Our company specializes in performing information security assessments and penetration tests; we pride ourselves on our expertise in techniques like social engineering. But frequently we are retained to investigate a suspect employee that might be doing something malicious or questionable on a company network. What was social can turn physical... Let me explain.
To determine if the employee is doing something illicit, we look at the persons computer remotely, watching the traffic coming and going, and logging events. But occasionally we run into a suspect who's computer savvy, knowledgeable about digital surveillance, or paranoid beyond compare. More then often the person knows he is suspect, so asking them to relinquish data or a company-provided laptop becomes difficult. In this type of scenario we are forced to social engineer our way into that person's space to get a closer look. Unfortunately this is easier said than done, and occasionally this escalates into physical confrontational with the person of interest.
Even after several years in this industry, we never cease to be amazed at what intelligent people have tried to pull off using their computers. That's topped only by the irrational behavior that follows when they're caught.
Case in point -- a large corporation recently retained us to investigate an employee suspected of stealing from the company. The executives who hired us indicated the person was extremely computer literate and carried an executive level position. They asked that we be as surreptitious as possible, trying not to alert him to what we were doing, as well as minimize the impact to the company in the event nothing was found.
They were concerned about his outside business interests and worried he might be using their resources and company finances for personal gain. The employer was also concerned that if we asked for the computer as IT staff or contractors, he would destroy the contents of the drive or possibly the entire computer. Numerous efforts were made to remotely look at his company provided laptop, all of which failed. With permission of the employer our goal then became to steal his laptop when he was in the office.
This is far easier said than done. Most people would put up a fight to stop their laptop from being stolen... Try this with someone who knows he could be incriminated with the data on it.
Posing as building maintenance, we were armed with tool belts, a ladder, and other custodial devices. Our goal was to position ourselves by his office, appear as if we were servicing something in the ceiling, then grab his laptop and make a run for it. To minimize any involvement of employees in the office we planned the attempt at quitting time, hoping that the majority of the office had left. Our suspect frequently stayed late so his hours worked to our advantage.
To prepare for our success, failure, or any mishaps our client was on high alert. We set up our ladders and equipment conveniently close to our suspect's office. Our disguises apparently were working since he appeared uninterested in who we were and what were doing. As he answered a cellphone call he rose from his desk and proceeded to walk out of his office, at that point we went in and grabbed the laptop.
Our success was short lived when he turned and saw us walking out with his machine. His polished, professional demeanor changed for the worst when he saw us trying to leave the building. He raced toward us and began trying to pry the laptop from my colleague's hands, while cursing and calling us unprintable names.
It became a tug-of-war between us and him. Finally my colleague was overpowered and lost the laptop. I was amazed at how strong this guy suddenly became, since he had to be 15 years older than my partner.
Our suspect rushed back into his office and proceeded to call security. I was puzzled as to what he was thinking, since the two "thieves" were still in his presence, not trying to escape after our failed attempt to steal his property. I knew the confrontation was not over, so preparing for the worst, we called our contact to explain what had happened.
As all this was happening we kept watching our suspect's behavior. He clutched the laptop in his arms and would occasionally crack the machine open and try to navigate the built-in mouse to do something; our assumption he was trying to delete content. When we grabbed the machine, there was no time to power it off. To discourage him from trying to use the computer, and for fear of what we thought he might be deleting, we made an occasional lunge at him and he'd slam the laptop closed.
Thankfully, when security arrived they had already been notified about the situation. As our suspect began ranting on how we tried to steal his machine, and that we should be arrested, his behavior deteriorated even more when security told him to relinquish the computer to us. He loudly questioned the security guards' role and demanded the police. Within minutes, two law enforcement officers arrived. After we told them our story and they validated it with our customer, the officers made him give up the laptop. His anger and frustration were plainly evident.
Once the laptop was in our possession, we began our digital forensics. Our results helped considerably in the legal action taken against their employee. We uncovered numerous instances of his misuse of company resources and finances.
After incidents like these, we always ask ourselves why an educated person, knowledgeable in information technology, would consider doing such things on a computer owned by his employer. Such events also remind us that people change into completely different animals when you take their data. The mild-mannered businessman or prim and proper secretary can quickly change with violent, irrational behavior -- not to mention superhuman strength. It's the part of the social engineering game that really keeps us on our toes.