When less is more (Spear-Phishing and Other Methods to Steal Data)
Alexander Raczyński
Agenda
Spear-Phishing: the new CEO fear
How to fight spear-phishing
It's all about the data
Evolution of the bad guys' modus operandi
[Chart: attack techniques arranged from EASY TO PROTECT to HARD TO PROTECT]
The Enemy is in your Blind Spots
SSL
Spear phishing
AD, SAM, password extraction
Custom-encryption malware
Email Security Trends
Spam: huge volumes ensure penetration, and it is often used as the first stage in many attacks.
92 % of email spam contains a URL.
The total percentage of spam that can be categorized as leading to traditional phishing is approximately 1.62 %.
The percentage of virus-related email spam is only 0.4 %, so phishing attempts outnumber malicious executables in email volume.
How to Lure?
Four out of the top five phishing email subject lines are related to security. These types of attacks represent the largest volume of recent subject lines designed to lure in victims.
Top five phishing email subject lines:
"Your account has been accessed by a third party"
"(Bank Name) Internet Banking Customer Service Message"
"Security Measures"
"Verify your activity"
"Account security Notification"
*Based on July-September 2012 research
Time for Phishing
Lures Prey on Human Curiosity
Spear-phishing was the key to the major data theft attacks of last year.
92 % of email spam contains a web link.
Defenses focused on high-volume, known attacks are less effective against these lures.
Attack Scenario
A typical attack of this type would have the bad guy doing the following:
1. Find a URL that can be easily compromised but do nothing at that time. Leave it as is for now.
2. Craft an email that will not trigger spam, AV or other security measures based on its content, but include links to the currently safe URL. Since they typically pretend to be something legitimate, it is best to simply copy a legitimate message and only change one link to the safe URL.
3. Send the email over the weekend, or late at night, so email defenses will approve the email and deliver it into the user's mailbox.
4. Just before you believe employees will begin accessing email, compromise the URL and install that part of the attack strategy.
New Defense Game
The decline of AV effectiveness
Number of malware threats detected by Websense advanced detection per day that were not detected by the five top AV engines:
2008: 153
2009: 298
2010: 409
2011: 641
What is your best security solution? AV? Firewall?
[Bar chart, y-axis 0-30 %; categories: Web Security Gateway, SIEM/Intelligence, Vulnerability Mgmt, DLP, Endpoint Security (AV, etc.), IDM, IDS/IPS, Encryption, GRC, Firewall. Source: Websense, Inc., 2012, Security & IT Execs Surveyed]
Three Ways to Stop Spear-phishing
Websense recommends a three-pronged approach designed to stop 95-99 percent of spear-phishing attempts:
Employee education
Inbound email sandboxing
Real-time analysis and inspection of your web traffic
The human element is incredibly important. Employee education is fundamental to preventing a spear-phish attack. Consider pen-testing your users. Show them why they need to think before they click.
Sandboxing
Spear-phishing technique: an embedded web link in the email lure, with the malware infection timed after delivery, so email security sees a clean link.
[Diagram: Sunday, email security checks the target web site: OK. Monday 4am: target site infected.]
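The timing gap above is why delivery-time link scanning is not enough. The following is an added illustration, not code from the deck or from Websense, of the time-of-click idea: every link in a delivered mail is rewritten to a signed redirect wrapper, and the destination is re-evaluated against the current reputation store when the user actually clicks. The gateway host, key and the reputation dictionary are constructed for the demo.

```python
import hashlib
import hmac
import re
from urllib.parse import parse_qs, quote, urlparse

# Constructed demo key and wrapper endpoint (hypothetical; not a product setting).
WRAP_KEY = b"constructed-demo-key"
WRAP_HOST = "https://click.gateway.invalid/r"
_URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def _sign(url: str) -> str:
    # HMAC ties the wrapped destination to this gateway so the u= parameter cannot be swapped.
    return hmac.new(WRAP_KEY, url.encode(), hashlib.sha256).hexdigest()[:32]

def wrap_links(body: str) -> str:
    """Rewrite every link in the mail body at delivery time. The destination is not
    judged here; it is re-evaluated on every click via resolve_click()."""
    def repl(m: re.Match) -> str:
        url = m.group(0)
        return f"{WRAP_HOST}?u={quote(url, safe='')}&s={_sign(url)}"
    return _URL_RE.sub(repl, body)

def resolve_click(wrapped: str, reputation: dict) -> tuple:
    """Gateway click handler: check the signature, then consult the *current*
    reputation store. Returns (verdict, destination)."""
    q = parse_qs(urlparse(wrapped).query)
    url = q.get("u", [""])[0]
    if not hmac.compare_digest(q.get("s", [""])[0], _sign(url)):
        return ("tampered", url)
    host = urlparse(url).hostname or ""
    if reputation.get(host) == "infected":
        return ("blocked", url)
    return ("allowed", url)

def demo() -> list:
    """Replays the deck's timeline: link is clean on Sunday, host is infected Monday 4am."""
    body = "Updated benefits plan: http://benefits.example.invalid/plan.pdf"  # constructed lure
    link = _URL_RE.search(wrap_links(body)).group(0)    # the wrapped link the user sees
    reputation = {}                                      # Sunday: nothing bad known yet
    sunday = resolve_click(link, reputation)[0]
    reputation["benefits.example.invalid"] = "infected"  # Monday 4am: site compromised
    monday = resolve_click(link, reputation)[0]
    return [sunday, monday]
```

The same mail, unchanged in the mailbox, is allowed on Sunday and blocked on Monday because the decision is made at click time.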
ACE: Composite Security Engine
Security technologies embedded in ACE
Advanced Classification Engine (ACE)
ACE New Defenses
Advanced Classification Engine: Predictive Inline Analytical Engine
10 new defenses in ACE to protect against advanced threats & data theft.
New ACE analytics/defenses:
Advanced Malware Payloads
Potentially Exploited Documents
Mobile Malware
Criminal Encrypted Uploads
Files Containing Passwords
Advanced Malware Command & Control
Unauthorized Mobile Marketplaces
OCR (Optical Character Recognition)
Behavioral (Drip) DLP
Geo-Location
[Diagram labels: Inbound WSG, Outbound WSG, Outbound WSGA]
aceinsight.com
Spear-Phishing examples
The White House became the victim of a spear-phishing attack. It is alleged that Chinese hackers attempted to gain access to an unclassified network within the office.
Last year, an email spear-phishing attack succeeded at Oak Ridge National Laboratory before the organization cut off internet access to workers. The Oak Ridge facility handles classified and non-classified research for the federal government and is known for researching cybersecurity initiatives. A targeted email was sent to specific employees masquerading as an employee benefits email from the human resource department.
In March 2011, executives from security company RSA announced a possible breach of SecurID product information from a spear-phishing attack. A spear-phishing e-mail was sent to two small groups within the company. Though the e-mail was automatically marked as Junk, the subject of the message ("2011 Recruitment Plan") tricked one employee into opening it anyway.
GhostNet, Night Dragon, and the Operation Aurora attack against Google, Adobe and approximately a dozen other companies, and many of the other so-called advanced persistent threats (APT) that have been publicly documented, have been initiated at least in part through targeted spear-phishing emails.
Watering the hole: the new way to hunt
In May 2012, the Websense ThreatSeeker Network detected that the Institute for National Security Studies (INSS) website in Israel had been injected with malicious code. INSS is described on its website as an independent academic institute that studies key issues relating to Israel's national security and Middle East affairs.
Even more water...
Nepalese government websites were compromised to serve Zegost RAT in August 2012. Also, in May 2012, the Amnesty International UK website was compromised to serve Gh0st RAT. All of these used the same vulnerability (CVE-2012-0507).
New Defense Game
Criminal Encrypted Uploads
Proprietary encryption
Cloaks comms & data theft
Crimeware-toolkit enabled
Blind spot for defenses
Password File Data Theft
Password files: Active Directory/SAM database
Expand reach/control within the target
First priority once inside
Non-Document Data Theft
Image files containing confidential information
Smart-phone pictures
Blind spot for defenses
Slow Data Leaks
Remain below the radar
Low record count per request/incident
Steal data in small chunks
Persistence and patience
[Diagram: one data record at a time leaving for the web]
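A per-request DLP rule cannot see a leak that stays under its threshold on every request; the "drip" (stateful) DLP named elsewhere in this deck keeps a running count per user. This is an added example, not Websense code: the record classifier, thresholds, window and the replayed upload sequence are all constructed for the demo.

```python
import re
from collections import defaultdict, deque

# Thresholds are constructed for the demo, not product settings.
PER_REQUEST_LIMIT = 10   # one upload carrying this many records is blocked outright
DRIP_LIMIT = 25          # cumulative records per user in the window that raise an incident
WINDOW_SECONDS = 24 * 3600

# Simplistic stand-in for a real record classifier: count 16-digit card-like numbers.
_RECORD_RE = re.compile(r"\b\d{16}\b")

def count_records(upload_body: str) -> int:
    return len(_RECORD_RE.findall(upload_body))

class DripDLP:
    """Stateful per-user counter so many small uploads add up to one incident."""
    def __init__(self):
        self.history = defaultdict(deque)   # user -> deque of (timestamp, record_count)

    def check(self, ts: int, user: str, upload_body: str) -> str:
        n = count_records(upload_body)
        if n >= PER_REQUEST_LIMIT:
            return "block"              # the stateless case every DLP already catches
        q = self.history[user]
        q.append((ts, n))
        while q and q[0][0] <= ts - WINDOW_SECONDS:
            q.popleft()                 # forget records older than the window
        total = sum(c for _, c in q)
        return "alert" if total >= DRIP_LIMIT else "allow"

def replay() -> list:
    """Constructed drip: one card number every 20 minutes for 30 requests by one user."""
    dlp = DripDLP()
    return [dlp.check(i * 1200, "alice", f"ref {4111111111111100 + i}") for i in range(30)]
```

Every individual request in the replay carries a single record and would pass a per-request rule; the stateful count raises an alert on the 25th.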
Protection & Containment
Criminal Encrypted Uploads
Password File Data Theft
Image OCR/Text Analysis
Drip (Stateful) DLP
Cloud Sandboxing for Email
Redirect Wrapper
Real-time web security analysis
[Diagram: Monday 4am, target site infected; single data records leaving for the web are intercepted]
Threat Dashboard
Forensic Reporting
Know WHO was compromised
Know HOW the malware operates (intent)
Know WHERE the data was being sent
Know WHAT was prevented from being stolen
During the presentation
CyberSecurity Intelligence Services
"It's becoming clear that many of these emerging threats cannot be defended against in-house, creating a shift in security posture toward being more proactive."
IDC Senior Analyst Christine Liebert, IDC press release, Jan. 31, 2012, http://www.idc.com/getdoc.jsp?containerid=prus23290912
CSI: On-Demand
ThreatScope malware analysis sandbox
Priority access to research tools/services
Video resources from research presentations & TAB events
Online security training
CSI: Live
Direct access to Security Labs researchers
Forensic investigation partner
3-day classes with hands-on labs
Regular security reviews
Customer allow/deny lists
Full security posture
Includes CSI: On-Demand
Questions
http://securitylabs.websense.com/