Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or
distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement.
Social engineering
Verizon Threat Research Advisory Center
Cyber Security Awareness Month
Week 3
This document and any attached materials are the sole property of Verizon and are not to be used by you
other than to evaluate Verizon's service.
© 2017 Verizon. All rights reserved. The Verizon name and logo and all other names, logos and slogans
identifying Verizon's products and services are trademarks and service marks or registered trademarks
and service marks of Verizon Trademark Services LLC or its affiliates in the United States and/or other
countries.
All other trademarks and service marks are the property of their respective owners.
2017 Data Breach Digest
Agenda
1. Social engineering defined
2. Financial pretexting
3. The numbers — social engineering stats
4. Social engineering
5. The challenges of social engineering
6. Hacktivist attack
7. Countermeasures — prevention and mitigation
8. Crypto malware
9. Countermeasures — detection and validation
10. Digital extortion
11. Countermeasures — response and investigation
12. Conclusion
Social engineering defined
"Social engineering bypasses all technologies, including firewalls."
Kevin Mitnick
Social engineering defined
"Eagerness. Distraction. Curiosity. Uncertainty. All of these
are drivers of human behavior, and one or more can be
leveraged to influence someone to disclose information."
2017 DBIR
What is social engineering?
Threat actors use social tactics that employ deception, manipulation, intimidation, etc. to exploit the "human element" of information assets.
How big of an issue is social engineering?
In 2016, 43% of the confirmed data breaches reviewed in
Verizon's 2017 Data Breach Investigations Report (DBIR)
involved social attacks.
Social attacks used in the breaches seen in 2016 utilized:
• Phishing (spear phishing, whaling)
• Pretexting, websites (e.g. watering holes)
• Phone
• In-person
• Bribery, extortion
Financial pretexting — the Golden Fleece
Social engineering
Pretexting
"Financial pretexting involves threat actors leveraging
underlying human emotions, such as empathy, curiosity, trust
and fear to achieve financial gain."
2017 DBIR
What is pretexting?
• Involves a persona and dialog between threat actor and
victim.
• Leverages human emotions.
• Almost always targeted.
• Most often targeted at financial departments.
• Usually precedes a targeted phishing attack.
Examples of pretexting
• Impersonating executives for wire transfers.
• Password solicitation by the "IT department".
• PII solicitation by phone, email or even in person.
Financial pretexting — the Golden Fleece
Financial pretexting involves threat actors leveraging underlying human emotions, such as empathy, curiosity, trust and fear to achieve financial gain.
Down to the wire (perspective: Chief Information Officer)
• The CIO provided email approval for all company wire transfers.
• A wire transfer with a missing tax form led to an investigation by the finance director.
• The paperwork seemed in order; however, neither the CIO nor the accountant who submitted the transfer recalled the payment.
verizonenterprise.com/resources/reports/rp_data-breach-digest_xg_en.pdf
Financial pretexting—the Golden Fleece
Response and investigation
• Investigators noticed the approval message came from a domain with one character
different than the corporate email.
• A phishing email was found on the accountant's laptop requesting email domain
credentials to pay a late invoice.
• The email contained a URL that was known to be malicious.
• The company's URL filtering tool didn't capture the message as the accountant was at
home, connected to his personal Wi-Fi network.
Attack-defend card
verizonenterprise.com/resources/reports/rp_data-breach-digest_xg_en.pdf
Financial pretexting—the Golden Fleece
Lessons learned
• Prepend a marker (e.g. "subject: [external] ... ") to the subject line denoting externally originated emails.
• Require secondary authorization for wire transactions over a certain dollar amount.
• Require VPN access for telecommuters accessing the corporate environment.
verizonenterprise.com/resources/reports/rp_data-breach-digest_xg_en.pdf
The numbers — social engineering stats
Social engineering plays a significant role in cybersecurity incidents and data breaches.
The numbers—2017 DBIR social engineering stats
"Almost all phishing attacks that led to a breach were followed
with some form of malware."
2017 DBIR
The data set
Verizon tracked 1,616 incidents, 828 with confirmed data
disclosure for the 2017 DBIR.
Social attacks in data breaches
• 43% of all breaches utilized social attacks.
• 98% of breaches with social attacks utilized phishing or
pretexting.
• 93% of incidents with social attacks utilized phishing.
• 95% of phishing attacks that led to a breach were followed with malware.
• 28% of breaches utilizing phishing were targeted attacks (e.g.
spear phishing and whaling).
The numbers—2017 DBIR social engineering stats
Threat Actors
• External, 99%
• Internal, 1%
• Partners, <1%
Threat Motivations
• Financial, 66%
• Espionage, 33%
• Grudges, <1%
Data Compromised
• Credentials, 66%
• Secrets, 32%
• Personal, 8%
"Human beings play a significant role in data breaches and cybersecurity incidents. This
should come as no surprise; after all, we are the ones who produce, consume, use, depend on,
and as a result, have to secure and protect digital data."
2017 DBIR
Attacker methodology
Social engineering is used to gain knowledge of the people, processes and technology that can
be compromised by the threat actor.
• People: Identifying who to target or impersonate.
• Processes: Identifying internal corporate processes or policies to exploit.
• Technology: Identifying software, hardware or other technology that can be compromised in an
attack.
Social attack methods are limited only by the imagination of the threat actors; new attack
scenarios are being developed every day.
The numbers—2017 DBIR social engineering stats
"Social actions are typically part of a blended attack, with a
successful installation of malware or disclosure of credentials
as the goal of the social phase."
2017 DBIR
Communication methods
• Email: Primary method used; made up 95% of social
attacks.
• Phone: made up 2% of social attacks.
• In person: made up 2% of social attacks.
• All Other: Social attacks can occur via any form of human
communication: mail; social media; malicious websites;
even advertisements on the radio or newspaper.
Communication overlap
Social attacks often involve more than one communication
method to entice the victim to reveal information.
Social engineering — the Hyper Click
Social engineering
Phishing
Information targeted
• Usernames and passwords
• PII (Personally Identifiable Information)
• Financial data
• Employee/executive names
• Customer names/information
• Internal operational/security procedures
What is phishing?
Fraudulent attempt to induce an individual to disclose
personal or confidential information.
Types of phishing
• Phishing: Attempting to get information from any individual.
• Spear phishing: Targeting specific users or departments.
• Whaling: Targeting executives.
• Vishing: Phishing via voice, such as phone calling.
• Smishing: Phishing via text messaging.
Social engineering — the Hyper Click
Social engineering attacks rely on influencing or tricking people into disclosing information or conducting an action, such as clicking on a hyperlink or opening an email attachment.
Upstream phishing for a downstream profit (perspective: Endpoint Forensics Examiner)
• An organization's competitor publicized a new piece of large construction equipment.
• The equipment appeared to be an exact copy of the organization's model; the competitor had not produced this type of equipment previously.
• The victim organization was concerned that design details for this and other projects were compromised.
verizonenterprise.com/resources/reports/rp_data-breach-digest_xg_en.pdf
Social engineering – the Hyper Click
Response and investigation
• After determining that equipment designs were likely compromised, interviews of
employees who worked on the design were conducted.
• A forensic examination of the chief design engineer's computer revealed a backdoor
shell script and evidence the threat actor located and copied the design plans.
• Evidence was found that a foreign threat actor targeted the chief design engineer with
a malicious attachment by posing as a recruiter.
verizonenterprise.com/resources/reports/rp_data-breach-digest_xg_en.pdf
Attack-defend card
Social engineering – the Hyper Click
Lessons learned
• Provide user education and training awareness programs to alert users to targeted
phishing attacks.
• Perform regular audits to check policy compliance.
• Enhance security controls with strong and mutual authentication combined with a
robust identity and access management program.
verizonenterprise.com/resources/reports/rp_data-breach-digest_xg_en.pdf
The challenges of social engineering
Even the most cautious of employees are prone to being deceived under the right circumstances.
Challenges of social engineering
"An employee of the organization receives a phishing email
and clicks on the malicious link or attachment it contains.
Then malware is installed in the form of a backdoor or C2, and
the bad guys return at their leisure to footprint the network and
take what they need."
2017 DBIR
Why do we keep getting fooled?
We receive yearly training on social engineering. Certainly,
everyone not living under a rock has heard the word "phish".
And so, we all know not to:
• Click on suspicious hyperlinks
• Open suspicious attachments
• Give out sensitive information
We also know that flashing banner saying "you won an iPad!"
is not legitimate.
And we would never, ever, ever, ever, ever give out our
password.
So why is social engineering still such a big part of data
breaches?
Challenges of social engineering
Fear
"It's fine if you cannot give me your password, but it will result in your
boss having to do a lot of extra work and he will know it was because of
you!"
Intimidation
"You're connected with a known terrorist on social media. Click on this
link to clear up the matter or you'll be arrested—the FBI."
Greed
"You've been left a million dollars in a distant relation's will, please
respond so we can get you your money!"
Desire to help
"If you can't send this wire transfer today I'm going to lose my job, I
promise I'll get you the paperwork later on today."
Distraction
Distracted or busy employees may be tempted to reveal information
rather than take the time to ensure the request is legitimate.
Convincing con
The threat actor has done enough research, or has already exploited
another employee, to make the request appear legitimate.
Social engineering psychology
Threat actors use various methods to deceive even well-trained employees.
Hacktivist attack — the Epluribus Enum
Social engineering
Hacktivist attack — the Epluribus Enum
Hacktivist attacks leverage hacking techniques as a form of activism. Commonly, a hacktivist is motivated by a desire to harm or embarrass their targeted victim in an effort to further a political or social agenda.
An executive doxxing match (perspective: Lead Investigator)
• A multinational organization was attracting negative attention following its handling of a restructuring.
• Although there was no evidence of an attack, threats were made on social media, along with various derogatory hashtags.
• The company felt it was a soft target for hacktivism, so it called in outside entities to help it prepare for any attack.
verizonenterprise.com/resources/reports/rp_data-breach-digest_xg_en.pdf
Hacktivist Attack—the Epluribus Enum
Response and investigation
• Various social networks and online forums, as well as within the DarkNet, were
reviewed.
• Personal details for two executives had been obtained and leaked online; law
enforcement responded but this was just the start.
• Weeks of DDoS attacks were repelled, until one of the company's websites was
defaced.
• Threat actors had gained access to the domain registrar's systems.
• It turned out that DNS had been modified to point the company's URL to another website.
Attack-defend card
verizonenterprise.com/resources/reports/rp_data-breach-digest_xg_en.pdf
Hacktivist attack—the Epluribus Enum
Lessons learned
• Base defenses, detection mechanisms and response capabilities on sound cyber
threat intelligence.
• Use a reputable domain name registrar that offers two-factor authentication or approved
IP address whitelisting.
• Establish IR plan early; regularly review, test and update.
verizonenterprise.com/resources/reports/rp_data-breach-digest_xg_en.pdf
Countermeasures — prevention and mitigation
Social engineering
Prevention and mitigation
Train and test
Ensure IR plan includes requirement for at least annual training
and testing employees with simulated phishing attacks.
Constantly remind
Utilize posters, login banners and regular email reminders for
employees not to fall victim to social engineering.
Multifactor authentication
Utilize multi-factor authentication (MFA) to validate communication sources (e.g. webmail access and financial transactions).
Block suspicious files
Deploy Group Policy Objects (GPOs) to block executable files,
disable macros and block other risky attachments.
Observe password hygiene
Strong passwords; changed frequently.
Reduce admin accounts
Remove local administrative rights.
Backup frequently
Test and validate backup process and maintain offline backups.
Patch and update frequently
Patch and update operating systems and third-party applications
as soon and as often as possible.
Prevention and mitigation
Practice what you preach. Make sure legitimate internal emails do not look suspicious, creating bad habits such as clicking links. Consider taking these precautions.
Sub-domains
Threat actors use domains such as "com[.]ru" to register "YourBank[.]com[.]ru".
Diligence
Visit the legitimate site and navigate to the link.
Country codes
Ensure they match up with the organization.
Security warnings
Look out for warnings indicating the attachment may be malicious.
Compressed files
Beware of compressed attachments such as "invoice.zip".
Credentials
Beware of attachments requiring usernames and passwords.
Macros
Disable macros to prevent execution of macro malware.
Anti-virus
Keep it updated and set to scan email attachments before opening.
External markers
Prepend a marker to email subject lines such as "subject:[external]…".
Detection and validation
Technology: Employ security appliances that can detect and block malicious emails.
• Consider blocking compressed executables.
• Black list known malicious domains.
Process: Ensure IR plan covers social attacks.
• Implement procedures and tools to assist in social engineering detection.
• Implement procedures for validating requests made by unknown persons.
• Implement procedures for validating whether a reported social attack requires investigation.
People: Provide employees with quick and easy reporting methods.
• Ensure employees know what to report and how to report it.
• Provide multiple reporting methods such as phone, email and web application.
Crypto malware — the Fetid Cheez
Social engineering
Crypto malware — the Fetid Cheez
Crypto malware prevents users from accessing a system, file shares or files by encrypting the data. After gaining access and control, the threat actor holds data access for "ransom" until the user pays.
Backup to normal (perspective: Chief Information Security Officer)
• Key business-critical applications were offline and impacting daily operations.
• Network shares had files with changed extensions; ransom notes were also found.
• Business was impacted; remediation and investigation were conducted in parallel.
• Backups were reviewed for availability and time to restore normal business operations.
• Network share files were last modified by a net admin account with domain admin rights.
verizonenterprise.com/resources/reports/rp_data-breach-digest_xg_en.pdf
Crypto malware—the Fetid Cheez
Response and investigation
• Disabled net admin account, collected logs and forensically imaged laptop.
• Files restored from backups; others retrieved from users; apps reinstalled.
• Net admin opened email attachment with recent ransomware variant.
• Ransomware exploited unpatched application vulnerability.
• Considered paying ransom to regain access to unrecoverable files.
• Ultimately decided not to pay; no guarantee to obtain key to decrypt files.
Attack-defend card
verizonenterprise.com/resources/reports/rp_data-breach-digest_xg_en.pdf
Crypto malware—the Fetid Cheez
Lessons learned
• Train and sensitize users to report phishing and suspicious system activity.
• Keep host-based and enterprise anti-virus solutions updated; patch third-party apps.
• Deploy a File Integrity Monitoring (FIM) solution; test and validate data backup
processes.
• Block access to C2 servers; recall known phishing emails from mailboxes.
• Deploy GPOs to block executable files and disable macros.
verizonenterprise.com/resources/reports/rp_data-breach-digest_xg_en.pdf
Countermeasures — detection and validation
Social engineering
Detection and validation
Spotting phishing emails
• Check for sender typos: "compny", not "company".
• Check for a valid email name: "Marry.Smith" (two 'R's), not "Msmith".
• Beware of urgency.
Detection and validation
Spotting phishing emails
• Hover over links.
Detection and validation
Spotting phishing emails
• Look at attachment extensions, e.g. ".doc.exe".
• Even legitimate emails can be spoofed or compromised. Beware of suspicious requests.
• When in doubt, pick up a phone and verify with the sender.
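The heuristics from the "Sub-domains", "Country codes", "Compressed files" and "External markers" items, the one-character lookalike domain from the Golden Fleece case, and the "Spotting phishing emails" checks above, pulled together into a small mail-triage script. This is an added example, not Verizon's code; the corporate domain, allowed country codes, extension and urgency-word lists, and the sample message are constructed assumptions.

```python
"""Phishing triage heuristics from the deck: lookalike sender domains, the corporate
name hidden as a sub-domain, country-code mismatches, risky or compressed attachments,
urgency wording, and an [external] subject marker."""
import email
from email.utils import parseaddr

# Assumptions for this example (constructed; not from the deck).
CORPORATE_DOMAIN = "example-corp.com"
ALLOWED_TLDS = {"com", "us"}            # country codes the organisation expects to see
RISKY_EXTENSIONS = {"exe", "scr", "js", "vbs", "bat", "cmd", "hta", "ps1", "jar"}
COMPRESSED_EXTENSIONS = {"zip", "rar", "7z", "gz"}
URGENCY_WORDS = ("urgent", "immediately", "today", "asap", "overdue", "final notice")
EXTERNAL_MARKER = "[external] "

def levenshtein(a: str, b: str) -> int:
    """Edit distance; 1 is the 'one character different' domain from the Golden Fleece."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sender_domain(from_header: str) -> str:
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def check_sender_domain(domain: str, corporate: str = CORPORATE_DOMAIN) -> list:
    findings = []
    if domain == corporate:
        return findings
    if levenshtein(domain, corporate) == 1:
        findings.append(f"lookalike sender domain {domain!r}, one character from {corporate!r}")
    # "YourBank[.]com[.]ru": the real name registered underneath someone else's domain.
    if domain.startswith(corporate + "."):
        findings.append(f"corporate domain used as a sub-domain: {domain!r}")
    tld = domain.rsplit(".", 1)[-1]
    if tld and tld not in ALLOWED_TLDS:
        findings.append(f"country code {tld!r} does not match the organisation")
    return findings

def check_attachment(filename: str) -> list:
    findings = []
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    if ext in RISKY_EXTENSIONS:          # "invoice.doc.exe" is the double-extension case
        kind = "double extension hides an executable" if len(parts) > 2 else "executable attachment"
        findings.append(f"{kind}: {filename!r}")
    if ext in COMPRESSED_EXTENSIONS:     # "invoice.zip": contents not scanned yet
        findings.append(f"compressed attachment: {filename!r}")
    return findings

def check_urgency(text: str) -> list:
    hits = [w for w in URGENCY_WORDS if w in text.lower()]
    return [f"urgency cues: {', '.join(hits)}"] if hits else []

def tag_external_subject(subject: str, domain: str, corporate: str = CORPORATE_DOMAIN) -> str:
    """Prepend the marker for externally originated mail. A From header can be forged,
    so a real gateway should key this on authenticated results, not the bare string."""
    if domain == corporate or subject.lower().startswith(EXTERNAL_MARKER.strip()):
        return subject
    return EXTERNAL_MARKER + subject

def triage(raw_message: str) -> dict:
    msg = email.message_from_string(raw_message)
    domain = sender_domain(msg.get("From", ""))
    subject = msg.get("Subject", "")
    findings = check_sender_domain(domain)
    body = []
    for part in msg.walk():
        name = part.get_filename()
        if name:
            findings += check_attachment(name)
        elif part.get_content_type() == "text/plain":
            body.append(part.get_payload(decode=True).decode("utf-8", "replace"))
    findings += check_urgency(subject + " " + " ".join(body))
    return {"sender_domain": domain, "subject": tag_external_subject(subject, domain),
            "findings": findings}

# Constructed sample modelled on the Golden Fleece scenario: a CIO lookalike domain,
# a wire-transfer pretext, urgency wording and a double-extension attachment.
SAMPLE_EMAIL = """\
From: "Chief Information Officer" <cio@examp1e-corp.com>
To: accountant@example-corp.com
Subject: Approve wire transfer today
Content-Type: multipart/mixed; boundary="sep"

--sep
Content-Type: text/plain; charset="utf-8"

Please approve the attached invoice immediately, the payment is overdue.
--sep
Content-Type: application/octet-stream; name="invoice.doc.exe"
Content-Disposition: attachment; filename="invoice.doc.exe"

placeholder-bytes
--sep--
"""

if __name__ == "__main__":
    result = triage(SAMPLE_EMAIL)
    print(result["subject"])
    for finding in result["findings"]:
        print(" -", finding)
```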
Digital extortion — the Boss Hogg
Social engineering
Digital extortion — the Boss Hogg
Often, victims are faced with the inevitable decision to give in, or not give in, to threat actor demands as the clock counts down.
The shakedown, takedown (perspective: Network Forensics Specialist)
• An IT employee at a large-scale manufacturer and retailer received two emails from a threat actor claiming to have obtained years' worth of customer order data.
• The emails contained a demand for $50K and a sample of the data as proof.
• The victim organization was concerned with how the data was stolen and the scope of the theft.
verizonenterprise.com/resources/reports/rp_data-breach-digest_xg_en.pdf
Digital extortion—the Boss Hogg
Response and investigation
• Verizon reviewed the e-commerce platform for vulnerabilities and discovered a
weakness in the authentication mechanism.
• The threat actor was "force browsing" purchase confirmation pages giving details of
customer purchases.
• Reviewing the e-commerce server access logs revealed the threat actor viewed
several hundred gigabytes of HTML-based transaction information.
Attack-defend card
verizonenterprise.com/resources/reports/rp_data-breach-digest_xg_en.pdf
Digital extortion—the Boss Hogg
Lessons learned
• Data does not need to be easily monetized, such as payment card data, to be
leveraged in an extortion attack.
• Conduct security audits against public-facing systems to detect vulnerabilities.
• Be prepared to take ownership of a breach in order to stop extortion on your own
terms.
verizonenterprise.com/resources/reports/rp_data-breach-digest_xg_en.pdf
Countermeasures — response and investigation
Social engineering
Response and investigation
• Review the corporate IR plan to ensure it covers social
attacks including mitigation and response actions.
• Train for simulated social attacks using mock incident
tabletop exercises.
• Ensure the IR team has trained with the IR plan to help
react to and neutralize threats effectively.
• Maintain sufficient amount of email and network logs.
• Develop third-party relationships prior to an attack.
Third-party relationships
• Law enforcement (local and federal)
• Third-party forensic firms
• Outside counsel
• External PR firm
• Cyber insurance carrier
Response and investigation
• Follow forensically sound methodologies during an
investigation.
• Collect evidence by order of volatility: volatile data;
memory dumps; then forensic disk images.
• Engage law enforcement when necessary.
• Know your IR team's skill limitations and do not attempt to
exceed your abilities; call a third-party forensic firm for
help when necessary.
Evidence collection
• Collect volatile data prior to shutting down a system.
• Utilize trusted forensic tools and methodologies.
• Document the investigative methodology used.
• Utilize chain of custody forms.
• Properly store evidence.
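An added example (not Verizon's tooling) of the evidence-collection points above: it runs a fixed list of volatile-data commands in order of volatility, writes each output to its own file, records the command, UTC timestamp, examiner and SHA-256 hash in a manifest, and re-verifies the hashes so that any later modification of the evidence is detected. The command list, output directory and examiner name are assumptions; memory dumps and disk images come after these steps and need dedicated tools, so they are out of scope here.

```python
"""Order-of-volatility collection with a hashed, timestamped manifest."""
import hashlib
import json
import os
import platform
import socket
import subprocess
import tempfile
from datetime import datetime, timezone

# Assumed command list, most volatile first (constructed for this example).
# Memory dumps and disk images follow these steps and need dedicated tooling.
VOLATILE_STEPS = [
    ("01_date", ["date"]),
    ("02_uptime", ["uptime"]),
    ("03_logged_in", ["who"]),
    ("04_processes", ["ps", "aux"]),
    ("05_connections", ["ss", "-tunap"]),
    ("06_arp_cache", ["ip", "neigh"]),
    ("07_routes", ["ip", "route"]),
]

def sha256_file(path: str) -> str:
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def run_step(name: str, cmd: list, outdir: str) -> dict:
    """Run one collection command and record what was run, when, and the output hash."""
    path = os.path.join(outdir, name + ".txt")
    started = datetime.now(timezone.utc).isoformat()
    try:
        proc = subprocess.run(cmd, capture_output=True, text=True, timeout=60)
        output, status = proc.stdout + proc.stderr, proc.returncode
    except (FileNotFoundError, subprocess.TimeoutExpired) as exc:
        # A missing or hung tool is documented in the evidence, never silently skipped.
        output, status = f"<{cmd[0]} not collected: {exc}>\n", -1
    with open(path, "w") as fh:
        fh.write(output)
    return {"step": name, "command": " ".join(cmd), "started_utc": started,
            "exit_status": status, "file": path, "sha256": sha256_file(path)}

def collect(outdir: str, steps=VOLATILE_STEPS, examiner="EXAMINER-NAME (placeholder)") -> dict:
    os.makedirs(outdir, exist_ok=True)
    manifest = {
        "host": socket.gethostname(), "platform": platform.platform(),
        "examiner": examiner, "collected_utc": datetime.now(timezone.utc).isoformat(),
        "items": [run_step(name, cmd, outdir) for name, cmd in steps],
    }
    with open(os.path.join(outdir, "manifest.json"), "w") as fh:
        json.dump(manifest, fh, indent=2)
    return manifest

def verify(outdir: str) -> list:
    """Re-hash every collected file; returns the steps whose evidence has changed."""
    with open(os.path.join(outdir, "manifest.json")) as fh:
        manifest = json.load(fh)
    return [i["step"] for i in manifest["items"] if sha256_file(i["file"]) != i["sha256"]]

def demo() -> dict:
    """Self-contained run: two constructed steps (one tool missing), then a tamper check."""
    outdir = tempfile.mkdtemp(prefix="volatile_")
    steps = [("01_echo", ["echo", "constructed sample output"]),
             ("02_missing_tool", ["no-such-forensic-tool-xyz"])]
    manifest = collect(outdir, steps)
    clean = verify(outdir)
    with open(manifest["items"][0]["file"], "a") as fh:   # simulate a post-collection edit
        fh.write("tampered\n")
    return {"outdir": outdir, "items": len(manifest["items"]),
            "missing_status": manifest["items"][1]["exit_status"],
            "clean": clean, "after_tamper": verify(outdir)}

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run `collect("/path/to/evidence")` on the real step list for an actual host; `demo()` only exercises the mechanism with harmless constructed commands.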
Response and investigation
Prevention and mitigation
• Training, training and testing
• Multifactor authentication
• Policies
Detection and validation
• Easy reporting methods
• Security appliances
• Trained incident response team
Response and investigation
• IR plan
• Forensically sound methodologies
• Engaging third-parties
Conclusion
Social engineering leads to breaches.
• Social engineering plays a major role in data breaches.
• Ensure the IR plan covers social engineering.
• As users become more cautious, threat actors change their tactics.
• Continuous, up-to-date training to detect social engineering is a must.
• Reinforce cybersecurity through constant reminders to help identify and thwart social attacks.
• Provide easy ways for end users to report suspected social engineering attempts.
• Implement MFA when possible, especially for sensitive information transactions.
Cybersecurity awareness resources
2017 Data Breach Investigations Report
The Verizon Data Breach Investigations Report (DBIR) is back. Now in its tenth year, it's an unparalleled source of information on
cybersecurity threats.
verizonenterprise.com/verizon-insights-lab/dbir/2017/
2017 Data Breach Digest: Perspective is Reality
Our 16 new cybercrime case studies provide insight into the biggest threats you face—plus tips on how to prevent them.
verizonenterprise.com/verizon-insights-lab/data-breach-digest/2017/
Insider Threat: Protecting the Keys to the Kingdom
Discover how to spot the signs of an Insider Threat using our cybercrime case studies and in doing so put measures in place to help
protect the keys to your kingdom.
verizonenterprise.com/verizon-insights-lab/data-breach-digest/2017/
Verizon Cybersecurity
Securing yourself against cyber attacks (covers five data breach scenarios).
verizon.com/about/responsibility/cybersecurity
Verizon Security Tips
Cybersecurity tips to help you stay safe online (covers the same five scenarios as above).
verizon.com/about/news/cybersecurity-tips-help-you-stay-safe-online