Good Stuff Happens in 1:1 Meetings: Why you need them and how to do them well
Protect your organization from phishing attacks
1. Protect Your Organization from
Phishing Threats
Andy Rappaport, Chief Architect
Tom Smit, Customer Experience Manager
PA G E
2. Agenda
•
•
•
•
•
The Evolving Phishing Threat
Attacker’s mentality - What CORE’s penetration testers tell us
5 minute Identity Harvest Challenge
Best Practices – What You Can Do
Organizational Preparedness with CORE Insight
PA G E 2
3. Phishing is Not the Same as Spam
• Spam: Unwanted email (and possibly texts)
• Phishing: malicious email – social engineering attack
− Pretending to be from someone you trust
− Designed to look like legitimate email from a trusted source.
• Types of Phishing:
− Spear Phishing – Targets select individuals
− Clone Phishing – use previous emails to create legitimate appearances
while changing the links in the email. Use existing trust.
− Long-lining – Mix of large volume of highly customized emails –
intended to defeat filter-type defenses.
PA G E 3
4. The Evolving Phishing Threat
• Frequency is declining1 but sophistication is increasing
• Spearphishing effectiveness has significantly increased2
• $1.5 Billion – total loses from phishing in 20123
• Why? Lowered barriers to achieve online trust
− Decreased face-to-face contact: remote offices, outsource, partners, social nets
− Tech by-pass the human: Single-sign-on, federation, browsers save a password
− Mixed personas (personal & biz): BYOD.
Sources
1. Anti-phishing Working Group Attack Trend Reports: http://www.antiphishing.org/resources/apwg-reports/
2. http://threatpost.com/spear-phishing-remains-preferred-point-entry-targeted-persistent-attacks-113012
3. http://www.emc.com/collateral/fraud-report/rsa-online-fraud-report-012013.pdf
PA G E 4
5. What CORE’s Pen. Testers Tell Us
• Social Engineering is the preferred attack vector.
• Users are easier: “We can always phish someone [in an
engagement.] Its just a matter of how hard we need to try.”
• Establish, escalate and leverage trust: “until you get
someone [or something] you want”.
• Value of compromising an identity
− Email account: send email as them leverage their trust network
− Browser or host: passwords logon as them
Note the significance of trust in each statement.
PA G E 5
6. What CORE’s Pen. Testers Tell Us – The Approach
• Establish trust with non-threating message to small group.
− We have been experiencing some errors with the XYZZY system. Sorry
for any inconvenience.
− We are scheduling an upgrade for the XYZZY system.
• … then send the Phish email
− Sorry. Please use this temporary XYZZY system <some link>
• Make it look right
− Use corporate branding / images. Duh.
• Personalize - if possible
− Title: Attendee list for your XYZZY conference keynote
o (A person’s future conference schedule might be easy to discover)
PA G E 6
7. Try the 5 Minute Identity Harvest Challenge
• Pick an important corporate user – your company or another
• Search for just 5 minutes to get spear-phish info
• Pick a few places to look:
−
−
−
−
−
Corporate site, news
Financial: scheduled stock trades
Search engine: blogs, conferences, speeches, planned travel
Social: Linked-in (college – home-coming), Facebook (social, family)
Physical Addresses: work, home, vaca
What could an attacker do with more time?
PA G E 7
8. Phish Defenses – What You Can Do
• Defend - Technology deployments
Blacklisting known phishing sites
Spam filters
Anti-virus software
• Educate - User awareness
− Regular 2-way communication. Make humans part of your sensor network.
− Share real-world examples
• Understand the risk - Establish Policy
− Ex: CSR or IT password reset – are they being helpful or insecure?
− Zip files through the firewall?
− Mixing personal and business.
• Test and measure your own exposure and risk
− Test your own defenses
− Hands-on employee assessments
PA G E 8
GOTCHA!
9. Self-Phishing Best Practices
• Goal: Understand and lower phish risk
• Systematic testing
− Data-driven. Objective.
− Create an easily-repeatable process
− Not a one-time gotcha. (Hook-and-release)
• Test people and defenses/controls
• Different levels of sophistication
Assess
Test
Improve
− E.g. obvious form letter; targeted message w/specific but publicallyavailable information
PA G E 9
10. Benefits of Self-Phishing
Data-driven Security - Goals-questions-metrics
• Goal: understand/measure own risk from phish exposure.
• Questions:
−
−
−
−
Does the A/V on our IT ‘golden images’ detect spam/phish messages.
Do our defenses provide useful clues to employees?
Which of our users are susceptible to phishing?
How much does our user awareness program reduce the risk?
• Metrics: Understanding effectiveness of your training
− Measure over time and identify areas to improve
− Approach: Mix baselines (Nigerian prince) with more focused
(spearphish)
• Identify users and groups who need additional education
− Adequately trained? New hires? Admins? IT? Devs?
PA G E 1 0
12. Insight Can Assess Over Time
Investments in training has
proven productive.
On going evaluation is
critical to minimizing risk.
PA G E 1 2
Next quarter’s focus can be
clearly identified.
13. Insight Identifies Critical Areas
Identify current weaknesses
in an organization.
Campaigns focus on different users.
•
•
•
PA G E 1 3
Marketing Executives
Contractors
Web Developers
Focus limited resources
on more critical activities
14. Insight Builds Focused Campaigns
Clone Phishing
Spear Phishing
General Phishing
First Generic Bank <accounts@firstgenericbank.com
Please update your account information
Mar 12, 2013 3:23PM PST
PA G E 1 4