Trends in Social Engineering: Securing
CERT Insider Threat Center, Software Engineering Institute, Carnegie Mellon University, Pittsburgh, PA 15213
Jason W. Clark, Ph.D.
April 25, 2017
Copyright 2017 Carnegie Mellon University

This material is based upon work funded and supported by the Department of Defense under Contract No. FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the United States Department of Defense.

NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN AS-IS BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.

This material has been approved for public release and unlimited distribution except as restricted below. This material may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other use. Requests for permission should be directed to the Software Engineering Institute at permission@sei.cmu.edu.

Carnegie Mellon and CERT are registered marks of Carnegie Mellon University.

DM-0002262
Lookalike domain example: www.bankofthevvest.com (two lowercase v's stand in for the w of "west"; in many fonts, and at a glance in an address bar or a link, the difference is invisible).
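The two-v trick is one instance of a wider class of confusable (lookalike) domains, and a URL filter or mail gateway can catch most of them mechanically. The following is an added example in Python, not code from the original slides: it folds common confusables (vv for w, rn for m, digits for letters, Cyrillic homoglyphs) into a skeleton and compares the registrable label of a hostname against a list of protected brand domains, additionally allowing one edit of distance to catch plain typosquats. The confusable tables, the protected list, the sample hosts and the threshold are assumptions chosen for the demonstration.

```python
"""Lookalike-domain check for a URL filter or mail gateway.

Added example, not part of the original slides. Confusable tables, protected
list, sample hosts and the edit-distance threshold are assumptions.
"""
import unicodedata
from typing import List, Optional

# Single-character confusables: ASCII digit/letter swaps plus a few Cyrillic
# letters that render identically to Latin ones. Assumed, deliberately small
# table; Unicode TR39 publishes the full confusables data.
SINGLE_CONFUSABLES = {
    "0": "o", "1": "l", "|": "l", "i": "l", "5": "s", "3": "e", "8": "b",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y",
}
# Sequences that look like one letter; applied after the single-character
# folds, so "c1" first becomes "cl" and then "d".
MULTI_CONFUSABLES = {"vv": "w", "rn": "m", "cl": "d"}


def skeleton(label: str) -> str:
    """Reduce a DNS label to a confusable-insensitive form."""
    text = unicodedata.normalize("NFKD", label.lower())
    text = "".join(ch for ch in text if not unicodedata.combining(ch))  # drop accents
    text = "".join(SINGLE_CONFUSABLES.get(ch, ch) for ch in text)
    for seq, rep in MULTI_CONFUSABLES.items():
        text = text.replace(seq, rep)
    return text


def registrable_label(hostname: str) -> str:
    """Label directly under the TLD: "bankofthewest" for "www.bankofthewest.com".
    Assumption: one-label public suffixes only; production code should consult
    the Public Suffix List (co.uk and friends)."""
    labels = hostname.strip(".").lower().split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(hostname: str, protected: List[str], max_distance: int = 1) -> Optional[str]:
    """Return the protected domain that `hostname` imitates, or None.

    The protected domain itself and its subdomains are legitimate and return
    None; any other host whose skeleton matches, or sits within `max_distance`
    edits of, a protected label is reported."""
    host = hostname.strip(".").lower()
    for brand in protected:
        brand = brand.strip(".").lower()
        if host == brand or host.endswith("." + brand):
            return None
    suspect = skeleton(registrable_label(host))
    for brand in protected:
        target = skeleton(registrable_label(brand))
        if suspect == target or edit_distance(suspect, target) <= max_distance:
            return brand
    return None


# Constructed sample hosts: the slide's example, a legitimate host, an ASCII
# typosquat, a Cyrillic homoglyph (first letter is U+0430) and an unrelated domain.
PROTECTED = ["bankofthewest.com", "paypal.com", "apple.com"]
SAMPLE_HOSTS = [
    "www.bankofthevvest.com",
    "www.bankofthewest.com",
    "paypa1.com",
    "\u0430pple.com",
    "example.com",
]


def scan(hosts: List[str], protected: List[str]) -> dict:
    """Map each host to the brand it imitates (None when it looks clean)."""
    return {h: lookalike(h, protected) for h in hosts}


if __name__ == "__main__":
    for host, brand in scan(SAMPLE_HOSTS, PROTECTED).items():
        print(f"{host:28s} -> {'imitates ' + brand if brand else 'clean'}")
```

The skeleton comparison is what catches the slide's example; the edit-distance check is a separate, cheaper net for ordinary typos (a dropped or doubled letter) that no confusable table covers. Both produce false positives on short labels, so in practice the protected list should be short and the registrable-label extraction should use the Public Suffix List rather than the two-label assumption made here.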
Why Phishing Matters
https://resources.sei.cmu.edu/library/asset-view.cfm?assetid=485782
Introduction to Social Engineering and Phishing

Social Engineering
Social engineering may be defined as obtaining information or resources from victims using coercion or deceit. During a social engineering attack, attackers do not scan networks, crack passwords by brute force, or exploit software vulnerabilities. Rather, social engineers operate in the social world, manipulating the trust or gullibility of human beings [1].

Phishing
A form of social engineering that uses email or malicious websites (among other channels) to solicit personal information from an individual or company by posing as a trustworthy organization or entity [2].

Phishing: Single-Stage

Phishing: Multi-Stage

Walkthrough

Social Engineering Related Cases
No One's Emails Are Safe

Background
The personal AOL email account of CIA Director John Brennan was hacked.
- The attacker gained access through social engineering, posing as a Verizon worker (the attacker knew Brennan was a Verizon customer from a reverse lookup of his phone number).
- The attacker tricked a Verizon employee into revealing Brennan's PII.
- Using that PII, such as the last four digits of a bank account number, the attacker reset Brennan's AOL email password on numerous occasions.
- Several government documents (including an SF-86, the questionnaire for national security positions) were found stored as attachments.
- Brennan called the whole incident "a case study in the power of ill-intentioned actors in a cyber-enhanced world" [6].
Robin Sage: Social Media Engineering
Note: This experiment and the associated findings were briefed by security researcher Thomas Ryan at the 2010 Black Hat conference in Las Vegas [3].

Accepting Friend Requests

Profile of Robin Sage
According to Sage's social networking profile (from 2009):
- She is a 25-year-old cyber threat analyst at the Naval Network Warfare Command in Norfolk, Virginia.
- She graduated from MIT.
- She had 10 years of work experience (an inconsistency for a 25-year-old that should itself have raised suspicion).

Results of the Robin Sage Experiment
What were the implications?
- Trust is easily given out.
- A large amount, and many kinds, of information is sent out through various social media outlets.
- People sought Sage's opinion and put themselves in vulnerable positions.
- Hiring managers wasted countless hours pursuing false identities like Sage to fill positions.
- Despite the completely fake profile and no other real-life information, Sage was offered positions at various notable companies.
Brief Overview: Social Engineering Cases

Students on the Attack
Case 1: A student obtained his professor's credentials and used them to change his own grades and the grades of other students.
Case 2: Students social engineered teachers into providing their credentials under the pretext that the computers needed patches installed; malware the students had pre-installed captured the credentials. Middle school students gained control of more than 300 computers by social engineering teachers into providing their administrative codes.

Taking Advantage of Clients
Case 1: A bank employee used their knowledge of clients to siphon money, open unauthorized credit cards and additional accounts, and make fraudulent purchases.
Case 2: Financial industry employees specifically targeted senior citizens and minorities, pushing them to take out unnecessary high-interest loans and to invest in risky stocks.

Gaining Physical Access
Case 1: A disgruntled former employee convinced a coworker who was unaware of the termination to let them into the victim organization's office, where they used a logged-in computer to delete critical business records.
Case 2: A contractor came in after work hours and switched the name plates on office doors, tricking a janitor into granting access to a coworker's office. The insider planned to steal source code.

IT and Telecom
News service staffers clicked on what appeared to be a link to an article on another news organization's blog. The link infected their computers with malware, allowing an attacker to capture the passwords to the news service's Twitter account. Using the compromised account, the attacker sent a false tweet warning of two explosions in a government building. The staffers fell for the scam despite having been warned after a previous phishing incident. Staffers had to change their passwords, and the Twitter account was closed.

Phone / Voice Phishing ("Vishing")
The phisher impersonated the victim organization's bank, requesting information to address supposed security concerns. The insider clicked on a link in a phishing email and entered confidential information. From there, the attackers used spear phishing to target executives likely to have wire-transfer authority. The disclosure included credentials and passwords that enabled the outsiders to transfer funds to accounts in several countries. The bank was unable to reverse 30% of the total money lost, and a lawsuit between the victim organization and the bank followed.
Operation Red October

Background
On January 13, 2013, Kaspersky Lab announced the discovery of Red October, a high-level cyber-espionage campaign that had by then been active for over five years. The campaign successfully infiltrated computer networks at diplomatic, governmental and scientific research organizations, gathering data and intelligence from mobile devices, computer systems and network equipment. https://kasperskycontenthub.com/wp-content/uploads/sites/43/vlpdfs/redoctober-indicatorsofcompromise.pdf [4]

Spear Phishing

Main Findings
- Advanced cyber-espionage network
- Unique architecture
- Broad variety of targets
- Importation of exploits
- Attacker identification
- The main objective of the attackers was to acquire sensitive documents:
  - Geopolitical intelligence
  - Credentials to classified computer systems
  - Data from mobile devices
- Kaspersky said over 7 terabytes of data had been stolen.
https://securelist.com/analysis/publications/36740/red-october-diplomatic-cyber-attacks-investigation/ [5]
Insiders Using Social Engineering: A Brief Research Study

The CERT Insider Threat Center
- Center of insider threat expertise
- Began working in this area in 2001 with the U.S. Secret Service
- Our mission: The CERT Insider Threat Center conducts empirical research and analysis to develop and transition socio-technical solutions to combat insider cyber threats.

Malicious Insiders Using Social Engineering
Malicious insiders are those who intentionally caused harm to a victim organization for which they worked. These insiders' exploits are documented in a non-public database that the CMU/SEI Insider Threat Center maintains. From our study, 52 insiders launched attacks using social engineering.

Associations (of the 52 insiders)
- Eleven insiders (21%) were involved with criminal enterprises.
- Two insiders (4%) were involved with organized crime.
- One insider (2%) was involved with the Internet underground.
Incident Metrics (slide titles only; the underlying charts are not reproduced in this text)
- Case Type
- Sector
- Attack Time
- Attack Location
- Technical Methods
- Financial Impact

Insider Metrics (slide titles only; the underlying charts are not reproduced in this text)
- Age
- Tenure
- Employee Type & Status
- Access Authorization
Contributing Factors
Organizational factors:
- Security system, policies, and practices
- Management and management systems
- Job pressure
Human factors:
- Attention
- Knowledge
- Reasoning and judgement
- Stress and anxiety
Trends and Costs

Trends (courtesy of APWG [7])
- The APWG recorded more phishing in 2016 than in any year since it began monitoring in 2004. These statistics come from the fourth quarter of 2016.
- The total number of phishing attacks in 2016 was 1,220,523, a 65% increase over 2015.
- By comparison, in the fourth quarter of 2004 the APWG saw 1,609 phishing attacks per month. In the fourth quarter of 2016 it saw an average of 92,564 phishing attacks per month, roughly 57 times the 2004 rate (the APWG figures express this as a 5,753% increase over 12 years; strictly, 92,564 is 5,753% of 1,609, i.e. a 5,653% increase).

Trends (courtesy of APWG [7], continued)
- Fraudsters in Brazil are using both traditional phishing and social media to defraud Internet users. They are also using technical tricks to make it harder for responders to stop these scams.
- Phishers concentrated on fewer targets during the holiday season and hit fewer lower-yielding or experimental targets.
- Phishers did not need to choose domain names that help fool victims.
- The country most plagued by malware is China, where 47.09% of machines are infected, followed by Turkey (42.88%) and Taiwan (38.98%).

Statistical Highlights

Costs of Phishing (courtesy of CSOonline [8])
- The average 10,000-employee company spends $3.7 million per year dealing with phishing attacks.
- The average employee wastes 4.16 hours a year on phishing emails.
- 27% of the cost is the risk of having to respond to a data breach caused by compromised credentials.
- 10% is the direct cost of addressing compromised credentials.
- 9% is the risk of a data breach caused by malware.
- 6% is the direct cost of containing the malware.
Mitigation, Defenses, Best Practices (Technical and Non-Technical)

Social Engineering Tactics, Vulnerabilities, and Mitigations

Mitigation Strategies

Non-Technical Best Practices
- Develop and deploy effective training.
- Minimize employee stress.
- Encourage employees to monitor and limit the information they post on social networking sites.

Technical Controls / Defenses
Filter emails at the gateway
- Stop as many malicious emails as possible from reaching users' inboxes: block all attachments or certain file types, strip URLs from messages, analyze sender domains, and apply natural language processing (NLP) to message text to detect phishing.
Implement host-based controls
- Host-based controls may stop phishing payloads that reach the end user from running. Basic host-based controls include antivirus and host-based firewalls, which stop certain file types and known payloads.
Implement outbound filtering
- With proper outbound filtering, attacks that circumvent all other controls can potentially still be stopped. Even with filtering, two common weak points that let exploits succeed are HTTPS (the filter cannot inspect encrypted payloads unless it terminates TLS) and DNS (queries are almost always allowed out, and hostnames can carry command-and-control traffic or exfiltrated data).
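As an added example (Python, not code from the original slides) of what "filter emails at the gateway" looks like in practice, the following triage applies three of the checks listed above to a raw message: it compares the From domain with Reply-To and Return-Path, extracts URLs from the body and flags anchors whose visible text names one host while the href points at another, and blocks attachments by extension. The two sample messages, the extension block list and the quarantine rule are constructed for the demonstration.

```python
"""Gateway-side phishing triage of a raw email (added example, not from the slides).
Checks: From vs Reply-To/Return-Path domains, visible link text vs href target,
and attachment extension blocking. Samples and block list are constructed."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

BLOCKED_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".jar", ".iso", ".docm"}  # assumed
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
# Link text a reader would take as the destination: "bank.example" or "https://bank.example/x"
SHOWN_HOST_RE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/?#].*)?$", re.I | re.S)


def domain_of(header_value) -> str:
    """Domain of the first address in a header, lower-cased ('' if absent)."""
    _, addr = parseaddr(str(header_value))
    return addr.rpartition("@")[2].lower()


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyze(raw: str) -> dict:
    """Return sender domain, findings, linked hosts and a deliver/quarantine verdict."""
    msg = message_from_string(raw, policy=policy.default)
    findings, link_hosts = [], set()
    from_domain = domain_of(msg.get("From", ""))
    # 1. Sender-domain analysis: replies or bounces routed to a different domain.
    for header in ("Reply-To", "Return-Path"):
        dom = domain_of(msg.get(header, ""))
        if dom and dom != from_domain:
            findings.append(f"{header} domain {dom} differs from From domain {from_domain}")
    for part in msg.walk():
        # 2. Attachment file-type blocking (double extensions such as .pdf.exe included).
        if part.get_content_disposition() == "attachment":
            name = (part.get_filename() or "").lower()
            if name[name.rfind("."):] in BLOCKED_EXTENSIONS:
                findings.append(f"blocked attachment type: {name}")
            continue
        # 3. URL extraction; in HTML, compare what the user sees with where the link goes.
        if part.get_content_type() == "text/html":
            collector = LinkCollector()
            collector.feed(part.get_content())
            for href, text in collector.links:
                link_hosts.add(host_of(href))
                shown = SHOWN_HOST_RE.match(text)
                if shown and shown.group(1).lower() != host_of(href):
                    findings.append(f"link text shows {shown.group(1)} but points to {host_of(href)}")
        elif part.get_content_type() == "text/plain":
            link_hosts.update(host_of(u) for u in URL_RE.findall(part.get_content()))
    link_hosts.discard("")
    return {"from_domain": from_domain, "findings": findings,
            "link_hosts": sorted(link_hosts), "verdict": "quarantine" if findings else "deliver"}


# Constructed sample: a lure that trips all three checks.
SAMPLE_PHISH = """\
From: Bank of the West <alerts@bankofthewest.com>
Reply-To: Security Desk <security-desk@mail-verify.example>
Return-Path: <bounce@mail-verify.example>
Subject: Action required: confirm your account
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p><a href="http://www.bankofthevvest.com/login">https://www.bankofthewest.com/login</a></p>
--b1
Content-Type: application/octet-stream; name="statement.pdf.exe"
Content-Disposition: attachment; filename="statement.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--b1--
"""
# Constructed sample: an ordinary internal message.
SAMPLE_CLEAN = """\
From: Alice <alice@corp.example>
Subject: Agenda
Content-Type: text/plain; charset="utf-8"

See you at noon. Agenda: https://intranet.corp.example/agenda
"""

if __name__ == "__main__":
    for raw in (SAMPLE_PHISH, SAMPLE_CLEAN):
        result = analyze(raw)
        print(result["verdict"], result["from_domain"], result["link_hosts"], *result["findings"], sep="\n  ")
```

The verdict rule here is deliberately blunt (any finding quarantines); a production gateway would weight the findings, whitelist known mailing-list Reply-To patterns, and feed the extracted link hosts into a lookalike-domain and reputation check rather than stopping at extraction.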
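The DNS weak point deserves its own illustration. This added example (Python, not code from the original slides) goes a step beyond the slide's one-sentence caveat and shows the outbound-side detection logic that a resolver log feed can drive: a query is suspicious when a subdomain label is unusually long or its characters are close to random (high Shannon entropy), and a registrable domain is reported when it receives several distinct suspicious subdomains, because tunnelled data produces a fresh hostname for every chunk. The log format, the sample lines and the thresholds are assumptions made for the demonstration.

```python
"""Spotting DNS-tunnelled exfiltration in resolver query logs.

Added example, not part of the original slides. Log format, sample lines and
thresholds are assumptions.
"""
import math
from collections import defaultdict
from typing import Dict, Iterable, Tuple


def shannon_entropy(text: str) -> float:
    """Bits per character: 0 for "wwww", 4 for uniform hex, up to ~5 for base32."""
    if not text:
        return 0.0
    n = len(text)
    counts: Dict[str, int] = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname: str) -> Tuple[str, str]:
    """Split a query name into (subdomain part, registrable domain).
    Assumption: the registrable domain is the last two labels; production code
    should use the Public Suffix List."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def suspicious_query(qname: str, max_label: int = 30, min_entropy: float = 3.5,
                     min_payload: int = 16) -> bool:
    """True when the subdomain part looks like encoded data rather than a name."""
    sub, _ = split_qname(qname)
    if not sub:
        return False
    payload = sub.replace(".", "")
    longest = max(len(label) for label in sub.split("."))
    return longest >= max_label or (
        len(payload) >= min_payload and shannon_entropy(payload) >= min_entropy)


def parse_line(line: str) -> Tuple[str, str, str, str]:
    """Assumed log format: '<timestamp> <client> query <qtype> <qname>'."""
    ts, client, _, qtype, qname = line.split()
    return ts, client, qtype, qname


def detect(lines: Iterable[str], min_unique: int = 3) -> Dict[str, dict]:
    """Registrable domains that received at least `min_unique` distinct suspicious
    subdomains, with their query count and the clients that sent them."""
    stats: Dict[str, dict] = defaultdict(
        lambda: {"queries": 0, "suspicious": set(), "clients": set()})
    for line in lines:
        if not line.strip():
            continue
        _, client, _, qname = parse_line(line)
        sub, domain = split_qname(qname)
        stats[domain]["queries"] += 1
        if suspicious_query(qname):
            stats[domain]["suspicious"].add(sub)
            stats[domain]["clients"].add(client)
    return {
        domain: {"queries": s["queries"], "unique_suspicious": len(s["suspicious"]),
                 "clients": sorted(s["clients"])}
        for domain, s in stats.items() if len(s["suspicious"]) >= min_unique
    }


# Constructed sample log: ordinary lookups plus one host pushing hex-encoded
# chunks (one new 32-character label per chunk) to a domain it controls.
SAMPLE_LOG = """\
2017-04-25T10:01:02Z 10.1.2.3 query A www.bankofthewest.com
2017-04-25T10:01:03Z 10.1.2.3 query A intranet.corp.example
2017-04-25T10:01:04Z 10.1.2.7 query A e3191.dscg.akamaiedge.net
2017-04-25T10:01:05Z 10.1.2.9 query TXT 3a9f1c77e2b04d5586aa91f0c3de7b12.s1.exfil-tunnel.example
2017-04-25T10:01:05Z 10.1.2.9 query TXT b8e01f2a9c3d7e465a1b0d9c2f8e6a73.s2.exfil-tunnel.example
2017-04-25T10:01:06Z 10.1.2.9 query TXT 04c7d1e95b3af862e7c019ad3f5b8e24.s3.exfil-tunnel.example
2017-04-25T10:01:06Z 10.1.2.9 query TXT ff21a8d30c6e97b45d1f2a7ce3b96048.s4.exfil-tunnel.example
2017-04-25T10:01:07Z 10.1.2.3 query AAAA mail.corp.example
""".splitlines()


if __name__ == "__main__":
    for domain, info in detect(SAMPLE_LOG).items():
        print(domain, info)
```

Content-delivery and anti-spam hostnames also carry random-looking labels, which is why the per-domain count of distinct suspicious subdomains, not a single odd query, is the reporting unit; in practice the threshold is set against a baseline of the organisation's own traffic, and matches are blocked at the egress resolver rather than just logged.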
Summary and Future Work
The unintentional insider threat, including social engineering:
- Is a human problem
- May be prevented, detected, and mitigated using both non-technical and technical measures
- Humans remain the weakest link
We recommend further research with a particular focus on:
- The best ways for the whole community to record incidents
- Better management practices to foster effective work environments
- More effective training
- Identifying deceptive practices to better recognize suspicious patterns
References
1. Bosworth, Seymour, and Michel E. Kabay, eds. Computer Security Handbook. John Wiley & Sons, 2002. Chapter 19, "Social Engineering and Low-Tech Attacks," Karthik Raman, Susan Baumes, Kevin Beets, and Carl Ness.
2. https://www.us-cert.gov/ncas/tips/st04-014
3. Ryan, Thomas, and G. Mauch. "Getting in Bed with Robin Sage." Black Hat Conference, 2010.
4. https://kasperskycontenthub.com/wp-content/uploads/sites/43/vlpdfs/redoctoberindicatorsofcompromise.pdf
5. https://securelist.com/analysis/publications/36740/red-october-diplomatic-cyber-attacks-investigation/
6. http://www.cnn.com/2015/10/27/politics/john-brennan-email-hack-outrage/
7. http://www.antiphishing.org/resources/apwg-reports/
8. http://www.csoonline.com/article/2975807/cyber-attacks-espionage/phishing-is-a-37-million-annual-cost-for-average-large-company.html
CERT Insider Threat Resources
- Insider threat awareness training
- Insider threat certificate programs: Insider Threat Program Manager; Insider Threat Vulnerability Assessor; Insider Threat Program Evaluator
- Insider threat vulnerability assessments
- Insider threat program evaluations
www.cert.org/insider-threat
- CERT Common Sense Guide to Mitigating Insider Threats
- Unintentional Insider Threats: Social Engineering
- Technical reports
- Insider threat technical controls
- Insider threat blog

Contact Information
Jason W. Clark, Ph.D., Member of the Research Staff, CERT Insider Threat Center
jwclark@cert.org
Email: insider-threatfeedback@cert.org
U.S. Mail: Software Engineering Institute, Customer Relations, 4500 Fifth Avenue, Pittsburgh, PA 15213-2612, USA
Web: www.sei.cmu.edu, www.sei.cmu.edu/contact.cfm
Customer Relations Email: info@sei.cmu.edu
Telephone: +1 412-268-5800
SEI Phone: +1 412-268-5800
SEI Fax: +1 412-268-6257