protect your organization from phishing attacks

Protect Your Organization from Phishing Threats (16 pages)

Andy Rappaport, Chief Architect

Tom Smit, Customer Experience Manager

Upload: core-security

Post on 10-May-2015



DESCRIPTION

Learn about various types of phishing attacks and how to protect your organization.

TRANSCRIPT

Page 1: Protect your organization from phishing attacks


Protect Your Organization from Phishing Threats

Andy Rappaport, Chief Architect

Tom Smit, Customer Experience Manager

Page 2: Protect your organization from phishing attacks


Agenda

• The Evolving Phishing Threat

• Attacker’s mentality - What CORE’s penetration testers tell us

• 5 minute Identity Harvest Challenge

• Best Practices – What You Can Do

• Organizational Preparedness with CORE Insight

Page 3: Protect your organization from phishing attacks


Phishing is Not the Same as Spam

• Spam: Unwanted email (and possibly texts)

• Phishing: malicious email – social engineering attack

− Pretending to be from someone you trust

− Designed to look like legitimate email from a trusted source.

• Types of Phishing:

− Spear Phishing – targets select individuals

− Clone Phishing – uses a previously sent email to create a legitimate appearance while changing the links in the email; exploits existing trust.

− Long-lining – a large volume of highly customized emails, intended to defeat filter-type defenses.

Page 4: Protect your organization from phishing attacks

The Evolving Phishing Threat

• Frequency is declining [1] but sophistication is increasing

• Spear-phishing effectiveness has significantly increased [2]

• $1.5 billion – total losses from phishing in 2012 [3]

• Why? Lowered barriers to achieving online trust:

− Decreased face-to-face contact: remote offices, outsourcing, partners, social networks

− Technology bypasses the human: single sign-on, federation, browsers that save passwords

− Mixed personas (personal and business): BYOD

Sources:

1. Anti-Phishing Working Group Attack Trend Reports: http://www.antiphishing.org/resources/apwg-reports/

2. http://threatpost.com/spear-phishing-remains-preferred-point-entry-targeted-persistent-attacks-113012

3. http://www.emc.com/collateral/fraud-report/rsa-online-fraud-report-012013.pdf

Page 5: Protect your organization from phishing attacks

What CORE’s Pen. Testers Tell Us

• Social engineering is the preferred attack vector.

• Users are easier: “We can always phish someone [in an engagement.] It’s just a matter of how hard we need to try.”

• Establish, escalate and leverage trust: “until you get someone [or something] you want”.

• Value of compromising an identity:

− Email account: send email as them, leverage their trust network

− Browser or host: passwords, log on as them

Note the significance of trust in each statement.

Page 6: Protect your organization from phishing attacks

What CORE’s Pen. Testers Tell Us – The Approach

• Establish trust with a non-threatening message to a small group:

− We have been experiencing some errors with the XYZZY system. Sorry for any inconvenience.

− We are scheduling an upgrade for the XYZZY system.

• … then send the phish email:

− Sorry. Please use this temporary XYZZY system <some link>

• Make it look right:

− Use corporate branding / images. Duh.

• Personalize, if possible:

− Title: Attendee list for your XYZZY conference keynote

  o (A person’s future conference schedule might be easy to discover)

Page 7: Protect your organization from phishing attacks

Try the 5 Minute Identity Harvest Challenge

• Pick an important corporate user – your company or another

• Search for just 5 minutes to get spear-phish info

• Pick a few places to look:

− Corporate site, news

− Financial: scheduled stock trades

− Search engine: blogs, conferences, speeches, planned travel

− Social: LinkedIn (college – homecoming), Facebook (social, family)

− Physical addresses: work, home, vacation

What could an attacker do with more time?

Page 8: Protect your organization from phishing attacks

Phish Defenses – What You Can Do

• Defend – technology deployments:

− Blacklisting known phishing sites

− Spam filters

− Anti-virus software

• Educate – user awareness:

− Regular two-way communication. Make humans part of your sensor network.

− Share real-world examples

• Understand the risk – establish policy:

− Ex: CSR or IT password reset – are they being helpful or insecure?

− Zip files through the firewall?

− Mixing personal and business.

• Test and measure your own exposure and risk:

− Test your own defenses

− Hands-on employee assessments

GOTCHA!

Page 9: Protect your organization from phishing attacks

Self-Phishing Best Practices

• Goal: understand and lower phish risk

• Systematic testing:

− Data-driven. Objective.

− Create an easily repeatable process

− Not a one-time gotcha. (Hook-and-release)

• Test people and defenses/controls

• Different levels of sophistication:

− E.g. obvious form letter; targeted message with specific but publicly available information

[Cycle diagram: Test → Improve → Assess]

Page 10: Protect your organization from phishing attacks

Benefits of Self-Phishing: Data-driven Security – Goals, Questions, Metrics

• Goal: understand/measure your own risk from phish exposure.

• Questions:

− Does the A/V on our IT ‘golden images’ detect spam/phish messages?

− Do our defenses provide useful clues to employees?

− Which of our users are susceptible to phishing?

− How much does our user awareness program reduce the risk?

• Metrics: understanding the effectiveness of your training

− Measure over time and identify areas to improve

− Approach: mix baselines (Nigerian prince) with more focused tests (spearphish)

• Identify users and groups who need additional education:

− Adequately trained? New hires? Admins? IT? Devs?
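As an added example (not from the deck and not CORE Insight's own code), the goals-questions-metrics approach above can be computed from exported self-phishing results: click and report rates per group and sophistication level, the groups above a susceptibility threshold on spear-phish messages, and the change between quarters. The data rows, group names and function names below are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample campaign results (made up for this example; not CORE Insight output).
# Each row: quarter, sophistication level, user group, messages delivered, clicks, user reports.
# "baseline" = obvious form letter; "spear" = targeted message built from public information.
RESULTS = [
    ("2014Q3", "baseline", "new_hires", 40, 14, 3),
    ("2014Q3", "spear",    "new_hires", 40, 22, 1),
    ("2014Q3", "baseline", "it_admins", 25, 2, 12),
    ("2014Q3", "spear",    "it_admins", 25, 8, 9),
    ("2014Q4", "baseline", "new_hires", 40, 8, 9),
    ("2014Q4", "spear",    "new_hires", 40, 16, 5),
    ("2014Q4", "baseline", "it_admins", 25, 1, 15),
    ("2014Q4", "spear",    "it_admins", 25, 3, 13),
]

def aggregate(rows):
    """Sum delivered, clicked and reported counts per (quarter, level, group)."""
    totals = defaultdict(lambda: [0, 0, 0])
    for quarter, level, group, delivered, clicked, reported in rows:
        t = totals[(quarter, level, group)]
        t[0] += delivered
        t[1] += clicked
        t[2] += reported
    return totals

def click_rate(rows, quarter, level, group):
    """Fraction of delivered messages whose link was clicked (susceptibility)."""
    delivered, clicked, _ = aggregate(rows).get((quarter, level, group), (0, 0, 0))
    return clicked / delivered if delivered else 0.0

def report_rate(rows, quarter, level, group):
    """Fraction of delivered messages reported by users (the human sensor network)."""
    delivered, _, reported = aggregate(rows).get((quarter, level, group), (0, 0, 0))
    return reported / delivered if delivered else 0.0

def groups_needing_training(rows, quarter, level="spear", threshold=0.25):
    """Groups whose click rate on `level` messages in `quarter` exceeds the threshold."""
    flagged = []
    for (q, lvl, group), (delivered, clicked, _) in sorted(aggregate(rows).items()):
        if q == quarter and lvl == level and delivered and clicked / delivered > threshold:
            flagged.append(group)
    return flagged

def improvement(rows, group, level, before, after):
    """Drop in click rate between two quarters; positive means the training paid off."""
    return click_rate(rows, before, level, group) - click_rate(rows, after, level, group)
```

Comparing the baseline and spear rates for the same group shows how much of the risk a filter-level defense cannot absorb, and the report rate tracks whether users are actually acting as sensors.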

Page 11: Protect your organization from phishing attacks

CORE Insight

Page 12: Protect your organization from phishing attacks

Insight Can Assess Over Time

Investments in training have proven productive.

Next quarter’s focus can be clearly identified.

Ongoing evaluation is critical to minimizing risk.

Page 13: Protect your organization from phishing attacks

Insight Identifies Critical Areas

Identify current weaknesses in an organization.

Focus limited resources on more critical activities.

Campaigns focus on different users:

• Marketing Executives

• Contractors

• Web Developers

Page 14: Protect your organization from phishing attacks

Insight Builds Focused Campaigns

Campaign types: General Phishing, Spear Phishing, Clone Phishing

Sample message preview shown on the slide:

First Generic Bank <[email protected]

Please update your account information

Mar 12, 2013 3:23PM PST

Page 15: Protect your organization from phishing attacks


Reporting