
Social Engineering: the Bad, Better, and Best Incident Response Plans


One of today's most challenging security issues is social engineering defense. Despite evidence proving the impact of a social engineering attack, we often see inadequate incident response plans in place. In this talk, we will share our experiences about what organizations are doing when (or, more commonly, if) they detect an attack, steps to strengthen the social engineering defensive strategy, and what best practices to enforce for the strongest possible security posture.


  1. The Bad, Better, and Best of Social Engineering Incident Response. Rob Ragan @sweepthatleg | Alex DeFreese @lunarca_
  2. Hello! We are Rob and Alex, security consultants at Bishop Fox. We help organizations secure their networks, applications, and people.
  3-5. What are we talking about here? This talk explores the challenges of responding to social engineering incidents and improving defense. Does your organization have a social engineering-specific response plan?
  6. Bad: the worst incident responses
  7. Phone Social Engineering
  8. International News Agency: impersonate an employee; call the helpdesk for a password reset; gain access to the internal network and resources
  9. [image: Racorn/Shutterstock]
  15. REQUIRE (verb): need for a particular purpose; cause to be necessary
  16. Email Phishing
  17. National Retail Company: impersonate the head of Human Resources; convince employees to log in to a fake benefits portal; gain access to the internal network and resources
  18-20. Incident Response Failures: employees did not know whom to report to; the IR team did not know who was affected; no enforcement of the IR policy; the attackers were allowed persistent access to the internal network
  21. Quick Wins
  22. Physical Access
  23. National Banking Institution: impersonate IT contractors; gain access to network ports; plug in a rogue device and gain access to the internal network
  24-26. [images: the mail slot; the Pwn Plug used as the rogue device]
  27. Quick Wins
  28. Better: improving the incident response
  29. Phone Social Engineering
  30. National Retail Company: impersonate an employee; call the helpdesk for a password reset; gain access to the internal network and resources
  32. [image: Kirill Wright/Shutterstock]
  33. Quick Wins
  34. Email Phishing
  35. National Retail Company: impersonate automated emails; convince employees to log in to fake OWA (Outlook Web Access) pages; gain access to the internal network and resources
  36. [image: wk1003mike/Shutterstock]
  37. [image: aurielaki/Shutterstock]
  38. Quick Wins
  39. Physical Access
  40. Email Marketing Company: bypass the fingerprint reader to gain access to the office; use a USB device to gain code execution on a laptop; gain access to the internal network and resources
  41. [images: the fingerprint scanner; the picked lock]
  45. Quick Wins
  46. Best
  47. Do you know what to do?
  48. Does anyone else?
  49. What happens when… employees start receiving large-scale phishing emails? All network shares are suddenly encrypted? Malware is detected running on a computer?
  50. Tailored Incident Response Plan: identify the most common threats facing your company; define and enforce incident response plans for these threats
  51. Incident Response Lifecycle: Prepare → Identify → Contain → Eradicate → Remediate → Lessons Learned
  52. Reference: https://cert.societegenerale.com/en/publications.html
  53. Tactical Recommendations
  54. Phone Social Engineering
  55. Authentication for Sensitive Actions: require authentication before granting access to sensitive information; focus training on employees who require access to sensitive information; remove access to sensitive information for those who don't need it
  56. Email Phishing
  57. Email Protections
  58. Limit attacker options: prevent email spoofing by implementing sender-authentication protections (SPF, DKIM, DMARC); monitor or buy domains similar to your own; heuristic phishing detection; identification of email recipients (so the IR team knows who was affected when a campaign is reported)
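The two email protections on this slide that can be checked mechanically are "prevent spoofing" and "monitor domains similar to your own". The block below is an added example, not code from the talk or from Bishop Fox: it enumerates typosquat and homoglyph variants of a domain worth registering or monitoring, and it reads a domain's SPF and DMARC TXT records and reports the weak settings an attacker relies on (no DMARC, `p=none`, or an SPF record that does not hard-fail with `-all`). The DNS answers are a constructed in-memory table so the example runs offline; `example.com` and its records are assumptions, not a real assessment.

```python
"""Lookalike-domain enumeration plus SPF/DMARC posture check (added example)."""

# Constructed TXT answers standing in for live DNS so the example runs offline.
# Swap in a real resolver (e.g. dnspython's dns.resolver.resolve(name, "TXT")).
FAKE_DNS_TXT = {
    "example.com": ["v=spf1 include:_spf.example.com ~all"],
    "_dmarc.example.com": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
}

# Characters attackers commonly swap for visually similar ones.
HOMOGLYPHS = {"l": "1i", "i": "l1", "o": "0", "e": "3", "a": "4", "s": "5"}


def lookalike_domains(domain):
    """Enumerate typosquat/homoglyph variants of a domain to register or monitor.

    Handles the common name.tld case; for multi-label TLDs such as example.co.uk
    the second-level label is treated as part of the name.
    """
    name, tld = domain.lower().rsplit(".", 1)
    variants = set()
    for i in range(len(name)):
        if len(name) > 1:                      # omission: exmple.com
            variants.add(name[:i] + name[i + 1:])
        if i + 1 < len(name):                  # transposition: exmaple.com
            s = list(name)
            s[i], s[i + 1] = s[i + 1], s[i]
            variants.add("".join(s))
        for sub in HOMOGLYPHS.get(name[i], ""):  # homoglyph: examp1e.com
            variants.add(name[:i] + sub + name[i + 1:])
        if i > 0:                              # inserted hyphen: exam-ple.com
            variants.add(name[:i] + "-" + name[i:])
    variants.add(name.replace("m", "rn"))      # two-character swap: exarnple.com
    out = {v + "." + tld for v in variants}
    out.update(name + "." + alt for alt in ("co", "net", "org") if alt != tld)
    out.discard(domain.lower())                # the unchanged name is not a variant
    return sorted(out)


def _tags(record):
    """Parse a 'k=v; k=v' tag record such as DMARC into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def dmarc_policy(domain, lookup=FAKE_DNS_TXT.get):
    """Return the DMARC 'p=' policy (none/quarantine/reject), or None if absent."""
    for rec in lookup("_dmarc." + domain) or []:
        tags = _tags(rec)
        if tags.get("v", "").upper() == "DMARC1":
            return tags.get("p", "none").lower()
    return None


def spf_all_qualifier(domain, lookup=FAKE_DNS_TXT.get):
    """Return the SPF 'all' term ('-all', '~all', '?all', '+all'), or None if no SPF."""
    for rec in lookup(domain) or []:
        terms = rec.split()
        if terms and terms[0].lower() == "v=spf1":
            for t in terms[1:]:
                if t.lower().lstrip("+-~?") == "all":
                    return t.lower() if t[0] in "+-~?" else "+all"
            return "?all"   # no 'all' term: RFC 7208 default result is neutral
    return None


def spoofing_findings(domain, lookup=FAKE_DNS_TXT.get):
    """Weak or missing sender-authentication settings, as text an IR team can act on."""
    findings = []
    p = dmarc_policy(domain, lookup)
    if p is None:
        findings.append("no DMARC record: receivers are never told to reject spoofed From: headers")
    elif p == "none":
        findings.append("DMARC p=none: spoofing is reported but still delivered; move to quarantine, then reject")
    q = spf_all_qualifier(domain, lookup)
    if q is None:
        findings.append("no SPF record: any host may send as this domain")
    elif q != "-all":
        findings.append(f"SPF ends in {q}: unauthorized senders are not hard-failed")
    return findings


if __name__ == "__main__":
    print(lookalike_domains("example.com")[:10], "...")
    for f in spoofing_findings("example.com"):
        print("-", f)
```

The lookalike list is the input to "monitor or buy": feed it to a domain-registration watch or WHOIS check, and alert when a variant is newly registered or starts serving mail. The DMARC check is deliberately strict about `p=none`, because that setting gives the attacker exactly what the phishing engagements on these slides needed: a spoofed internal sender that still lands in the inbox.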
  59. Physical Access
  60. [image: U.S. Army Korea (Historical Image Archive) via Foter.com / CC BY-NC-ND]
  61. [image: monticello/Shutterstock]
  62. Understand the perimeter: turnstiles and guards at ingress points; network access controls; badges and escorts for guests; screen lock policy; host-based and network detection capabilities
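"Network detection capabilities" on this slide is the control that would have caught the rogue device from the banking engagement after it was plugged in. The block below is an added example, not code from the talk or from Bishop Fox: it parses DHCP server lease confirmations (the ISC dhcpd syslog format) and flags any device whose MAC address is not in the asset inventory or whose announced hostname is missing or outside the corporate naming convention. The log lines, the inventory and the `WS-DEPT-0000` naming convention are constructed for the example; the two unknown devices stand in for an attacker's implant and an unmanaged laptop.

```python
"""Flag unknown devices from DHCP lease logs (added example)."""
import re

# ISC dhcpd DHCPACK line as it appears in syslog.
DHCPACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) to "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)",
    re.IGNORECASE,
)

# Constructed sample log: two inventoried workstations, one DHCPREQUEST noise
# line, and two devices nobody provisioned.
SAMPLE_SYSLOG = """\
Mar  3 09:12:01 dhcp1 dhcpd: DHCPACK on 10.20.30.41 to 3c:07:54:11:22:33 (WS-FIN-0412) via eth0
Mar  3 09:12:09 dhcp1 dhcpd: DHCPACK on 10.20.30.42 to 3c:07:54:44:55:66 (WS-HR-0098) via eth0
Mar  3 09:12:15 dhcp1 dhcpd: DHCPREQUEST for 10.20.30.42 from 3c:07:54:44:55:66 (WS-HR-0098) via eth0
Mar  3 09:13:44 dhcp1 dhcpd: DHCPACK on 10.20.30.44 to 00:c0:ca:9f:01:02 (alfa) via eth0
Mar  3 09:14:02 dhcp1 dhcpd: DHCPACK on 10.20.30.45 to b8:27:eb:0d:ee:01 via eth0
"""

# Constructed asset inventory: MAC -> hostname as provisioned by IT.
INVENTORY = {
    "3c:07:54:11:22:33": "WS-FIN-0412",
    "3c:07:54:44:55:66": "WS-HR-0098",
}

# Assumed corporate naming convention: <type>-<dept>-<4 digits>, e.g. WS-FIN-0412.
HOSTNAME_RE = re.compile(r"^(?:WS|LT|SRV|PRN)-[A-Z]{2,4}-\d{4}$")


def parse_acks(syslog_text):
    """Yield one dict per DHCPACK line; other dhcpd messages are ignored."""
    for line in syslog_text.splitlines():
        m = DHCPACK_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["mac"] = rec["mac"].lower()
            yield rec


def find_rogue_devices(syslog_text, inventory=INVENTORY):
    """Return leases that deserve a physical-security response, with reasons.

    A MAC is trivially spoofable, so an inventory match is not proof of a
    legitimate host; it only removes the noise of known assets. The hostname
    check catches an inventoried MAC being reused by a different device.
    """
    flagged = []
    for rec in parse_acks(syslog_text):
        reasons = []
        if rec["mac"] not in inventory:
            reasons.append("MAC not in asset inventory")
        host = rec["host"] or ""
        if not HOSTNAME_RE.match(host):
            reasons.append(f"hostname {host!r} missing or off convention")
        elif inventory.get(rec["mac"]) not in (None, host):
            reasons.append("hostname does not match inventory for this MAC")
        if reasons:
            flagged.append({"ip": rec["ip"], "mac": rec["mac"], "host": host,
                            "iface": rec["iface"], "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for f in find_rogue_devices(SAMPLE_SYSLOG):
        print(f["ip"], f["mac"], f["host"] or "-", "|", "; ".join(f["reasons"]))
```

In practice the flagged lease is only the alert; the response step is to resolve the MAC to a switch port so the device can be physically located and unplugged, which is why the slide pairs detection with network access controls: with 802.1X or MAC-based port authentication in place the rogue device never receives a lease in the first place.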
  63. Strategic Recommendations
  64. Policy, Processes, People: technical controls provide enforcement for policies and processes; without enforcement, social engineers will continue to exploit the people
  65. Enforce processes: when performing sensitive actions, focus on enforceable processes; authentication enforces who they are; authorization enforces what they're allowed to do
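Both the tactical slide on phone social engineering (authentication before sensitive actions) and this strategic slide (authentication enforces who they are, authorization enforces what they may do) come down to the same helpdesk scenario that opened the talk: a caller asking for a password reset. The block below is an added example, not code or process from the talk or from Bishop Fox, showing what an enforceable reset process looks like as code: nothing the caller says is accepted as proof of identity; a one-time code is sent only to the phone number already on record, not to a number the caller supplies; wrong guesses burn the code after three attempts; and a verified identity still cannot reset a privileged account unless the helpdesk agent's tier authorizes it. The directory, phone numbers, tier levels and attempt limit are assumptions for the example; delivery of the code is an injected callback so it runs offline.

```python
"""Helpdesk password reset with enforced authentication and authorization (added example)."""
import hmac
import secrets
from dataclasses import dataclass

MAX_ATTEMPTS = 3   # assumed policy: three wrong codes burn the pending reset


@dataclass
class Employee:
    username: str
    phone_on_record: str        # the only channel a reset code may go to
    privileged: bool = False    # admin accounts need a higher-tier agent


# Constructed directory; names and numbers are made up.
DIRECTORY = {
    "jdoe": Employee("jdoe", "+1-555-0100"),
    "admin": Employee("admin", "+1-555-0101", privileged=True),
}


class HelpdeskReset:
    def __init__(self, directory, send_code):
        self.directory = directory
        self.send_code = send_code   # out-of-band delivery (SMS/voice), injected
        self.pending = {}            # username -> {"code", "attempts", "verified"}
        self.audit = []              # what the IR team needs when a reset is questioned

    def start(self, username, caller_claims):
        """Caller claims (name, employee ID, manager) are logged, never trusted.

        The code goes to the number already on record; a caller-supplied
        number would let the attacker receive it.
        """
        emp = self.directory.get(username)
        self.audit.append(("start", username, dict(caller_claims)))
        if emp is None:
            return False
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self.pending[username] = {"code": code, "attempts": 0, "verified": False}
        self.send_code(emp.phone_on_record, code)
        return True

    def verify(self, username, code):
        """Authentication: prove possession of the phone on record."""
        st = self.pending.get(username)
        if st is None:
            return False
        st["attempts"] += 1
        if hmac.compare_digest(st["code"], code):
            st["verified"] = True
        elif st["attempts"] >= MAX_ATTEMPTS:
            del self.pending[username]   # burn the code; the caller must start over
        self.audit.append(("verify", username, st["verified"]))
        return st["verified"]

    def reset(self, username, agent_tier):
        """Authorization: a verified caller plus an agent allowed to act on this account."""
        emp = self.directory.get(username)
        st = self.pending.get(username)
        if emp is None or st is None or not st["verified"]:
            self.audit.append(("reset-denied", username, "identity not verified"))
            return None
        if emp.privileged and agent_tier < 2:
            self.audit.append(("reset-denied", username, "agent tier not authorized for privileged account"))
            return None
        del self.pending[username]   # one reset per verification
        new_password = secrets.token_urlsafe(12)
        self.audit.append(("reset", username, f"tier{agent_tier}"))
        return new_password


if __name__ == "__main__":
    outbox = []
    desk = HelpdeskReset(DIRECTORY, lambda phone, code: outbox.append((phone, code)))
    desk.start("jdoe", {"name": "John Doe", "employee_id": "4412"})
    phone, code = outbox[-1]
    print("code sent to", phone)
    print("verified:", desk.verify("jdoe", code))
    print("new password issued:", desk.reset("jdoe", agent_tier=1) is not None)
```

The point the slide makes is visible in what the code refuses to do: the pretext (impersonating an employee, a manager, an IT contractor) only supplies `caller_claims`, and `caller_claims` is never consulted by `verify` or `reset`. That is what "enforceable" means here: the social engineer's story has no path to the outcome.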
  66. Conclusions
  67-69. 1. Every organization will be compromised by human error. 2. Require that policies and processes be enforced. 3. Continued assessment improves risk mitigation capabilities.
  70. Rinse and Repeat: Social Engineering → Incident Response → Policies, Procedures, People → Enterprise Security
  71. Any questions? You can find us at: @bishopfox; facebook.com/bishopfoxconsulting; linkedin.com/company/bishop-fox; google.com/+bishopfox. Thanks!
  72. CREDITS: Christina Camilleri (@0xkitty) for the slide design!
