
Intern Again, But This Time I Broke In - My Debut in Offensive Security

As summer fades to fall yet again, I thought it might be nice to reflect on my second internship with Security Risk Advisors. Last summer, I was working with the Advisory Blue department, writing policies and assessing compliance. This summer, however, I had the opportunity to work with the Advisory Red team, performing offensive security work such as penetration testing, footprinting, and social engineering. Here’s how it went and what I learned.

me irl

My time began with plenty of training - attacking real client infrastructure means you’ve got to know not only what tools to use, but how to use them right to avoid harming the client you’re supposed to be helping. Through “live-fire exercises” via HackTheBox, I learned the techniques, tricks, and tools of the trade. Techniques ranged from simple SQL injections to complex Active Directory scenarios. My tooling quickly went from simple premade tools to custom-written scripts, and my assignments went from holding my hand through every command to tossing me into environments where all I knew was an IP address. No matter the scenario, my goal was the same: take over the system by any means necessary. I relied on my skills from class at RIT, some advanced knowledge from my colleagues, and plenty of online guides to get the job done.

After training, it was off to the races - starting with footprints. Before a pentest can be done, you’ve got to know what targets to shoot at, and which ones to avoid. From just a company name, my task was to identify what assets they owned: domains, IP addresses, subsidiaries, and more. Footprinting taught me a lot about attention to detail; missing a single IP, or including an unrelated one, can cause a pentest to miss an important target - or worse, test a company that isn’t even the client. I was thankful for the help and patience of experienced consultants as they gave me meaningful feedback and helped me improve my quality of work.

me footprinting

After footprinting came external penetration tests. In an external pentest, SRA acts as an unauthenticated attacker - we see what anyone on the internet can see. From the output of footprinting, automated and manual scans and testing are performed to identify any weaknesses. Every portal, site, and public document goes under a metaphorical microscope in search of credentials, keys, out-of-date software, and known vulnerabilities. Externals taught me about inspecting what you’re expecting - a login page that seems fine? Check how long it takes to return an error, and what the error says. That GitHub repo that seems to just be a public site? Look closer and you might find an API key. I also learned a lot about how a modern threat actor operates. I learned that almost always, adversaries log in - not break in. Compromise comes very often from stolen or re-used credentials - not a CVE.
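The login-page observation above (how long an error takes to come back, and what it says) is worth seeing from the defender's side. The following is an added example, not code from the original post or from SRA: a leaky login check that answers unknown usernames quickly and with a distinct message, next to a hardened one that always does the same work and returns one generic message. The user store, credentials, and function names are constructed for the example.

```python
"""Added example (not from the original post): a login check that leaks
whether a username exists through its error message and response time,
and a hardened version that removes both signals.
All users, passwords, and names here are constructed for illustration."""
import hashlib
import hmac
import os
import secrets
import time

ITERATIONS = 100_000  # PBKDF2 work factor; high enough that the timing gap is obvious


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_user(password: str) -> tuple[bytes, bytes]:
    """Return (salt, hash) for a new user record."""
    salt = os.urandom(16)
    return salt, _hash(password, salt)


# Constructed user store: username -> (salt, hash).
USERS = {"alice": make_user("correct horse battery staple")}

# Dummy record so that unknown usernames still cost one full hash computation.
_DUMMY_SALT, _DUMMY_HASH = make_user(secrets.token_hex(16))


def login_leaky(username: str, password: str) -> tuple[bool, str]:
    """Leaky version: early return and a specific message for unknown users."""
    record = USERS.get(username)
    if record is None:
        return False, "Unknown user"            # fast path, no hashing done
    salt, stored = record
    if not hmac.compare_digest(_hash(password, salt), stored):
        return False, "Incorrect password"      # slow path, different message
    return True, "OK"


def login_hardened(username: str, password: str) -> tuple[bool, str]:
    """Hardened version: one message, and the hash is computed on every attempt."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    ok = hmac.compare_digest(_hash(password, salt), stored)
    ok = ok and username in USERS               # an unknown user can never succeed
    if not ok:
        return False, "Invalid username or password"
    return True, "OK"


def timing_gap_ms(fn, known: str, unknown: str, rounds: int = 5) -> float:
    """Median response time for a known username minus that for an unknown one, in ms."""
    def median_ms(user: str) -> float:
        samples = []
        for _ in range(rounds):
            t0 = time.perf_counter()
            fn(user, "wrong-password")
            samples.append((time.perf_counter() - t0) * 1000)
        samples.sort()
        return samples[len(samples) // 2]
    return median_ms(known) - median_ms(unknown)


if __name__ == "__main__":
    for name, fn in (("leaky", login_leaky), ("hardened", login_hardened)):
        print(name, "| known:", fn("alice", "nope")[1], "| unknown:", fn("mallory", "nope")[1],
              "| timing gap: %.1f ms" % timing_gap_ms(fn, "alice", "mallory"))
```

Running it shows the leaky function answering "mallory" in microseconds and "alice" only after a full PBKDF2 computation, so the gap alone tells an outsider which names are real; the hardened function spends the same time and returns the same text either way. In a real deployment the generic message should also cover lockout and "account disabled" states, and rate limiting per source and per account is what blunts the credential re-use the paragraph describes.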

Finally came the most fun part of all - social engineering. I often joked with friends that my job consisted of “stalking, prank calling, and lying”, but sometimes that description wasn’t that far off from my work. Of course, my work was legally and ethically cleared, and we would call it “OSINT and voice phishing” instead. We impersonated executives, the IT desk, HR employees, and even explored using AI-powered voice clones to attack the weakest element of any organization’s cybersecurity program: the humans. Computers are programmatic: they will always block a sign-in from an unrecognized IP address, and will never do anything that contradicts what they are configured to do. Humans (and, notably, AI models), on the other hand, are a little more pliable. You can do all the training you want, but there is never a guarantee that a user won’t give up sensitive info over the phone to a convincing fake of an IT helpdesk worker. I had a lot of fun doing these social engineering engagements, and it taught me a lot about confidence. The statement “fake it till you make it” never proved more true than when I was actively in a call attempting to get some sensitive information, pretending I knew why I couldn’t ping someone on Teams to confirm my identity. Be confident and if they aren’t very technical, throw in some buzzwords and jargon. Social engineering also taught me the value of OSINT (Open Source INTelligence); we were able to utilize leaked employee IDs and home locations to make a pretext even more believable and successful.

uh... one password please

These social engineering tactics are actually in the news as of the time of writing - the Scattered Spider cybercriminal group recently used these tactics to breach Clorox via third-party service provider Cognizant. According to the press, all the attackers did was ask for a password. The relevant XKCD comic comes around yet again.

relevant xkcd

Just like last year, I enjoyed having a traditional job and schedule rather than a school schedule - I took advantage of my free time by going fishing and biking, and was even able to explore some new state parks near Ithaca. My volleyball addiction was fed through a few grass tournaments, a few indoor pickup games, and some beach time with friends. As always, I took one week off to serve at Camp Mantowagan, a place that my summers can’t be without. Seeing new and old faces at such a special place was refreshing to my soul.

Taughannock Falls

This summer was an awesome look into the world of offensive security consulting - something that I think I really like doing. A huge shoutout to everyone at SRA for making this possible! For now, it’s back to RIT for the start of my fourth year!

“Many are the plans in the mind of a man, but it is the purpose of the Lord that will stand.” Proverbs 19:21

This post is licensed under CC BY 4.0 by the author.