Protect Your Organization from Phishing Threats
Andy Rappaport, Chief Architect
Tom Smit, Customer Experience Manager
Agenda
• The Evolving Phishing Threat
• Attacker’s mentality - What CORE’s penetration testers tell us
• 5 minute Identity Harvest Challenge
• Best Practices – What You Can Do
• Organizational Preparedness with CORE Insight
Phishing is Not the Same as Spam
• Spam: unwanted email (and possibly texts)
• Phishing: malicious email; a social engineering attack
− Pretends to be from someone you trust
− Designed to look like legitimate email from a trusted source
• Types of phishing:
− Spear phishing – targets select individuals
− Clone phishing – reuses a previous, legitimate email (and the trust it already carries) with its links swapped for malicious ones
− Longlining – a large volume of highly customized emails, combining mass-mailing scale with spear-phishing personalization, intended to defeat filter-type defenses
The Evolving Phishing Threat
• Frequency is declining [1] but sophistication is increasing
• Spear-phishing effectiveness has significantly increased [2]
• $1.5 billion – total losses from phishing in 2012 [3]
• Why? Lowered barriers to establishing online trust:
− Decreased face-to-face contact: remote offices, outsourcing, partners, social networks
− Technology bypasses the human: single sign-on, federation, browsers that save passwords
− Mixed personas (personal and business): BYOD
Sources:
1. Anti-Phishing Working Group (APWG) attack trend reports: http://www.antiphishing.org/resources/apwg-reports/
2. Threatpost: http://threatpost.com/spear-phishing-remains-preferred-point-entry-targeted-persistent-attacks-113012
3. RSA Online Fraud Report (EMC): http://www.emc.com/collateral/fraud-report/rsa-online-fraud-report-012013.pdf
What CORE's Pen Testers Tell Us
• Social engineering is the preferred attack vector.
• Users are easier: "We can always phish someone [in an engagement]. It's just a matter of how hard we need to try."
• Establish, escalate and leverage trust: "until you get someone [or something] you want".
• Value of compromising an identity:
− Email account: send email as them; leverage their trust network
− Browser or host: harvest saved passwords; log on as them
Note the significance of trust in each statement.
What CORE's Pen Testers Tell Us – The Approach
• Establish trust with a non-threatening message to a small group:
− "We have been experiencing some errors with the XYZZY system. Sorry for any inconvenience."
− "We are scheduling an upgrade for the XYZZY system."
• ... then send the phish email:
− "Sorry. Please use this temporary XYZZY system <some link>"
• Make it look right: use corporate branding and images. Duh.
• Personalize if possible:
− Subject line: "Attendee list for your XYZZY conference keynote" (a person's future conference schedule might be easy to discover)
Try the 5-Minute Identity Harvest Challenge
• Pick an important corporate user – at your company or another
• Search for just 5 minutes to gather spear-phish material
• Pick a few places to look:
− Corporate site, news
− Financial: scheduled stock trades
− Search engines: blogs, conferences, speeches, planned travel
− Social: LinkedIn (college, homecoming), Facebook (social life, family)
− Physical addresses: work, home, vacation
What could an attacker do with more time?
Phish Defenses – What You Can Do
• Defend – technology deployments:
− Blacklisting known phishing sites
− Spam filters
− Anti-virus software
• Educate – user awareness:
− Regular two-way communication; make humans part of your sensor network
− Share real-world examples
• Understand the risk – establish policy:
− Ex: CSR or IT password reset – are they being helpful or insecure?
− Zip files through the firewall?
− Mixing personal and business
• Test and measure your own exposure and risk:
− Test your own defenses
− Hands-on employee assessments
GOTCHA!
Self-Phishing Best Practices
• Goal: understand and lower phish risk
• Systematic testing:
− Data-driven, objective
− Create an easily repeatable process
− Not a one-time gotcha (hook-and-release)
• Test people and defenses/controls
• Different levels of sophistication, e.g. an obvious form letter; a targeted message with specific but publicly available information
(Cycle diagram: Test → Improve → Assess)
Benefits of Self-Phishing: Data-driven Security – Goals, Questions, Metrics
• Goal: understand and measure your own risk from phish exposure
• Questions:
− Does the A/V on our IT "golden images" detect spam/phish messages?
− Do our defenses provide useful clues to employees?
− Which of our users are susceptible to phishing?
− How much does our user awareness program reduce the risk?
• Metrics: understanding the effectiveness of your training
− Measure over time and identify areas to improve
− Approach: mix baselines (the "Nigerian prince" letter) with more focused spear-phish messages
• Identify users and groups who need additional education: Adequately trained? New hires? Admins? IT? Devs?
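The goals-questions-metrics approach above is easiest to see on actual campaign results. The following Python is an added worked example, not code from the presentation and not Core Security's Insight product: it takes per-recipient outcomes from two quarters of self-phishing (a generic "baseline" form letter and a targeted "spearphish" lure each quarter), and answers the slide's questions as numbers: click rate per group (who is susceptible), report rate (are humans acting as sensors), the gap between baseline and spear-phish (how much sophistication matters), the relative drop in click rate across quarters (did the awareness program reduce risk), and which groups still exceed a threshold in the latest campaign. The campaign names, group names and outcome strings are all constructed sample data; the 25% threshold is an arbitrary assumption.

```python
"""Self-phishing metrics: goals -> questions -> metrics over campaign results.

Added illustrative code, not Core Security's Insight product and not code
from the presentation. Campaigns, groups and outcomes below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Result:
    campaign: str   # hypothetical campaign name
    quarter: str    # when the campaign ran
    level: str      # "baseline" (obvious form letter) or "spearphish" (targeted)
    group: str      # user population: new_hire, admin, dev, marketing
    clicked: bool   # recipient followed the lure link
    reported: bool  # recipient reported the message to security


# Constructed outcomes, one character per recipient:
#   c = clicked the lure, r = reported it, - = ignored it
SAMPLE_OUTCOMES = [
    ("q1-generic",    "2013Q1", "baseline",   "new_hire",  "ccc--"),
    ("q1-generic",    "2013Q1", "baseline",   "admin",     "c-r--"),
    ("q1-generic",    "2013Q1", "baseline",   "dev",       "c---r"),
    ("q1-generic",    "2013Q1", "baseline",   "marketing", "cc--r"),
    ("q1-conference", "2013Q1", "spearphish", "new_hire",  "cccc-"),
    ("q1-conference", "2013Q1", "spearphish", "admin",     "cc-r-"),
    ("q1-conference", "2013Q1", "spearphish", "dev",       "cc--r"),
    ("q1-conference", "2013Q1", "spearphish", "marketing", "ccc--"),
    ("q2-generic",    "2013Q2", "baseline",   "new_hire",  "c-rr-"),
    ("q2-generic",    "2013Q2", "baseline",   "admin",     "-rr--"),
    ("q2-generic",    "2013Q2", "baseline",   "dev",       "--r-r"),
    ("q2-generic",    "2013Q2", "baseline",   "marketing", "c-r--"),
    ("q2-payroll",    "2013Q2", "spearphish", "new_hire",  "cc-r-"),
    ("q2-payroll",    "2013Q2", "spearphish", "admin",     "c-rr-"),
    ("q2-payroll",    "2013Q2", "spearphish", "dev",       "-rr--"),
    ("q2-payroll",    "2013Q2", "spearphish", "marketing", "ccr--"),
]


def expand(rows) -> List[Result]:
    """One Result per recipient from the compact outcome strings."""
    results = []
    for campaign, quarter, level, group, outcomes in rows:
        for ch in outcomes:
            results.append(Result(campaign, quarter, level, group,
                                  clicked=(ch == "c"), reported=(ch == "r")))
    return results


RESULTS = expand(SAMPLE_OUTCOMES)


def select(results: List[Result], **filters) -> List[Result]:
    """Keep results whose fields match every filter, e.g. quarter="2013Q1"."""
    return [r for r in results
            if all(getattr(r, f) == v for f, v in filters.items())]


def rates(results: Iterable[Result]) -> Dict[str, float]:
    """Click rate (susceptibility) and report rate (humans as sensors)."""
    rs = list(results)
    n = len(rs)
    if n == 0:  # empty bucket yields zero rates rather than a division error
        return {"n": 0, "click_rate": 0.0, "report_rate": 0.0}
    return {"n": n,
            "click_rate": sum(r.clicked for r in rs) / n,
            "report_rate": sum(r.reported for r in rs) / n}


def by(results: List[Result], field: str) -> Dict[str, Dict[str, float]]:
    """Rates per distinct value of one Result field, in sorted key order."""
    buckets = defaultdict(list)
    for r in results:
        buckets[getattr(r, field)].append(r)
    return {k: rates(v) for k, v in sorted(buckets.items())}


def sophistication_gap(results: List[Result], quarter: str) -> float:
    """How much worse users do against a targeted lure than a form letter."""
    per_level = by(select(results, quarter=quarter), "level")
    return per_level["spearphish"]["click_rate"] - per_level["baseline"]["click_rate"]


def training_effect(results: List[Result], level: str) -> float:
    """Relative drop in click rate from the first quarter to the latest one."""
    per_quarter = by(select(results, level=level), "quarter")
    quarters = list(per_quarter)  # sorted by by(), oldest first
    first = per_quarter[quarters[0]]["click_rate"]
    last = per_quarter[quarters[-1]]["click_rate"]
    return (first - last) / first if first else 0.0


def groups_needing_training(results: List[Result], level: str = "spearphish",
                            threshold: float = 0.25) -> List[str]:
    """Groups whose click rate in the latest campaign at `level` exceeds threshold."""
    latest = max(r.quarter for r in results if r.level == level)
    per_group = by(select(results, quarter=latest, level=level), "group")
    return [g for g, m in per_group.items() if m["click_rate"] > threshold]


if __name__ == "__main__":
    for quarter in ("2013Q1", "2013Q2"):
        for level in ("baseline", "spearphish"):
            m = rates(select(RESULTS, quarter=quarter, level=level))
            print(f"{quarter} {level:10s} click {m['click_rate']:.0%} "
                  f"report {m['report_rate']:.0%}")
        print(f"{quarter} sophistication gap {sophistication_gap(RESULTS, quarter):+.0%}")
    print(f"spearphish click rate cut by {training_effect(RESULTS, 'spearphish'):.0%}")
    print("needs more training:", groups_needing_training(RESULTS))
```

Two choices matter for the slide's argument. Report rate is tracked alongside click rate because a falling click rate with a flat report rate means users are ignoring lures, not yet acting as a sensor network. And the baseline and spear-phish campaigns are kept separate in every metric: averaging them would hide the fact that, in the constructed data, training halves the spear-phish click rate while the targeted lure still beats the form letter by a wide margin.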
CORE Insight
Insight Can Assess Over Time
Investments in training have proven productive.
Next quarter's focus can be clearly identified.
Ongoing evaluation is critical to minimizing risk.
Insight Identifies Critical Areas
Identify current weaknesses in an organization.
Focus limited resources on the most critical activities.
Campaigns focus on different users:
• Marketing executives
• Contractors
• Web developers
Insight Builds Focused Campaigns
• General phishing
• Spear phishing
• Clone phishing
(Sample campaign email: From: First Generic Bank <[email protected]>; Subject: Please update your account information; Mar 12, 2013 3:23PM PST)
Reporting
Go to www.coresecurity.com/videos/protecting-your-organization-phishing-threats to watch the recorded presentation.
For more information please contact Core Security at (617) 399-6980 or [email protected]