Protect Your Organization from
Andy Rappaport, Chief Architect
Tom Smit, Customer Experience Manager
The Evolving Phishing Threat
Attacker’s mentality - What CORE’s penetration testers tell us
5 minute Identity Harvest Challenge
Best Practices – What You Can Do
Organizational Preparedness with CORE Insight
Phishing is Not the Same as Spam
• Spam: Unwanted email (and possibly texts)
• Phishing: malicious email – social engineering attack
− Pretending to be from someone you trust
− Designed to look like legitimate email from a trusted source.
• Types of Phishing:
− Spear Phishing – Targets select individuals
− Clone Phishing – copies a previous, legitimate email so it looks familiar,
but swaps the links it contains. Exploits existing trust.
− Long-lining – a large volume of individually customized emails,
intended to defeat filter-based defenses.
The Evolving Phishing Threat
• Frequency is declining [1] but sophistication is increasing
• Spear-phishing effectiveness has significantly increased [2]
• $1.5 Billion – total losses from phishing in 2012 [3]
• Why? Lowered barriers to achieving online trust
− Decreased face-to-face contact: remote offices, outsourcing, partners, social networks
− Technology bypasses the human: single sign-on, federation, browsers that save passwords
− Mixed personas (personal & business): BYOD.
1. Anti-phishing Working Group Attack Trend Reports: http://www.antiphishing.org/resources/apwg-reports/
What CORE’s Pen. Testers Tell Us
• Social Engineering is the preferred attack vector.
• Users are easier: “We can always phish someone [in an
engagement.] It's just a matter of how hard we need to try.”
• Establish, escalate and leverage trust: “until you get
someone [or something] you want”.
• Value of compromising an identity
− Email account: send email as them; leverage their trust network
− Browser or host: passwords; log on as them
Note the significance of trust in each statement.
What CORE’s Pen. Testers Tell Us – The Approach
• Establish trust with a non-threatening message to a small group.
− We have been experiencing some errors with the XYZZY system. Sorry
for any inconvenience.
− We are scheduling an upgrade for the XYZZY system.
• … then send the Phish email
− Sorry. Please use this temporary XYZZY system <some link>
• Make it look right
− Use corporate branding / images. Duh.
• Personalize - if possible
− Title: Attendee list for your XYZZY conference keynote
o (A person’s future conference schedule might be easy to discover)
Try the 5 Minute Identity Harvest Challenge
• Pick an important corporate user – your company or another
• Search for just 5 minutes to get spear-phish info
• Pick a few places to look:
− Corporate site, news
− Financial: scheduled stock trades
− Search engine: blogs, conferences, speeches, planned travel
− Social: LinkedIn (college – homecoming), Facebook (social, family)
− Physical addresses: work, home, vacation
What could an attacker do with more time?
Phish Defenses – What You Can Do
• Defend - Technology deployments
− Blacklisting known phishing sites
• Educate - User awareness
− Regular 2-way communication. Make humans part of your sensor network.
− Share real-world examples
• Understand the risk - Establish Policy
− Ex: CSR or IT password reset – are they being helpful or insecure?
− Zip files through the firewall?
− Mixing personal and business.
• Test and measure your own exposure and risk
− Test your own defenses
− Hands-on employee assessments
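As an added, defender-side example (not from the deck and not Core Security's code), the following Python script applies two of the checks above to an email body: it flags a link whose visible text names one host while the href points to another (the "changing the links in the email" pattern from the Clone Phishing definition earlier in the deck) and matches link hosts against a blocklist of known phishing sites (the "Blacklisting known phishing sites" item). The HTML message, the host names and the blocklist are constructed for the example; the registrable-domain comparison is a deliberately crude last-two-labels heuristic.

```python
"""Added example (not Core Security's code): inspect the links in an HTML
email for two phishing indicators discussed in the deck.

1. Clone-phishing indicator: the visible link text names one host but the
   href points somewhere else.
2. Blocklist hit: the href host is on a list of known phishing hosts.

The sample message and the blocklist below are constructed for the example.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []          # finished (href, text) pairs
        self._href = None        # href of the <a> currently open
        self._text = []          # text fragments inside that <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Return the lowercase host of a URL; also accepts bare 'www.example.com' text."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def registrable(host):
    """Crude 'last two labels' comparison, e.g. login.bank.example -> bank.example.
    Assumption: adequate for this example; real code should use the public suffix list."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def analyze_links(html, blocklist):
    """Return a list of (finding, href, visible_text) tuples, one per suspicious link."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        target = host_of(href)
        if target in blocklist:
            findings.append(("blocklisted_host", href, text))
        # Only treat the visible text as a host if it looks like one (no spaces, has a dot).
        shown = host_of(text) if "." in text and " " not in text else ""
        if shown and registrable(shown) != registrable(target):
            findings.append(("display_href_mismatch", href, text))
    return findings


# Constructed sample: a "cloned" system notice whose visible link is the real
# portal name but whose href is a look-alike host.
SAMPLE_EMAIL = """
<p>We are scheduling an upgrade for the XYZZY system.</p>
<p>Please log in at <a href="http://xyzzy-portal.example.net/login">portal.xyzzy.example.com</a>
to confirm your account.</p>
<p>Support: <a href="https://support.xyzzy.example.com">Help desk</a></p>
"""
KNOWN_PHISH_HOSTS = {"xyzzy-portal.example.net"}   # constructed blocklist

if __name__ == "__main__":
    for finding in analyze_links(SAMPLE_EMAIL, KNOWN_PHISH_HOSTS):
        print(finding)
```

Run stand-alone, the script reports the first link twice (once as a blocklist hit, once as a display/href mismatch) and says nothing about the help-desk link, whose text is not host-like. The blocklist check is only as good as the list, which is why the deck pairs it with user awareness: the mismatch check catches a look-alike host that nobody has reported yet.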
Self-Phishing Best Practices
• Goal: Understand and lower phish risk
• Systematic testing
− Data-driven. Objective.
− Create an easily-repeatable process
− Not a one-time gotcha. (Hook-and-release)
• Test people and defenses/controls
• Different levels of sophistication
− E.g. an obvious form letter; a targeted message with specific but publicly available information
Benefits of Self-Phishing
Data-driven Security - Goals-questions-metrics
• Goal: understand/measure own risk from phish exposure.
− Does the A/V on our IT ‘golden images’ detect spam/phish messages?
− Do our defenses provide useful clues to employees?
− Which of our users are susceptible to phishing?
− How much does our user awareness program reduce the risk?
• Metrics: Understanding effectiveness of your training
− Measure over time and identify areas to improve
− Approach: Mix baselines (Nigerian prince) with more focused
• Identify users and groups who need additional education
− Adequately trained? New hires? Admins? IT? Devs?
Insight Can Assess Over Time
• Investments in training has
• Ongoing evaluation is critical to minimizing risk.
• Next quarter’s focus can be
Insight Identifies Critical Areas
• Identify current weaknesses in an organization.
• Campaigns focus on different users.
Insight Builds Focused Campaigns
• Focus limited resources on more critical activities
• Sample campaign email shown on the slide: from “First Generic Bank <email@example.com>”, subject “Please update your account information”, Mar 12, 2013 3:23PM PST
Go to www.coresecurity.com/videos/protecting-yourorganization-phishing-threats to watch the recorded
For more information please contact Core Security at
(617)399-6980 or firstname.lastname@example.org