A PRACTICAL APPROACH TO MANAGE PHISHING INCIDENT WITH URL FILTERING

Kasom Koth-Arsa, Surachai Chitpinityon, Julllawadee Maneesilp

Kasetsart University, Bangkok, Thailand.


AGENDA

Introduction

Objective

Phishing Management System

Conclusion


INTRODUCTION

What is phishing?

Why is phishing important?

Who are we concerned about in phishing?


WHAT IS PHISHING?

Phishing is an online form of deception

Attacker pretends to be someone else

To obtain sensitive information from the victim


WHY IS PHISHING IMPORTANT?

A serious threat to Internet usage

Growing very fast

Frauds that affect many websites and organizations

More advanced and complex techniques to convert the organization websites to the seemingly trusted financial websites to gain confidential user information


WHO ARE WE CONCERNED ABOUT IN PHISHING?

Educational institutions are among the most attacked organizations.

They organize their network systems by dividing them into many sub-departments.

This hierarchical structure makes effective management and network-security enforcement a challenge.


UNINET

Largest university network provider in Thailand, run by the Ministry of Education

1 Gbps and 10 Gbps links countrywide

UniNet has 431 member institutes: 240 universities, 134 vocational schools, 57 primary schools

100,000-plus users

Phishing becomes a serious problem!


OBJECTIVE

Develop a phishing management solution that handles the whole anti-phishing process for UniNet:

Systematic procedure

Fast response

Tracking, monitoring and collecting phishing information

Intelligent URL filtering system to enforce blocking of the specified URL

Block only the phishing URL, not the whole site


PHISHING MANAGEMENT SYSTEM

System Module: Account Management, Ticket Management, Web Filtering

Interaction Diagram

Use Case Diagram

System Configuration


SYSTEM MODULE

[Diagram of system modules. Labels: Incident Management, Tracker & Reporter, URL Filtering, Account Management, Ticket Management, Account Database, Phishing Database]


ACCOUNT MANAGEMENT MODULE

Users must register with our system before reporting a phishing website

Registration uses the following information: full name, company, e-mail, username, password

Identification procedure


TICKET MANAGEMENT MODULE

Manage Phishing events

Easy to manage and track incidents using ticket status

[Diagram of ticket status flow. Areas: Ticket management, Incident management, Tracking & Reporting. Statuses: Created, Deleted, Opened, Verified, Canceled, Blocked, Site Take Down, Closed]


URL FILTERING (WEB SCREEN)

Phishing system can block/unblock web access to the phishing site through the URL filtering system.

URL Filtering

TCP Session Hijacking Technique

Intercept HTTP request

Inject forged HTTP reply

Block or redirect access of any given URL


PASS-BY URL FILTERING

Traffic is captured and passed by without queuing

Zero delay, independent of traffic volume

Ease of installation (no traffic interruption)

Non-blocking traffic stream

No single point of failure

Scalable

[Diagram of pass-by filtering. Labels: Client, Gateway, Filtering Engine, Internet; steps numbered 1, 2, 3]


TCP SESSION HIJACKING

[Sequence diagram. Participants: Client, Filtering, Server. Labels: SYN J; SYN K, ACK J+1; ACK K+1; Data (HTTP request); Faked FIN by Filtering Engine; Data (reply), packet will be ignored; FIN L]
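The decision and sequence-number arithmetic behind the injected reply, as an added example that is not code from the presentation or from UniNet's engine. It assumes cleartext HTTP/1.x seen on the mirror port, a 403 block page, and a constructed blocklist entry; the names `Segment`, `request_target`, `forged_reply` and `client_next_expected` are hypothetical. It builds a description of the segment only and sends nothing.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

FIN, PSH, ACK = 0x01, 0x08, 0x10  # TCP flag bits
BLOCKED = {("www.example.org", "/~user/bank/login.html")}  # constructed entry
BLOCK_PAGE = (b"HTTP/1.1 403 Forbidden\r\nConnection: close\r\n"
              b"Content-Length: 0\r\n\r\n")  # assumed reply; a 302 would redirect

@dataclass
class Segment:
    src: tuple
    dst: tuple
    seq: int
    ack: int
    flags: int
    payload: bytes = b""

def request_target(payload):
    """Return (host, path) of an HTTP/1.x request, or None if it is not one."""
    try:
        lines = payload.split(b"\r\n\r\n", 1)[0].decode("ascii").split("\r\n")
    except UnicodeDecodeError:
        return None
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/1."):
        return None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            host = value.strip().lower().split(":")[0]  # drop optional :port
            return host, urlsplit(parts[1]).path
    return None

def forged_reply(req, blocked=BLOCKED):
    """Describe the reply to inject, or None to let the traffic pass by."""
    if request_target(req.payload) not in blocked:
        return None  # only the listed URL is blocked, not the whole site
    return Segment(src=req.dst, dst=req.src,
                   seq=req.ack,  # next byte the client expects (K+1)
                   ack=(req.seq + len(req.payload)) % 2**32,  # covers the request
                   flags=FIN | PSH | ACK, payload=BLOCK_PAGE)

def client_next_expected(seg):
    """Sequence number the client expects after accepting seg (FIN counts as one)."""
    return (seg.seq + len(seg.payload) + bool(seg.flags & FIN)) % 2**32
```

The server's genuine reply starts at the same sequence number as the forged one, so it arrives after the client has already consumed that range and seen the FIN, which is the "packet will be ignored" case on the slide.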


INTERACTION DIAGRAM

[Interaction diagram. Participants: Company, UniNet Administrator, University Administrator, Web Filtering Engine. Messages: Report a phishing URL (open a ticket); Verify URL; Block the phishing URL; Inform the corresponding university administrator to investigate the incident; Re-verify the URL; Cancel the blocking of the URL; The ticket is set to canceled; Server investigation/cleaning; Inform that the server is already clean; Close the ticket, inform both parties]


USE CASE DIAGRAM

[Use case diagram. Actors: Company, UniNet Administrator, University Administrator. Use cases: Create Account, Manage Account, Create ticket, View ticket, Change ticket status, Block/unblock URL, Notify incident cleared]


SYSTEM CONFIGURATION

[Network diagram. Labels: Internet, Gateway, UniNet Network Backbone, Phishing Filtering Engine, Phishing Management; link labels: 10G, 1G, SPAN, management]


USER TICKET TRACKING SCREENSHOT


CONCLUSION

The Phishing Management System is now in initial deployment on the UniNet infrastructure

Enables UniNet to respond more quickly to phishing incidents

Enables statistical logging that helps UniNet anticipate future problems and improve network security

Designed to handle a 10 Gbps network (needs some more hardware to complete)


THANK YOU.