Technology changes and defenses get better, but some things stay the same—like human gullibility, which can be easily exploited through social engineering.

What is social engineering?

Social engineering, at its core, is taking advantage of human nature. Humans are innately trusting, often try to help, and want to avoid confrontation. A big facet of social engineering is taking advantage of our social trust in order to further some type of malicious goal.

Social Engineering generally falls into four (4) attack vectors:

Phishing (email-based)
Vishing (voice/phone-based)
Smishing (text-based)
Physical (in person)

Each one of these attack vectors could take a blog all on its own to break down into detail. For the purposes of this blog, we are going to concentrate on social engineering from a physical perspective.

Several tactics and phases are employed when social engineering humans during a physical breach attempt. These include:

• Pretexting (creating a story to add legitimacy)
• Impersonation (posing as an employee of the company targeted, or a maintenance worker, contractor, visitor from another office, etc.)
• Redirection/Distraction (redirecting the focus of your target from yourself/your actions to something else)
• Psychological Subversion (verbally manipulating folks to obtain bits of information)
• Tailgating/Piggybacking (following another person closely, usually to gain access through a secured entry, such as a card reader-controlled door)
• De-escalation (de-escalating a situation, or an individual, such as an irate guard)

How is social engineering used from a physical perspective?

Using what we have discussed, let’s look at a breakdown of how a typical physical breach might go:

Before attempting a physical breach, whether covert or overt, I usually spend several hours researching the company in the pretexting phase of the engagement. I will check social media sites such as LinkedIn, Facebook, YouTube, and Instagram, looking for insight into the company culture, types of employees, and pictures of employee uniforms or badges. Oftentimes, I am also able to determine building layouts through satellite imagery or publicly available building interior maps. This helps in development of a believable pretext. I may even call the primary phone number in an effort to discern whatever additional information I can (using subversion or impersonation), such as if more folks are working from home or on a staggered schedule. Depending on the pretext, I may even create a fake work order and gather items related to the job I’m claiming to be on-site for (i.e., impersonation).

Once on-site, I will typically spend several hours observing the premises, which includes the employees and employee traffic patterns, employee gathering areas such as smoking, break, and lunch locations, and any other entry or exit doors. This often provides ample opportunities for tailgating/piggybacking into the main building or into sensitive locations within the building. I will use tactics such as redirection/distraction (such as being on a call) to avoid answering pesky questions like, “Who are you?”, having my hands full with donuts so I can’t quite reach the card reader, (who doesn’t like donuts?), or even being a polite gentleman and letting folks ahead of me (after you!).

Once inside, I will often use impersonation to make myself fit in and seem like I belong. Depending on the pretext and engagement goals, I may visit the employee break room and make myself some coffee or grab a bite at the on-site cafeteria. This also provides ample opportunity for more observation, more tailgating/piggybacking, and a chance to clone employee access cards, if they are utilizing a cloneable technology such as low-frequency badging system (see more about this attack here) If I am approached by an irate guard or employee, I may use de-escalation techniques to quell any suspicion that may arise.

How do you defend against this?

Teach your employees/end-users/staff good security awareness. Ally with your users. They are often a first line of defense, especially in regard to things like physical security and social engineering. If your organization utilizes building security or guards, make sure your users know how to contact them. Have the building security/guards make it a point to introduce themselves to your employees, so that they are more at ease in case they need to call.

It is very important to regularly communicate security awareness materials in various ways to maintain general awareness of core security concepts. Attacks like this are on the rise. As more folks are returning to the office from more than a year of the work-from-home model, there are likely to be a ton of unfamiliar faces around the office. That once a year PowerPoint presentation isn’t cutting it anymore. Awareness communications should be provided monthly and ideally via different delivery mechanisms each month. Hammer the point home. Here are some ideas for better awareness training:

• Monthly emails
• Posters
• Placards placed near entryways and sensitive locations reminding folks not to tailgate/piggyback, promoting the phrase, 'One swipe, one entry'
• Creative wallpapers and screensavers
• Provide handouts, such as stress balls, mousepads, pens, etc. (Everyone likes free stuff.)

Hopefully this blog gives you some better insight into the social engineering aspect of Physical Penetration Testing.

If you have questions or comments, I would love to hear from you. Feel free to reach out on Twitter or find me on the TrustedSec Discord.

@fir3d0g