© Copyright 2015 PhishMe, Inc. All rights reserved. The Humanity of Phishing Attack and Defense 2016 Alabama Cyber Now Aaron Higbee Co-Founder & CTO of PhishMe @higbee @phishme


Page 1:

© Copyright 2015 PhishMe, Inc. All rights reserved.

The Humanity of Phishing Attack and Defense

2016 Alabama Cyber Now

Aaron Higbee

Co-Founder & CTO of PhishMe

@higbee @phishme

Page 2:

What you are in for…

• A LOT of slides – don’t worry, they will be on Slideshare.

• Is phishing easy? The operation examined from the attacker's perspective

• Multiple data points – Highlights from our Enterprise Susceptibility Report

– Examples of effective and popular phishing themes

– How much time do users spend consuming phishing education?

• Does it matter?

– New data from recent survey. Do we have an awareness problem?

• Why do humans fall for phishing?

Page 3:

A TALE OF WOE

OPM

Page 4:

Notice anything interesting?

Page 5:

What likely caused the breach…

Page 6:

The DHS Response…

“The campaign will feature short videos, posters and literature on the do’s and don’ts for better cyber hygiene”

Page 7:

OPM Needs an extra 21 million (for encryption)

Page 8:

Page 9:

2002

• Incident Response

• Penetration Testing

• Taught a lot of Ultimate Hacking Classes

– Hands on, learn by doing

• Met a lot of these types

Page 10:

Attacker's Perspective: Is phishing easy?

The classic Attackers vs. Defenders arguments seem to gloss over the effort involved…

Page 11:

Phishing operations examined: Recon

• Reconnaissance for targeting

– Email addresses from simple internet searches

– Mining social networks

– Spam lists

– Paid private lists

*Image created by Seculert

Page 12:

Phishing operations examined: Weaponization

• Exploit writers

• JavaScript expertise

• Code packers and obfuscation

• Remote Administration Tools – Custom or Modified

• Data-Entry credential stealing phishing?

*Image created by Seculert

Page 13:

Phishing operations examined: Delivery

• Send email, collect shells. Easy, right?

• Brand protection & site take down. E.g. login.peypal.net

• Spoofing still viable? SPF, DKIM, …

• Attachment delivery? Zip it? Password zip it?

• Anti-Spam products are a problem…

– Attackers using gmail.com, yahoo.com, hotmail.com, etc.

• Time of day?

• Mobile devices?

*Image created by Seculert
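The Delivery slide above asks whether spoofing is still viable under SPF and DKIM, and notes that attackers simply send from gmail.com, yahoo.com or hotmail.com accounts instead, or register a lookalike such as login.peypal.net. The added example below is not PhishMe's code and is not part of the original deck; it shows the defender-side checks a mail gateway or triage script can run on one message: read the spf/dkim/dmarc verdicts from the Authentication-Results header, flag freemail sender domains, flag a display name that invokes a protected brand while the address does not, and flag link hosts within a couple of edits of a protected brand. The sample message, the freemail and protected-brand lists and the edit-distance threshold are constructed assumptions.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample message (all names, addresses and URLs are made up).
# It authenticates cleanly (SPF/DKIM/DMARC pass for gmail.com), which is the
# case the slide raises: the sender genuinely owns that freemail account.
SAMPLE_MESSAGE = """\
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=gmail.com;
 dkim=pass header.d=gmail.com; dmarc=pass header.from=gmail.com
From: "Example Corp IT Helpdesk" <it.helpdesk.examplecorp@gmail.com>
To: alice@example.com
Subject: Your inbox is over the limit
Content-Type: text/plain

Your mailbox is over the limit. Sign in at http://login.peypal.net/quota today.
"""

FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com"}   # assumption: policy list
PROTECTED_DOMAINS = {"paypal.com", "example.com"}              # assumption: brands we protect
URL_HOST_RE = re.compile(r"https?://([^/\s\"'>]+)", re.IGNORECASE)
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)


def levenshtein(a, b):
    """Plain edit distance, used to spot typosquats of protected brands."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def auth_results(msg):
    """Collect spf/dkim/dmarc verdicts from the Authentication-Results header."""
    header = msg.get("Authentication-Results", "")
    return {k.lower(): v.lower() for k, v in AUTH_RE.findall(header)}


def lookalike_of(host):
    """Return the protected domain whose registered label is within 2 edits of host's, else None."""
    labels = host.lower().split(".")
    if len(labels) < 2:
        return None
    sld = labels[-2]
    for brand in PROTECTED_DOMAINS:
        brand_sld = brand.split(".")[0]
        if sld != brand_sld and levenshtein(sld, brand_sld) <= 2:
            return brand
    return None


def analyse(raw):
    """Return the list of findings for one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    auth = auth_results(msg)
    for mech in ("spf", "dkim", "dmarc"):
        if auth.get(mech) != "pass":
            findings.append(f"{mech} result is {auth.get(mech, 'missing')}")
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    if sender_domain in FREEMAIL_DOMAINS:
        findings.append(f"sender uses freemail domain {sender_domain}")
    # A display name that names a brand the address does not belong to.
    for brand in PROTECTED_DOMAINS:
        if brand.split(".")[0] in display.lower() and sender_domain != brand:
            findings.append(f"display name invokes {brand} but sender is {sender_domain}")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    for host in URL_HOST_RE.findall(text):
        brand = lookalike_of(host)
        if brand:
            findings.append(f"link host {host} resembles {brand}")
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_MESSAGE):
        print(finding)
```

Note that all three authentication checks pass on the sample, so a gateway that only enforces SPF/DKIM/DMARC lets it through; the signal comes from the freemail domain, the brand in the display name and the typosquat in the link, which is why those checks are layered on top.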

Page 14:

Phishing operations examined: Exploit

• x86 Win32 – time of day matters

• Advances in end-point protection

• Application whitelisting

• Email scanning gateways

• URL detonation

• Sandboxes

• Phishing with only links? – Site categorization

– Evolving browser protections

*Image created by Seculert

Page 15:

Phishing operations examined: Recap

Let’s recap…

We found targets, prepared our email sending environment to ensure delivery, and we’ve overcome the problems of exploitation. We can either get exploit attachments in, or lure phishing victims to our prepared, whitelisted, categorized site designed to deliver the payload. We are either defeating sandboxes, or our malware is designed so that sandbox analysis either takes too long or produces results too inconclusive to set off alerts. Game over?...

*Image created by Seculert

Page 16:

Phishing operations examined

… But you are still not done.

Plant backdoors, connect outbound, exfiltration

*Image created by Seculert

Page 17:

Page 18:

Now let’s look at some Crimeware examples

Common themes:

– Faxes, Voicemails, ACH notices, Package Delivery

– The PhishMe blog has many examples

– Cryptolocker

Page 19:

Locky Message

Page 20:

Notice the variations

Page 21:

MOST USED AND HIGHEST SUSCEPTIBILITY

Page 22:

Introduction – Study Demographics

• 400 PhishMe customers

• Fortune 500 and public sector organizations across 23 verticals

• 8 million simulation emails over a 13-month span

• 75% of organizations training 1000+ employees

Page 23:

Questions Asked

• Are certain themes or levels of complexity more difficult than others for employees to recognize?

• What is the impact of emotional motivators on the likelihood of phishing responses?

• Does timing of the phish influence user vulnerability?

• Can we see positive trend success metrics over time?

• What makes a phishing simulation program successful?

Page 24:

Key Findings

• 87% of the employees who opened a phishing simulation email opened it the SAME DAY it was sent.

• Most employees responded to a phishing email in the morning hours, particularly at 8:00 AM local time.

• Employees who open a phishing email are 67% more likely to respond to another phishing attempt.

• The most effective phishing emails contain a business communication theme.

• Behavioral conditioning decreased susceptible employees’ likelihood to respond to malicious email by 97.14% after just 4 simulations.
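The findings above are aggregate statistics from the report. As an added illustration, not the report's own analysis code, the following computes the same kinds of measures from a constructed simulation log of five employees across four rounds: same-day open rate, peak response hour, per-round susceptibility, the reduction from first to last round, and how much more likely first-round responders are to respond again later. The log and every number it yields are made up for the example and do not reproduce the report's figures.

```python
from collections import Counter, defaultdict
from datetime import datetime


def ts(text):
    """Parse 'YYYY-MM-DD HH:MM' or return None for an event that never happened."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M") if text else None


# Constructed log (employee, round, sent, opened, responded); None = did not happen.
RAW_EVENTS = [
    ("a", 1, "2016-03-01 07:30", "2016-03-01 08:05", "2016-03-01 08:06"),
    ("b", 1, "2016-03-01 07:30", "2016-03-01 08:20", "2016-03-01 08:21"),
    ("c", 1, "2016-03-01 07:30", "2016-03-02 09:00", None),
    ("d", 1, "2016-03-01 07:30", None, None),
    ("e", 1, "2016-03-01 07:30", "2016-03-01 13:00", "2016-03-01 13:02"),
    ("a", 2, "2016-04-01 07:30", "2016-04-01 08:10", "2016-04-01 08:11"),
    ("b", 2, "2016-04-01 07:30", "2016-04-01 08:15", None),
    ("c", 2, "2016-04-01 07:30", "2016-04-01 10:00", None),
    ("d", 2, "2016-04-01 07:30", "2016-04-01 08:30", "2016-04-01 08:31"),
    ("e", 2, "2016-04-01 07:30", None, None),
    ("a", 3, "2016-05-02 07:30", "2016-05-02 08:00", "2016-05-02 08:01"),
    ("b", 3, "2016-05-02 07:30", None, None),
    ("c", 3, "2016-05-02 07:30", "2016-05-02 08:40", None),
    ("d", 3, "2016-05-02 07:30", None, None),
    ("e", 3, "2016-05-02 07:30", None, None),
    ("a", 4, "2016-06-01 07:30", "2016-06-01 08:30", None),
    ("b", 4, "2016-06-01 07:30", "2016-06-02 08:30", "2016-06-02 08:31"),
    ("c", 4, "2016-06-01 07:30", None, None),
    ("d", 4, "2016-06-01 07:30", None, None),
    ("e", 4, "2016-06-01 07:30", None, None),
]
LOG = [
    {"employee": e, "round": r, "sent": ts(s), "opened": ts(o), "responded": ts(p)}
    for e, r, s, o, p in RAW_EVENTS
]


def same_day_open_rate(log):
    """Share of opened simulations that were opened on the day they were sent."""
    opened = [ev for ev in log if ev["opened"]]
    same_day = [ev for ev in opened if ev["opened"].date() == ev["sent"].date()]
    return len(same_day) / len(opened)


def peak_response_hour(log):
    """Local hour in which most responses (clicks/data entry) happened."""
    hours = Counter(ev["responded"].hour for ev in log if ev["responded"])
    return hours.most_common(1)[0][0]


def susceptibility_by_round(log):
    """Responses divided by emails sent, per simulation round."""
    sent, responded = Counter(), Counter()
    for ev in log:
        sent[ev["round"]] += 1
        if ev["responded"]:
            responded[ev["round"]] += 1
    return {r: responded[r] / sent[r] for r in sorted(sent)}


def reduction_after_rounds(log):
    """Fractional drop in susceptibility between the first and the last round."""
    rates = susceptibility_by_round(log)
    return 1 - rates[max(rates)] / rates[min(rates)]


def repeat_response_ratio(log):
    """Later response rate of round-1 responders divided by that of round-1 non-responders."""
    first_round = min(ev["round"] for ev in log)
    responders = {ev["employee"] for ev in log if ev["round"] == first_round and ev["responded"]}
    later = defaultdict(lambda: [0, 0])  # group -> [responses, opportunities]
    for ev in log:
        if ev["round"] == first_round:
            continue
        group = "responder" if ev["employee"] in responders else "other"
        later[group][1] += 1
        later[group][0] += bool(ev["responded"])
    rate = {g: n / d for g, (n, d) in later.items()}
    return rate["responder"] / rate["other"]


if __name__ == "__main__":
    print("same-day open rate:", round(same_day_open_rate(LOG), 3))
    print("peak response hour:", peak_response_hour(LOG))
    print("susceptibility by round:", susceptibility_by_round(LOG))
    print("reduction first->last:", round(reduction_after_rounds(LOG), 3))
    print("repeat response ratio:", round(repeat_response_ratio(LOG), 2))
```

The repeat ratio is the one figure worth pausing on: it compares the later response rate of people who fell for round 1 against everyone else, which is the shape of the report's "67% more likely" claim, so a ratio of 2.0 on the constructed data would read as "100% more likely".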

Page 25:

Scenario Themes and Complexity

What is a Phishing Theme?

PhishMe’s term for a collection of email scenario templates that use the same context, motivation, or topic to elicit user action.

– Office Communication

– Employee Wellness

– Computer Updates

Page 26:

Theme Averages and Benchmarks

Page 27:

Top Emotional Motivators

The strongest emotional motivators (above 20% average) were related to connection and reward (e.g., winning a prize).

Top Motivators:

• Connection

• Reward

• Curiosity

• Urgency

• Fear

Page 28:

Most Popular Simulations…

Scenario              Type         %      Popularity  Primary Motivators
Sent From Phone       Attach (DB)  13.9   High        Curiosity, Urgency
Package Delivery      Click (BM)   18.43  High        Curiosity
Inbox Over the Limit  Click        19.7   High        Fear, Urgency
eCard Alerts          Click        25.98  High        Curiosity, Reward, Social
File from Scanner     Click        24.05  High        Curiosity
Order Confirmation    Click        17.38  High        Curiosity, Fear
Unauthorized Access   Data         29.16  High        Curiosity, Fear, Urgency
Password Survey       Data         16.58  Medium      Fear, Urgency
Awards Season         Click        5.6    Medium      Entertainment
Scanned File          Attach (BM)  16.95  Medium      Curiosity

Page 29:

Highly Susceptible Themes

Scenario                              Type       %      Popularity  Primary Motivators
Manager Evaluation                    Data       31.55  Low         Curiosity, Fear, Reward
Time Off Request - Negative Balance   Click      30.92  Medium      Fear, Urgency
Unauthorized Access (Adult-Oriented)  Data       30.02  Low         Curiosity, Fear, Urgency
Unauthorized Access                   Data       29.16  Medium      Curiosity, Fear, Urgency
Browser Update Required               Data (DB)  26.8   Low         Fear, Urgency
eCard Alerts                          Click      25.98  High        Curiosity, Reward, Social
Employee Raffle                       Data       25.85  Low         Reward
Financial Information                 Attach     25.5   Medium      Curiosity

Page 30:

Unauthorized Access 29.16% - Popular

Page 31:

Unauthorized Web Use: 30% - Low popularity

Page 32:

eCard Alerts – 29.58% - Popular

Page 33:

Manager Evaluation 31.55% - Low popularity

Page 34:

CREATING PHISHING AWARENESS

Page 35:

“Sit down, let me aware you about Phishing…”

Page 36:

Dear Awareness Professional, it’s not you…

Page 37:

PhishMe Content Team

Page 38:

Too Chinese…

Page 39:

Too Alluring…

Page 40:

Too American…

Page 41:

27 seconds…

Page 42:

Time spent improving “Awareness”

Page 43:

How is it that susceptibility rates decline?

• People don’t read the education

• Yet there is a consistent reduction in susceptibility

Page 44:

How is it that susceptibility rates decline?

• People don’t read the education

• Yet there is a consistent reduction in susceptibility

• People respond to emails quickly

• Empowered and encouraged users report

• IR & SOC teams get relevant and timely threat intelligence

Potential threat intelligence

Can resilient humans be threat detectors?
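The slide above argues that users who report suspicious email give IR and SOC teams timely intelligence. One way a SOC can turn a queue of such reports into something actionable, as an added example that is not PhishMe's or the deck's own code: group reports by sender domain plus a normalized subject (reply prefixes stripped, digit runs collapsed), rank the groups by how many people reported them, and pull URL hosts and attachment hashes out of groups that reached a minimum report count, leaving single reports for analyst review. The reports, addresses and hash strings are constructed placeholders.

```python
import re
from datetime import datetime

# Constructed user reports (addresses, subjects and hash strings are made-up placeholders).
REPORTS = [
    {"reporter": "alice", "at": "2016-04-12 08:02", "sender": "billing@invoice-notice.example",
     "subject": "Invoice 4471 attached", "urls": [], "attachment_sha256": "PLACEHOLDER-HASH-A"},
    {"reporter": "bob", "at": "2016-04-12 08:04", "sender": "billing@invoice-notice.example",
     "subject": "RE: Invoice 4472 attached", "urls": [], "attachment_sha256": "PLACEHOLDER-HASH-A"},
    {"reporter": "carol", "at": "2016-04-12 08:10", "sender": "accounts@invoice-notice.example",
     "subject": "Invoice 4490 attached", "urls": [], "attachment_sha256": "PLACEHOLDER-HASH-B"},
    {"reporter": "dave", "at": "2016-04-12 09:30", "sender": "it@example.com",
     "subject": "Mailbox over quota", "urls": ["http://login.peypal.net/quota"], "attachment_sha256": None},
    {"reporter": "erin", "at": "2016-04-12 09:31", "sender": "it@example.com",
     "subject": "Mailbox over quota", "urls": ["http://login.peypal.net/quota"], "attachment_sha256": None},
    {"reporter": "frank", "at": "2016-04-12 11:00", "sender": "newsletter@vendor.example",
     "subject": "April newsletter", "urls": ["https://vendor.example/news"], "attachment_sha256": None},
]

PREFIX_RE = re.compile(r"^\s*(?:(?:re|fw|fwd)\s*:\s*)+", re.IGNORECASE)
DIGITS_RE = re.compile(r"\d+")
HOST_RE = re.compile(r"^https?://([^/?#]+)", re.IGNORECASE)


def normalize_subject(subject):
    """Strip reply/forward prefixes and collapse digit runs so campaign variants cluster together."""
    return DIGITS_RE.sub("#", PREFIX_RE.sub("", subject)).strip().lower()


def triage(reports):
    """Group reports into campaigns keyed by sender domain + subject pattern, most-reported first."""
    clusters = {}
    for r in reports:
        key = (r["sender"].rsplit("@", 1)[-1].lower(), normalize_subject(r["subject"]))
        c = clusters.setdefault(key, {
            "sender_domain": key[0], "subject_pattern": key[1], "reports": 0,
            "reporters": set(), "first_seen": None, "hosts": set(), "hashes": set(),
        })
        c["reports"] += 1
        c["reporters"].add(r["reporter"])
        seen = datetime.strptime(r["at"], "%Y-%m-%d %H:%M")
        if c["first_seen"] is None or seen < c["first_seen"]:
            c["first_seen"] = seen
        for url in r["urls"]:
            m = HOST_RE.match(url)
            if m:
                c["hosts"].add(m.group(1).lower())
        if r["attachment_sha256"]:
            c["hashes"].add(r["attachment_sha256"])
    return sorted(clusters.values(), key=lambda c: (-c["reports"], c["first_seen"]))


def iocs(clusters, min_reports=2):
    """Collect hosts and hashes from campaigns that enough people reported independently."""
    out = set()
    for c in clusters:
        if c["reports"] >= min_reports:
            out |= c["hosts"] | c["hashes"]
    return out


if __name__ == "__main__":
    campaigns = triage(REPORTS)
    for c in campaigns:
        print(c["reports"], c["sender_domain"], c["subject_pattern"], c["first_seen"])
    print("IOCs:", sorted(iocs(campaigns)))
```

The minimum-report threshold is what separates "three colleagues flagged the same invoice lure within eight minutes" from one person reporting a vendor newsletter; the former is worth blocking on its hashes and hosts straight away, the latter goes to an analyst.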

Page 45:

What customers tend to focus on

Page 46:

Results: Conditioning vs. Awareness

Page 47:

Yes!

Page 48:

IS PHISHING AWARENESS THE PROBLEM?

A survey conducted on the basics of Phishing…

Page 49:

Introduction – Survey Demographics

• PhishMe carried out a contracted survey in March 2016

• Sample: 216 US office workers who use email (outside of the IT & Security department)

• Opening Question: Phishing is a term used to describe a deceptive email designed to infect your computer or steal your passwords. Were you already aware of that before reading this definition?

• Four follow-up questions about phishing tactics

– Did you know that clicking a misleading link in an email has the potential to infect your computer?

– Did you know an email taking you to a deceptive website designed to trick you into entering your username and password is also known as phishing?

– Did you know opening an attachment has the potential to infect your computer?

– How far do you agree / disagree with the following statement? ‘Mobile devices are equally susceptible to phishing as PCs’

Page 50:

Spoiler: They are aware of phishing

‘Phishing’ is a term used to describe a deceptive email designed to infect your computer or steal your passwords. Were you already aware of that before reading this definition?

[Bar chart: Yes vs. No, 0–100%]

– Yes: 94.4% aware

– No: 5.6% not

Page 51:

Based on your knowledge of phishing emails today, please answer the following:

Did you know that clicking a misleading link in an email has the potential to infect your computer?

– Yes 98.1%

– No 1.9%

Did you know an email taking you to a deceptive website designed to trick you into entering your username and password is also known as phishing?

– Yes 91.2%

– No 8.8%

Did you know opening an attachment has the potential to infect your computer?

– Yes 97.2%

– No 2.8%

Page 52:

Bonus Question

How far do you agree / disagree with the following statement? ‘Mobile devices are equally susceptible to phishing as PCs’

– Strongly agree 58.8%

– Slightly agree 31.5%

– Slightly disagree 9.3%

– Strongly disagree 0.5%

90.3% agree (strongly or slightly)

Page 53:

Key Findings: Aware, but vulnerable

• 94.4% are aware of phishing

– Some confusion remains about mobile and other attack vectors

Awareness is not the problem

Page 54:

What do phishing simulations accomplish?

So you do awareness, but better?...

Page 55:

Changing Behavior Ain’t Eazy…

Page 56:

K3wp doesn’t like me… reddit/r/netsec

Aaronhigbee wrote: If you think that conditioning humans to avoid phishing should be part of every organization's security hygiene... I'll raise a beer and toast you. Not everyone agrees.

K3wp responds:

I absolutely do not agree. You should be designing systems and networks that cannot be compromised via phishing attacks vs. trying to train a bunch of useless meat tubes to be competent.

Page 57:

Security Engineers want to Engineer

Page 58:

Behave Humans!

• For many it’s an intellectual challenge

– When the human doesn’t conform to the system as designed, they want to fix their Engineering mistake. They want to contain it. When they can’t, they get upset. They blame the human. Not their system.

Page 59:

What does history say?

Page 60:

Page 61:

Optical Sensors

Defeating coin optical sensors: Shaved Coins

Page 62:

Defeating Optical sensors

Light Wand aka Monkey Paw

Page 63:

• File.exe

• File.scr

• File.zip

• File.cab

• …

• http://Dropbox.com/file.exe
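The list above traces how attachment blocking became a moving target: block .exe, then .scr, then archives, and the payload moves to a hosted link. As an added example (not from the deck), here is the name-only blocklist beside a content-based check that classifies bytes by their leading signature, descends into zip archives and refuses members it cannot inspect, plus a check that routes executable links to detonation rather than trusting the hosting domain. The samples are constructed: the "executable" is a byte string with an MZ prefix and filler, not real code, and the signature table is a deliberately small subset.

```python
import io
import re
import zipfile

# The historical control: a list of extensions to block (assumption: this policy).
BLOCKED_EXTENSIONS = (".exe", ".scr", ".cab")
# Leading-byte signatures this checker recognises (constructed subset, not exhaustive).
MAGIC = {b"MZ": "pe-executable", b"MSCF": "cab", b"PK\x03\x04": "zip"}
EXECUTABLE_LINK_RE = re.compile(r"^https?://[^?#]*\.(exe|scr|cab)(?:[?#]|$)", re.IGNORECASE)


def name_verdict(filename):
    """Old control: decide purely from the file name."""
    return "block" if filename.lower().endswith(BLOCKED_EXTENSIONS) else "allow"


def sniff(data):
    """Classify a byte string by its leading bytes, ignoring the name entirely."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "other"


def content_verdict(data, depth=0, max_depth=3):
    """Decide from content; recurse into zip members and refuse what cannot be inspected."""
    kind = sniff(data)
    if kind in ("pe-executable", "cab"):
        return "block"
    if kind == "zip":
        if depth >= max_depth:
            return "block"  # nested too deeply to analyse: treat as hostile
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.flag_bits & 0x1:
                        return "block"  # encrypted member: contents are opaque
                    if content_verdict(zf.read(info), depth + 1, max_depth) == "block":
                        return "block"
        except zipfile.BadZipFile:
            return "block"  # malformed archive: do not guess
    return "allow"


def link_verdict(url):
    """A link to an executable goes to detonation regardless of the hosting domain."""
    return "detonate" if EXECUTABLE_LINK_RE.match(url) else "allow"


def build_zip(members):
    """Build an in-memory zip from {name: bytes} for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed stand-in for an executable: MZ header plus filler, not real code.
FAKE_PE = b"MZ" + b"\x00" * 62 + b"constructed placeholder body"
SAMPLES = {
    "invoice.pdf": FAKE_PE,                                      # executable renamed to look like a PDF
    "invoice.zip": build_zip({"invoice.pdf": FAKE_PE}),          # same thing inside an archive
    "minutes.zip": build_zip({"minutes.txt": b"meeting notes"}),  # benign archive
    "nested.zip": build_zip({"inner.zip": build_zip({"setup.scr": FAKE_PE})}),
}


def scan_all(samples=SAMPLES):
    """Return {filename: (name_verdict, content_verdict)} to show where the two disagree."""
    return {name: (name_verdict(name), content_verdict(data)) for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdicts in scan_all().items():
        print(f"{name:12s} by name: {verdicts[0]:5s} by content: {verdicts[1]}")
    print("link:", link_verdict("http://Dropbox.com/file.exe"))
```

Every sample passes the name check and only the benign archive passes the content check; the encrypted-member and depth branches are the ones that matter in practice, because "password zip it" and double-wrapping are exactly the moves the Delivery slide lists.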

Page 64:

Consider the malware sandbox…

Page 65:

My Reaction

(sure you do)

“We STOP Phishing!”

Page 66:

How does your security sandbox stop this?

Or This?

Page 67:

Predictable response

After the tantrum is over… they blame the user

“the human is the weakest link”

“PEBKAC”

Page 68:

Thinking Fast and Slow

• Nobel Prize Winner in Behavioral Economics

• System 1: Intuitive brain process

– Operates automatically

• System 2: Deliberate thinking process

– Requires effort

*Not Bernie Sanders

Page 69:

How many emails do we process daily?

• Receive ~71 legit emails

• Send 41 emails

• Must mentally discard 13 emails

• Assume 2 hours of meetings and 1 hour lunch break

• We perform 33 email related tasks per hour

• Source: http://www.radicati.com/wp/wp-content/uploads/2014/01/Email-Statistics-Report-2014-2018-Executive-Summary.pdf

Page 70:

Consider the following…

2+2 = ?

10 x 2 = ?

1+8 = ?

7+4 = ?

5+5 = ?

85 x 97 = ?

Page 71:

Another example…

LEFT

LEFT LEFT

LEFT

LEFT

Right

Right Right

Right

Right

Page 72:

Another example…

LEFT

LEFT

LEFT

Right LEFT

Right

Right LEFT

LEFT

Right

Page 73:

System 1 and 2 are always active

Page 74:

Page 75:

This should not trigger System 2

Page 76:

This should trigger System 2

Page 77:

System 1 to System 2 Success!

Page 78:

So what you are saying is…

Simulations create experiences using tactics similar to real phishing emails to jolt repetitive, lazy, intuitive cognitive functions into a deliberate thinking process that requires effort!

Page 79:

System 1 Recently Failed Me

Page 80:

Failure in System 1

• Wow, This is a nice hotel! The bathroom is so clean.

• (washing my hands now)

– Hrm, no urinals?

• Hrm, what is this thing for?

• I have made a critical mistake

Page 81:

You admit some useless meat tubes will fail!

Page 82:

“Can’t fix stupid” “The weakest link”

Page 83:

Conclusions

• Good news! Phishing awareness is solved

• Bad news! We are still susceptible to phishing

• Somewhere, some technology vendor is creating an Advanced Machine Learning - Hadoop clustering engine to perform User Behavior Analytics to end the Phish Du Jour.

• Or you could consider conditioning the user to avoid and detect tomorrow's attacks, today.