When less is more (Spear-Phishing and Other Methods to Steal Data) Alexander Raczyński

Size: px

Start display at page:

Download "When less is more (Spear-Phishing and Other Methods to Steal Data) Alexander Raczyński"

Solomon Cameron
8 years ago
Views:

1 When less is more (Spear-Phishing and Other Methods to Steal Data) Alexander Raczyński 1

3 Agenda Spear-Fishing the new CEO Fear How to Fight Spear-Fishing It s All About the Data

4 Evolution of the bad guys modus operandi EASY TO PROTECT HARD TO PROTECT

5 The Enemy is in your Blind Spots SSL Spear Phishing AD, SAM, Password extraction Custom Encryption Malware

6 Security Trends Spam huge volumes ensure penetration often used as the first stage in many attacks 92 % of spam contains a URL The total percent of spam that can be categorized as leading to a traditional phishing is approximately 1.62 % The percentage of virus-related spam is only 0.4 % phishing attempts outnumber malicious executables in volume 6

categorized as leading to a traditional phishing is approximately 1.

7 How to Lure? Four out of the top five phishing subject lines are related to security. These types of attacks represent the largest volume of recent subject lines designed to lure in victims. Top five phishing subject lines: Your account has been accessed by a third party (Bank Name) Internet Banking Customer Service Message Security Measures Verify your activity Account security Notification *Based on July September 2012 research 7

Top five phishing email subject lines: Your account has been accessed by a third party (Bank Name) Internet

8 Time for Phishing 8

9 Lures Prey on Human Curiosity Spear-Phishing The key to major data theft attacks last year 92 % of spam contains a web link Defenses focused on high volume known attacks which are less effective 9

email spam contains a web link Defenses focused on

10 Attack Scenario A typical attack of this type would have the bad guy doing the following: Find a URL that can be easily compromised but do nothing at that time. Leave it as is for now. Craft an that will not trigger spam, AV or other security measures based on its content, but include links to the currently safe URL. Since they typically pretend to be something legitimate, it is best to simply copy a legitimate message and only change one link to the safe URL. Send the over the weekend, or late at night, so defenses will approve the and deliver it into the user s mailbox. Just before you believe employees will begin accessing , compromise the URL and install that part of the attack strategy. 10

Since they typically pretend to be something legitimate, it is best to simply copy a legitimate message and only change one link to the safe URL.

11 New Defense Game 11

12 The decline of AV effectiveness NUMBER OF MALWARE THREATS DETECTED BY WEBSENSE ADVANCED DETECTION PER DAY NOT DETECTED BY FIVE TOP AV ENGINES

13 30% 25% 20% What is your best security solution? AV? Firewall? 15% 10% 5% 0% Web Security Gateway SIEM- Intelligence Vulnerability Mgmt DLP Endpoint IDM IDS/IPS Encryption GRC Firewall Security (AV, 2012 etc.) Websense, Inc. Security & IT Exec s Surveyed

Vulnerability Mgmt DLP Endpoint IDM IDS/IPS Encryption GRC

14 14

15 Three Ways to Stop Spear-phishing Websense recommends a three-pronged approach designed to stop percent of spear-phishing attempts: Employee education Inbound sandboxing Real-time analysis and inspection of your web traffic 15

spear-phishing attempts: Employee education Inbound email

16 The human element is incredibly important. Employee education is fundamental to preventing a spear-phish attack. Consider pen-testing your users. Show them why they need to think before they click. 16

Email security sees a clean link Sunday Monday Email

17 Sandboxing Spear-phishing technique Embedded web link in lure Time malware infection after delivery security sees a clean link Sunday Monday Security OK Target Web Site Web Target Site Infected 4am Web 17

18 ACE: Composite Security Engine Security Technologies Embedded in ACE 18

19 Advanced Classification Engine (ACE) 19

ACE New Defenses Advanced Classification Engine Predictive Inline Analytical Engine 10 New Defenses in ACE to protect against Advanced Threats & Data Theft New ACE Analytics/Defenses: Advanced

20 ACE New Defenses Advanced Classification Engine Predictive Inline Analytical Engine 10 New Defenses in ACE to protect against Advanced Threats & Data Theft New ACE Analytics/Defenses: Advanced Malware Payloads Potentially Exploited Documents Mobile Malware Criminal Encrypted Uploads Files Containing Passwords Advanced Malware Command & Control Unauthorized Mobile Marketplaces OCR (Optical Character Recognition) Behavioral (Drip) DLP Geo-Location INBOUND WSG OUTBOUND WSG OUTBOUND WSGA 20

Documents Mobile Malware Criminal Encrypted Uploads Files Containing Passwords Advanced Malware Command & Control

21 aceinsight.com 21

22 Spear-Phishing examples The White House became the victim of a spear-phishing attack. It is alleged that Chinese hackers attempted to gain access to an unclassified network within the office. Last year, an spear-phishing attack succeeded at Oak Ridge National Laboratory before the organization cut off internet access to workers. The Oak Ridge facility handles classified and non-classified research for the federal government and is known for researching cybersecurity initiatives. A targeted was sent to specific employees masquerading as an employee benefits from the human resource department. In March 2011, executives from security company RSA announced a possible breach of SecurID product information from a spear-phishing attack. A spear-phishing was sent to two small groups within the company. Though the was automatically marked as Junk, the subject of the message ("2011 Recruitment Plan") tricked one employee into opening it anyway. GhostNet, Night Dragon, and the Operation Aurora attack against Google, Adobe and approximately a dozen other companies, and many of the other so-called advanced persistent threats (APT) that have been publicly documented have been initiated at least in part through targeted spear phishing s. 22

23 Watering the hole: the new way to hunt In May 2012, the Websense ThreatSeeker Network detected that the Institute for National Security Studies (INSS) website in Israel was injected with malicious code. INSS is described in its website as an independent academic institute that studies key issues relating to Israel's national security and Middle East affairs. 23

24 Even more water... Nepalese government websites were compromised to serve Zegost RAT in August Also, in May 2012, the Amnesty International UK website was compromised to serve Gh0st RAT. All of these used the same vulnerability (CVE ). 24

25 New Defense Game 25

26 Criminal Encrypted Uploads Proprietary encryption Cloak comms & data theft Crimeware toolkit enabled Blind spot for defenses Web 26

27 Password File Data Theft Password files Active Directory/SAM database Expand reach/control within target First priority once inside Web 27

28 Non-Document Data Theft Image files Confidential information Smart phone pictures Blind spot for defenses Web 28

29 Slow Data Leaks Remain below the radar Low record count per request/incident Steal data in small chunks Persistence and patience One data record One data record Web 29

(Stateful) DLP Cloud Sandboxing for Email Monday Redirect

30 Protection & Containment One data record Criminal Encrypted Uploads Password File Data Theft Image OCR/Text Analysis Drip (Stateful) DLP Cloud Sandboxing for Monday Redirect Wrapper Real-time web security analysis Target Site Infected 4am Web 30

31 31

32 Threat Dashboard 32

33 Forensic Reporting Know WHO was compromised Know HOW the malware operates (intent) Know WHERE the data was being sent Know WHAT was prevented from being stolen 33

34 During the presentation 34

CyberSecurity Intelligence Services "It's becoming clear that many of these emerging threats cannot be defended against in-house, creating a shift in security posture toward being more proactive.

35 CyberSecurity Intelligence Services "It's becoming clear that many of these emerging threats cannot be defended against in-house, creating a shift in security posture toward being more proactive. IDC Senior Analyst Christine Liebert IDC press release, Jan. 31, 2012, CSI: On-Demand ThreatScope malware analysis sandbox Priority access to research tools/services Video resources from research presentations & TAB events Online security training CSI: Live Direct access to Security Labs researchers Forensic investigation partner 3-day classes w/hands-on labs Regular security reviews Customer Allow/Deny lists Full security posture Includes CSI: On-Demand 35

36 Questions 36

TRENDS IN THE THREAT LANDSCAPE

TRENDS IN THE THREAT LANDSCAPE Guy Eilon, SEE Regional Manager April 2013 geilon@websense.com TRITON STOPS MORE THREATS. WE CAN PROVE IT. 2013 Websense, Inc. Page 1 CHANGING CUSTOMERS NEEDS 90% of companies