Social Engineering Attack-Defend

ACTIVITY COMPLETED: August 4, 2023

This is a video I made for the capstone project during Fullstack Academy’s Cybersecurity Bootcamp. For it, my group and I created a mock cyber consulting firm, Bigfoot Consulting, with all of us as team members.

A fictional company, Patterson-Gimlin LTD, hired our firm to perform a series of social engineering attacks against their employees, infrastructure, network, and devices. Three of our attacks were unsuccessful: a vishing attempt, an invoice scam, and a phishing attempt.

Three other attacks were successful: a malicious QR code that harvested credentials through a fake employee portal, a keylogger installed on free USB drives given to all employees, and a tailgating attack executed on a group of new hires returning from lunch.

With each attack, our team gave insight into how to notice and prevent them in the future. Here’s the full mock scenario we created:

Scenario

Recently, Bigfoot Consulting was approached by Robert Gimlin, the CISO at Patterson-Gimlin LTD, a film production company. The company has made headline news with the premiere of their heavy-hitting films about the Ukrainian-Russian conflict, North Korean labor camps, and China’s PLA.

After these film premieres, Robert Gimlin noticed an uptick in public threats posted on social media and across internet forums directed at the company. These threats all say something to the effect of:

“Patterson-Gimlin beware. Your enemies will be among you soon, living and working, and they will work to sow your demise. Every day. The clock is ticking…”

Given the specific nature of these threats, Robert Gimlin is highly concerned with social engineering attacks against the company, which is where Bigfoot Consulting comes in.

We were hired to help the company harden their security posture.

Over a three-month period, we attempted a variety of social engineering attacks on the employees and infrastructure of Patterson-Gimlin LTD. The goal was to leverage any bit of intel, no matter how innocuous, to obtain privileged information about the company and access to networks and devices.

Aside from Robert Gimlin, the C-Suite executives, and Bigfoot Consulting, no one at Patterson-Gimlin LTD was aware that this test was being conducted. That’s because we wanted the test to simulate conditions a real attacker would face, and we didn’t want to bias or disrupt normal employee behavior in any way.

After the test concluded, we reported our findings back to Robert Gimlin. At that point, he informed the entire company of the test and called an all-hands meeting to discuss further. During that meeting, Bigfoot Consulting presented a recap video that walked through each attack, what worked, and what didn’t.

William Schmidt