This document discusses phishing techniques and metrics for evaluating phishing campaigns. It begins by listing various topics to avoid that could cause offense and introduces the author, Chris Nickerson. The bulk of the document outlines different phishing methods an attacker could use, such as shoulder surfing, smoking targets, and browser attacks. It also discusses important metrics for phishing campaigns like click ratios and response times of defensive systems. The document emphasizes that collecting real metrics allows making real decisions to strengthen defenses and reduce phishing risks over time through improved training, technology, and follow through.

1. Who Clicked? Who Cares?
24, March 2015
right now
Chris Nickerson
Founder
Lares

2. hi. =)

3. Thanks

8. • Cursing
• Racism
• Religious Prejudice
• Sex
• Drugs
• Daddy /
Abandonment issues
• Socio Economic Hate
crimes
• Thin Skin
• Lack of sense of
humor
• Sexual orientation
• Sexism
• Violence
• Vomiting
• Abuse
• Truth
• Honesty
• Facts

10. Anyway...

11. I’m Chris
AKA
@indi303
cnickerson@laresconsulting.com
https://vimeo.com/laresconsulting
http://www.scribd.com/Lares_

18. LARES

25. Custom Services
OSINT
SIGINT
TSCM/ Bug Sweeping
Exploit Development
Tool Creation
Attack Planning
Offensive Consultation
Adversarial Intelligence
Competitive Intelligence
Attack Modeling
Business Chain Vuln
Assessments
Custom Physical Bypass
Tool Design
Reverse Engineering
Other stuff I can’t write
down…

26. What Do We Know?
www.socalengineer.org

27. Dumpster Diving

28. Shoulder Surfing

29. Phishing

30. Target PHONE Support Staff

31. Human Resources

32. Smoking is Bad

33. Transit Systems

34. Social Functions

35. Client Side Attacks

36. But that’s not phishin’
chris…. Phishing is all
about EMAIL!

38. Directed Phishing

39. lather
Choose
an
attack
Rinse
Send out
an
attack,
get basic
metrics
Repeat
Send em
a cbt
and
phish
em
again

40. Slide 41
CLICKS

41. Slide 42
huh?

42. Slide 43

43. Slide 44

44. Slide 45
PHISHING
CLICK RATIO

45. Slide 46
 Training
 Metrics
 Testing of layered defense
 Creating durability
 Testing Identification skills
 EXPERIENCE
 Solidarity
 USER EMPOWERMENT
 BUSINESS
What’s it about then?

46. Slide 47

47. Slide 48
“If it weren’t for the users we
would be secure”
– Some idiot in infosec who should have taken a job as a used car
salesperson
“Users are our BIGGEST
vulnerability”
– Some Infosec “professional” who diesn’t know what vulnerability
means

48. Slide 49

49. Slide 50

50. Slide 51
Intelligence Leakage
 Contact info
 emails [userID]
 phone numbers
 Metadata
 Dox reference checks
 Pastebin, support forums, wikis, etc

51. Slide 52
Mail Configuration
 Pure vanilla spoof (forged internal from Internet)
 Validate/verify addresses
 Recipient and Sender
 MX, SPF, RBL, Spam
 Block known bad senders/Blacklists
 Throttle after X in an hour

52. Slide 53
Spam/Proxy Configuration
 In line spam detection
 Proxy in use
 Content inspection
 Content filtering
 Exceptions
 Inspect (Decrypt) SSL

53. Slide 54
Malicious Attachments/Content
 Malicious Attachments
 Java applet
 Excel macros
 Calendar invites
 PDFs
 Executables and more
 Linked (hosted) executables

54. Slide 55
Browser Attacks
 Corporate Standards
 Vulnerable type/version
 Frame injection/Keyloggers
 3rd party add-ons/Plugins
 Mobile platforms
 Credential theft (SCORING)
 Integration with Red Team

55. Slide 56
Malicious Detection
 IPS/NIPS/HIPS
 AV process protection
 100% coverage
 File integrity monitoring
 System process protection
 Injection
 migration

56. Slide 57
Ingress/Egress Filtering
 Can an attacker call home?
 What are all the ways?

57. Slide 58
On Device Vulnerability
 Does the user have rights
 Can you priv esc
 Can you get to the “Mothership”
 Is there IP I can take?
 Can I pivot and “Go for the gold”

58. Slide 59
Post Phish Value
 Did your IR team catch it?
 How long did it take to kick in response
 How effective was response
 Is there skill gaps
 What do you need to do
to close the gaps?

59. Slide 60
What other metrics do you need to be
tracking to make informed decisions and
ACTUALLY reduce the risk of phishing

60. Slide 61
 User data (Demographics)
 User Role
 Position
 Paygrade
 Education level
 Etc.
 Automated Defensive measurements
 Technology effectiveness
REAL METRICS REAL DECISIONS

61. Slide 62
 Response timing
 Time for emails to get delivered
 Time til first detection
 Time til enterprise notification
 Time required to create incident team
 Time to identify threat vectors
 Time required to identify/quarantine threat
 Time to analyze indicators accurately
 Mean time to incident eradication
REAL METRICS REAL DECISIONS

62. Slide 63
 After we analyze metrics we need to make a REAL plan
to stop this from happening the SAME way again
 Increased user training
 Increased technology and automated defenses
 Process improvement opportunities
 Blue team Improvement
 IR process review
 War boarding advanced threat
 Always asking, WHAT IF we didn’t get it ALL!
FOLLOW THROUGH

63. THANK YOU!
[Chris Nickerson,
cnickerson@lares.com]
Please Remember To Fill Out Your
Session Evaluation Forms!