Meetup July 16th, 2015
User awareness training will always fail to prevent 100% of social engineering attacks. However, consistent and reliable technical controls drastically mitigate an organization’s risk and increase the difficulty for malicious actors to launch successful attacks.
This talk describes social engineering from the perspectives of an attacker and a defender. The presentation will cover techniques designed to help organizations develop an ideal incident response plan crafted specifically for social engineering attacks. It will explain technical controls that are designed to inhibit attackers, as well as procedures that allow an incident response team to quickly identify successful attacks and eradicate their presence.
Bishop Fox conducted new research into the state of email spoofing defenses and identified organizations that are most commonly targeted for brand spoofing. This research will show that 99.9% of the top million domains are vulnerable to email spoofing and provide recommendations for avoiding attack.
This presentation covers attacks and defenses for dangerous social engineering activities, including:
· Email spoofing
· Domain hijacks
· Typo-squatting
· Client-side attacks
· Watering hole attacks
WHY DO YOU CARE WHAT WE THINK?
Who are we?
Candis Orr, corr@bishopfox.com, @candysaur: Senior Security Analyst at Bishop Fox (Enterprise Security Team)
Alex DeFreese, adefreese@bishopfox.com, @lunarca_: Security Analyst at Bishop Fox (Application Penetration Testing Team)
WHAT WE ARE GOING TO COVER
Agenda
• Security Awareness Training
• Email Protections
• Domain Protections
• Deterring & Preventing Outbound Proxy
• Browser Protections
• Two-Factor Authentication
• Detecting Attacks
• Eradicating Attacks
• Further Information
• Q&A
SUPPORTING INFRASTRUCTURE SHOULD BE IN PLACE
What is required to properly train?
(Diagram: Security Awareness Training, Documented Policies and Procedures, Technical Controls)
• Technical controls need to be implemented to reduce the attack surface and the chance of attacks.
• Documented policies and procedures need to be created for repeatable and consistent processes for the user to follow.
• Security awareness training must cover the documented policies and procedures and the security controls so that users can understand their responsibilities within the company.
IT CAN GO WELL SOMETIMES…
Best Case for Awareness Training
User awareness training can help identify and prevent attacks when properly administered.
SINCE IT IS POORLY DONE MOST OF THE TIME
Best Case for Awareness Training
Most awareness training programs try to be the only line of defense and suffer as a result.
THE HACKERS ARE LEARNING FASTER THAN THE USERS
Failings of Awareness Training
• Real attacks are sophisticated.
  • Email spoofing
  • Website cloning
  • Targeted for the victim
• Attackers prey on strong drives (politeness, curiosity, confusion) to get compliance.
ONE MATCH IS ENOUGH TO START A FIRE
It Only Takes One
Once an attacker compromises one computer on the network, it becomes an internal attack.
Tools like Mimikatz, WCE, and Pass the Hash Toolkit help attackers compromise full domains from one compromised computer.
IT’S NOT THEIR JOB, IT’S OURS.
Don’t Make Users Be the Judge
“[…] users are neither stupid nor lazy. They are musicians, parents, journalists, firefighters – it isn’t fair to also expect them to become security experts too. And they have other, important things to do besides read our lovingly crafted explanations of SSL. But they still deserve to use the web safely, and it’s on us to figure out that riddle.”
- Adrienne Porter Felt, Google Chrome Security Team (@__apf__ | adrienneporterfelt.com)
BROAD STROKES
Technical Controls
• Prepare, Detect, Analyze, Contain, Eradicate, Recover, and Learn.
• Deter attackers and make it more difficult for them to produce a convincing attack. Limit their options.
• Detect successful attacks immediately.
• Eradicate attackers’ network presence and respond to the damage they caused.
GAPING WOUND IN INTERNET SECURITY
Email Spoofing
• Email servers allow email spoofing by default.
• Spoofing gives social engineering emails automatic credibility.
• Defenses exist to prevent spoofing but very few domains actually use them.
EMAIL PROTECTIONS
Sender Policy Framework (SPF)
• Which servers can send from this domain?
• DNS TXT record
  • dig txt $DOMAIN
• List of IP addresses, domains, and references
• ?all, ~all, and -all
EMAIL PROTECTIONS
DomainKeys Identified Mail (DKIM)
• Automatic digital signatures
• Public keys stored as DNS TXT records
  • dig txt $SELECTOR._domainkey.$DOMAIN
• Selector and signature transmitted with email
EMAIL PROTECTIONS
DMARC
• Domain-based Message Authentication, Reporting, and Conformance
• Defines what to do if mail fails SPF or DKIM checks
  • Send an email with details
  • Make an HTTP request with details
  • Mark the email as spam
• DNS TXT record
  • dig txt _dmarc.$DOMAIN
BY THE NUMBERS
Analysis
• Scanned top 1,000,000 domains for SPF and DMARC
• Domains with SPF records: 40%
• Domains with DMARC records: 0.74%
THE SKY IS ON FIRE
The Core Problem
Mail servers don’t respect SPF or DKIM alone.
THE SKY IS ON FIRE
The Core Problem
Domains that are vulnerable to email spoofing: 99.87%
• DMARC policy of reject or quarantine needed to block emails
• Only 1,731 out of 1,000,000 domains are protected.
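As an added example (not code from the talk), the criterion behind the 99.87% figure applied to a single domain's records: read the SPF `all` qualifier and the DMARC `p=` tag, and count the domain as protected only when the policy is reject or quarantine. The TXT strings and domain names below are constructed.

```python
"""Classify a domain's email-spoofing exposure from its SPF and DMARC records.
Added example, not from the talk. It consumes the TXT strings that `dig txt $DOMAIN`
and `dig txt _dmarc.$DOMAIN` return, so it runs offline on constructed records."""
import re

def parse_spf(txt_records):
    """SPF 'all' qualifier: '-' fail, '~' softfail, '?' neutral, '+' pass
    (the dangerous case), or None when the domain has no SPF record."""
    for rec in txt_records:
        if not rec.strip().lower().startswith("v=spf1"):
            continue
        for term in rec.split()[1:]:
            m = re.fullmatch(r"([-~?+]?)all", term, re.IGNORECASE)
            if m:
                return m.group(1) or "+"  # a bare 'all' means '+all'
        return "?"  # no 'all' term: RFC 7208 defaults to neutral (redirect= ignored here)
    return None

def parse_dmarc(txt_records):
    """DMARC tags as a dict, e.g. {'v': 'DMARC1', 'p': 'reject'}, or None."""
    for rec in txt_records:
        if not rec.strip().lower().startswith("v=dmarc1"):
            continue
        tags = {}
        for part in rec.split(";"):
            if "=" in part:
                key, value = part.split("=", 1)
                tags[key.strip().lower()] = value.strip()
        return tags
    return None

def classify(domain_txt, dmarc_txt):
    """The talk's criterion: receivers don't enforce SPF or DKIM on their own,
    so only a DMARC policy of reject or quarantine actually blocks spoofed mail."""
    policy = (parse_dmarc(dmarc_txt) or {}).get("p", "").lower()
    return {"spf_all": parse_spf(domain_txt),
            "dmarc_policy": policy or None,
            "protected": policy in ("reject", "quarantine")}

# Constructed records for illustration; these are not real domains' records.
SAMPLES = {
    "spf-only.example": (["v=spf1 ip4:192.0.2.0/24 -all"], []),
    "monitor-only.example": (["v=spf1 include:_spf.example.net ~all"],
                             ["v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.example"]),
    "protected.example": (["v=spf1 mx -all"], ["v=DMARC1; p=reject; pct=100"]),
}

if __name__ == "__main__":
    for name, (spf_txt, dmarc_txt) in SAMPLES.items():
        print(name, classify(spf_txt, dmarc_txt))
```

Only the third sample is protected; the first has a hard-fail SPF record and the second a DMARC record, but neither tells receivers to reject or quarantine.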
IT’S NOT ALL TERRIBLE
What’s Vulnerable
Of the 84 organizations with the most phishing sites, 40% are protected from email spoofing.
HOW TO PROTECT YOURSELF
Solutions
• Implement SPF, DKIM, and DMARC for your domain if possible.
• Configure your email server to respect SPF regardless of whether the sending domain publishes DMARC, if possible.
  • http://www.openspf.org/Implementations
  • Exchange: http://www.gfi.com/products-and-solutions/email-and-messaging-solutions/gfi-mailessentials/specifications
BY THE NUMBERS
Similar Domains
• Attackers will register domains similar to your company’s domain to host phishing websites.
  • Typosquatting
  • TLD squatting
• Register primary TLDs for your domain to protect customers.
• Add all typos to internal DNS server to protect employees.
  • URLCrazy: tool to generate a list of domain typos
• Consider blocking mail from these domains as well.
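An added example (not the talk's code, and not URLCrazy itself) of the internal-DNS step above: generate a subset of URLCrazy's typo classes for a company domain and render them as sinkhole entries for an internal resolver. The `examplecorp.com` domain is made up and the output uses dnsmasq's `address=` syntax as one concrete target.

```python
"""Generate look-alike domains to sinkhole on the internal DNS server.
Added example, not from the talk or from URLCrazy; it covers a subset of URLCrazy's
classes (omission, transposition, repetition, hyphenation, TLD swaps)."""

def typo_variants(name, tld, extra_tlds=("net", "org", "co", "cm", "om")):
    """Return the set of look-alike FQDNs for name.tld (the real name excluded)."""
    variants = set()
    # TLD squatting: the same name under another TLD or a truncated one (.cm, .om)
    for alt in extra_tlds:
        if alt != tld:
            variants.add(f"{name}.{alt}")
    for i in range(len(name)):
        # omission: examplecorp -> examplcorp
        variants.add(f"{name[:i]}{name[i + 1:]}.{tld}")
        # repetition: examplecorp -> exammplecorp
        variants.add(f"{name[:i]}{name[i] * 2}{name[i + 1:]}.{tld}")
        # transposition of adjacent characters: examplecorp -> exmaplecorp
        if i + 1 < len(name) and name[i] != name[i + 1]:
            variants.add(f"{name[:i]}{name[i + 1]}{name[i]}{name[i + 2:]}.{tld}")
        # hyphenation: examplecorp -> example-corp
        if i > 0:
            variants.add(f"{name[:i]}-{name[i:]}.{tld}")
    variants.discard(f"{name}.{tld}")
    return variants

def sinkhole_config(fqdns, sink_ip="0.0.0.0"):
    """Render dnsmasq 'address=/domain/ip' lines so every variant resolves to sink_ip."""
    return "\n".join(f"address=/{fqdn}/{sink_ip}" for fqdn in sorted(fqdns))

if __name__ == "__main__":
    # Constructed company domain; real deployments would also feed this list
    # to the mail gateway, per the "block mail from these domains" advice.
    print(sinkhole_config(typo_variants("examplecorp", "com")))
```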
MALICIOUS DOMAIN TRANSFER
Domain Stealing
Client Transfer Prohibited
• Prevents attackers from transferring domain in same registrar
• Usually default
Server Transfer Prohibited
• REGISTRAR LOCK status
• Prevents attackers from transferring domain to a different registrar
• Sometimes not default
WHY EVEN ALLOW THIS?
Java User Agent
Java Applet Attack
• Still in use because it doesn’t need an exploit
Block the Java User Agent
• Very few legitimate applications use Java Applets.
• Block the Java User Agent outbound to prevent Java Applet Attacks.
• Whitelist specific endpoints if absolutely necessary.
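Added example (not from the talk) of the detection side of this slide: scan proxy log lines for requests whose User-Agent is the JRE's `Java/…` string and flag any destination not on an allowlist of endpoints that still need applets. The log lines, client addresses, hostnames and allowlist are constructed; the log layout is Apache combined format, which many proxies can emit.

```python
"""Flag outbound requests made by the Java user agent in proxy logs.
Added example, not from the talk. Input is constructed log lines in Apache
combined format; hosts and the allowlist are made up for illustration."""
import re
from urllib.parse import urlsplit

LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

# Hypothetical allowlist: the few endpoints that legitimately still need applets.
ALLOWED_JAVA_HOSTS = {"jnlp.internal.example"}

def parse_line(line):
    """Split one combined-format line into fields, or return None if it doesn't match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def request_host(rec):
    """CONNECT lines carry 'host:port' rather than a URL, so handle them separately."""
    if rec["method"].upper() == "CONNECT":
        return rec["url"].rsplit(":", 1)[0]
    return urlsplit(rec["url"]).hostname

def java_ua_alerts(lines, allowed=ALLOWED_JAVA_HOSTS):
    """Return (client, host, ua) for every Java-UA request to a non-allowlisted host.
    The JRE identifies itself as e.g. 'Java/1.8.0_45', unlike any browser UA."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["ua"].startswith("Java/"):
            continue
        host = request_host(rec)
        if host and host not in allowed:
            alerts.append((rec["client"], host, rec["ua"]))
    return alerts

# Constructed sample log: one browser request, one applet fetch, one allowlisted JNLP.
SAMPLE_LOG = [
    '10.0.0.5 - - [16/Jul/2015:10:01:02 -0700] "GET http://news.example/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1)"',
    '10.0.0.7 - - [16/Jul/2015:10:01:09 -0700] "GET http://applet-host.example/a.jar HTTP/1.1" 200 77812 "-" "Java/1.8.0_45"',
    '10.0.0.7 - - [16/Jul/2015:10:01:10 -0700] "CONNECT jnlp.internal.example:443 HTTP/1.1" 200 0 "-" "Java/1.8.0_45"',
]

if __name__ == "__main__":
    for client, host, ua in java_ua_alerts(SAMPLE_LOG):
        print(f"ALERT {client} -> {host} ({ua})")
```

The same match on the User-Agent header is what an outbound proxy rule would block; running it over historical logs first shows which endpoints need to be on the allowlist before the block goes live.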
CROWDSOURCED AUTOMATED DEFENSE
Authenticated Splash Page
Regularly block all domains with an authenticated splash page.
• First person can unblock it if it’s legitimate.
• Potentially whitelist company domains.
Block automated Command and Control.
Block watering hole attacks.
PROTECT YOURSELF FROM EVENTUALITY
Sandboxing
• Protects the computer if the browser gets compromised
• Limits the amount of damage a browser-based attack can do
• Effectively removes the browser from the attack surface
SOME OF OUR FAVORITES
Browser Extensions
Reduce the browser’s attack surface.
• NoScript – prevent JS injection
• AdBlock – prevent malicious advertisements
• FlashBlock – prevent malicious flash documents
• Web of Trust – make it easier to spot phishing sites
• HTTPS Everywhere – force HTTPS when possible
BECAUSE CREDENTIALS ARE EASY TO STEAL
Multi-Factor Authentication
Implement 2FA for the VPN.
• Credentials are easier to compromise than computers.
• Don’t let credentials give access to your internal network.
Duo Security’s system is easier for users than traditional 2FA.
IN A NUTSHELL
Detection
Even with all the previously mentioned controls, an employee may still get compromised.
Learn that an attack is going on quickly, and act immediately to contain and eradicate it.
WHAT IT’S ACTUALLY GOOD FOR
User Awareness Training
Alert system, not a prevention system
• Train users to report suspicious communications to security officers.
• Track reported emails instead of clicked links to measure campaign effectiveness.
Make reporting a positive experience.
• Reward users that report awareness training emails.
• Ensure the reporting system is clearly defined, simple, and easy to use.
IT’S A TRAP
Canaries and Honeypots
Purposefully attractive targets
• Purposefully vulnerable high-value servers with dummy data
• Purposefully insecure domain admin accounts with no real power
Alert if someone starts using them
• Immediately start forensics and eradication.
LEARN WHAT THEY DID AND WHAT THEY’RE DOING
Monitoring and IDS
Monitoring Systems
• Absolutely necessary for tracking an attack path
• Need to know an attack is happening first
• Start with anything outbound
Intrusion Detection Systems
• Helpful for detecting obvious attackers or ones that correspond to known attack patterns
• May not necessarily detect covert or subtle attackers
LEARN WHAT THEY DID AND WHAT THEY’RE DOING
Forensics
What happened during the attack?
• Identify the phishing site.
• Identify C2 servers and channels.
• Identify the campaign’s targets.
• Identify the campaign’s purpose.
Outbound Proxy Logs
BUY SOME TIME TO BREATHE
Burn the Current Campaign
• Block the IP and domain of phishing sites and C2 servers.
• Drop emails coming from attacker’s domains, email addresses, and mail servers.
• Alert users about the social engineering campaign.
• This won’t stop the attack, but it’ll buy some time while the attacker pivots to different infrastructure.
SCORCHED EARTH POLICY
Respond to the Attack
Force password resets.
• Users that gave up credentials
• Users with compromised computers
• Anyone with access to compromised computers
• Domain Admins
Reimage compromised machines.
• Don’t try to outsmart the malware.
• Reimage and restore from backup.
PLACES TO GO TO KNOW MORE
Further Information
Documents
• SANS: Incident Handler’s Handbook: http://www.sans.org/reading-room/whitepapers/incident/incident-handlers-handbook-33901
Books
• Social Engineering: The Art of Human Hacking, Christopher Hadnagy
• Social Engineering Penetration Testing, Gavin Watson, Andrew Mason, Richard Ackroyd
• Influence: The Psychology of Persuasion, Robert B. Cialdini