Derek Rush of LBMC Information Security presented at Techfest Louisville 2017 which was hosted by the Technology Association of Louisville Kentucky (TALK.)
4. One phish, two phish, red phish, blue phish
Phishing
• Generic attempts via email to acquire sensitive information by tricking users.
Vishing
• Cold calls to an entity attempting to trick the recipient of the phone call into
performing some action.
Spear phishing
• Targeted phishing attempts aimed at specific individuals or groups within an
organization where the attempts are personalized to increase credibility.
Whaling
• Highly targeted attempts using email as the communication medium to gather
sensitive information from high-value individuals within an organization.
6. High Level Overview of Phishing
Initial Foothold → System Access → Pivot Mercilessly
Today we’ll be focusing on how a threat actor may achieve the initial foothold
on a corporation’s systems.
7. The Initial Foothold – One Approach
Let’s bring the phishing process to life by going through a process from the start
with a fake company called False, Inc. How does this process begin?
Research False, Inc. to understand organizational structure, business drivers,
vendors, employee’s social media content, and other information repositories.
• Initial reconnaissance is the most important step
• Reveals phishing approaches that would likely succeed
• Technical and non-technical in nature
– LinkedIn, PGP keys, corporate websites, search engines, whois points of
contact, identifying remote access services, Facebook, Instagram,
Twitter, GitHub, professional resumes, document metadata, SEC filings,
and other publicly available information.
8. The Initial Foothold – One Approach
Now that we know a lot about the company and likely have some phishing
approaches that are likely to succeed, let’s get a list of emails.
Obtain email addresses for the company by harvesting publicly available emails
and “mangling” known employee names.
• Some clients prefer us to gather our own email addresses for a more
realistic attack scenario.
• Some clients prefer to provide a list of employee emails to test the
effectiveness of corporate security awareness campaigns.
• Once the syntax of one corporate email is known, employee names can be
mangled to the syntax of corporate email to derive a list of employees to
phish.
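The name-mangling step above, as an added example (not code from the talk). It assumes one harvested address whose owner is known, here the constructed pair jane.doe@false.com / Jane Doe, and a constructed list of employee names taken from public profiles; whether a derived address actually exists on the mail server is not checked.

```python
"""Derive candidate employee addresses from one known address.

Added example, not code from the talk. The known address/name pair and
the employee names below are constructed sample data.
"""
from __future__ import annotations

import re
from typing import Optional

# Common corporate local-part conventions; {fi}/{li} are first/last initials.
FORMATS = {
    "first.last": "{first}.{last}",
    "first_last": "{first}_{last}",
    "firstlast": "{first}{last}",
    "flast": "{fi}{last}",
    "f.last": "{fi}.{last}",
    "first.l": "{first}.{li}",
    "firstl": "{first}{li}",
    "lastf": "{last}{fi}",
    "last.first": "{last}.{first}",
    "first": "{first}",
}


def _parts(full_name: str) -> dict[str, str]:
    """Split a display name into the pieces the format strings use.

    Everything but a-z is dropped (hyphens, apostrophes, dots), which is
    how most directories store such names. Middle names are ignored.
    """
    tokens = [re.sub(r"[^a-z]", "", t) for t in full_name.lower().split()]
    tokens = [t for t in tokens if t]
    first, last = tokens[0], tokens[-1]
    return {"first": first, "last": last, "fi": first[0], "li": last[0]}


def infer_format(known_email: str, known_name: str) -> Optional[str]:
    """Return the FORMATS key that maps known_name onto known_email, or None."""
    local = known_email.split("@", 1)[0].lower()
    parts = _parts(known_name)
    for label, fmt in FORMATS.items():
        if fmt.format(**parts) == local:
            return label
    return None


def mangle_names(names: list[str], fmt_label: str, domain: str) -> list[str]:
    """Apply an inferred format to a list of names; input order is preserved."""
    fmt = FORMATS[fmt_label]
    return [f"{fmt.format(**_parts(n))}@{domain}" for n in names]


# Constructed sample: one address scraped from the website, names from LinkedIn.
KNOWN_EMAIL, KNOWN_NAME = "jane.doe@false.com", "Jane Doe"
EMPLOYEES = ["John Smith", "Mary-Ann O'Neil", "Robert Q. Public"]

if __name__ == "__main__":
    fmt = infer_format(KNOWN_EMAIL, KNOWN_NAME)
    print("inferred format:", fmt)
    if fmt:
        for addr in mangle_names(EMPLOYEES, fmt, "false.com"):
            print(addr)
```

If the one known address matches none of the listed formats, `infer_format` returns `None` rather than guessing; harvest a second address before extending the table.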
9. The Initial Foothold – One Approach
Now that we have knowledge of the company, internal personnel, and a list of
emails, let’s figure out where our email should come from.
Purchase a domain name similar to false.com or a company that False, Inc. does
business with and select a person for the emails to be sent from.
• Tools can help identify mangled domain names if our approach involves
sending email that appears to come from someone internal to the company
being phished.
• When we identified known vendors during the reconnaissance portion, we
could also register mangled vendor domains such as microsofton1ine.com,
trustvvave.com, or even lbnnc.com.
• Are we sending the message from a Director of IT, from the account rep at a
vendor, perhaps from a headhunter from a fake recruiting firm to HR, or from
a business development analyst to their supervisor?
10. HowTo: Mangling a Domain – Part 1
Mangling a domain is a common technique for phishermen to use when they want
their message to appear as if it’s from someone at a given company. Here’s an
example of what mangling a domain looks like—
11. HowTo: Mangling a Domain – Part 2
Mangling a domain can be performed with multiple tools. In the first example,
URLCrazy was run against false.com and came up with 74 mangled domains. The
next example is from DNSTwist, which came up with 138 variants.
12. HowTo: Mangling a Domain – Part 3
Mangling a domain consists of applying a list of known ways to mistype a domain
while still having it resemble the original. Here are the techniques used for
false.com by both URLCrazy and DNSTwist.
These of course aren’t all the possibilities, but this is a great starting place.
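The permutation techniques above, reimplemented as an added example (not the code of URLCrazy or DNSTwist, and not from the talk). It assumes ASCII-only labels and deliberately small homoglyph and keyboard-adjacency tables, so it will not reproduce the exact 74 or 138 variants those tools produced; the vendor look-alikes from slide 9 (microsofton1ine.com, trustvvave.com, lbnnc.com) fall out of the homoglyph step.

```python
"""Generate mangled (typosquat) variants of a domain, grouped by technique.

Added example, not from the talk and not the code of URLCrazy or DNSTwist.
Only ASCII labels are handled and the substitution tables are small.
"""
from __future__ import annotations

ALLOWED = set("abcdefghijklmnopqrstuvwxyz0123456789-")
VOWELS = "aeiou"
TLDS = ["com", "net", "org", "co", "cm", "om", "biz", "info"]

# Keys physically adjacent on a US QWERTY keyboard (assumed table).
QWERTY = {
    "q": "12wa", "w": "3esaq2", "e": "4rdsw3", "r": "5tfde4", "t": "6ygfr5",
    "y": "7uhgt6", "u": "8ijhy7", "i": "9okju8", "o": "0plki9", "p": "lo0",
    "a": "qwsz", "s": "edxzaw", "d": "rfcxse", "f": "tgvcdr", "g": "yhbvft",
    "h": "ujnbgy", "j": "ikmnhu", "k": "olmji", "l": "kop", "z": "asx",
    "x": "zsdc", "c": "xdfv", "v": "cfgb", "b": "vghn", "n": "bhjm", "m": "njk",
}

# Characters or pairs that look alike in common fonts (assumed table).
HOMOGLYPHS = {
    "a": ["4"], "b": ["d"], "c": ["e"], "d": ["b"], "e": ["3"], "g": ["q"],
    "i": ["1", "l"], "l": ["1", "i"], "m": ["rn", "nn"], "n": ["m"],
    "o": ["0"], "q": ["g"], "s": ["5"], "u": ["v"], "v": ["u"], "w": ["vv"],
}


def omission(label):       # one character dropped: "fals", "flse"
    return {label[:i] + label[i + 1:] for i in range(len(label))}

def repetition(label):     # one character doubled: "fallse"
    return {label[:i] + label[i] + label[i:] for i in range(len(label))}

def transposition(label):  # two neighbours swapped: "flase"
    return {label[:i] + label[i + 1] + label[i] + label[i + 2:]
            for i in range(len(label) - 1)}

def replacement(label):    # adjacent key hit instead: "falae"
    return {label[:i] + k + label[i + 1:]
            for i, ch in enumerate(label) for k in QWERTY.get(ch, "")}

def insertion(label):      # adjacent key hit as well: "fgalse"
    out = set()
    for i, ch in enumerate(label):
        for k in QWERTY.get(ch, ""):
            out.add(label[:i] + k + label[i:])
            out.add(label[:i + 1] + k + label[i + 1:])
    return out

def homoglyph(label):      # look-alike characters: "fa1se", "trustvvave"
    return {label[:i] + g + label[i + 1:]
            for i, ch in enumerate(label) for g in HOMOGLYPHS.get(ch, [])}

def hyphenation(label):    # hyphen inserted: "fa-lse"
    return {label[:i] + "-" + label[i:] for i in range(1, len(label))}

def vowel_swap(label):     # one vowel exchanged: "felse"
    return {label[:i] + v + label[i + 1:]
            for i, ch in enumerate(label) if ch in VOWELS
            for v in VOWELS if v != ch}

def bitsquatting(label):   # single bit flipped in one byte: "galse"
    out = set()
    for i, ch in enumerate(label):
        for bit in range(8):
            c = chr(ord(ch) ^ (1 << bit))
            if c in ALLOWED:
                out.add(label[:i] + c + label[i + 1:])
    return out


TECHNIQUES = {fn.__name__: fn for fn in (
    omission, repetition, transposition, replacement, insertion,
    homoglyph, hyphenation, vowel_swap, bitsquatting)}


def _valid(label: str) -> bool:
    """Registrable label: allowed characters only, no leading/trailing hyphen."""
    return bool(label) and set(label) <= ALLOWED and label[0] != "-" and label[-1] != "-"


def mangle_domain(domain: str) -> dict[str, set[str]]:
    """Return {technique: {variant domains}} for a domain such as false.com."""
    domain = domain.lower()
    label, _, tld = domain.partition(".")
    results = {}
    for name, fn in TECHNIQUES.items():
        variants = {f"{v}.{tld}" for v in fn(label) if _valid(v)}
        variants.discard(domain)
        results[name] = variants
    results["tld_swap"] = {f"{label}.{t}" for t in TLDS if t != tld}
    return results


def all_variants(domain: str) -> set[str]:
    return set().union(*mangle_domain(domain).values())


if __name__ == "__main__":
    for name, variants in mangle_domain("false.com").items():
        print(f"{name:14}{len(variants):4}  e.g. {sorted(variants)[:4]}")
    print("total unique:", len(all_variants("false.com")))
```

The output is a candidate list only; which variants are still unregistered (and therefore available to an attacker, or to the defender who registers them first) has to be checked against whois/DNS, which the tools above do and this example does not.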
13. The Initial Foothold – One Approach
To recap, we now have knowledge of the company, internal personnel, a list of
emails, and where our emails are going to come from. Now let’s think of what we’d
like to try and get our phishing targets to do.
A common approach is to clone a familiar website that resembles a false.com
login portal users would authenticate to or develop a document with malware
that someone inside the company would be likely to open.
• A critical failure in an email system occurred overnight and had to be
replaced. Take action now to restore your access.
• Business development leads from an internal resource with a malware
macro.
• Sending a social media link from a known associate’s spoofed email.
• Posting a link on Twitter about the company if they have a Twitter presence.
14. The Initial Foothold – One Approach
If we’re running short on creativity there are some great tools out there that come
with templates for phishing that might get the creativity flowing—
15. Why Site Cloning?
Site cloning is a popular tactic used by phishermen where a login portal is cloned,
hosted on a threat actor’s server, and modified slightly so that whatever a user
types in for the username and password is sent back to the attacker. Alternatively,
the threat actor could include an exploit on the cloned site that they believe would
be effective.
Email portals, remote access portals, social media login portals, and anything else
a user may login to are good choices.
16. Why Documents with Malware?
Malware within electronic office documents is another popular tactic used by
phishermen where a purportedly legitimate document contains malicious code
that will either trigger when the user opens the document or when the user opens
the document and enables macros.
Macros, and recent exploits for Microsoft, Java, Adobe, and other common
third-party products, are used to conduct successful phishing campaigns.
18. Phishing Example 1
Here’s a phishing campaign where someone in need of a job sent their resume to
an IT Recruiter that worked at a company.
19. Phishing Example 2
Here’s a phishing campaign that was sent out by a “Helpdesk Supervisor” letting
employees know they need to take action to restore access to their email.
20. Phishing Example 3
Here’s a phishing campaign that was sent out by a “Helpdesk Supervisor” trying
to educate employees with security awareness training for phishing attempts.
21. How IT Can Help
The role of education, technology, and policies in preventing phishing attempts
from the start, or in limiting the damage if one succeeds.
22. Multi-factor Authentication
All Internet-facing remote access services should be secured with multi-factor
authentication.
• In the event of a successful phish where credentials are disclosed to an
attacker, multi-factor authentication, when appropriately configured, can
prevent the attacker from successfully using the credentials.
• Third-party services that are not on the company’s premises should also be
secured.
– Office 365, a technology more and more organizations are moving to, is
an example of a third-party service that does provide multi-factor
authentication, and it should be enabled.
23. Employee Awareness
All employees should be regularly educated to raise their awareness of phishing
attacks.
• Phishing quizzes
• Monthly phishing reminder emails that show actual phishing attempts
• Visual reminders around the office, such as educational posters
– An especially good idea for preventing tailgating
24. Assess Training Effectiveness
The level of awareness of employees can be assessed by conducting regular
phishing campaigns either internally or by having a third party do it.
• Metrics from a simulated phishing campaign can highlight areas where
training can be improved or identify employees who need additional help.
• Social assessments should include multiple types of phishing (vishing, spear
phishing, and whaling).
25. Keep Systems Patched
In the event of a successful phishing campaign, having systems patched is
critical to preventing further damage.
• Many phishing payloads deliver recent exploits that allow for remote code
execution in the event that a user takes the action that the attacker is
attempting to elicit.
– Remote code execution = the attacker is on your computer and has a degree
of control over it that depends on the permissions of the user who was
phished.
• Microsoft AND 3rd-party products should be patched
– Working exploits for a vulnerability usually appear after the patch is
released but before the deadline an organization’s patch policy allows
26. Spam Detection
While not a cure-all, an email gateway with spam detection capabilities will
have an impact on the amount of spam and phishing attempts that reaches
each end user.
• Preventing excess spam from being delivered to end users will prevent
message fatigue and make it more likely that users will spot the more
sophisticated phishing attempts that do get through.
27. Limit Access – Least Privilege
Users need access to do their jobs, but many companies suffer from access
creep, or granting more permissions than an employee needs to do their job
effectively.
• Enforcing least privilege at the operating system level may limit an attacker
to a low-privileged (non-administrative) account.
• Enforcing least privilege at the mapped drives and file shares will also limit
the impact of ransomware and what it is able to encrypt.
28. Visual Indicators for Employees
Additional visual cues to assist employees in identifying phishing attempts.
• Utilize the mail gateway to add an [EXTERNAL] tag to the subject of emails
that originate from outside the company.
• Have corporate photos displayed within the mail client so that when a
picture is not present but the email appears to be from someone internal,
users will report the phishing attempt.
• Use a plug-in within the mail client that displays a button users can click
when they suspect a phishing attempt. When clicked, the button forwards the
message to the helpdesk.
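The gateway tagging and the “looks internal but isn’t” cue above, as an added example (not from the talk and not any mail product’s code). It assumes a constructed organization domain, vendor list, and directory of display names, plus an assumed confusables table and edit-distance thresholds; it inspects only the From header, so the SPF/DKIM/DMARC checks a real gateway performs before trusting that header are out of scope, and the thresholds will need tuning against an allowlist of legitimate domains that happen to sit close to yours.

```python
"""Tag external mail and flag senders that resemble internal or vendor domains.

Added example, not from the talk. Organization, vendor and directory data and
the sample messages are constructed; header authentication is not modeled.
"""
from __future__ import annotations

import email
from email.utils import parseaddr
from typing import Optional

ORG_DOMAINS = {"false.com"}                                     # constructed
VENDOR_DOMAINS = {"trustwave.com", "lbmc.com", "microsoftonline.com"}
INTERNAL_DISPLAY_NAMES = {"helpdesk supervisor", "jane doe"}   # directory sample

# Look-alike sequences folded before comparison (assumed table).
CONFUSABLES = [("vv", "w"), ("rn", "m"), ("nn", "m"), ("1", "l"),
               ("0", "o"), ("5", "s"), ("3", "e"), ("4", "a")]


def normalize(label: str) -> str:
    for bad, good in CONFUSABLES:
        label = label.replace(bad, good)
    return label


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert/delete/substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _sld(domain: str) -> str:
    """Second-level label: 'mail.false.com' -> 'false'."""
    parts = domain.split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def is_internal(domain: str) -> bool:
    return any(domain == d or domain.endswith("." + d) for d in ORG_DOMAINS)


def lookalike_of(domain: str) -> Optional[str]:
    """Closest org/vendor domain within the edit-distance budget, else None."""
    cand = normalize(_sld(domain))
    best, best_dist = None, 99
    for known in sorted(ORG_DOMAINS | VENDOR_DOMAINS):
        target = _sld(known)
        budget = 2 if len(target) >= 4 else 1      # assumed thresholds
        dist = edit_distance(cand, target)
        if dist <= budget and dist < best_dist:
            best, best_dist = known, dist
    return best


def check_message(raw: str) -> tuple[str, list[str]]:
    """Return (subject as it should be delivered, list of findings)."""
    msg = email.message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    subject = msg.get("Subject", "")
    findings: list[str] = []
    if is_internal(domain):
        return subject, findings
    if not subject.startswith("[EXTERNAL]"):
        subject = "[EXTERNAL] " + subject
    if name.strip().lower() in INTERNAL_DISPLAY_NAMES:
        findings.append(f"display name '{name}' matches an internal account "
                        f"but sender {addr} is external")
    if domain not in VENDOR_DOMAINS:
        hit = lookalike_of(domain)
        if hit:
            findings.append(f"sender domain {domain} resembles {hit}")
    return subject, findings


# Constructed sample messages.
SAMPLE_LOOKALIKE = ("From: Helpdesk Supervisor <helpdesk@fa1se.com>\n"
                    "Subject: Action required: restore your email access\n\n"
                    "The email system failed overnight. Log in now to restore access.\n")
SAMPLE_INTERNAL = ("From: Jane Doe <jane.doe@false.com>\n"
                   "Subject: Quarterly numbers\n\nAttached.\n")
SAMPLE_VENDOR = ("From: Account Rep <rep@trustwave.com>\n"
                 "Subject: Renewal quote\n\nQuote attached.\n")

if __name__ == "__main__":
    for raw in (SAMPLE_LOOKALIKE, SAMPLE_INTERNAL, SAMPLE_VENDOR):
        print(check_message(raw))
```

Exact matches against the vendor list are deliberately excluded from the look-alike check; the point of the distance budget is to catch lbnnc.com next to lbmc.com, not to flag the vendor itself.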
32. LBMC Information Security - a full spectrum of services
Compliance and Audit Services: navigate the complex maze of compliance regulations
• HIPAA / HITRUST
• Security Controls Assessment (SCA)
• CMS / FISMA / NIST
• FedRAMP / CSA CCM
• Service Organization Control (SOC)
• SOX / COSO
• Payment Card Industry (PCI)
Managed Security Services: minimize threats and respond
• Intrusion prevention and detection services
• Security information and event management
• Incident response and forensics
• Vulnerability and threat management
Security Consulting: tap in to our unaffiliated and objective assessments
• Risk assessment / current state assessments
• Security program design and implementation
• Penetration testing
• Web application assessments