Phishing Attacks Methodology and Response
Agenda
- Survey Questions
- Spear Phishing Current State
- Case Study - Methodology
- Countermeasures And Lessons Learned
Question 1
If you had to guess, what percentage of the staff at your organization would fall for a moderately sophisticated spear phishing email?
1. 100%
2. 95%
3. 75%
4. 50%
Question 2
If you had to guess, what percentage of the Executives at your organization would fall for a highly sophisticated spear phishing email?
1. 100%
2. 100%
3. 100%
4. 99%
PhishMe BlackHat Survey
- How frequently do you encounter phishing emails that are not caught by filters?
- Have any of your top level executives been compromised by a spear phishing attack in the past year?
Note: an informal survey of 250 attendees at BlackHat 2012
Yet training is still a low priority!
How often does your organization require users to undergo security training?
Most Important Question!
I'd rather have a drink with PhishMe at their pool cabana than sit around debating the meaning of APT?
What is PhishMe.com?
- Software-as-a-Service solution for training staff to avoid phishing attacks
- Administrators send fully customizable mock phishing exercises
- Scenarios can be simple or very sophisticated
- Recipients who are vulnerable are immediately provided training
- Full reporting of participation and results
Current Landscape
All this stuff and we still get phished!
- Anti-Virus
- Super Duper AV
- Single Sign-On
- Web filters
- IDS, IPS, SEM
- Vuln Management
- Pen Testing
- Site Takedown
Current State
Why?
- It is very, very, very effective
- It is a simple and low cost method
- It avoids (by-passes) most detection methods
- Zero chance of capture or retribution
- In our incident response efforts, over 60% of the compromises we have seen start with a spear phishing attack
General Method
- Recon - Mine publicly available information
- Attack - Execute a well crafted spear phish
- Exploit - Several routes:
  - Solicit sensitive data
  - Push malware to the system
  - Compromise IDs for further exploitation
- Low Cost / Low Detection
  - Bypasses Anti-Spam/Anti-Phishing/Anti-Virus
  - Difficult to detect: limited footprint
Is it Effective?
- On average, 58% of the time
- First time test
- 1 million users
- Normal IT security
- ...and within a few minutes
Case Study
Attack Methodology Case Study
- Identify a potential high $$ gain target
- Mining publicly available information
- Identify specific targets
- Phish
- Rinse, Repeat
- Exploit
Case-Shiller Reports
What's Next?

From: Major, Patricia (patricia_major@mcgraw-hill.com)
To: Clarke, Sean
Subject: Case-Schiller Report Error
Urgency: High

Sean,

I noticed an anomaly in cell C11 in your home price history xls. Please find attached a modified version that reflects the corrected value. The update is based on the numbers found on the San Diego Realtors Association website (http://sd.realtor-assoc.realtydata.com/1987/homeprices.chm)

Hope this helps,
Trish

Intrepidus Group, Inc. 2007
Current Countermeasures And A Better Approach
How To Reduce Risk Part 1 - Technical Controls
- Gateway email filtering
- Gateway content filtering
- Domain SPF
- Host level filtering
- Host level execution controls
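"Domain SPF" on this slide is the one control in the list that a defender can reason about with a few lines of code, so here is an added example (not PhishMe's product code, and not from the deck) of how a receiving gateway evaluates a domain's SPF record against the IP address that delivered a message. The record, the domain and the sender addresses are constructed for the example; mechanisms that require DNS lookups (a, mx, include, exists) and the redirect modifier are deliberately skipped so the code runs offline.

```python
import ipaddress

# Map SPF qualifiers to the result an evaluating receiver would return.
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed sample record for a hypothetical domain; not a real published record.
SAMPLE_SPF = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all"


def parse_spf(record):
    """Split an SPF TXT record into (qualifier, mechanism, argument) terms."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    terms = []
    for term in parts[1:]:
        qualifier = "+"                      # default qualifier is pass
        if term[0] in RESULT:
            qualifier, term = term[0], term[1:]
        # partition on the first colon only, so ip6 arguments keep their colons
        mechanism, _, argument = term.partition(":")
        terms.append((qualifier, mechanism.lower(), argument))
    return terms


def check_sender(record, sender_ip):
    """Evaluate the connecting IP against ip4/ip6/all terms, left to right.

    Mechanisms that need DNS (a, mx, include, exists) and the redirect
    modifier are skipped here so the example runs offline; a real evaluator
    resolves them in order and stops at the first match.
    """
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, mechanism, argument in parse_spf(record):
        if mechanism == "all":
            return RESULT[qualifier]
        if mechanism in ("ip4", "ip6"):
            network = ipaddress.ip_network(argument, strict=False)
            if ip.version == network.version and ip in network:
                return RESULT[qualifier]
    return "neutral"                         # nothing matched and no 'all' term


def explain(record, sender_ip):
    """One-line verdict suitable for a mail-gateway log or a triage note."""
    return f"{sender_ip} -> SPF {check_sender(record, sender_ip)} for '{record}'"


if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.7", "2001:db8::1"):
        print(explain(SAMPLE_SPF, ip))
```

Two caveats matter when you enable SPF as part of the program: SPF is checked against the envelope sender (MAIL FROM) or HELO domain, not the From header the recipient sees, so a message whose visible From differs from its envelope domain can still pass unless DMARC alignment is enforced as well; and a domain that publishes no record, or ends in ?all, gives the gateway nothing to act on, so the filtering value comes from a strict -all record together with a gateway policy that actually acts on "fail".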
How To Reduce Risk Part 2 - Employee Education
- Primarily static
- Annual CBT
- Lunch and Learns
- Security posters
- Newsletters
- Email blasts
A Better Method - Mock Phishing
Key Techniques
- Open and transparent
- Psychology of immediate training
- Frequent, short training events
- Maintain recipients' interest
- Target efforts appropriately
- Change behavior over time
This is not pen testing!!!
Sample Customer - Long Term Trend
- 24,000 employees
- 3 global exercises in a 12 month period
- Numerous departmental phishes
- Significant improvement
Build a Program - First Steps
- Get buy-in from Execs, Legal, HR, Corp Comms
- Identify any international privacy issues
- Understand how this process fits your corporate culture
- Coordinate with IS to ensure whitelisting
- Enable SPF
- Send all staff an introduction to the program
Build a Program - Launch
- Start with small, simple scenarios
- Increase difficulty over time
- Make them culturally and technically appropriate
- Be careful as you phish your Execs!!
- Monitor reporting of exercises and attacks
- Touch each staff member every other month
- Provide positive feedback to those that do not fall victim to the scenario
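The launch steps above ("Monitor reporting", "Touch each staff member every other month") and the earlier "Target efforts appropriately" all depend on keeping a per-exercise record and reading three things out of it: the click-rate trend, who keeps clicking, and who has gone too long without an exercise. The following added example (my own code, not PhishMe's reporting) does that over a constructed exercise log; the record layout, the employee names and the dates are assumptions made for the example.

```python
from collections import Counter
from datetime import date

# Constructed exercise log for a hypothetical program, one row per recipient:
# (exercise, sent_on, recipient, clicked, reported). Names and dates are made up.
RESULTS = [
    ("2012-01-global",  date(2012, 1, 10), "alice", True,  False),
    ("2012-01-global",  date(2012, 1, 10), "bob",   True,  False),
    ("2012-01-global",  date(2012, 1, 10), "carol", True,  False),
    ("2012-01-global",  date(2012, 1, 10), "dave",  False, False),
    ("2012-01-global",  date(2012, 1, 10), "erin",  False, True),
    ("2012-05-global",  date(2012, 5, 8),  "alice", True,  False),
    ("2012-05-global",  date(2012, 5, 8),  "bob",   False, True),
    ("2012-05-global",  date(2012, 5, 8),  "carol", False, False),
    ("2012-05-global",  date(2012, 5, 8),  "dave",  False, True),
    ("2012-05-global",  date(2012, 5, 8),  "erin",  False, True),
    ("2012-09-finance", date(2012, 9, 12), "alice", False, True),
    ("2012-09-finance", date(2012, 9, 12), "bob",   False, True),
    ("2012-09-finance", date(2012, 9, 12), "carol", False, False),
    ("2012-09-finance", date(2012, 9, 12), "dave",  False, True),
]


def exercise_trend(results):
    """Per-exercise (name, click rate, report rate), in chronological order.

    Click rate is the 'vulnerability' figure the deck quotes; report rate is
    the positive behaviour you want to see rise as the click rate falls.
    """
    sent, clicked, reported, when = Counter(), Counter(), Counter(), {}
    for exercise, sent_on, _, did_click, did_report in results:
        sent[exercise] += 1
        clicked[exercise] += did_click
        reported[exercise] += did_report
        when[exercise] = sent_on
    return [
        (ex, clicked[ex] / sent[ex], reported[ex] / sent[ex])
        for ex in sorted(sent, key=when.get)
    ]


def repeat_clickers(results, min_clicks=2):
    """Recipients who clicked in at least min_clicks exercises.

    This is the list for targeted follow-up rather than another global blast.
    """
    clicks = Counter(r for _, _, r, did_click, _ in results if did_click)
    return sorted(r for r, n in clicks.items() if n >= min_clicks)


def overdue(results, as_of, max_gap_days=60):
    """Staff not included in any exercise within max_gap_days of as_of.

    60 days approximates the 'every other month' cadence on the slide.
    """
    last_seen = {}
    for _, sent_on, recipient, _, _ in results:
        last_seen[recipient] = max(sent_on, last_seen.get(recipient, sent_on))
    return sorted(r for r, d in last_seen.items() if (as_of - d).days > max_gap_days)


if __name__ == "__main__":
    for name, click_rate, report_rate in exercise_trend(RESULTS):
        print(f"{name}: clicked {click_rate:.0%}, reported {report_rate:.0%}")
    print("repeat clickers:", repeat_clickers(RESULTS))
    print("overdue as of 2012-11-01:", overdue(RESULTS, date(2012, 11, 1)))
```

In the constructed data the click rate falls from 60% to 20% to 0% across three exercises while the report rate rises, one person has clicked twice and becomes the candidate for a targeted departmental exercise, and one person was left out of the third exercise and shows up as overdue; those are the three signals a program owner should be able to pull from the exercise records before planning the next round.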
General Results
- Vulnerability starts over 60%
- Phish and teach frequently with appropriate exercises
- Vulnerability drops below 10%
- 3.5 million recipients globally
Thanks!
Jim Hansen
jim@phishme.com