetrable network, right?
We recently conducted a penetration test for a client that proved how simple it was for someone to send a spoofed email to gain unauthorized physical access to a heavily guarded research facility and gain full access to the internal network for that facility as well as all of their locations nationwide – all under the guise of repairing the copy machine.
Breaking and Entering with a Badge – Enter DirectDefense consultant, aka “Copier Repair Guy”
A little reconnaissance ahead of time was all it took to determine the key personnel and then send a spoofed email from a doppelganger domain to the Facility Security Officer fifteen minutes before our physical test. Our consultant impersonated the Director of IT and informed the security officer that a technician from the copier repair company was on his way over to troubleshoot a multifunction printer and to provide him any access needed.
Shortly before our consultant arrived, the security officer replied to the email and approved the spoofed request. Our consultant entered through the main door and stated that he was with the copier repair company and was there to fix a multifunction printer. Our consultant was then granted access, asked to sign in, and was provided with a visitor badge. Our client’s first line of defense – physical security – failed!
Pro-tip #1: Registering a doppelganger domain that is similar to an organization’s actual domain, but slightly off, is a pretty common attack tactic. Most of the time (as in this case) the recipient doesn’t realize it. The good news: Email security controls can be put in place to identify this type of attack and mark the email as spam.
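One way a mail filter can apply the check described in Pro-tip #1, shown as an added example that is not part of the original write-up or any DirectDefense tooling. The protected domain, the sample senders and the distance threshold of 2 are all constructed assumptions.

```python
import unicodedata

# Constructed values: the protected domain and every sender below are made up.
PROTECTED = {"example-research.com"}
DIGIT_SWAPS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})
PAIR_SWAPS = (("rn", "m"), ("vv", "w"))

def skeleton(name: str) -> str:
    """Fold common visual substitutions so lookalikes collapse to one form."""
    s = unicodedata.normalize("NFKD", name.lower())
    s = "".join(c for c in s if not unicodedata.combining(c))
    s = s.translate(DIGIT_SWAPS)
    for seq, repl in PAIR_SWAPS:
        s = s.replace(seq, repl)
    return s.replace("-", "")

def osa_distance(a: str, b: str) -> int:
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # adjacent transposition
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def classify(sender: str, max_distance: int = 2) -> str:
    """Return 'internal', 'lookalike' or 'external' for a From address."""
    domain = sender.rsplit("@", 1)[-1].strip().lower().rstrip(".")
    if domain in PROTECTED or any(domain.endswith("." + p) for p in PROTECTED):
        return "internal"
    name = skeleton(domain.rpartition(".")[0])  # compare without the TLD
    for real in PROTECTED:
        if osa_distance(name, skeleton(real.rpartition(".")[0])) <= max_distance:
            return "lookalike"  # quarantine or tag before delivery
    return "external"

SAMPLES = ["it.director@example-research.com", "it.director@examp1e-research.com",
           "it.director@exarnple-research.com", "it.director@example-reserach.com",
           "it.director@exampleresearch.net", "billing@copier-vendor.test"]

if __name__ == "__main__":
    for sender in SAMPLES:
        print(f"{classify(sender):9} {sender}")
```

The folding table covers only ASCII tricks; internationalized lookalikes arrive as `xn--` labels and need a separate confusables check.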
Peeling Back the Layers of Defense
DirectDefense consultant, aka “Copier Repair Guy”, was shown to the printer area, where he found a router next to the multifunction printer. He plugged an Ethernet cable into the router and his laptop. Upon connecting the Ethernet cable, he determined that the port was active, and the network immediately assigned the laptop an IP address on the company’s internal network via DHCP. At this point, he had full unrestricted access to the internal network.
If he wanted to, he could hack into servers containing sensitive information. A true attacker could (and probably would) leave a drop device to give them persistent back door access into the network. Our client’s second line of defense, Network Access Control (NAC) and security monitoring, was not in place.
With NAC controls, our consultant wouldn’t have been able to plug in in the first place. His device would not have been recognized and the port would have shut down, preventing him from accessing the network. Even without NAC controls, properly configured security monitoring tools could have alerted the company to the unauthorized network intrusion.
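The monitoring check described above, reduced to its core as an added example (not from the original write-up): compare DHCP leases against an asset inventory and alert on any MAC address the organization does not own. The inventory and the log lines, written in the style ISC dhcpd sends to syslog, are constructed.

```python
import re

# Constructed asset inventory: MAC addresses of devices the organization owns.
INVENTORY = {"00:1B:44:11:3A:B7": "mfp-floor2", "00:1b:44:11:3a:c9": "ws-0142"}

# Constructed log lines in the style ISC dhcpd writes to syslog.
LOG = """\
Mar  4 09:58:02 dhcp1 dhcpd: DHCPACK on 10.20.30.21 to 00:1b:44:11:3a:b7 (mfp-floor2) via eth1
Mar  4 10:14:37 dhcp1 dhcpd: DHCPDISCOVER from 3c:52:82:aa:10:9e via eth1
Mar  4 10:14:38 dhcp1 dhcpd: DHCPACK on 10.20.30.57 to 3c:52:82:aa:10:9e (laptop) via eth1
Mar  4 10:31:05 dhcp1 dhcpd: DHCPACK on 10.20.30.57 to 3c:52:82:aa:10:9e (laptop) via eth1
Mar  4 11:02:44 dhcp1 dhcpd: DHCPACK on 10.20.30.88 to 02:00:5e:10:00:01 via eth1
"""

ACK_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ dhcpd(?:\[\d+\])?: "
    r"DHCPACK on (?P<ip>[\d.]+) to (?P<mac>[0-9A-Fa-f:]{17})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<ifc>\S+)"
)

def unknown_leases(log: str, inventory: dict) -> dict:
    """Return one alert per MAC that received a lease but is not in inventory."""
    known = {mac.lower() for mac in inventory}
    alerts = {}
    for line in log.splitlines():
        m = ACK_RE.match(line)
        if not m:
            continue  # only completed leases matter here
        mac = m["mac"].lower()
        if mac in known:
            continue
        alert = alerts.setdefault(mac, {
            "first_seen": m["ts"], "ip": m["ip"], "hostname": m["host"],
            "interface": m["ifc"], "acks": 0,
            # Bit 0x02 of the first octet marks a locally administered
            # (randomized or manually set) address rather than a vendor one.
            "locally_administered": bool(int(mac[:2], 16) & 0x02),
        })
        alert["acks"] += 1  # renewals show how long the device stayed
    return alerts

if __name__ == "__main__":
    for mac, info in unknown_leases(LOG, INVENTORY).items():
        print("ALERT unknown device", mac, info)
```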
Even without NAC or security monitoring controls in place, if correct network segmentation was in place, our consultant (or a hacker) would have had very limited access to, say, just the printer. Because our client’s third layer of defense – network segmentation – failed, we not only had access to all the devices at this office location, but to all devices across all the company’s locations – nationwide.
Pro-tip #2: Take the time to segment your network. The fact is that it does take more time and more work to segment your network, which is why many companies leave their network flat. But while an unsegmented network may be easier to manage, it is also less secure and easier for an attacker to hack into.
Our consultant also verified that egress filtering rules were not in place (the fourth layer of defense – properly configured network firewall rules – also failed) and that it was possible to initiate an outbound external connection over any TCP port. This configuration would allow him to take any data obtained from within the organization’s network and exfiltrate it over the Internet and out of the organization. Had our client had properly configured firewall egress filtering rules, any connection leaving the internal network that did not fit a pre-defined set of rules would have been blocked.
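The "pre-defined set of rules" idea can be checked offline by replaying flow records against a default-deny egress policy. This is an added example, not the client's configuration or anything from the original write-up; the address ranges, the proxy and resolver hosts, and the flows are constructed.

```python
import ipaddress

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # constructed internal range

# Constructed egress policy: first match wins, anything unmatched is denied.
# (source network, protocol, destination port, action)
RULES = [
    ("10.20.1.10/32", "tcp", 443, "allow"),  # web proxy may reach HTTPS
    ("10.20.1.10/32", "tcp", 80, "allow"),   # web proxy may reach HTTP
    ("10.20.1.53/32", "udp", 53, "allow"),   # internal resolver may do DNS
]

# Constructed flow records: (source, destination, protocol, destination port)
FLOWS = [
    ("10.20.30.57", "203.0.113.10", "tcp", 22),   # unknown laptop, outbound SSH
    ("10.20.1.10", "198.51.100.7", "tcp", 443),   # proxy fetching a web page
    ("10.20.40.12", "198.51.100.7", "tcp", 443),  # workstation bypassing proxy
    ("10.20.30.57", "10.20.1.10", "tcp", 3128),   # stays inside the network
]

def decide(src: str, dst: str, proto: str, dport: int) -> str:
    """Return 'local', 'allow' or 'deny' for one flow."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if d in INTERNAL:
        return "local"  # not egress; segmentation rules govern this traffic
    for net, rproto, rport, action in RULES:
        if s in ipaddress.ip_network(net) and proto == rproto and dport == rport:
            return action
    return "deny"  # default deny: no rule, no exit

def blocked(flows):
    """Flows the policy would have stopped; each one is worth an alert."""
    return [f for f in flows if decide(*f) == "deny"]

if __name__ == "__main__":
    for flow in FLOWS:
        print(f"{decide(*flow):5} {flow}")
```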
Once our consultant was finished “fixing the copier” (aka “owning the network”) he packed up his equipment, said goodbye, and departed the office.
Pro-tip #3: Never underestimate the copier repair guy! 😊
Lessons Learned About the Importance of Implementing Layers of Defense
While we were able to enter the building under false pretenses, the biggest issue was what we were able to do once we were inside.
Even if an attacker is able to gain permissible access into a facility through a spoofed email or some other means, they can’t do any major damage if the network has a strong defense plan in place. In the case of our penetration test, we were able to access the company network with no problem and see critical data without being detected. This exercise uncovered five specific areas in which the company’s security was insufficient:
- Ineffective Physical Security: Physical security controls were ineffective at stopping the consultant from gaining physical access to the client’s office. The security procedures and office personnel are responsible for ensuring that only authorized persons are allowed to access the facility. Although a physical door lock is in place to prevent unauthorized access and is working as intended, the failure of the human component negated the effectiveness of this control.
- Lack of Network Access Controls: The client does not have a NAC solution in place to ensure only authorized systems and devices can connect to the network.
- Lack of Egress Filtering: We were able to initiate an outbound SSH connection back to the DirectDefense infrastructure from within the client’s internal network. This connection was not prevented or terminated by network security appliances.
- Deficient Security Monitoring: The client was not alerted to an unknown device being placed on the network, the lateral movement throughout the internal network, the compromising of privileged accounts and systems, or the outbound connection initiated by the device.
- Lack of Network Segmentation: Network segmentation is not in place to prevent devices (or users connecting to network ports) within the office from accessing the rest of the client’s internal network.
Curious if Your Organization Can Pass the Test?
Find out! Our penetration testing team performs these routine tests to try and successfully compromise as much as we can within an organization to ensure someone with malicious intent won’t be able to. If your company is interested to see what vulnerabilities our penetration testing team can uncover, contact us today.