
FBI & Secret Service - Business Email Compromise Workshop


BEC open source or (mostly) low-cost solutions:

Test your email server with KnowBe4: can your email system (server) be spoofed for a BEC spear-phishing attack? https://info.knowbe4.com/dst-sweepstakes-102017

Pwned: has your email password been compromised? Have I Been Pwned checks personal and work accounts: https://haveibeenpwned.com/

Check all users of your email domain: https://haveibeenpwned.com/DomainSearch
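Whether a domain can be spoofed in the way the KnowBe4 test above probes depends largely on the SPF and DMARC records it publishes. The following is an added example, not part of the workshop handout or of KnowBe4's test: it parses SPF and DMARC TXT records and reports the settings that leave a domain open to spoofing. The records are constructed for the three fictitious domains; in practice you would fetch the TXT record of the domain and of `_dmarc.<domain>` with a DNS client.

```python
"""Assess how spoofable a domain is from its SPF and DMARC records.

Added example (not the handout's or KnowBe4's code).  The records below
are constructed; fetching real ones is left to a DNS client of your choice.
"""
import re

# Constructed sample records for fictitious domains (not real DNS data).
SAMPLE_RECORDS = {
    "weak.example": {
        "spf": "v=spf1 include:_spf.example.net ~all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    },
    "strong.example": {
        "spf": "v=spf1 ip4:192.0.2.0/24 -all",
        "dmarc": "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@strong.example",
    },
    "nodmarc.example": {
        "spf": "v=spf1 +all",
        "dmarc": None,
    },
}


def parse_spf(record):
    """Return the qualifier of the SPF 'all' mechanism ('+', '-', '~', '?')
    or None when there is no usable SPF record."""
    if not record or not record.lower().startswith("v=spf1"):
        return None
    qualifier = None
    for term in record.split()[1:]:
        m = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if m:
            qualifier = m.group(1) or "+"  # a bare "all" means "+all"
    return qualifier


def parse_dmarc(record):
    """Return the DMARC tags as a dict, or {} when there is no valid record."""
    if not record or not record.strip().lower().startswith("v=dmarc1"):
        return {}
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess(spf_record, dmarc_record):
    """Return a list of findings that make the domain spoofable.
    An empty list means both controls are in an enforcing state."""
    findings = []
    q = parse_spf(spf_record)
    if q is None:
        findings.append("no SPF record: any host may claim to send for this domain")
    elif q == "+":
        findings.append("SPF '+all': every sender passes SPF")
    elif q in ("~", "?"):
        findings.append(f"SPF '{q}all': failures are soft, receivers rarely reject")

    tags = parse_dmarc(dmarc_record)
    policy = tags.get("p", "").lower()
    if not tags:
        findings.append("no DMARC record: SPF/DKIM results are not enforced on the From: header")
    elif policy == "none":
        findings.append("DMARC p=none: failures are only reported, never quarantined or rejected")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"DMARC policy '{policy}' is not a valid enforcing policy")
    if tags and "rua" not in tags:
        findings.append("DMARC has no rua= address: spoofing attempts never show up in aggregate reports")
    return findings


def assess_domain(name):
    """Assess one of the constructed sample domains."""
    rec = SAMPLE_RECORDS[name]
    return assess(rec["spf"], rec["dmarc"])


if __name__ == "__main__":
    for name in SAMPLE_RECORDS:
        result = assess_domain(name)
        print(name, "->", "OK" if not result else "; ".join(result))
```

Only the `all` qualifier and the DMARC `p` and `rua` tags are inspected; a full check would also verify that the SPF record stays within the 10-lookup limit and that DKIM is set up for every sending service, which this example does not cover.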

Google Alerts to protect and track your staff, company and websites online:

https://www.google.com/alerts#

Maltego is capable of querying various public data sources and graphically depicting the relationships between entities such as people, companies, websites, and documents. https://www.paterva.com/web7/buy/maltego-clients/maltego-ce.php

Digital Shadows: prevent and mitigate increasingly targeted attacks (situational awareness): https://www.digitalshadows.com/

Great free Digital Detox kit: https://myshadow.org/detox

About the Data: what trackers store about you online:

https://aboutthedata.com/portal/registration/step1

Panopticlick: a tool that tells you whether online trackers, and the site itself, may be able to identify you

https://panopticlick.eff.org

Photo metadata: what is hidden in your photos: http://regex.info/exif.cgi

Private Internet Access: a good VPN service for secure use of the Internet on public WiFi: https://www.privateinternetaccess.com

Security IQ Free Personal: https://securityiq.infosecinstitute.com/

What's included:


Maximum learners: 10
Drive-by phishing attacks
Automated campaign limit: 5
Core security awareness modules
Reports on open, phish and avoid rates and on learner progress

Check your systems with open source tools:

IoT Scanner: do you have IoT devices that are putting a hole in your network? A free IoT scanner: https://iotscanner.bullguard.com

Check Point's free firewall check (CheckMe) tests for: ransomware, anonymizer usage, identity theft / phishing, sensitive data leakage, zero-day vulnerability, browser attack, bot infection. http://www.cpcheckme.com/checkme/

OpenVAS: a great open source vulnerability scanner and manager: http://www.openvas.org

NTOP: flow analysis that can be configured for anomaly detection: http://www.ntop.org

Xplico: Network Forensic Analysis Tool (NFAT): https://www.xplico.org

GRR (Google Rapid Response): an incident response framework to help with remote live forensics: https://github.com/google/grr

Skyline: a real-time anomaly detection system that lets you monitor hundreds of thousands of metrics: https://github.com/etsy/skyline

SQLMap: detects SQL injection vulnerabilities in a website: http://sqlmap.org/

Google Nogotofail: network traffic security testing tool for SSL/TLS: https://github.com/google/nogotofail

FOCA: what metadata is leaking from your websites:

https://www.elevenpaths.com/labstools/foca/index.html

Open source threat intel: TC Open

https://www.threatconnect.com/register-for-free/

What's included:

1 user license
Access to 100+ open source intelligence (OSINT) feeds
Access to threat, incident and adversary data


A long list of open source security software: http://sectools.org/

15 Essential Open Source Security Tools

1. Nmap - map your network and ports with the number one port scanning tool. Nmap now features powerful NSE scripts that can detect vulnerabilities, misconfiguration and security-related information around network services.

2. OpenVAS - open source vulnerability scanning suite that grew from a fork of the Nessus engine when it went commercial.

3. OSSEC - host-based intrusion detection system (HIDS), easy to set up and configure. OSSEC has far-reaching benefits for both security and operations staff.

4. Security Onion - a network security monitoring distribution. Detect everything from brute-force scanning kids to those nasty APTs.

5. Metasploit Framework - test all aspects of your security with an offensive focus. Primarily a penetration testing tool, Metasploit has modules that not only include exploits but also scanning and auditing.

6. OpenSSH - secure all your traffic between two points by tunnelling insecure protocols through an SSH tunnel.

7. Wireshark - view traffic in as much detail as you want. Use Wireshark to follow network streams and find problems.

8. Kali Linux - a security testing Linux distribution. It comes prepackaged with hundreds of powerful security testing tools.

9. Nikto - great for firing at a web server to find known vulnerable scripts, configuration mistakes and related security problems.

10. TrueCrypt - encrypt all the things. As of 2014, the TrueCrypt product is no longer being maintained. VeraCrypt was forked from it and has been through extensive security audits. Website: https://veracrypt.codeplex.com

11. Moloch - packet capture analysis, with great support for protocol decoding and display of captured data.

12. Bro IDS - touts itself as more than an intrusion detection system: it decodes protocols and looks for anomalies within the traffic.


13. Snort - a real-time traffic analysis and packet logging tool.

14. OSQuery - monitors a host for changes and is built to be performant from the ground up.

15. GRR - Google Rapid Response, a tool developed by Google for security incident response.

Open Source Tools for Developers and Network Admins:

Commit Watcher: check code repos for secrets. SourceClear came up with Commit Watcher, a free open source tool that looks for potentially hazardous commits in public and private Git repositories.

Jak: encrypt your secrets in Git. It's Developer 101 to keep secrets out of your code. Instead, you should keep them in a configuration file, then add the config file to the .gitignore list to prevent it from being committed to the code repository. Keys to connect to items like payment systems, emailers and virtual machines, which have to be manually placed directly onto application servers, must be managed completely separately from the source code. This presents challenges when those keys need to be shared. The Python project Jak tackles this problem by letting developers commit encrypted versions of sensitive files into Git. Instead of .gitignore, developers list sensitive files in a jakfile, and when it's time to commit, Jak ensures that only the encrypted versions of the files wind up in the repository. Jak takes care of encrypting and decrypting the files as necessary, and it automatically generates and updates the encryption keys.

Yara: use pattern matching to find trouble. Malware researchers like to use Yara to identify and classify malicious file samples. It can also be useful as part of incident response and forensics investigations. You create rules (composed of text strings, hexadecimal values or regular expressions) and Yara crawls through the suspicious directories and files looking for any matches.

ProcFilter: use pattern matching to stop trouble. ProcFilter, an open source project, allows you to apply Yara rules to running processes, as well as block or log executables (and quarantine associated files) based on matches. ProcFilter runs as a Windows service and integrates with Microsoft's Event Tracing for Windows (ETW) API, so it can log its activities directly into the Windows Event Log.
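To make the Yara rule model concrete (named patterns that are text strings, hex byte sequences or regular expressions, plus a condition over how many of them matched), here is an added example written for this page; it is not Yara's code and does not parse Yara's rule language. It implements only the `any of them` / `all of them` / `N of them` style of condition, walks a directory the way `yara -r` does, and scans constructed sample files written to a temporary directory. The rule names, pattern names and sample contents are all made up for illustration.

```python
"""Toy re-implementation of the Yara rule model (added example, not Yara).

Rules are Python dicts rather than Yara syntax; the only conditions
supported are any/all/N of the named patterns.  Sample files are constructed.
"""
import os
import re
import tempfile


def text(s):
    """Plain text pattern (Yara: $a = "AutoOpen")."""
    return ("text", s.encode())


def hexbytes(h):
    """Hex byte pattern (Yara: $h = { 4D 5A 90 00 })."""
    return ("hex", bytes.fromhex(h.replace(" ", "")))


def regex(r):
    """Regular-expression pattern (Yara: $r = /https?:\\/\\/.../)."""
    return ("regex", re.compile(r.encode()))


# Constructed rules; the markers are generic illustrations, not real signatures.
RULES = {
    "suspicious_macro_dropper": {
        "strings": {
            "$s1": text("AutoOpen"),
            "$s2": text("Shell("),
            "$h1": hexbytes("4D 5A 90 00"),  # start of a PE ("MZ") header
            "$r1": regex(r"https?://[a-z0-9.-]+/[a-z0-9]+\.exe"),
        },
        "condition": ("n_of_them", 2),       # Yara: 2 of them
    },
    "pe_file": {
        "strings": {"$mz": hexbytes("4D 5A")},
        "condition": ("all_of_them", None),  # Yara: all of them
    },
}


def match_pattern(kind, pat, data):
    """True when one named pattern occurs anywhere in the file bytes."""
    if kind == "regex":
        return pat.search(data) is not None
    return pat in data


def evaluate(rule, data):
    """Return (matched, [names of patterns that hit]) for one rule."""
    hits = [name for name, (kind, pat) in rule["strings"].items()
            if match_pattern(kind, pat, data)]
    cond, n = rule["condition"]
    if cond == "any_of_them":
        ok = len(hits) >= 1
    elif cond == "all_of_them":
        ok = len(hits) == len(rule["strings"])
    elif cond == "n_of_them":
        ok = len(hits) >= n
    else:
        raise ValueError(f"unsupported condition {cond!r}")
    return ok, hits


def scan_file(path, rules=RULES):
    """Names of the rules that match a single file."""
    with open(path, "rb") as f:
        data = f.read()
    return [name for name, rule in rules.items() if evaluate(rule, data)[0]]


def scan_dir(root, rules=RULES):
    """Walk root recursively; return {relative path: [matching rule names]}."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            hits = scan_file(path, rules)
            if hits:
                results[os.path.relpath(path, root)] = hits
    return results


def make_samples():
    """Write constructed sample files into a temp dir and return its path."""
    root = tempfile.mkdtemp()
    samples = {
        "invoice.doc": b"Sub AutoOpen()\n Shell(\"cmd\")\nEnd Sub\n",
        "notes.txt": b"quarterly numbers, nothing to see\n",
        "tool.exe": b"MZ\x90\x00" + b"\x00" * 32 + b"http://files.example/update.exe",
    }
    for name, blob in samples.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(blob)
    return root


if __name__ == "__main__":
    for path, names in scan_dir(make_samples()).items():
        print(path, "->", ", ".join(names))
```

The `n_of_them` condition is what keeps a rule from firing on a single coincidental string; a file has to show several of the markers at once before it is reported, which is the same trade-off you make when tuning real Yara rules to avoid false positives.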
OSquery: query the endpoint for system state. Locate malicious processes, rogue plugins or software vulnerabilities in your Windows, macOS and Linux endpoints by using a SQL query. OSquery, an open source tool, collects operating system information such as running processes, loaded kernel modules, open network connections, browser plugins, hardware events and file hashes into a relational database. If you can write a SQL query, that's all you need to get answers to security questions; no complex code required.


For example, the following query would find all processes listening on network ports:

SELECT DISTINCT process.name, listening.port, listening.address, process.pid
FROM processes AS process
JOIN listening_ports AS listening ON process.pid = listening.pid;

This query would find anomalies in the Address Resolution Protocol (ARP) cache, which contains information about IP addresses and their resolved Ethernet physical (MAC) addresses, by listing any MAC address that is recorded for more than one IP address:

SELECT address, mac, COUNT(mac) AS mac_count
FROM arp_cache
GROUP BY mac
HAVING COUNT(mac) > 1;

40 Open Source and Free Business Intelligence Software in 2017: https://www.predictiveanalyticstoday.com/open-source-free-business-intelligence-solutions

https://www.highya.com/articles-guides/how-to-avoid-business-email-compromise-bec-scams

https://www.fincen.gov/resources/advisories/fincen-advisory-fin-2016-a003

https://verafin.com/wp-content/uploads/2016/12/email-compromise-fraud-schemes-IG-Verafin-161004.pdf

https://verafin.com/2017/07/business-email-compromise-bec-fraud/

https://www.us-cert.gov/ncas/current-activity/2017/05/04/IC3-Warns-Increase-BECEAC-Schemes
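The two osquery queries quoted above (the listening-ports join and the ARP duplicate-MAC check) can be tried without an endpoint, because osquery exposes its tables through SQLite and the same SQL runs against a throw-away SQLite database. The following is an added example written for this page, not osquery's own code: it builds stub versions of the `processes`, `listening_ports` and `arp_cache` tables with only the columns the queries use (the real osquery tables have many more), fills them with constructed rows, runs both queries, and adds a companion query for the ARP check. The companion query is needed because `GROUP BY mac` returns a single row per duplicated MAC, so the `address` column in that row is just one of the colliding IP addresses, not all of them.

```python
"""Run the handout's two osquery queries against an in-memory SQLite DB.

Added example: the tables are stubs with constructed rows, not data from a
real host, and they carry only the columns the queries reference.
"""
import sqlite3

# Query 1 from the handout: processes with listening sockets.
LISTENING_QUERY = """
SELECT DISTINCT process.name, listening.port, listening.address, process.pid
FROM processes AS process
JOIN listening_ports AS listening ON process.pid = listening.pid;
"""

# Query 2 from the handout: MAC addresses seen for more than one IP address.
ARP_DUP_QUERY = """
SELECT address, mac, COUNT(mac) AS mac_count
FROM arp_cache
GROUP BY mac
HAVING COUNT(mac) > 1;
"""

# Companion query (added): every address that shares a duplicated MAC,
# not just the one arbitrary address SQLite keeps per GROUP BY row.
ARP_DUP_DETAIL = """
SELECT a.address, a.mac
FROM arp_cache AS a
JOIN (SELECT mac FROM arp_cache GROUP BY mac HAVING COUNT(mac) > 1) AS d
  ON a.mac = d.mac
ORDER BY a.mac, a.address;
"""


def build_db():
    """Create the stub tables and load constructed rows."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE processes (pid INTEGER, name TEXT);
        CREATE TABLE listening_ports (pid INTEGER, port INTEGER, address TEXT);
        CREATE TABLE arp_cache (address TEXT, mac TEXT, interface TEXT);
    """)
    con.executemany("INSERT INTO processes VALUES (?, ?)", [
        (1, "init"), (812, "sshd"), (2201, "nginx"), (3310, "python3"),
    ])
    con.executemany("INSERT INTO listening_ports VALUES (?, ?, ?)", [
        (812, 22, "0.0.0.0"),
        (2201, 80, "0.0.0.0"),
        (2201, 443, "0.0.0.0"),
        (2201, 443, "0.0.0.0"),   # duplicate row, collapsed by DISTINCT
        (3310, 8000, "0.0.0.0"),  # ad-hoc web server someone left running
    ])
    con.executemany("INSERT INTO arp_cache VALUES (?, ?, ?)", [
        ("192.0.2.1",  "00:00:5e:00:53:01", "eth0"),  # the gateway
        ("192.0.2.20", "00:00:5e:00:53:14", "eth0"),
        ("192.0.2.30", "00:00:5e:00:53:01", "eth0"),  # same MAC as the gateway
        ("192.0.2.40", "00:00:5e:00:53:01", "eth0"),  # and again
    ])
    return con


def listening_processes(con):
    """Rows of (name, port, address, pid) for every listening process."""
    return con.execute(LISTENING_QUERY).fetchall()


def duplicate_macs(con):
    """One row per MAC that resolves for more than one IP address."""
    return con.execute(ARP_DUP_QUERY).fetchall()


def duplicate_mac_detail(con):
    """Every (address, mac) pair involved in a duplicated MAC."""
    return con.execute(ARP_DUP_DETAIL).fetchall()


if __name__ == "__main__":
    db = build_db()
    print("listening processes:")
    for row in listening_processes(db):
        print(" ", row)
    print("duplicated MACs (one row per MAC):")
    for row in duplicate_macs(db):
        print(" ", row)
    print("all addresses sharing a MAC:")
    for row in duplicate_mac_detail(db):
        print(" ", row)
```

On a real endpoint you would run the two handout queries with `osqueryi` instead of SQLite; the stub tables here exist only so the join and the `GROUP BY ... HAVING` logic can be checked offline.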