Meetup July 16th, 2015 User awareness training will always fail to prevent 100% of social engineering attacks. However, consistent and reliable technical controls drastically mitigate an organization’s risk and increase the difficulty for malicious actors to launch successful attacks. This talk describes social engineering from the perspectives of an attacker and a defender. The presentation will cover techniques designed to help organizations develop an ideal incident response plan crafted specifically for social engineering attacks. It will explain technical controls that are designed to inhibit attackers, as well as procedures that allow an incident response team to quickly identify successful attacks and eradicate their presence. Bishop Fox conducted new research into the state of email spoofing defenses and identified organizations that are most commonly targeted for brand spoofing. This research will show that 99.9% of the top million domains are vulnerable to email spoofing and provide recommendations for avoiding attack. This presentation covers attacks and defenses for dangerous social engineering activities, including: · Email spoofing · Domain hijacks · Typo-squatting · Client-side attacks · Watering hole attacks

1. Social Engineering
Technical ControlsTAKING EMOTIONS OUT OF DEFENSE
July 16, 2015

2. INTRODUCTION
FROM US TO YOU

3. 33
Candis Orr
corr@bishopfox.com
@candysaur
Senior Security Analyst at
Bishop Fox (Enterprise Security
Team)
Alex DeFreese
adefreese@bishopfox.com
@lunarca_
Security Analyst at Bishop Fox
(Application Penetration Testing
Team)
WHY DO YOU CARE WHAT WE THINK?
Who are we?

4. 44
• Security Awareness Training
• Email Protections
• Domain Protections
• Deterring & Preventing Outbound Proxy
• Browser Protections
• Two-Factor Authentication
• Detecting Attacks
• Eradicating Attacks
• Further Information
• Q&A
WHAT WE ARE GOING TO COVER
Agenda

5. SECURITY
AWARENESS
TRAINING
EASIER SAID THAN DONE

6. 66
Security
Awareness
Training
Documented
Policies and
Procedures
Technical
Controls
SUPPORTING INFRASTRUCTURE SHOULD BE IN PLACE
What is required to properly train?
• Technical controls need to
be implemented to reduce
the attack surface and
chance of attacks
• Documented policies and
procedures need to be
created for repeatable and
consistent processes for the
user to follow
• Security awareness training
must cover the document
policies and procedures and
the security controls so that
users can understand their
responsibilities within the
company

7. 77
IT CAN GO WELL SOMETIMES…
Best Case for Awareness Training
User awareness
training can help
identify and prevent
attacks when properly
administered.

8. 88
SINCE IT IS POORLY DONE MOST OF THE TIME
Best Case for Awareness Training
Most awareness
training programs try
to be the only line of
defense and suffer as
a result.

9. 99
• Real attacks are sophisticated.
• Email spoofing
• Website cloning
• Targeted for the victim
• Attackers prey on strong drives (politeness,
curiosity, confusion) to get compliance.
THE HACKERS ARE LEARNING FASTER THAN THE USERS
Failings of Awareness Training

10. 1010
EMAIL SPOOFING IN ACTION
Example Spoofed Email

11. 1111
EMAIL CLONING IN ACTION
Example Phishing Email

12. 1212
WEBSITE CLONING IN ACTION
Example Phishing Website

13. 1313
Once an attacker compromises
one computer on the network, it
becomes an internal attack.
Tools like Mimikatz, WCE, and
Pass the Hash Toolkit help
attackers compromise full
domains from one compromised
computer.
ONE MATCH IS ENOUGH TO START A FIRE
It Only Takes One

14. 1414
“[…] users are neither stupid nor lazy. They are
musicians, parents, journalists, firefighters – it
isn’t fair to also expect them to become security
experts too. And they have other, important
things to do besides read our lovingly crafted
explanations of SSL. But they still deserve to
use the web safely, and it’s on us to figure out
that riddle.”
- Adrienne Porter Felt
Google Chrome Security Team
@__apf__ | adrienneporterfelt.com
IT’S NOT THEIR JOB, IT’S OURS.
Don’t Make Users Be the Judge

15. TECHNICAL
CONTROLS
RELIABLE, REPEATABLE, CONSISTENT

16. 1616
• Prepare, Detect, Analyze, Contain, Eradicate, Recover,
and Learn.
• Deter attackers and make it more difficult for them to
produce a convincing attack. Limit their options.
• Detect successful attacks immediately.
• Eradicate attackers’ network presence and respond to the
damage they caused.
BROAD STROKES
Technical Controls

17. EMAIL
PROTECTIONS
DETER AND PREVENT

18. 1818
• Email servers allow email spoofing by default.
• Spoofing gives social engineering emails
automatic credibility.
• Defenses exist to prevent spoofing but very few
domains actually use them.
GAPING WOUND IN INTERNET SECURITY
Email Spoofing

19. 1919
• Which servers can send from this domain?
• DNS TXT record
• dig txt $DOMAIN
• List of IP addresses, domains, and references
• ?all, ~all, and -all
EMAIL PROTECTIONS
Sender Policy Framework (SPF)

20. 2020
EMAIL PROTECTIONS
SPF Summary

21. 2121

22. 2222
• Automatic digital signatures
• Public keys stored as DNS TXT records
• dig txt $SELECTOR._domainkey.$DOMAIN
• Selector and signature transmitted with email
EMAIL PROTECTIONS
DomainKeys Identified Mail (DKIM)

23. 2323
EMAIL PROTECTIONS
DKIM Summary

24. 2424

25. 2525
• Domain-based Message Authentication, Reporting,
and Conformance
• Defines what to do if mail fails SPF or DKIM
checks
• Send an email with details
• Make an HTTP request with details
• Mark the email as spam
• DNS TXT record
• dig txt _dmarc.$DOMAIN
EMAIL PROTECTIONS
DMARC

26. 2626
EMAIL PROTECTIONS
DMARC Summary

27. 2727
• Scanned top 1,000,000 domains for SPF and
DMARC
• Domains with SPF records: 40%
• Domains with DMARC records: 0.74%
BY THE NUMBERS
Analysis

28. 2828
THE SKY IS ON FIRE
The Core Problem
Mail Servers don’t
respect SPF or DKIM
alone.

29. 2929
THE SKY IS ON FIRE
DOMAINS THAT ARE
VULNERABLE TO EMAIL
SPOOFING
99.87%
The Core Problem
• DMARC policy of reject
or quarantine needed to
block emails
• Only 1,731 out of
1,000,000 domains are
protected.

30. 3030
HOW DO THE TOP DOMAINS COMPARE?
Analysis Results

31. 3131
HOW DO THE TOP DOMAINS COMPARE?
Analysis Results

32. 3232
Email Providers
FROM WHOM CAN I SPOOF?
What’s Vulnerable?

33. 3333
Financial Institutions
FROM WHOM CAN I SPOOF?
What’s Vulnerable?

34. 3434
Insurance
FROM WHOM CAN I SPOOF?
What’s Vulnerable?

35. 3535
Government
FROM WHOM CAN I SPOOF?
What’s Vulnerable?

36. 3636
Government
FROM WHOM CAN I SPOOF?
What’s Vulnerable?

37. 3737
Government
FROM WHOM CAN I SPOOF?
What’s Vulnerable?

38. 3838
Government
FROM WHOM CAN I SPOOF?
What’s Vulnerable?

39. 3939
TOP SPOOFED DOMAINS
What’s Vulnerable

40. 4040
IT’S NOT ALL TERRIBLE
What’s Vulnerable
Of the 84 organizations
with the most phishing
sites, 40% are protected
from email spoofing.

41. 4141
• Implement SPF, DKIM, and DMARC for your
domain if possible.
• Configure your email server to respect SPF
despite DMARC if possible.
• http://www.openspf.org/Implementations
• Exchange:
http://www.gfi.com/products-and-solutions/email-and-
messaging-solutions/gfi-mailessentials/specifications
HOW TO PROTECT YOURSELF
Solutions

42. 4242
HELP PROTECT EVERYONE
Solutions
Spread the word.

43. DOMAIN
PROTECTIONS
DETER AND PREVENT

44. 4444
• Attackers will register domains similar to your
company’s domain to host phishing websites.
• Typosquatting
• TLD squatting
• Register primary TLDs for your domain to protect
customers.
• Add all typos to internal DNS server to protect
employees.
• URLCrazy: tool to generate a list of domain typos
• Consider blocking mail from these domains as well
BY THE NUMBERS
Similar Domains

45. 4545
SIMILAR DOMAIN NAMES
URLCrazy Report

46. 4646
Client Transfer Prohibited
• Prevents attackers from transferring domain in same
registrar
• Usually default
Server Transfer Prohibited
• REGISTRAR LOCK status
• Prevents attackers from transferring domain to a
different registrar
• Sometimes not default
MALICIOUS DOMAIN TRANSFER
Domain Stealing

47. 4747
THIS ACTUALLY HAPPENS
Real World Example

48. OUTBOUND
PROXY
DETER AND PREVENT

49. 4949
Java Applet Attack
• Still in use because it doesn’t need an exploit
Block the Java User Agent
• Very few legitimate applications use Java Applets.
• Block the Java User Agent outbound to prevent Java
Applet Attacks.
• Whitelist specific endpoints if absolutely necessary.
WHY EVEN ALLOW THIS?
Java User Agent

50. 5050
Regularly block all domains with an
authenticated splash page.
• First person can unblock it if it’s legitimate.
• Potentially whitelist company domains.
Block automated Command and Control.
Block watering hole attacks.
CROWDSOURCED AUTOMATED DEFENSE
Authenticated Splash Page

51. BROWSER
PROTECTIONS
DETER AND PREVENT

52. 5252
• Protects the computer if the browser gets
compromised
• Limits the amount of damage a browser-based
attack can do
• Effectively removes the browser from attack
surface
PROTECT YOURSELF FROM EVENTUALITY
Sandboxing

53. 5353
Reduce the browser’s attack surface.
• NoScript – prevent JS injection
• AdBlock – prevent malicious advertisements
• FlashBlock – prevent malicious flash documents
• Web of Trust – make it easier to spot phishing sites
• HTTPS Everywhere – force HTTPS when possible
SOME OF OUR FAVORITES
Browser Extensions

54. MULTI-FACTOR
AUTHENTICATION
DETER AND PREVENT

55. 5555
Implement 2FA for the VPN.
• Credentials are easier to compromise than computers.
• Don’t let credentials give access to your internal
network.
Duo Security’s system is easier for users than
traditional 2FA.
BECAUSE CREDENTIALS ARE EASY TO STEAL
Multi Factor Authentication

56. DETECTION
KNOW WHAT’S GOING ON IN YOUR NETWORK

57. 5757
Know what’s going
on in your network.
IN A NUTSHELL
Detection

58. 5858
Even with all the previously mentioned controls, an
employee may still get compromised.
Learn that an attack is going on quickly, and act
immediately to contain and eradicate it.
IN A NUTSHELL
Detection

59. 5959
Alert system, not a prevention system
• Train users to report suspicious communications to
security officers.
• Track reported emails instead of clicked links to
measure campaign effectiveness.
Make reporting a positive experience.
• Reward users that report awareness training emails.
• Ensure the reporting system is clearly defined, simple,
and easy to use.
WHAT IT’S ACTUALLY GOOD FOR
User Awareness Training

60. 6060
Purposefully attractive targets
• Purposefully vulnerable high-value servers with dummy
data
• Purposefully insecure domain admin accounts with no
real power
Alert if someone starts using them
• Immediately start forensics and eradication.
IT’S A TRAP
Canaries and Honeypots

61. 6161
Monitoring Systems
• Absolutely necessary for tracking an attack path
• Need to know an attack is happening first
• Start with anything outbound
Intrusion Detection Systems
• Helpful for detecting obvious attackers or ones that
correspond to known attack patterns
• May not necessarily detect covert or subtle attackers
LEARN WHAT THEY DID AND WHAT THEY’RE DOING
Monitoring and IDS

62. 6262
What happened during the attack?
• Identify the phishing site.
• Identify C2 servers and channels.
• Identify campaign’s targets.
• Identify the campaign’s purpose.
Outbound Proxy Logs
LEARN WHAT THEY DID AND WHAT THEY’RE DOING
Forensics

63. ERADICATION
DELAY, RESPOND, RECOVER

64. 6464
• Block the IP and domain of phishing sites and C2 servers.
• Drop emails coming from attacker’s domains, email
addresses, and mail servers.
• Alert users about the social engineering campaign.
• This won’t stop the attack, but it’ll buy some time while the
attacker pivots to different infrastructure.
BUY SOME TIME TO BREATHE
Burn the Current Campaign

65. 6565
Force password resets.
• Users that gave up credentials
• Users with compromised computers
• Anyone with access to compromised computers
• Domain Admins
Reimage compromised machines.
• Don’t try to outsmart the malware.
• Reimage and restore from backup.
SCORCHED EARTH POLICY
Respond to the Attack

66. FURTHER
INFORMATION
WANT TO KNOW MORE?

67. 6767
Sites
• social-engineer.org
• openspf.net/Tools
• dkim.org
• dmarc.org
• sandboxie.com
• duosecurity.com
Presentations
• Attacker Ghost Stories
Rob Fuller
PLACES TO GO TO KNOW MORE
Further Information

68. 6868
PLACES TO GO TO KNOW MORE
Further Information
Documents
• SANS: Incident Handler’s Handbook: http://www.sans.org/reading-room/
whitepapers/incident/incident-handlers-handbook-33901
Books
• Social Engineering: The Art of Human Hacking
Christopher Hadnagy
• Social Engineering Penetration Testing
Gavin Watson, Andrew Mason, Richard Ackroyd
• Influence: The Psychology of Persuasion
Robert B. Cialdini

69. Q&A
ANY QUESTIONS YOU WANT TO ASK?

70. Thank You