Over 90 percent of cyber attacks start the same way: with a phishing message. Attackers slip all manner of malware into your organization just by convincing users -- even admin-level users in the IT department -- to click on a link. Fraudsters carrying out business email compromise attacks are even more clever, forgoing malware and malicious links altogether, and scamming companies out of $47 million, $75 million and more, simply by asking for it the right way. Social engineering is, at the very least, how attackers get their foot in the door, and at worst, how they get away with your crown jewels. In this session, learn about attackers' new twists on the oldest tricks in the book, and how to protect your organization against them.

1. Defeating Social
Engineering, BECs, &
Phishing
Rob Ragan
@sweepthatleg | Alex DeFreese
@lunarca_

2. We are Rob and Alex
Security consultants at Bishop Fox.
We help organizations secure their networks,
applications, and people.
Hello!

3. Trap the
Phisherman

4. Trap the
Phisherman
Lure attackers into traps that betray their presence

5. Trap the
Phisherman
Lure attackers into traps that betray their presence
Trigger rapid incident response

6. Warning:
No Silver Bullets

7. Email Phishing 101

8. Email phishing was the first step in
91% of data breaches in 2016

11. The Anatomy of an
Attack
• Find Targets
• Create Payload
• Deliver Attack

14. Email Address
Formats
• example.user@company.com
• euser@company.com
• user.example@company.com
• example.m.user@company.com

15. Attack Payload
• Compromise Accounts and Credentials
• Compromise Computers
• Perform an Action
$

18. Deliver Attack

20. Link to Attack Site

22. Business Email Compromise

24. • Business Working with a Foreign Supplier
• Business Executive Receiving or Initiating a Request for a Wire
Transfer
• Business Contacts Receiving Fraudulent Correspondence
through Compromised E-mail
• Data Theft
• Business Executive and Attorney Impersonation
https://www.ic3.gov/media/2017/170504.aspx
Most Common BEC Scenarios

26. • Business Working with a Foreign Supplier
• Business Executive Receiving or Initiating a Request for a Wire
Transfer
• Business Contacts Receiving Fraudulent Correspondence
through Compromised E-mail
• Data Theft
• Business Executive and Attorney Impersonation
https://www.ic3.gov/media/2017/170504.aspx
Most Common BEC Scenarios

28. • Clearly-defined process for financial transactions
• Out-of-band verification for transactions beyond a threshold
• Multi-factor authentication
Mitigation Strategies

29. Event of the Year

31. “

32. “

34. Common Ineffectual Techniques
What Doesn’t
Work

35. Excessive Awareness Training1.

36. Not useless
• Reduce attack surface
• Improve detection rates

37. “
But it’s nowhere near enough
on its own

38. It only takes one

39. Punishing User Mistakes2.

40. Social engineering attacks will always
succeed without technical controls
for defense

41. • Helpful
• Naïve
• Trusting
• Routine-oriented
Because people are…

42. Not security experts
Because people are…

43. And they shouldn’t have to be

44. Limit Delivery Options

45. Email Protections

46. v=spf1 include:spf.protection.outlook.com
include:mailgun.org -all
v=DMARC1; p=reject; pct=100;
rua=mailto:re+mlszd9zhq4y@dmarc.postmarkapp.com; aspf=r;
SPF
DMARC

50. Mark External Emails

51. http://blogs.perficient.com/microsoft/2016/04/office-365-providing-your-users-visual-cues-about-email-safety/

52. Set up Canary Emails

54. Limit Payload Options

55. Block Unknown Executables

57. Block at First Sight

60. Block Office Macros

62. https://blogs.technet.microsoft.com/mmpc/2016/03/22/new-feature-in-office-
2016-can-block-macros-and-help-prevent-infection/

63. Limit Access to PowerShell

65. https://blogs.technet.microsoft.com/mmpc/2016/10/19/the-new-lnk-between-spam-and-locky-infection/

66. Multi-Factor Authentication

67. Image: Duo Security

68. Password Manager

70. Refuser

73. Incident Response

74. Tailored
Incident Response Plan
• Identify the most common threats facing your company
• Define and enforce incident response plans for these threats

75. Detect

76. Use your Employees

77. It still only
takes one

78. mailto:phishing@bishopfox.com
http://www.nerdosaur.com/network-security/add-a-report-phishing-button-in-outlook/

79. Domain Protections
• DNS RPZ
• Automate redirection of known-bad domains
• Redirect DNS Homoglyphs
• Tripwire to alert on attacks in progress

81. Contain

82. Identify Compromised Targets

83. Force Password Resets

84. Eradicate

85. Revert to Known-
Good Backup
• Getting around persistence is hard and not
worth it
• Difficult to tell if its actually eradicated

86. Burn Payload
Infrastructure
• Break Command and Control channels
• Blacklist server IP addresses and DNS names
• Buy time to respond
• Make attackers spend money

87. Burn Delivery
Infrastructure
• Block emails from attacking MTA
• Prevent further attacks from that server
• Make attackers spend money

88. Raise the alarm

90. Any questions ?
You can find us at:
• @bishopfox
• facebook.com/bishopfoxconsulting
• linkedin.com/company/bishop-fox
• google.com/+bishopfox
Thanks!

91. CREDITS
Christina Camilleri (@0xkitty) for the slide design!