Phishing Attacks Methodology and Response GridSecCon 2012

Size: px

Start display at page:

Download "Phishing Attacks Methodology and Response GridSecCon 2012"

Meryl McCoy
8 years ago
Views:

1 Phishing Attacks Methodology and Response

2 Agenda Survey Questions Spear Phishing Current State Case Study - Methodology Countermeasures And Lessons Learned

3 Question 1 If you had to guess, what percentage of the staff at your organization would fall for a moderately sophisticated spear phishing ? % 2. 95% 3. 75% 4. 50%

4 Question 2 If you had to guess, what percentage of the Executives at your organization would fall for a highly sophisticated spear phishing ? % % % 4. 99%

5 PhishMe BlackHat Survey How frequently do you encounter phishing s that are not caught by filters? Have any of your top level executives been compromised by a spear phishing attack in the past year? Note: an informal survey of 250 attendees at BlackHat 2012

Have any of your top level executives been compromised by a spear

6 Yet training is still a low priority! How often does your organization require users to undergo security training?

7 Most Important Question! I d rather have a drink with PhishMe at their pool cabana rather than sit around debating the meaning of APT?

8 What is PhishMe.com? Software-as-a-Service solution for training staff to avoid phishing attacks Administrators send fully customizable mock phishing exercises Scenarios can be simple or very sophisticated Recipients who are vulnerable are immediately provided training Full reporting of participation and results

Administrators send fully customizable mock phishing exercises Scenarios can

9 Current Landscape

10 All this stuff and we still get phished! Anti-Virus Super Duper AV Single Sign-On Web filters IDS, IPS, SEM Vuln Management Pen Testing Site Takedown

11 Current State

12 Why? It is very, very, very effective It is a simple and low cost method It avoids (by-passes) most detection methods Zero chance of capture or retribution In our incident response efforts over 60% of the compromises we have seen start with a spear phishing attack

of capture or retribution In our incident response efforts over

13 General Method Recon - Mine publicly available information Attack - Execute a well crafted spear phish Exploit Several routes Solicit sensitive data Push malware to the system Compromise IDs for further exploitation Low Cost / Low Detection Bypasses Anti-Spam/Anti-Phishing/Anti-Virus Difficult to detect limited footprint

malware to the system Compromise IDs for further exploitation Low Cost / Low

14 Is it Effective? On Average 58% of the time First time test 1 million users Normal IT security

15 and within a few minutes

16 Case Study

17 Attack Methodology Case Study Identify a potential high $$ gain target Mining publicly available information Identify specific targets Phish Rinse Repeat Exploit

18 Case-Shiller Reports

25 What s Next? From: Major, Patricia (patricia_major@mcgraw-hill.com) To: Clarke, Sean Subject: Case-Schiller Report Error Urgency: High Sean, I noticed an anomaly in cell C11 in your home price history xls. Please find attached a modified version that reflects the corrected value. The update is based on the numbers found on the San Diego Realtors Association website ( Hope this helps, Trish Intrepidus Group, Inc. 2007

26 Current Countermeasures And A Better Approach

27 How To Reduce Risk Part 1 Technical Controls Gateway filtering Gateway content filtering Domain SPF Host level filtering Host level execution controls

28 How To Reduce Risk Part 2 Employee Education Primarily static Annual CBT Lunch and Learns Security posters Newsletters blasts

29 A Better Method Mock Phishing Key Techniques Open and transparent Psychology of immediate training Frequent, short training events Maintain recipients interest Target efforts appropriately Change behavior over time This is not pen testing!!!

30 Sample Customer - Long Term Trend 24,000 employees 3 global exercises in a 12 month period Numerous departmental phishes Significant Improvement

31 Build a Program First Steps Get buy-in from Execs, Legal, HR, Corp Comms Identify any international privacy issues Understand how this process fits your corporate culture Coordinate with IS to ensure whitelisting Enable SPF Send all staff an introduction to the program

32 Build a Program - Launch Start with small, simple scenarios Increase difficulty over time Make them culturally and technically appropriate Be careful as you phish your Execs!! Monitor reporting of exercises and attacks Touch each staff member every other month Provide positive feedback to those that do not fall victim to the scenario

33 General results Vulnerability starts over 60% Phish and teach frequently with appropriate exercises Vulnerability drops below 10% 3.5 million recipients globally

34 Thanks! Jim Hansen

Threat Intelligence: The More You Know the Less Damage They Can Do. Charles Kolodgy Research VP, Security Products

Threat Intelligence: The More You Know the Less Damage They Can Do Charles Kolodgy Research VP, Security Products IDC Visit us at IDC.com and follow us on Twitter: @IDC 2 Agenda Evolving Threat Environment