Webinar--CSAM Social Engineering Webinar by Verizon Enterprise


Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or

distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement.

Social engineering

Verizon Threat Research Advisory Center

Cyber Security Awareness Month

Week 3

Proprietary statement

This document and any attached materials are the sole property of Verizon and are not to be used by you other than to evaluate Verizon's service.

© 2017 Verizon. All rights reserved. The Verizon name and logo and all other names, logos and slogans identifying Verizon's products and services are trademarks and service marks or registered trademarks and service marks of Verizon Trademark Services LLC or its affiliates in the United States and/or other countries.

All other trademarks and service marks are the property of their respective owners.


2017 Data Breach Digest

This document and any attached materials are the sole property of Verizon and are not to be used by you other than to

evaluate Verizon's service.

This document and any attached materials are not to be disseminated, distributed, or otherwise conveyed throughout your

organization to employees without a need for this information or to any third parties without the express written permission

of Verizon.

© 2017 Verizon. All Rights Reserved. The Verizon name and logo and all other names, logos, and slogans identifying

Verizon's products and services are trademarks and service marks or registered trademarks and service marks of Verizon

Trademark Services LLC or its affiliates in the United States and/or other countries.

All other trademarks and service marks are the property of their respective owners.


Agenda

1. Social engineering defined
2. Financial pretexting
3. The numbers — social engineering stats
4. Social engineering
5. The challenges of social engineering
6. Hacktivist attack
7. Countermeasures — prevention and mitigation
8. Crypto malware
9. Countermeasures — detection and validation
10. Digital extortion
11. Countermeasures — response and investigation
12. Conclusion


Social engineering defined

"Social engineering bypasses all technologies, including firewalls."

Kevin Mitnick


Social engineering defined

"Eagerness. Distraction. Curiosity. Uncertainty. All of these are drivers of human behavior, and one or more can be leveraged to influence someone to disclose information."

2017 DBIR

What is social engineering?

Threat actors using social tactics employ deception, manipulation, intimidation and similar techniques to exploit the "human element" of information assets.

How big of an issue is social engineering?

In 2016, 43% of the confirmed data breaches reviewed in Verizon's 2017 Data Breach Investigations Report (DBIR) involved social attacks.

Social attacks used in the breaches seen in 2016 utilized:

• Phishing (spear phishing, whaling)
• Pretexting, websites (e.g. watering holes)
• Phone
• In-person
• Bribery, extortion


Financial pretexting —the Golden Fleece

Social engineering


Pretexting

"Financial pretexting involves threat actors leveraging underlying human emotions, such as empathy, curiosity, trust and fear to achieve financial gain."

2017 DBIR

What is pretexting?

• Involves a persona and a dialog between the threat actor and the victim.
• Leverages human emotions.
• Almost always targeted.
• Most often aimed at financial departments.
• Usually precedes a targeted phishing attack.

Examples of pretexting

• Impersonating executives to request wire transfers.
• Password solicitation by the "IT department".
• PII solicitation by phone, email or even in person.

Financial pretexting

Financial pretexting involves threat actors leveraging underlying human emotions, such as empathy, curiosity, trust and fear to achieve financial gain.

the Golden Fleece

Down to the wire

• The CIO provided email approval for all company wire transfers.
• A wire transfer with a missing tax form led to an investigation by the finance director.
• The paperwork seemed in order; however, neither the CIO nor the accountant who submitted the transfer recalled the payment.

Perspective: Chief Information Officer

verizonenterprise.com/resources/reports/rp_data-breach-digest_xg_en.pdf


Financial pretexting—the Golden Fleece

Response and investigation

• Investigators noticed the approval message came from a domain that differed from the corporate email domain by a single character.
• A phishing email was found on the accountant's laptop requesting email domain credentials to pay a late invoice.
• The email contained a URL that was known to be malicious.
• The company's URL filtering tool didn't catch the message because the accountant was at home, connected to his personal Wi-Fi network rather than the corporate network.

Attack-defend card

verizonenterprise.com/resources/reports/rp_data-breach-digest_xg_en.pdf


Financial pretexting—the Golden Fleece

Lessons learned

• Prepend a marker (e.g. "Subject: [external] ...") to the subject line of externally originated emails.
• Require secondary authorization for wire transactions over a certain dollar amount, obtained through a channel other than the one the request arrived on.
• Require VPN access for telecommuters accessing the corporate environment, so that web and email filtering apply off-site as well.

verizonenterprise.com/resources/reports/rp_data-breach-digest_xg_en.pdf
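The clue that broke the Golden Fleece case was a sender domain one character off from the real one, and the first lesson is the "[external]" subject marker. The block below is an added example of both checks in code; it is not Verizon's or the victim's code. The corporate domain `example-corp.com`, the homoglyph table and the three sample messages are constructed, and the distance threshold is an assumption. Note that a domain which only matches the corporate one after folding look-alike characters (digit 1 for letter l) is reported as a look-alike, never as internal.

```python
"""Spot an approval e-mail sent from a look-alike of the corporate domain.

Added example for the Golden Fleece case; this is not Verizon's code.
CORPORATE_DOMAINS, HOMOGLYPHS and the sample messages are constructed.
"""
from email import message_from_string
from email.utils import parseaddr

CORPORATE_DOMAINS = {"example-corp.com"}  # assumed corporate mail domain(s)

# Characters commonly swapped for look-alikes (constructed subset).
HOMOGLYPHS = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
})


def normalise(domain: str) -> str:
    """Lower-case, decode punycode (xn--) labels and fold common homoglyphs."""
    d = domain.strip().lower().rstrip(".")
    try:
        d = d.encode("ascii").decode("idna")
    except UnicodeError:
        pass  # already Unicode, or not valid IDNA: compare as-is
    return d.translate(HOMOGLYPHS)


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute or
    transpose adjacent characters, each costing 1 ("compny" vs "company" = 1)."""
    prev2, prev1 = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev1[j] + 1, cur[j - 1] + 1, prev1[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev1 = prev1, cur
    return prev1[-1]


def classify_sender(raw_message: str, corporate=CORPORATE_DOMAINS, max_distance: int = 2) -> dict:
    """Return internal / lookalike / external for the From: domain.

    A domain that equals a corporate domain only *after* homoglyph folding
    (e.g. examp1e-corp.com) is a look-alike, never internal."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    if not domain:
        return {"domain": "", "verdict": "no-sender", "match": None, "distance": None}
    if domain in corporate:
        return {"domain": domain, "verdict": "internal", "match": domain, "distance": 0}
    norm = normalise(domain)
    match = min(corporate, key=lambda c: osa_distance(norm, normalise(c)))
    dist = osa_distance(norm, normalise(match))
    verdict = "lookalike" if dist <= max_distance else "external"
    return {"domain": domain, "verdict": verdict, "match": match, "distance": dist}


def tag_subject(raw_message: str, marker: str = "[external]") -> str:
    """Subject line with the marker prepended for anything not sent from a corporate domain."""
    msg = message_from_string(raw_message)
    subject = msg.get("Subject", "")
    if classify_sender(raw_message)["verdict"] == "internal" or subject.startswith(marker):
        return subject
    return f"{marker} {subject}"


# Constructed messages: the forged approval (digit 1 for letter l), a real one, a vendor.
FORGED_APPROVAL = """From: "CIO" <cio@examp1e-corp.com>
To: accountant@example-corp.com
Subject: Re: Wire approval - invoice 4471

Approved, please send today.
"""
GENUINE_APPROVAL = FORGED_APPROVAL.replace("examp1e-corp.com", "example-corp.com")
VENDOR_MAIL = """From: billing@contoso-supplies.example
Subject: Late invoice

Please pay.
"""

if __name__ == "__main__":
    for raw in (FORGED_APPROVAL, GENUINE_APPROVAL, VENDOR_MAIL):
        print(classify_sender(raw), "->", tag_subject(raw))
```

In a mail gateway the look-alike verdict would be the trigger for quarantine or a warning banner rather than just a subject tag; the distance threshold trades false positives (short corporate domains collide with many real ones) against missed near-misses, so keep it small and pair it with an allowlist of known partner domains.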


The numbers —social engineering stats

Social engineering plays a significant role in cybersecurity incidents and data breaches.


The numbers—2017 DBIR social engineering stats

"Almost all phishing attacks that led to a breach were followed with some form of malware."

2017 DBIR

The data set

For the 2017 DBIR, Verizon tracked 1,616 incidents involving social actions, 828 of them with confirmed data disclosure.

Social attacks in data breaches

• 43% of all breaches utilized social attacks.
• 98% of breaches with social attacks utilized phishing or pretexting.
• 93% of incidents with social attacks utilized phishing.
• 95% of phishing attacks that led to a breach were followed with malware.
• 28% of breaches utilizing phishing were targeted attacks (e.g. spear phishing and whaling).


The numbers—2017 DBIR social engineering stats

Threat Actors

• External, 99%

• Internal, 1%

• Partners, <1%

Threat Motivations

• Financial, 66%

• Espionage, 33%

• Grudges, <1%

Data Compromised

• Credentials, 66%

• Secrets, 32%

• Personal, 8%

"Human beings play a significant role in data breaches and cybersecurity incidents. This should come as no surprise; after all, we are the ones who produce, consume, use, depend on, and as a result, have to secure and protect digital data."

2017 DBIR

Attacker methodology

Social engineering is used to gain knowledge of the people, processes and technology that can be compromised by the threat actor.

• People: identifying who to target or impersonate.
• Processes: identifying internal corporate processes or policies to exploit.
• Technology: identifying software, hardware or other technology that can be compromised in an attack.

Social attack methods are limited only by the imagination of the threat actors; new attack scenarios are being developed every day.


The numbers—2017 DBIR social engineering stats

"Social actions are typically part of a blended attack, with a successful installation of malware or disclosure of credentials as the goal of the social phase."

2017 DBIR

Communication methods

• Email: the primary method, used in 95% of social attacks.
• Phone: 2% of social attacks.
• In person: 2% of social attacks.
• All other: social attacks can occur via any form of human communication: mail, social media, malicious websites, even advertisements on the radio or in a newspaper.

Communication overlap

Social attacks often involve more than one communication method to entice the victim to reveal information.


Social engineering —the Hyper Click

Social engineering


Phishing

What is phishing?

A fraudulent attempt to induce an individual to disclose personal or confidential information.

Information targeted

• Usernames and passwords
• PII (Personally Identifiable Information)
• Financial data
• Employee/executive names
• Customer names/information
• Internal operational/security procedures

Types of phishing

• Phishing: attempting to get information from any individual.
• Spear phishing: targeting specific users or departments.
• Whaling: targeting executives.
• Vishing: phishing via voice, such as phone calls.
• Smishing: phishing via text messaging.

Social engineering

Social engineering attacks rely on influencing or tricking people into disclosing information or conducting an action, such as clicking on a hyperlink or opening an email attachment.

the Hyper Click

Upstream phishing for a downstream profit

• An organization's competitor publicized a new piece of large construction equipment.
• The equipment appeared to be an exact copy of the organization's model; the competitor had not produced this type of equipment previously.
• The victim organization was concerned that design details for this and other projects had been compromised.

Perspective: Endpoint Forensics Examiner

verizonenterprise.com/resources/reports/rp_data-breach-digest_xg_en.pdf


Social engineering – the Hyper Click

Response and investigation

• After determining that the equipment designs were likely compromised, investigators interviewed the employees who had worked on the design.
• A forensic examination of the chief design engineer's computer revealed a backdoor shell script and evidence that the threat actor had located and copied the design plans.
• Evidence showed that a foreign threat actor had targeted the chief design engineer with a malicious attachment while posing as a recruiter.

verizonenterprise.com/resources/reports/rp_data-breach-digest_xg_en.pdf

Attack-defend card


Social engineering – the Hyper Click

Lessons learned

• Provide user education and awareness training programs that alert users to targeted phishing attacks.
• Perform regular audits to check policy compliance.
• Enhance security controls with strong, mutual authentication combined with a robust identity and access management program.

verizonenterprise.com/resources/reports/rp_data-breach-digest_xg_en.pdf


The challenges of social engineering

Even the most cautious of employees are prone to being deceived under the right circumstances.


Challenges of social engineering

"An employee of the organization receives a phishing email and clicks on the malicious link or attachment it contains. Then malware is installed in the form of a backdoor or C2, and the bad guys return at their leisure to footprint the network and take what they need."

2017 DBIR

Why do we keep getting fooled?

We receive yearly training on social engineering. Certainly, everyone not living under a rock has heard the word "phish". And so, we all know not to:

• Click on suspicious hyperlinks
• Open suspicious attachments
• Give out sensitive information

We also know that the flashing banner saying "you won an iPad!" is not legitimate.

And we would never, ever, ever, ever, ever give out our password.

So why is social engineering still such a big part of data breaches?


Challenges of social engineering

Social engineering psychology

Threat actors use various methods to deceive even well-trained employees.

Fear

"It's fine if you cannot give me your password, but it will result in your boss having to do a lot of extra work, and he will know it was because of you!"

Intimidation

"You're connected with a known terrorist on social media. Click on this link to clear up the matter or you'll be arrested—the FBI."

Greed

"You've been left a million dollars in a distant relation's will. Please respond so we can get you your money!"

Desire to help

"If you can't send this wire transfer today I'm going to lose my job. I promise I'll get you the paperwork later on today."

Distraction

Distracted or busy employees may be tempted to reveal information rather than take the time to ensure the request is legitimate.

Convincing con

The threat actor has done enough research, or has already exploited another employee, to make the request appear legitimate.


Hacktivist attack —the Epluribus Enum

Social engineering

Hacktivist attack

Hacktivist attacks leverage hacking techniques as a form of activism. Commonly, a hacktivist is motivated by a desire to harm or embarrass the targeted victim in an effort to further a political or social agenda.

the Epluribus Enum

An executive doxxing match

• A multinational organization was attracting negative attention following its handling of a restructuring.
• Although there was no evidence of an attack, threats were made on social media, along with various derogatory hashtags.
• The company felt it was a soft target for hacktivism, so it called in outside entities to help it prepare for any attack.

Perspective: Lead Investigator

verizonenterprise.com/resources/reports/rp_data-breach-digest_xg_en.pdf


Hacktivist Attack—the Epluribus Enum

Response and investigation

• Various social networks and online forums, as well as DarkNet sites, were reviewed.
• Personal details for two executives had been obtained and leaked online; law enforcement responded, but this was just the start.
• Weeks of DDoS attacks were repelled, until one of the company's websites was defaced.
• The threat actors had gained access to the company's account at its domain registrar.
• The DNS records had been modified to point the company's domain name at another website, which is what made the site appear defaced.

Attack-defend card

verizonenterprise.com/resources/reports/rp_data-breach-digest_xg_en.pdf


Hacktivist attack—the Epluribus Enum

Lessons learned

• Base defenses, detection mechanisms and response capabilities on sound cyber threat intelligence.
• Use a reputable domain name registrar that offers two-factor authentication or approved IP address whitelisting, and lock the domain against unauthorized changes where the registrar supports it.
• Establish an IR plan early; regularly review, test and update it.

verizonenterprise.com/resources/reports/rp_data-breach-digest_xg_en.pdf


Countermeasures —prevention and mitigation

Social engineering


Prevention and mitigation

Train and test
Ensure the IR plan includes a requirement for at least annual training, and test employees with simulated phishing attacks.

Constantly remind
Utilize posters, login banners and regular email reminders so employees do not fall victim to social engineering.

Multifactor authentication
Utilize multi-factor authentication (MFA) to validate communication sources (e.g. webmail access and financial transactions).

Block suspicious files
Deploy Group Policy Objects (GPOs) to block executable files, disable macros and block other risky attachments.

Observe password hygiene
Strong, unique passwords, changed whenever compromise is suspected (the slide says "changed frequently"; NIST SP 800-63B has since dropped forced periodic rotation in favor of length, uniqueness and MFA).

Reduce admin accounts
Remove local administrative rights.

Backup frequently
Test and validate the backup process and maintain offline backups.

Patch and update frequently
Patch and update operating systems and third-party applications as soon and as often as possible.


Prevention and mitigation

Prevention and mitigation

Practice what you preach. Make sure legitimate internal emails do not look suspicious, creating bad habits such as clicking links. Consider these precautions:

Sub-domains
Threat actors register names under domains such as "com[.]ru" to produce "YourBank[.]com[.]ru"; the registrable domain is the attacker's, not YourBank's.

Diligence
Instead of following the link, visit the legitimate site directly and navigate to the page.

Country codes
Ensure they match up with the organization.

Security warnings
Look out for warnings indicating the attachment may be malicious.

Compressed files
Beware of compressed attachments such as "invoice.zip".

Credentials
Beware of attachments requiring usernames and passwords.

Macros
Disable them to prevent execution of macro malware.

Anti-virus
Keep it updated and set to scan email attachments before opening.

External markers
Prepend a marker to email subject lines such as "Subject: [external] …".
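The "Sub-domains" and "Country codes" tips come down to one question: under which public suffix was the name actually registered? The block below is an added example of answering that question in code; it is not Verizon's code. `PUBLIC_SUFFIXES` is a constructed subset of the Public Suffix List (production code should load the full list, for example via the `tldextract` package), and `TRUSTED` / `EXPECTED_TLDS` are a made-up allowlist for a fictitious "YourBank".

```python
"""Which domain does a link really belong to?

Added example for the "Sub-domains" and "Country codes" tips; not Verizon's code.
PUBLIC_SUFFIXES is a constructed subset of the Public Suffix List; TRUSTED and
EXPECTED_TLDS are an assumed allowlist for a fictitious organisation.
"""
from urllib.parse import urlsplit

# Suffixes under which the public can register a name (constructed subset).
PUBLIC_SUFFIXES = {"com", "net", "org", "ru", "com.ru", "uk", "co.uk", "de", "br", "com.br"}
TRUSTED = {"yourbank.com"}   # registrable domains the organisation owns (assumed)
EXPECTED_TLDS = {"com"}      # top-level domains the organisation uses (assumed)


def registrable_domain(host: str):
    """Split host into (registrable domain, public suffix), longest suffix first,
    so that yourbank.com.ru is registered under "com.ru", not under "yourbank.com"."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in PUBLIC_SUFFIXES:
            if i == 0:
                return None, suffix            # the host *is* a public suffix
            return ".".join(labels[i - 1:]), suffix
    return ".".join(labels[-2:]), labels[-1]    # unknown TLD: fall back to last two labels


def analyse_link(url: str) -> dict:
    """Return the registrable domain and a list of reasons not to trust the link."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname or ""
    reg, suffix = registrable_domain(host)
    tld = suffix.rsplit(".", 1)[-1]
    findings = []
    if reg not in TRUSTED:
        findings.append(f"registrable domain {reg!r} is not one of ours")
        if any(t in host for t in TRUSTED):
            findings.append("our brand name appears as a label inside someone else's domain")
    if tld not in EXPECTED_TLDS:
        findings.append(f"top-level domain {tld!r} does not match the organisation")
    if parts.username is not None:
        findings.append("userinfo before '@' disguises the real host")
    return {"host": host, "registrable": reg, "suffix": suffix, "findings": findings}


if __name__ == "__main__":
    for u in ("https://login.yourbank.com/", "https://yourbank.com.ru/login",
              "http://yourbank.com@evil-host.ru/", "https://yourbank.co.uk/"):
        print(u, analyse_link(u))
```

The same split is what a URL-filtering gateway or a SIEM lookup should key on: matching "yourbank.com" as a substring of the host, or trusting the first labels you see, is exactly the mistake the "com[.]ru" trick relies on.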


Detection and validation

Technology: employ security appliances that can detect and block malicious emails.
• Consider blocking compressed executables.
• Blacklist known malicious domains.

Process: ensure the IR plan covers social attacks.
• Implement procedures and tools to assist in social engineering detection.
• Implement procedures for validating requests made by unknown persons.
• Implement procedures for validating whether a reported social attack requires investigation.

People: provide employees with quick and easy reporting methods.
• Ensure employees know what to report and how to report it.
• Provide multiple reporting methods such as phone, email and web application.


Crypto malware —the Fetid Cheez

Social engineering

Crypto malware

Crypto malware prevents users from accessing a system, file shares or files by encrypting the data. After gaining access and control, the threat actor holds data access for "ransom" until the user pays.

the Fetid Cheez

Backup to normal

• Key business-critical applications were offline, impacting daily operations.
• Files on network shares had their extensions changed; ransom notes were also found.
• With the business impacted, remediation and investigation were conducted in parallel.
• Backups were reviewed for availability and for the time needed to restore normal business operations.
• The network share files had last been modified by a network admin account with domain admin rights.

Perspective: Chief Information Security Officer

verizonenterprise.com/resources/reports/rp_data-breach-digest_xg_en.pdf


Crypto malware—the Fetid Cheez

Response and investigation

• Disabled the net admin account, collected logs and forensically imaged the laptop.
• Restored files from backups; retrieved others from users; reinstalled applications.
• The net admin had opened an email attachment carrying a recent ransomware variant.
• The ransomware exploited an unpatched application vulnerability.
• Paying the ransom to regain access to unrecoverable files was considered.
• Ultimately the company decided not to pay; there was no guarantee of obtaining the key to decrypt the files.

Attack-defend card

verizonenterprise.com/resources/reports/rp_data-breach-digest_xg_en.pdf


Crypto malware—the Fetid Cheez

Lessons learned

• Train and sensitize users to report phishing and suspicious system activity.
• Keep host-based and enterprise anti-virus solutions updated; patch third-party apps.
• Deploy a File Integrity Monitoring (FIM) solution; test and validate data backup processes.
• Block access to C2 servers; recall known phishing emails from mailboxes.
• Deploy GPOs to block executable files and disable macros.
• Do not read email or do other day-to-day work with a domain admin account; the rights of the account that opened the attachment are what let the malware reach the shares.

verizonenterprise.com/resources/reports/rp_data-breach-digest_xg_en.pdf
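The FIM lesson above is abstract until you see what a file-integrity baseline actually catches in this scenario: files on the share vanishing and reappearing under a new extension, plus a ransom note. The block below is an added example, not Verizon's code and not any commercial FIM product. `simulate_share()` builds a throwaway directory in a temp folder, baselines it with SHA-256, mimics the ransomware's effect and runs the comparison; the note keywords and the alert threshold are assumptions.

```python
"""A minimal file-integrity baseline plus a detector for the change pattern the
case describes: many files vanish and reappear under a new extension, and a
ransom note shows up.

Added example for the Fetid Cheez lessons (FIM, backup validation); not
Verizon's code. simulate_share() builds a throwaway tree and mimics the
ransomware's effect; note keywords and the alert threshold are assumptions.
"""
import hashlib
import os
import tempfile
from pathlib import Path

RANSOM_NOTE_HINTS = ("decrypt", "readme", "restore", "recover", "how_to")  # assumed
RENAME_ALERT_RATIO = 0.5  # alert when half the baselined files were renamed away (assumed)


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root) -> dict:
    """Relative POSIX path -> sha256 for every regular file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in root.rglob("*") if p.is_file()}


def compare(root, before: dict) -> dict:
    """Diff the current tree against a baseline and decide whether it looks like
    mass encryption: an old path gone, the same path plus a new suffix appeared."""
    after = baseline(root)
    changed = sorted(p for p in before if p in after and after[p] != before[p])
    missing = sorted(p for p in before if p not in after)
    added = sorted(p for p in after if p not in before)
    stems = {Path(p).with_suffix("").as_posix() for p in added}  # "a.docx.locked" -> "a.docx"
    renamed = [p for p in missing if p in stems]
    notes = [p for p in added if any(h in Path(p).name.lower() for h in RANSOM_NOTE_HINTS)]
    ratio = len(renamed) / len(before) if before else 0.0
    return {"changed": changed, "missing": missing, "added": added,
            "renamed": renamed, "notes": notes,
            "alert": ratio >= RENAME_ALERT_RATIO or bool(notes)}


def simulate_share() -> dict:
    """Build a fake share, baseline it, then do what the case describes."""
    root = Path(tempfile.mkdtemp(prefix="share_"))
    for name in ("q3/budget.xlsx", "q3/forecast.docx", "hr/roster.csv", "hr/notes.txt"):
        p = root / name
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"constructed content for " + name.encode())
    before = baseline(root)
    # Encrypt-and-rename three of four files (random bytes stand in for ciphertext),
    # then drop a ransom note, as seen on the victim's network shares.
    for name in ("q3/budget.xlsx", "q3/forecast.docx", "hr/roster.csv"):
        src = root / name
        src.with_name(src.name + ".locked").write_bytes(os.urandom(64))
        src.unlink()
    (root / "READ_ME_TO_DECRYPT.txt").write_text("pay us\n")
    return compare(root, before)


if __name__ == "__main__":
    print(simulate_share())
```

A real deployment would take the baseline from the backup job (which also proves the backup is restorable), run the comparison on a schedule short enough to matter, and raise the alert with the account that last wrote the files, since in this case that pointed straight at the over-privileged net admin account.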


Countermeasures —detection and validation

Social engineering


Detection and validation: spotting phishing emails

• Check for sender typos, e.g. "compny" rather than "company".
• Check the sender name against the real one: "Marry.Smith" (two 'R's) is not "Msmith".
• Beware of urgency.
• Hover over links to see where they really point before clicking.
• Look at attachment extensions, e.g. ".doc.exe".
• Even legitimate email accounts can be spoofed or compromised; beware of suspicious requests.
• When in doubt, pick up a phone and verify with the sender, using a number you already have rather than one from the email.
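Three of the checks above (the attachment extension chain, the compressed "invoice.zip" from the prevention slide, and hovering over a link to compare its text with its target) are mechanical enough to run in code. The block below is an added example, not Verizon's code or a gateway product's. The e-mail is constructed in `build_sample()`, including an in-memory ZIP that holds a double-extension executable, and the extension lists are assumptions.

```python
"""Run the "spotting phishing emails" checks mechanically: attachment extension
chains, archives that hide executables, and links whose visible text disagrees
with their href. Added example, not Verizon's code; the message is constructed
and the extension lists are assumptions.
"""
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from html.parser import HTMLParser

EXECUTABLE_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs",
                  ".ps1", ".hta", ".jar", ".lnk"}  # assumed list
MACRO_EXT = {".docm", ".xlsm", ".pptm"}            # assumed list


def extension_chain(name: str) -> list:
    """"invoice.doc.exe" -> [".doc", ".exe"]"""
    return ["." + p for p in name.lower().split(".")[1:]]


def risky_filename(name: str) -> list:
    exts = extension_chain(name)
    findings = []
    if exts and exts[-1] in EXECUTABLE_EXT:
        findings.append(f"{name}: executable attachment")
        if len(exts) > 1:
            findings.append(f"{name}: double extension hides an executable")
    if exts and exts[-1] in MACRO_EXT:
        findings.append(f"{name}: macro-enabled document")
    return findings


def inspect_zip(name: str, data: bytes) -> list:
    """"invoice.zip" is only as safe as what is inside it."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        members = [m for m in zf.namelist() if not m.endswith("/")]
    return [f"{name} -> {f}" for m in members for f in risky_filename(m)]


class _Links(HTMLParser):
    """Collect (href, visible text) pairs, i.e. what hovering would reveal."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_in(text: str):
    m = re.search(r"(?:https?://)?([\w-]+(?:\.[\w-]+)*\.[a-z]{2,})", text.lower())
    return m.group(1) if m else None


def mismatched_links(html: str) -> list:
    p = _Links()
    p.feed(html)
    return [f"link text shows {host_in(t)} but points to {host_in(h)}"
            for h, t in p.links if host_in(t) and host_in(h) and host_in(t) != host_in(h)]


def inspect_message(raw: bytes) -> list:
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        findings += risky_filename(name)
        if extension_chain(name)[-1:] == [".zip"]:
            try:
                findings += inspect_zip(name, part.get_payload(decode=True))
            except zipfile.BadZipFile:
                findings.append(f"{name}: claims to be a zip but is not")
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        findings += mismatched_links(body.get_content())
    return findings


def build_sample() -> bytes:
    """Constructed phishing mail: typo'd sender, urgent subject, look-alike link, zipped .doc.exe."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.doc.exe", b"MZ not a real program")
    msg = EmailMessage()
    msg["From"] = "billing@compny.example"
    msg["To"] = "ap@company.example"
    msg["Subject"] = "Late invoice - pay today"
    msg.set_content("Please see the attached invoice.")
    msg.add_alternative('<p>Pay at <a href="http://yourbank.com.ru/pay">'
                        'https://yourbank.com/pay</a></p>', subtype="html")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="invoice.zip")
    return bytes(msg)
```

Run `inspect_message(build_sample())` and it returns three findings: the zipped executable, its double extension, and the link whose text says yourbank.com while the href goes to yourbank.com.ru. The same functions can sit behind a mail gateway rule or a SOAR playbook triggered by a user's "report phishing" button.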


Digital extortion —the Boss Hogg

Social engineering

Digital extortion

Often, victims are faced with the inevitable decision to give in, or not give in, to threat actor demands as the clock counts down.

the Boss Hogg

The shakedown, takedown

• An IT employee at a large manufacturer and retailer received two emails from a threat actor claiming to have obtained years' worth of customer order data.
• The emails contained a demand for $50K and a sample of the data as proof.
• The victim organization was concerned with how the data was stolen and the scope of the theft.

Perspective: Network Forensics Specialist

verizonenterprise.com/resources/reports/rp_data-breach-digest_xg_en.pdf


Digital extortion—the Boss Hogg

Response and investigation

• Verizon reviewed the e-commerce platform for vulnerabilities and discovered a weakness in the authentication mechanism.
• The threat actor was "force browsing" purchase confirmation pages that gave details of customer purchases: requesting the pages by their identifiers without the authentication they should have required.
• Reviewing the e-commerce server access logs revealed that the threat actor had viewed several hundred gigabytes of HTML-based transaction information.

Attack-defend card

verizonenterprise.com/resources/reports/rp_data-breach-digest_xg_en.pdf
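Forced browsing works because the confirmation page trusts the order identifier in the URL and never checks who is asking. The block below is an added example, not the victim platform's code or Verizon's: the vulnerable handler beside the fixed one, and the access-log review that gives the enumeration away. The handlers are plain functions standing in for web routes, `ORDERS` is a constructed table, the log lines are constructed in Apache combined format, and the detection thresholds are assumptions to tune.

```python
"""Forced browsing of order-confirmation pages: the missing check, the fix, and
the access-log pattern that exposes the enumeration.

Added example for the Boss Hogg case, not the victim's platform or Verizon's
code. Handlers are plain functions standing in for web routes; ORDERS and the
log lines are constructed; thresholds are assumptions.
"""
import re
from collections import defaultdict

ORDERS = {  # order_id -> (customer, summary); constructed
    1001: ("alice", "2 x widget"),
    1002: ("bob", "1 x gadget"),
    1003: ("carol", "5 x gizmo"),
}


class Forbidden(Exception):
    pass


def confirmation_page_vulnerable(order_id: int) -> str:
    """Before: trusts the id in the URL and never asks who is logged in, so
    anyone can walk id=1001, 1002, 1003, ... and read every customer's purchase."""
    customer, summary = ORDERS[order_id]
    return f"Order {order_id} for {customer}: {summary}"


def confirmation_page_fixed(session_user, order_id: int) -> str:
    """After: require a session, then authorise the object: the order must belong
    to the session user. Missing and foreign orders get the same answer so the
    response does not leak which ids exist."""
    if session_user is None:
        raise Forbidden("login required")
    record = ORDERS.get(order_id)
    if record is None or record[0] != session_user:
        raise Forbidden("not found")
    return f"Order {order_id} for {record[0]}: {record[1]}"


def is_denied(session_user, order_id: int) -> bool:
    try:
        confirmation_page_fixed(session_user, order_id)
    except Forbidden:
        return True
    return False


LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"GET /order/confirm\?id=(?P<id>\d+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+)'
)


def enumeration_suspects(log_lines, min_orders: int = 20, max_gap: int = 5) -> dict:
    """Flag clients that successfully fetched many distinct confirmation pages
    whose ids are (nearly) consecutive. Thresholds are assumptions to tune."""
    per_ip = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m.group("status") == "200":
            per_ip[m.group("ip")].add(int(m.group("id")))
    suspects = {}
    for ip, ids in per_ip.items():
        if len(ids) < min_orders:
            continue
        ordered = sorted(ids)
        gaps = [b - a for a, b in zip(ordered, ordered[1:])]
        sequential = sum(1 for g in gaps if g <= max_gap) / len(gaps)
        if sequential >= 0.8:
            suspects[ip] = {"orders": len(ids), "sequential_ratio": round(sequential, 2)}
    return suspects


def sample_log() -> list:
    """Constructed: one client walking ids in order, one customer viewing its own order."""
    lines = [f'203.0.113.9 - - [03/Oct/2017:02:{i % 60:02d}:00 +0000] '
             f'"GET /order/confirm?id={i} HTTP/1.1" 200 5123' for i in range(1001, 1041)]
    lines.append('198.51.100.4 - - [03/Oct/2017:09:15:00 +0000] '
                 '"GET /order/confirm?id=1002 HTTP/1.1" 200 5120')
    return lines


if __name__ == "__main__":
    print(confirmation_page_vulnerable(1002))      # anyone can read bob's order
    print(is_denied("alice", 1002), is_denied("bob", 1002))
    print(enumeration_suspects(sample_log()))
```

Sequential integer identifiers are what make the enumeration cheap; unguessable order tokens raise the attacker's cost but are not a substitute for the ownership check, since a leaked token would still expose the page. The log heuristic is the kind of review the investigators did after the fact; run continuously it turns "several hundred gigabytes viewed" into an alert after a few dozen requests.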


Digital extortion—the Boss Hogg

Lessons learned

• Data does not need to be easily monetized, such as payment card data, to be leveraged in an extortion attack.
• Conduct security audits against public-facing systems to detect vulnerabilities.
• Be prepared to take ownership of a breach in order to stop the extortion on your own terms.

verizonenterprise.com/resources/reports/rp_data-breach-digest_xg_en.pdf


Countermeasures —response and investigation

Social engineering


Response and investigation

• Review the corporate IR plan to ensure it covers social attacks, including mitigation and response actions.

• Train for simulated social attacks using mock incident tabletop exercises.

• Ensure the IR team has trained with the IR plan to help react to and neutralize threats effectively.

• Maintain a sufficient amount of email and network logs.

• Develop third-party relationships prior to an attack.

Third-party relationships

• Law enforcement (local and federal)

• Third-party forensic firms

• Outside counsel

• External PR firm

• Cyber insurance carrier


Response and investigation

• Follow forensically sound methodologies during an investigation.

• Collect evidence by order of volatility: volatile data; memory dumps; then forensic disk images.

• Engage law enforcement when necessary.

• Know your IR team's skill limitations and do not attempt to exceed your abilities; call a third-party forensic firm for help when necessary.

Evidence collection

• Collect volatile data prior to shutting down a system.

• Utilize trusted forensic tools and methodologies.

• Document the investigative methodology used.

• Utilize chain of custody forms.

• Properly store evidence.


Response and investigation

Prevention and mitigation

• Training, training and testing

• Multifactor authentication

• Policies

Detection and validation

• Easy reporting methods

• Security appliances

• Trained incident response team

Response and investigation

• IR plan

• Forensically sound methodologies

• Engaging third parties


Conclusion

• Social engineering plays a major role in data breaches.

• Ensure the IR plan covers social engineering.

• As users become more cautious, threat actors change their tactics.

• Continuous, up-to-date training to detect social engineering is a must.

Social engineering leads to breaches.

• Reinforce cybersecurity through constant reminders to help identify and thwart social attacks.

• Provide easy ways for end users to report suspected social engineering attempts.

• Implement MFA when possible, especially for sensitive information transactions.


Cybersecurity awareness resources

2017 Data Breach Investigations Report

The Verizon Data Breach Investigations Report (DBIR) is back. Now in its tenth year, it's an unparalleled source of information on cybersecurity threats.

verizonenterprise.com/verizon-insights-lab/dbir/2017/

2017 Data Breach Digest: Perspective is Reality

Our 16 new cybercrime case studies provide insight into the biggest threats you face—plus tips on how to prevent them.

verizonenterprise.com/verizon-insights-lab/data-breach-digest/2017/

Insider Threat: Protecting the Keys to the Kingdom

Discover how to spot the signs of an Insider Threat using our cybercrime case studies and, in doing so, put measures in place to help protect the keys to your kingdom.

verizonenterprise.com/verizon-insights-lab/data-breach-digest/2017/

Verizon Cybersecurity

Securing yourself against cyber attacks (covers five data breach scenarios).

verizon.com/about/responsibility/cybersecurity

Verizon Security Tips

Cybersecurity tips to help you stay safe online (covers the same five scenarios as above).

verizon.com/about/news/cybersecurity-tips-help-you-stay-safe-online

Thank you.


Social engineering