InfoSec World 2015: Who clicked Who Cares?
InfoSec World 2015: Who clicked Who Cares?

• A history of breaches and why even companies with massive awareness programs are still getting compromised
• Why phishing exercises and user awareness programs are not enough to stop the attacks
• How to effectively phish for relevant metrics
• Learn to analyze the real attack surface of phishing and social engineering attacks
• How to stop pouring money on the fire and start empowering employees

Giving the users the tools and protections needed to combat phishing.

New metrics to be tracking when trying to understand the likelihood of a phishing campaign compromising your enterprise, and EXACTLY what you need to do to stop it.

InfoSec World 2015: Who clicked Who Cares?

  1. Who Clicked? Who Cares? (24 March 2015, right now). Chris Nickerson, Founder, Lares
  2. hi. =)
  3. Thanks
  4. • Cursing
     • Racism
     • Religious prejudice
     • Sex
     • Drugs
     • Daddy / abandonment issues
     • Socio-economic hate crimes
     • Thin skin
     • Lack of sense of humor
     • Sexual orientation
     • Sexism
     • Violence
     • Vomiting
     • Abuse
     • Truth
     • Honesty
     • Facts
  5. Anyway...
  6. I'm Chris, AKA @indi303. cnickerson@laresconsulting.com, https://vimeo.com/laresconsulting, http://www.scribd.com/Lares_
  7. LARES
  8. Custom services: OSINT, SIGINT, TSCM / bug sweeping, exploit development, tool creation, attack planning, offensive consultation, adversarial intelligence, competitive intelligence, attack modeling, business chain vulnerability assessments, custom physical bypass tool design, reverse engineering, other stuff I can't write down...
  9. What Do We Know? www.socalengineer.org
 10. Dumpster Diving
 11. Shoulder Surfing
 12. Phishing
 13. Target PHONE Support Staff
 14. Human Resources
 15. Smoking is Bad
 16. Transit Systems
 17. Social Functions
 18. Client Side Attacks
 19. "But that's not phishin', Chris... Phishing is all about EMAIL!"
 20. Directed Phishing
 21. Lather: choose an attack. Rinse: send out an attack, get basic metrics. Repeat: send them a CBT (computer-based training module) and phish them again.
 22. CLICKS
 23. huh?
 24. (no text on slide)
 25. (no text on slide)
 26. PHISHING CLICK RATIO
 27. What's it about then?
     • Training
     • Metrics
     • Testing of layered defense
     • Creating durability
     • Testing identification skills
     • EXPERIENCE
     • Solidarity
     • USER EMPOWERMENT
     • BUSINESS
 28. (no text on slide)
 29. "If it weren't for the users we would be secure" – Some idiot in infosec who should have taken a job as a used car salesperson
     "Users are our BIGGEST vulnerability" – Some infosec "professional" who doesn't know what vulnerability means
 30. (no text on slide)
 31. (no text on slide)
 32. Intelligence Leakage
     • Contact info
     • Emails [userID]
     • Phone numbers
     • Metadata
     • Dox reference checks
     • Pastebin, support forums, wikis, etc.
 33. Mail Configuration
     • Pure vanilla spoof (forged internal address sent from the Internet)
     • Validate/verify addresses: recipient and sender
     • MX, SPF, RBL, spam
     • Block known bad senders / blacklists
     • Throttle after X in an hour
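The first item on the Mail Configuration slide, the "pure vanilla spoof", is a test you can pre-screen before sending anything: a forged internal From: address only gets rejected if the domain publishes SPF and DMARC records that fail for an outside sender and the gateway enforces them. The script below is an added example, not code from the talk or from Lares. It evaluates SPF (ip4/ip6/include/all only) and the DMARC p= tag against a constructed in-memory DNS table; the domain names, addresses and the FAKE_DNS table are hypothetical, and txt_records() is the one function to swap for a real resolver query.

```python
"""Will a receiver reject a message whose From: is @domain but which arrives
from an Internet host the domain never authorised?  Added example, not from
the talk.  FAKE_DNS is constructed so this runs offline; replace txt_records()
with a dns.resolver lookup to test a real domain."""
import ipaddress

FAKE_DNS = {  # hypothetical domains and records
    # hardened: authorised range + vendor include, hard fail, DMARC reject
    "example-corp.test": ["v=spf1 ip4:203.0.113.0/24 include:_spf.mailvendor.test -all"],
    "_spf.mailvendor.test": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "_dmarc.example-corp.test": ["v=DMARC1; p=reject; rua=mailto:dmarc@example-corp.test"],
    # SPF hard fail but no DMARC: rejection depends on the receiver honouring -all
    "spfonly-corp.test": ["v=spf1 ip4:203.0.113.0/24 -all"],
    # neutral ?all and no DMARC: the spoof is delivered
    "weak-corp.test": ["v=spf1 ip4:203.0.113.0/24 ?all"],
    # nothing published at all
    "nospf-corp.test": [],
}

QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def txt_records(name):
    return FAKE_DNS.get(name, [])


def spf_record(domain):
    recs = [r for r in txt_records(domain) if r.lower().startswith("v=spf1")]
    return recs[0] if len(recs) == 1 else None  # 0 or >1 records: no usable policy


def spf_result(domain, sender_ip, depth=0):
    """SPF verdict for sender_ip: pass/fail/softfail/neutral/none/permerror.
    Implements ip4, ip6, include and all; a/mx/ptr/exists/redirect are
    treated as non-matching, which is enough for the demo table."""
    if depth > 10:
        return "permerror"  # RFC 7208 lookup limit
    rec = spf_record(domain)
    if rec is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in rec.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIER:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech in ("ip4", "ip6"):
            try:
                matched = ip in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
        elif mech == "include":
            matched = spf_result(arg, sender_ip, depth + 1) == "pass"
        elif mech == "all":
            matched = True
        else:
            matched = False
        if matched:
            return QUALIFIER[qual]
    return "neutral"  # record ends without an 'all' term


def dmarc_policy(domain):
    """The p= tag ('none', 'quarantine', 'reject'), or None if nothing is published."""
    for rec in txt_records("_dmarc." + domain):
        if rec.lower().startswith("v=dmarc1"):
            tags = dict(t.strip().split("=", 1) for t in rec.split(";") if "=" in t)
            return tags.get("p", "none").lower()
    return None


def spoof_verdict(domain, sender_ip):
    """What a DMARC-enforcing receiver does with a forged @domain message from
    sender_ip that carries no DKIM signature from the domain."""
    spf = spf_result(domain, sender_ip)
    policy = dmarc_policy(domain)
    if spf == "pass":
        return "accepted"  # sender is authorised: not a spoof as far as SPF can tell
    if policy == "reject":
        return "rejected"  # no aligned SPF pass and no DKIM, so the DMARC policy applies
    if policy == "quarantine":
        return "quarantined"
    if spf == "fail":
        return "receiver-dependent"  # -all but no DMARC: blocked only if the gateway acts on SPF fail
    return "delivered"  # softfail/neutral/none with no policy: lands in the inbox


if __name__ == "__main__":
    for dom in ("example-corp.test", "spfonly-corp.test", "weak-corp.test", "nospf-corp.test"):
        print(f"{dom:20} from 192.0.2.10 -> {spoof_verdict(dom, '192.0.2.10')}")
```

Two caveats a practitioner will want. First, "rejected" here assumes the receiving gateway enforces DMARC for the organisation's own domain on inbound mail; a gateway that exempts internal addresses (one of the "exceptions" on the next slide) delivers the forgery regardless of what DNS says, which is exactly why the slide calls for sending the spoof rather than trusting the records. Second, the verdict only covers exact-domain forgery; a look-alike domain the attacker registers has its own SPF and passes cleanly.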
 34. Spam/Proxy Configuration
     • In-line spam detection
     • Proxy in use
     • Content inspection
     • Content filtering
     • Exceptions
     • Inspect (decrypt) SSL
 35. Malicious Attachments/Content
     • Malicious attachments: Java applet, Excel macros, calendar invites, PDFs, executables and more
     • Linked (hosted) executables
 36. Browser Attacks
     • Corporate standards
     • Vulnerable type/version
     • Frame injection / keyloggers
     • 3rd party add-ons / plugins
     • Mobile platforms
     • Credential theft (SCORING)
     • Integration with red team
 37. Malicious Detection
     • IPS/NIPS/HIPS
     • AV process protection
     • 100% coverage
     • File integrity monitoring
     • System process protection
     • Injection
     • Migration
 38. Ingress/Egress Filtering
     • Can an attacker call home?
     • What are all the ways?
 39. On Device Vulnerability
     • Does the user have rights?
     • Can you priv esc?
     • Can you get to the "Mothership"?
     • Is there IP I can take?
     • Can I pivot and "go for the gold"?
 40. Post Phish Value
     • Did your IR team catch it?
     • How long did it take to kick in response?
     • How effective was the response?
     • Are there skill gaps?
     • What do you need to do to close the gaps?
 41. What other metrics do you need to be tracking to make informed decisions and ACTUALLY reduce the risk of phishing?
 42. REAL METRICS, REAL DECISIONS
     • User data (demographics): user role, position, paygrade, education level, etc.
     • Automated defensive measurements
     • Technology effectiveness
 43. REAL METRICS, REAL DECISIONS
     • Response timing
     • Time for emails to get delivered
     • Time till first detection
     • Time till enterprise notification
     • Time required to create incident team
     • Time to identify threat vectors
     • Time required to identify/quarantine threat
     • Time to analyze indicators accurately
     • Mean time to incident eradication
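Slides 40, 42 and 43 ask for metrics that a click ratio cannot give: who clicked by role or paygrade, whether IR caught it, and how long each step of the response took. The script below is an added example, not from the talk or from Lares, showing how those numbers fall out of one campaign event log. The user table, the log lines and the event names (sent, delivered, clicked, reported, ir_ticket_opened, enterprise_notified, url_blocked, eradicated) are all constructed for the demo; the first user report is taken as "first detection".

```python
"""Campaign metrics beyond click ratio: clicks by demographic, and how fast
the defensive chain (user report -> IR ticket -> enterprise notice ->
quarantine -> eradication) moved.  Added example, not from the talk; the
users, log and event names are constructed for the demo."""
from collections import defaultdict
from datetime import datetime

# Constructed target list with the demographic cut slide 42 asks for.
USERS = {
    "u1": {"role": "finance", "paygrade": "G5"},
    "u2": {"role": "finance", "paygrade": "G3"},
    "u3": {"role": "engineering", "paygrade": "G4"},
    "u4": {"role": "engineering", "paygrade": "G4"},
    "u5": {"role": "helpdesk", "paygrade": "G2"},
    "u6": {"role": "engineering", "paygrade": "G3"},
}

# Constructed event log: "<time> <event> <user, or - for enterprise-level events>".
LOG = """
09:00:00 sent u1
09:00:00 sent u2
09:00:00 sent u3
09:00:00 sent u4
09:00:00 sent u5
09:00:00 sent u6
09:00:05 delivered u1
09:00:05 delivered u2
09:00:07 delivered u3
09:00:07 delivered u4
09:01:30 delivered u5
09:01:30 delivered u6
09:02:10 clicked u1
09:02:55 clicked u5
09:03:30 reported u4
09:06:00 clicked u2
09:09:45 reported u3
09:18:00 ir_ticket_opened -
09:45:00 enterprise_notified -
09:50:00 clicked u6
10:02:00 url_blocked -
11:30:00 eradicated -
"""


def parse_log(text, day="2015-03-24"):
    """Turn log lines into (timestamp, event, user) tuples, oldest first."""
    events = []
    for line in text.strip().splitlines():
        clock, name, user = line.split()
        stamp = datetime.fromisoformat(f"{day}T{clock}")
        events.append((stamp, name, None if user == "-" else user))
    return sorted(events, key=lambda e: e[0])


def first(events, name):
    """Timestamp of the first `name` event, or None if it never happened."""
    return next((t for t, n, _ in events if n == name), None)


def minutes(start, end):
    return None if end is None else (end - start).total_seconds() / 60


def response_timeline(events):
    """Slide 43's timing metrics, in minutes from the first send."""
    start = first(events, "sent")
    last_delivered = max((t for t, n, _ in events if n == "delivered"), default=None)
    return {
        "delivery_complete_min": minutes(start, last_delivered),
        "time_to_first_detection_min": minutes(start, first(events, "reported")),
        "time_to_incident_team_min": minutes(start, first(events, "ir_ticket_opened")),
        "time_to_enterprise_notification_min": minutes(start, first(events, "enterprise_notified")),
        "time_to_quarantine_min": minutes(start, first(events, "url_blocked")),
        "time_to_eradication_min": minutes(start, first(events, "eradicated")),
    }


def click_exposure(events):
    """How many clicks beat each defensive milestone: the window the attacker really had."""
    never = datetime.max  # milestone that never happened
    detection = first(events, "reported") or never
    notified = first(events, "enterprise_notified") or never
    blocked = first(events, "url_blocked") or never
    clicks = [t for t, n, _ in events if n == "clicked"]
    return {
        "total_clicks": len(clicks),
        "before_first_detection": sum(t < detection for t in clicks),
        "after_enterprise_notification": sum(t >= notified for t in clicks),
        "after_quarantine": sum(t >= blocked for t in clicks),
    }


def rate_by(events, users, attr, action):
    """Per-group (done, total, rate) for an action such as 'clicked' or 'reported'."""
    acted = {u for _, n, u in events if n == action}
    groups = defaultdict(lambda: [0, 0])
    for user, info in users.items():
        groups[info[attr]][1] += 1
        groups[info[attr]][0] += user in acted
    return {k: (done, total, round(done / total, 3)) for k, (done, total) in groups.items()}


if __name__ == "__main__":
    ev = parse_log(LOG)
    print("click ratio (the vanity number):", f"{click_exposure(ev)['total_clicks']}/{len(USERS)}")
    print("clicked by role:", rate_by(ev, USERS, "role", "clicked"))
    print("reported by role:", rate_by(ev, USERS, "role", "reported"))
    print("response timeline:", response_timeline(ev))
    print("click exposure:", click_exposure(ev))
```

In the constructed run the click ratio is 4/6, which says nothing actionable; the other numbers do. Finance clicked at 100% while engineering reported at 67%, so the training spend has an obvious target. The first user report landed 3.5 minutes in, but the enterprise notice went out at 45 minutes and the URL was blocked at 62, and one user still clicked after the notice, which is a process and tooling finding, not a user finding. Those are the gaps slide 40 asks you to close.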
 44. FOLLOW THROUGH
     • After we analyze metrics we need to make a REAL plan to stop this from happening the SAME way again
     • Increased user training
     • Increased technology and automated defenses
     • Process improvement opportunities
     • Blue team improvement
     • IR process review
     • War boarding advanced threat
     • Always asking: WHAT IF we didn't get it ALL?
 45. THANK YOU! [Chris Nickerson, cnickerson@lares.com] Please remember to fill out your session evaluation forms!
