Phishing and Spear Phishing attacks are the number one starting point for most large data breaches. But there is currently no efficient prevention technology available to mitigate this risk. Learn what capabilities organizations need to have in order to respond to phishing attacks and lower the risk.
- Learn how to detect and respond to phishing attacks
- Understand how an average user behaves when faced with a phishing attack and why they are so successful
- Get insight into the questions that you will need to answer if a phishing campaign is running against your organisation
- Learn the capabilities organisations will need to have in order to answer those questions and protect against phishing attacks
- Learn how to improve your incident response capabilities
4. Verizon DBR2015
Source: Verizon DBR2015
• 23% of recipients open phishing messages
• 11% of recipients click on attachments
• 50% click on phishing links within the first hour
5. The traditional way
• Focus on mass mailing
• Direct delivery or indirect delivery of malware
• Spam filters and sandboxing technologies are good at detecting it
Tax return picture from https://www.proofpoint.com
6. True Story: State of Michigan (SOM) – User account spoofing
• Phishing mail: Mailbox reached storage limit...
• The custom Outlook Web Access portal design of SOM was rebuilt by the attacker
• Provide e-mail, username, password and date of birth...
To how many users was the mail delivered? How many clicked? How many filled it out?
• Delivered to 2800 employees before being blocked
• 155 employees clicked the link
• 144 employees provided their credentials
Source: GISEC 2015 Key Note – Ex CSO Dan Lohrmann
8. Why are phishing attacks seen as an increased risk?
• More focused – social engineering research
• Localized
• No longer bad Google translations
• Using valid graphics and formatting
• Sent out to targeted people or groups
• Use e-mail accounts with good reputation
• Use common use cases to click a link
  – No longer the well-known „validate bank credential“
  – Download signature of post delivery
  – Download of online PDF bill from YOUR mobile provider
9. Kill Chain – Breach Example (figure)
Stages: Discovery → Delivery → Exploitation → Installation → Command and Control (C2) → Actions on Objectives
MAIL: Attacker creates custom webpage, emails to the target; victim reads email, clicks link
WEB: http (web) session to faked web portal; victim enters login credentials / downloads malware
Afterwards: acting like a legitimate user, persist in company, stealing further PI information, utilizing user authorizations, steal data, sell access to third party
Data sources: Threat Intelligence, Access/Identity, Endpoint, Network, VPN Portals
10. You need to have the capability to answer every question about an attack that might be raised within your organisation
11. Questions that arise when you know about a phishing mail
Which of my users has received a DHL delivery e-mail in the past?
When did the DHL campaign start?
Did someone click on the link within the DHL e-mail? Or are my users well trained enough not to click on such a link, e.g. by hovering the mouse over the link first to validate that the URL is dhl.de?
Did my proxy block the file download or not if someone clicked the link?
Did the AV scanner on the endpoint block the malware if it bypassed the proxy and was executed by the user?
Was there any unknown IP connection or change to the endpoint configuration after the download of the malware?
If the phishing website simulated a valid webpage (Amazon, Outlook Web Access etc.) – did the user try to log on / submit their credentials?
Can I identify a pattern to find more users that have received similar attacks – for example using simple statistics: rarely accessed domains, first accessed domains for a user etc.?
12. Questions that the press, investors, customers and management ask an organization that has publicly disclosed an incident
• How did the attacker gain initial access to the environment?
• How did the attacker maintain access to the environment?
• What is the storyline of the attack?
• What data was stolen from the environment?
• Have you contained the incident?
13. Phishing – Advanced Analytics (figure: three log excerpts correlated by user name)
Web Proxy (user name, rarely visited web site):
2013-08-09 16:21:38 10.11.36.29 98483 148 TCP_HIT 200 200 0 622 - - OBSERVED GET www.neverbeenseenbefore.com HTTP/1.1 0 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; InfoPath.1; MS-RTC LM 8; .NET CLR 1.1.4322; .NET CLR 3.0.4506.2152; ) User John Doe,"
Endpoint Logs (user name, rarely seen service):
08/09/2013 16:23:51.0128 event_status="(0)The operation completed successfully. " pid=1300 process_image="John Doe\Device\HarddiskVolume1\Windows\System32\neverseenbefore.exe" registry_type="CreateKey" key_path="REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Printers\PrintProviders\John Doe-PC\Printers\{}\NeverSeenbefore" data_type=""
Email Server (user name, rarely seen email domain):
2013-08-09T12:40:25.475Z,,exch-hub-den-01,,exch-mbx-cup-00,,,STOREDRIVER,DELIVER,79426,<20130809050115.18154.11234@acme.com>,johndoe@acme.com,,685191,1,,,hacker@neverseenbefore.com,Please open this attachment with payroll information,,,2013-08-09T22:40:24.975Z
Time range: all three occurring within a 24-hour period
14. Using a Kill Chain Framework – Earlier Stage Detection (figure)
Delivery & Installation indicators: rarely seen email (email log), rarely seen web traffic (web log), abnormal registry access (host log)
Kill chain: Delivery, exploit, installation → Gain trusted access → Upgrade (escalate) → Data gathering → Exfiltration; Lateral movement; Persist, Repeat
Use indicators & attributes to find infected systems and users & verify controls. Protect.
15. Reference @ Maastricht University
Before Splunk:
• User accounts got compromised and hijacked by phishing attacks
• User accounts have been used for sending out spam, which resulted in the e-mail domain being blacklisted
• Interruption of e-mail service
• Users getting locked out of their accounts; struggled to identify the cause and fix it
After Splunk:
• Better understanding of what 'normal' looks like in their environment
• Investigate any suspicious activities in student and staff accounts
• Monitoring access to important or sensitive mailboxes for any unauthorized access
• Monitoring for abnormally large volumes of mail to one inbox
• Determine the attributes of a phishing attack
• React more quickly when other things go wrong
• Sysadmin team can now immediately identify the device on which the wrong credentials were used
Phishing attacks are as old as e-mail itself and its use in business. In the past it was mostly mass mailing to e-mail addresses that had been found somewhere on the web. The e-mails contained many spelling mistakes, and they were curious because they came from agencies with lines like „tax refunding needs your input to release your payback“ etc. In the past, spam filters and sandboxing technologies such as FireEye were good at detecting and filtering them out. Also, as it was mass mailing, the reputation of the sender e-mail addresses went bad very quickly and they could be added to spam filters as malicious.
At GISEC 2015 in Dubai – a large security show – Michigan's ex-CSO Dan Lohrmann held a keynote and named sophisticated phishing attempts as one of the top concerns for CIOs. He showed a real sample where they faced a targeted attack. Over 2800 users were sent e-mails saying that their mailbox had reached the size limit and that to increase it temporarily they should log on to Outlook Web Access. Within the first hour, 155 employees clicked the link to a faked Outlook Web Access page – even the custom colouring and design used at the State of Michigan was reproduced. 144 employees provided their credentials.
If that type of attack happens – you can't avoid it – you need to have the right procedures and technology in place to react quickly.
However, times change – and now phishing attempts are more targeted and more professional. They are even localized now, with the right pictures just as the original business uses them. Even the formatting is similar. And the use cases are no longer a crappy „PDF-like file“ with an ending of .pdf.exe.
Look at that real-world example that landed in the mailbox of a user in Germany. Which one is the original spam mail? Both are not from @dhl.de. So verifying the sender does not work, as DHL uses the sender address of the company you bought something from. Only if you do a mouse-over of the hyperlink in the e-mail on the right will it show you it is a spear phishing mail. The German has no spelling issues – and even though my e-mail addy was @gmail.com, someone has my e-mail addy and the information that I'm German speaking... Don't want to know via which channel they got that information.
The left one is the original one – I bought some door stoppers via Amazon Marketplace.
Conclusion: even if you're trained best on phishing – you might get caught and click a link. Then you need to be ready.
Why is it a high priority today? There are no direct security technologies out there that can prevent this stuff, and it will happen again and again. You can't control everything without limiting productivity for users. And the attacks get more focused – they use social engineering research to learn your wording and how you interact, and then they send out localized, nicely tuned phishing mails.
The attacker performs social engineering and research about the organization to learn what wording they use, what technologies they use, how their IT works, potentially even what e-mails they might get regularly, what their structure is, etc.
They prepare a custom webpage that entices the victim to enter information (login, PI information) or to download and open an infected document (mobile phone bill).
They send a custom phishing e-mail to the victim that includes his name, even nice formatting, no spelling mistakes – using the information from the research. That is the first time it hits a company network.
The victim thinks it's a legitimate e-mail, clicks the link in the mail and gets to the faked webpage through the proxy, as the page was created specifically for that one campaign and has not been seen as malicious anywhere else – entering credentials or downloading malware.
The attacker gains valid access to the victim's organization, acting like a legitimate user without using any malware.
From there on it all depends on the mission of the attacker: compromise, manipulate, steal data to gain further PI information, start to get sticky in the network by exploiting machines as a legitimate user, etc.
Use case 4 of the traditional “use case” slide. Like the prior slide, so see the notes at the top. But in this case the events being correlated are all from “non-security” data sources. This is because the threats are “unknown” to traditional security products, because no signature exists for them.
In the scenario above, Splunk is keeping track of all the external email domains that are sending emails into the company, all external web sites being visited by internal employees, and all the services and executables running on internal machines. It can automatically count up things like the number of emails received from each external domain, the number of times employees visit external web domains, etc., to see the rarely seen items that are outliers. In the above scenario:
• Splunk sees an email reach an internal employee from an external email domain that has never/rarely been seen before
• That same employee then visits a web site that is never/rarely visited by internal employees
• A service starts up on the employee's machine that is never/rarely seen in the organization
Why these 3 events are bad: these 3 events happening on the same machine in a short time period indicate that a hacker has performed a spear phishing attack. They sent a realistic-looking email to an internal employee that compelled the employee to click on a link or open an executable. This resulted in the web site dropping malware on the machine.
Splunk can correlate on all 3 of these events happening on the same machine within a short time period. Splunk can detect and/or alert on these sorts of correlations in real time or on a scheduled basis.
Even if an anomaly detection mechanism was used to find an individual event or combined events (from Splunk or something else), this is only a portion of a bigger transaction (as we discussed in the previous example).
Detecting the single event or the combination of events still requires additional information and additional action.
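The rare-domain / rare-site / rare-service correlation described above (and the "rarely accessed domains" pattern question on the earlier questions slide), as an added example that is not from the deck and is not Splunk's own logic: a small Python script over constructed log triples. The user names, domains and executable names are borrowed from the sample logs on slide 13; the "seen by at most one user" rarity threshold and the 24-hour window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records, one list per source: (timestamp, user, entity).
# Entity is the sender e-mail domain, the visited web site, or the process image.
MAIL = [("2013-08-09 12:40", "johndoe", "neverseenbefore.com"),
        ("2013-08-09 09:10", "alice", "acme.com"),
        ("2013-08-09 09:12", "johndoe", "acme.com"),
        ("2013-08-09 09:15", "bob", "acme.com")]
WEB = [("2013-08-09 16:21", "johndoe", "www.neverbeenseenbefore.com"),
       ("2013-08-09 10:00", "alice", "www.example.org"),
       ("2013-08-09 10:05", "bob", "www.example.org"),
       ("2013-08-09 10:07", "johndoe", "www.example.org")]
HOST = [("2013-08-09 16:23", "johndoe", "neverseenbefore.exe"),
        ("2013-08-09 08:00", "alice", "svchost.exe"),
        ("2013-08-09 08:01", "bob", "svchost.exe"),
        ("2013-08-09 08:02", "johndoe", "svchost.exe")]


def rare_events(records, max_users=1):
    """Events whose entity is seen by at most `max_users` distinct users
    org-wide (the "rarely seen" domain / site / service of the slide).
    The threshold is an assumption; a real deployment would baseline it."""
    seen_by = defaultdict(set)
    for _, user, entity in records:
        seen_by[entity].add(user)
    return [(datetime.strptime(ts, "%Y-%m-%d %H:%M"), user, entity)
            for ts, user, entity in records if len(seen_by[entity]) <= max_users]


def correlate(mail, web, host, window=timedelta(hours=24)):
    """Users for whom a rare mail domain, then a rare web site, then a rare
    service all occur in that order inside one window.
    Returns {user: (mail_domain, web_site, service)}."""
    rare_mail, rare_web, rare_host = (rare_events(r) for r in (mail, web, host))
    hits = {}
    for mts, user, domain in rare_mail:
        deadline = mts + window
        for wts, wuser, site in rare_web:
            if wuser != user or not mts <= wts <= deadline:
                continue
            for hts, huser, service in rare_host:
                if huser == user and wts <= hts <= deadline:
                    hits[user] = (domain, site, service)
    return hits


if __name__ == "__main__":
    for user, chain in correlate(MAIL, WEB, HOST).items():
        print(f"possible spear phishing: {user} -> {chain}")
```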
Ask the audience, customer – Is the job done if you are responsible for this?
The job is not done – because this is an early stage detection and we see that someone is trying to deliver malware into your organization. With the kill chain framework, we know that phishing is the first step in trying to gain access, so therefore we want to track where the email is coming from and who is sending it. Maybe capture the phishing email to look for the site it's directing people to, or look at the attachment to see what it does. Maybe look at the phishing details to look for similar artifacts and traffic across the company to determine if anyone else was targeted or fell for the phishing attempt.
By using the kill chain framework, we would also want to monitor the attacker attributes (where it came from, the domains associated with the attack, etc.).
The grey box describes the example, similar to the previous example.
Animation is used to tell the story: additional attributes to look for other targets, perform continuous monitoring of the targets and the attacker, and the techniques they use.
The point is the kill chain helps someone think about what else to consider, what else to look for, and how to conduct “on-going monitoring” for the attack.
Customer quote – “an increase of phishing email means we've done a good job of eliminating malware (eliminating internal access) – the phishing attempts mean they are trying to re-establish access to our network” – the conversation with this customer was that their network is too large and distributed and they know they will get infected, allowing outsiders to gain access to their networks.