Anatomy of a Phish
Derek Rush, Manager
September 5, 2017
Today’s Agenda
The anatomy of a phishing attack and what IT can do to help prevent, detect, and respond to phishing campaigns.
One phish, two phish, red phish, blue phish
• Phishing
  • Generic attempts via email to acquire sensitive information by tricking users.
• Vishing
  • Cold calls to an entity attempting to trick the recipient of the phone call into performing some action.
• Spear phishing
  • Targeted phishing attempts aimed at specific individuals or groups within an organization, where the attempts are personalized to increase credibility.
• Whaling
  • Highly targeted attempts using email as the communication medium to gather sensitive information from high-value individuals within an organization.
High Level Overview of Phishing
• Today we’ll be focusing on how a threat actor may achieve the initial foothold on a corporation’s systems.
The Initial Foothold – One Approach
Let’s bring the phishing process to life by going through a process from the start with a fake company called False, Inc. How does this process begin?
• Research False, Inc. to understand organizational structure, business drivers, vendors, employees’ social media content, and other information repositories.
• Initial reconnaissance is the most important step
  • Reveals phishing approaches that would likely succeed
  • Technical and non-technical in nature
  • LinkedIn, PGP keys, corporate websites, search engines, whois points of contact, identifying remote access services, Facebook, Instagram, Twitter, GitHub, professional resumes, document metadata, SEC filings, and other publicly available information.
The Initial Foothold – One Approach
Now that we know a lot about the company and likely have some good phishing approaches that are likely to succeed, let’s get a list of emails.
• Obtain email addresses for the company by harvesting publicly available emails and “mangling” known employee names.
  • Some clients prefer us to gather our own email addresses for a more real-world attack scenario.
  • Some clients prefer to communicate a list of employee emails for testing, to test the effectiveness of corporate security awareness campaigns.
  • Once the syntax of one corporate email is known, employee names can be mangled to the syntax of corporate email to derive a list of employees to phish.
The Initial Foothold – One Approach
Now that we have knowledge of the company, internal personnel, and a list of emails, let’s figure out where our email should come from.
• Purchase a domain name similar to false.com or to a company that False, Inc. does business with, and select a person for the emails to be sent from.
  • Usage of tools can help identify mangled domain names if our approach involves creating an email that appears as if it is from someone internal to the company being phished.
  • When we identified known vendors during the reconnaissance portion, we could also register mangled vendor domains such as microsofton1ine.com, trustvvave.com, or even lbnnc.com.
• Are we sending the message from a Director of IT, from the account rep at a vendor, perhaps from a headhunter from a fake recruiting firm to HR, or from a business development analyst to their supervisor?
How To: Mangling a Domain – Part 1
Mangling a domain is a common technique for phishermen to use when they want their message to appear as if it’s from someone at a given company. Here’s an example of what mangling a domain looks like:
How To: Mangling a Domain – Part 2
Mangling a domain can be performed with multiple tools. In the first example, URLCrazy was used against false.com and came up with 74 mangled domains. The next example is from DNSTwist, which came up with 138 variants.
How To: Mangling a Domain – Part 3
Mangling a domain consists of taking a list of known ways to mistype a domain while still having it resemble the original domain. Here are the techniques used for false.com by both URLCrazy and DNSTwist. These of course aren’t all the possibilities, but this is a great starting place.
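As an added example (not from the deck, and not the output of URLCrazy or DNSTwist), the Python below builds a small set of lookalike domains for a protected domain using a handful of the same mistyping techniques the tools use (homoglyph swaps such as l to 1, w to vv and m to nn, omitted letters, transposed letters, repeated letters, and TLD swaps) and then puts that set to defensive use: it scans constructed mail-gateway log lines and flags inbound senders whose domain is a lookalike of the company’s own domain or of a known vendor’s. The company domain false.com is the deck’s fictional one, the vendor domain trustwave.com is assumed from the deck’s trustvvave.com example, and the log format and substitution table are assumptions of this example.

```python
import re

# Substitutions that look alike in common fonts. The deck's own examples
# (microsofton1ine, trustvvave, lbnnc) are instances of these. This table is
# an assumption of this example, not the list used by URLCrazy or DNSTwist.
HOMOGLYPHS = {
    "l": ["1", "i"],
    "i": ["1", "l"],
    "o": ["0"],
    "e": ["3"],
    "a": ["4"],
    "s": ["5"],
    "w": ["vv"],
    "m": ["rn", "nn"],
    "rn": ["m"],
}

# TLDs a victim might plausibly confuse with the real one (assumed).
SWAP_TLDS = ["com", "net", "org", "co"]


def split_domain(domain):
    """'false.com' -> ('false', 'com')."""
    label, _, tld = domain.lower().rpartition(".")
    return label, tld


def homoglyph_variants(label):
    out = set()
    for src, repls in HOMOGLYPHS.items():
        start = 0
        while True:
            idx = label.find(src, start)
            if idx == -1:
                break
            for r in repls:
                out.add(label[:idx] + r + label[idx + len(src):])
            start = idx + 1
    return out


def omission_variants(label):
    return {label[:i] + label[i + 1:] for i in range(len(label))}


def transposition_variants(label):
    return {label[:i] + label[i + 1] + label[i] + label[i + 2:]
            for i in range(len(label) - 1)}


def repetition_variants(label):
    return {label[:i] + label[i] + label[i:] for i in range(len(label))}


def lookalike_domains(domain):
    """Return the set of lookalike domains for one protected domain."""
    label, tld = split_domain(domain)
    labels = set()
    labels |= homoglyph_variants(label)
    labels |= omission_variants(label)
    labels |= transposition_variants(label)
    labels |= repetition_variants(label)
    labels.discard(label)  # never list the real domain itself
    result = {f"{lab}.{tld}" for lab in labels}
    for t in SWAP_TLDS:
        if t != tld:
            result.add(f"{label}.{t}")
    return result


# Constructed gateway log lines (format assumed for this example).
SAMPLE_MAIL_LOG = """\
2017-09-05T08:01:12 from=<it.director@false.com> to=<jane@false.com> subject="Q3 roadmap"
2017-09-05T08:14:40 from=<helpdesk@fa1se.com> to=<jane@false.com> subject="Restore your email access"
2017-09-05T08:20:03 from=<recruiter@example.net> to=<hr@false.com> subject="Resume attached"
2017-09-05T08:33:51 from=<support@false.co> to=<bob@false.com> subject="Password reset"
2017-09-05T09:02:17 from=<accounts@trustvvave.com> to=<bob@false.com> subject="Invoice"
"""

SENDER_RE = re.compile(r"from=<[^@>]+@([^>]+)>")


def flag_lookalike_senders(log_text, protected_domains):
    """Return (sender_domain, protected_domain) pairs for senders whose
    domain is a lookalike of one of the protected domains."""
    watchlist = {}
    for d in protected_domains:
        for variant in lookalike_domains(d):
            watchlist[variant] = d
    hits = []
    for line in log_text.splitlines():
        m = SENDER_RE.search(line)
        if not m:
            continue
        sender_domain = m.group(1).lower()
        if sender_domain in watchlist:
            hits.append((sender_domain, watchlist[sender_domain]))
    return hits


if __name__ == "__main__":
    for sender, target in flag_lookalike_senders(SAMPLE_MAIL_LOG, ["false.com", "trustwave.com"]):
        print(f"lookalike sender {sender} (resembles {target})")
```

The same watchlist can be fed to a domain-registration monitor (which is how dnstwist is commonly used by defenders) so that a newly registered lookalike is noticed before the first message arrives.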
The Initial Foothold – One Approach
To recap, we now have knowledge of the company, internal personnel, a list of emails, and where our emails are going to come from. Now let’s think of what we’d like to try and get our phishing targets to do.
• A common approach is to clone a familiar website that resembles a false.com login portal users would authenticate to, or to develop a document with malware that someone inside the company would be likely to open.
  • A critical failure in an email system occurred overnight and had to be replaced. Take action now to restore your access.
  • Business development leads from an internal resource with a malware macro.
  • Sending a social media link from a known associate’s spoofed email.
  • Posting a link on Twitter about the company if they have a Twitter presence.
The Initial Foothold – One Approach
If we’re running short on creativity, there are some great tools out there that come with templates for phishing that might get the creativity flowing:
Why Site Cloning?
Site cloning is a popular tactic used by phishermen where a login portal is cloned, hosted on a threat actor’s server, and modified slightly so that whatever a user types in for the username and password is sent back to the attacker. Alternatively, the threat actor could include an exploit on the cloned site that they believe would be effective. Email portals, remote access portals, social media login portals, and anything else a user may log in to are good choices.
Why Documents with Malware?
Malware within electronic office documents is another popular tactic used by phishermen where a purportedly legitimate document contains malicious code that will trigger either when the user opens the document or when the user opens the document and enables macros. Macros and recent exploits for Microsoft, Java, Adobe, and other common third-party products are used to conduct successful phishing campaigns.
Phishing Example 1
Here’s a phishing campaign where someone in need of a job sent their resume to an IT Recruiter that worked at a company.
Phishing Example 2
Here’s a phishing campaign that was sent out by a “Helpdesk Supervisor” letting employees know they need to take action to restore access to their email.
Phishing Example 3
Here’s a phishing campaign that was sent out by a “Helpdesk Supervisor” trying to educate employees with security awareness training for phishing attempts.
How IT Can Help
The role of education, technology, and policies in limiting the damage of phishing attempts if successful, or in preventing phishing attempts from the start.
Multi-factor Authentication
• All remotely accessible services that are facing the Internet should be secured with multi-factor authentication.
• In the event of a successful phish where credentials are disclosed to an attacker, multi-factor authentication, when appropriately configured, can prevent the attacker from successfully using the credentials.
• Third party services that are not on the company’s premises should also be secured.
  • Office365, a technology more and more organizations are moving to, is an example of a third party service that does provide multi-factor authentication that should be enabled.
Employee Awareness
• All employees should be regularly educated to raise their awareness of phishing attacks.
  • Phishing quizzes
  • Monthly phishing email reminders with actual phishing attempts
  • Visual reminders around the office, such as educational posters
    • An especially good idea for preventing tail-gating
Assess Training Effectiveness
• The level of awareness of employees can be assessed by conducting regular phishing campaigns, either internally or by having a third party do it.
• Metrics from a simulated phishing campaign can highlight areas where training can be improved or identify employees who need additional help.
• Social assessments should include multiple types of phishing (vishing, spear phishing, and whaling).
Keep Systems Patched
• In the event of a successful phishing campaign, having systems patched is critical to preventing further damage.
• Many phishing payloads deliver recent exploits that allow for remote code execution in the event that a user takes the action that the attacker is attempting to elicit.
  • Remote code execution = the attacker is in your computer and has a degree of control over it, depending on the permissions of the user who was phished.
• Microsoft AND 3rd party products should be patched
  • Weaponization of exploits after a patch is released usually occurs before the time allotted for patching within an organization’s patch policy
Spam Detection
• While not a cure-all, an email gateway with spam detection capabilities will have an impact on the amount of spam and phishing attempts that reaches each end user.
• Preventing excess spam from being delivered to end users will prevent message fatigue and make it more likely that users will spot phishing attempts with a higher level of sophistication.
Limit Access – Least Privilege
• Users need access to do their jobs, but many companies suffer from access creep, or allotting more permissions than needed for an employee to do their job effectively.
• Enforcing least privilege at the operating system level may limit an attacker to a low privileged (non-administrative) account.
• Enforcing least privilege on mapped drives and file shares will also limit the impact of ransomware and what it is able to encrypt.
Visual Indicators for Employees
• Additional visual cues to assist employees in identifying phishing attempts.
  • Utilize the mail gateway to append [EXTERNAL] to emails that originate from outside of the company.
  • Have corporate photos displayed within the mail client so that when a picture is not present but the email appears to be from someone internal, users will report the phishing attempt.
  • Use plug-ins within the mail client that display a button a user can click if a suspected phishing attempt is identified. When clicked, the button will forward it to the helpdesk.
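The [EXTERNAL] tagging rule above is easy to describe and easy to get subtly wrong, because the From header is attacker-controlled. The Python below is an added example (not from the deck, and not any mail gateway’s real rule syntax) of how a gateway-side rule might decide the tag: the decision is driven by what the gateway itself knows (whether the message came from an authenticated internal submission or from an inbound Internet connection), and the rule additionally records two tell-tale signs worth surfacing to the helpdesk: a From header that claims the company’s own domain on an inbound message, and a display name that matches an employee while the address is not that employee’s. The internal domain false.com is the deck’s fictional one; the employee directory, the sample messages and the tag format are constructed for this example.

```python
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

# Assumed settings for the deck's fictional False, Inc. (not from the deck).
INTERNAL_DOMAINS = {"false.com"}
TAG = "[EXTERNAL]"

# Constructed employee directory: normalized display name -> mailbox.
DIRECTORY = {
    "derek rush": "drush@false.com",
    "jane doe": "jane@false.com",
}


def _normalize_name(name):
    return " ".join(name.lower().replace(",", " ").split())


def tag_message(raw_message, submitted_internally):
    """Apply the gateway rule to one message.

    submitted_internally is what the gateway itself knows: whether the
    message was accepted from an authenticated internal submission rather
    than an inbound Internet connection. The From header alone is never
    trusted for this decision, because the sender controls it.
    Returns the (possibly rewritten) subject plus the reasons for the tag.
    """
    msg = message_from_string(raw_message, policy=default)
    display_name, address = parseaddr(str(msg.get("From", "")))
    from_domain = address.rpartition("@")[2].lower()
    subject = str(msg.get("Subject", ""))
    reasons = []

    if not submitted_internally:
        reasons.append("inbound from outside the company")
        # The From header claims an internal domain, yet the message arrived from outside.
        if from_domain in INTERNAL_DOMAINS:
            reasons.append(f"From header claims internal domain {from_domain}")
        # The display name matches an employee, but the address is not theirs.
        known = DIRECTORY.get(_normalize_name(display_name))
        if known and known.lower() != address.lower():
            reasons.append(f"display name matches employee {known}")

    if reasons and not subject.startswith(TAG):
        subject = f"{TAG} {subject}"
    return {"subject": subject, "external": bool(reasons), "reasons": reasons}


# Constructed sample messages (headers only matter for the rule).
PHISH = """\
From: Derek Rush <drush@fa1se.com>
To: jane@false.com
Subject: Restore your email access

A critical failure in the email system occurred overnight. Take action now.
"""

INTERNAL = """\
From: Derek Rush <drush@false.com>
To: jane@false.com
Subject: Q3 roadmap

Attached.
"""

if __name__ == "__main__":
    for name, raw, internal in [("phish", PHISH, False), ("internal", INTERNAL, True), ("spoofed", INTERNAL, False)]:
        result = tag_message(raw, submitted_internally=internal)
        print(name, result["subject"], result["reasons"])
```

The reasons list is what a “report phishing” button or the helpdesk queue would benefit from: a plain [EXTERNAL] tag tells the user the message came from outside, while “display name matches employee” tells the responder why this particular message deserves attention.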
Contact Information:
Derek Rush
drush@lbmc.com
615.309.2422
Long Links:
http://www.tennessean.com/story/sponsor-story/lbmc/2016/08/03/protect-against-phishing-thinking-like-hacker/87914958/
http://www.tennessean.com/story/sponsor-story/lbmc/2016/10/12/lbmc-top-ways-protect-your-business-against-phishing-attacks/91723658/
Shortened Links:
https://lnkd.in/ewfdY-C
https://lnkd.in/ehZnx_h
LBMC Information Security - a full spectrum of services
Compliance and Audit Services
• Navigate the complex maze of compliance regulations
  • HIPAA / HITRUST
  • Security Controls Assessment (SCA)
  • CMS / FISMA / NIST
  • FedRAMP / CSA CCM
  • Service Organization Control (SOC)
  • SOX / COSO
  • Payment Card Industry (PCI)
Managed Security Services
• Minimize threats and respond
  • Intrusion prevention and detection services
  • Security information and event management
  • Incident response and forensics
  • Vulnerability and threat management
Security Consulting
• Tap in to our unaffiliated and objective assessments
  • Risk assessment / current state assessments
  • Security program design and implementation
  • Penetration testing
  • Web application assessments