
Phishing Incident Response Playbook

Playbooks define the procedures for security event investigation and response. The Phishing - Template playbook walks through a series of tasks designed to handle spear-phishing emails on your network.



  1. PHISHING INCIDENT RESPONSE PLAYBOOK Naushad, MSc in Cyber Security, Ph.D Student - Enterprise Security Specialist with expertise in Cyber Defence, Cyber Security Operations, Threat Analysis, Incident Response, Forensic Investigations, Malware Analysis, 0-Day Hunter, Dark Web & Deep Web Threat Intelligence Analytics, SOC and Red Team Lead. www.naushad.co.uk | || Computer Forensic Analyst || Information Security Analyst || Vulnerability Detective || Network Examiner || Digital Data Interpreter || || Digital Intelligence Tactical Solutions Developer || Cyber Criminology || Criminal Science ||
  2. Content 1. Phishing and its evolution 2. Purpose of phishing 3. Impact of phishing 4. Types of phishing 5. Techniques used in phishing 6. Defence mechanisms 7. Incident response
  3. PHISHING AND ITS EVOLUTION
  4. About phishing ■ The word “phishing” is usually traced to “password harvesting” or “fishing for passwords”. ■ The “ph” is borrowed from “phreaking”, the hacking of telephone systems by early hackers who were called “phreaks”. ■ Phishing is online pretexting or deception: the attacker tries to obtain sensitive information from the victim while pretending to be someone else. ■ The methodology combines social engineering and technical subterfuge. ■ The basic trick is to send official-looking messages that lure the user to a counterfeit website and acquire sensitive information from the user there.
  5. Phishing evolution ■ Started in 1995 with attackers stealing user passwords and generating randomised credit card numbers to open AOL accounts from which to spam other users. ■ The word “phishing” was first recorded in 1996, in a Usenet newsgroup discussion of the AOHell tool. ■ Real phishing attacks began when attackers started sending messages through AOL Instant Messenger and email posing as AOL employees. ■ Hacked accounts were called “phish” in 1996. ■ By 1997 phish were actively traded between hackers as a form of electronic currency: 10 AOL phish bought a piece of hacking software or warez. ■ Phishing took off in a big way in 2004, with attackers making large sums of money, including from banking sites and their customers. ■ Social engineering remains the most used phishing vector; over 30% of phishing messages were opened by their recipients (Verizon Data Breach Investigations Report 2016).
  6. Phishing attacks by category, Q1 2017 (chart) ■ The financial sector receives the most attacks
  7. Spam emails with malicious attachments ■ Substantial rise in spam emails containing malicious attachments ■ Spam is a nuisance as well as the primary delivery mechanism for attacks. Source: IBM Threat Intelligence Index 2017
  8. PURPOSE AND METHODOLOGY OF PHISHING
  9. Purpose of phishing ■ Theft of identity and of users’ confidential details such as personal, bank and credit card information, using forged emails and fake websites – causing financial losses to users – locking them out of their own accounts ■ Theft of trade secrets ■ Distribution of botnet and DDoS agents – loss of productivity – excessive resource consumption on corporate networks (bandwidth, saturated email systems, etc.) ■ Attack propagation: compromise a host and install a bot for future attacks. ■ Attackers leverage vulnerabilities in client software (mail user agents and web browsers) as well as design vulnerabilities in the targeted web applications.
  10. Prompts for opening email attachments ■ Fake invoices are the most popular disguise for malicious attachments and the most effective lure for getting users to open phishing emails and take the bait. Source: Symantec 2017 Internet Security Threat Report (ISTR)
  11. Phishing emails designed to steal credentials ■ Apple IDs are the most targeted brand (chart). Source: Proofpoint 2017 Human Factor Report
  12. IMPACT OF PHISHING
  13. Major financial losses ■ Fortune, Apr 27, 2017 – Facebook and Google were victims of a $100 million phishing scam – Evaldas Rimasauskas, a Lithuanian, forged email addresses, invoices and corporate stamps to impersonate a large Asian manufacturer with which both firms regularly did business, and tricked the companies into paying for computer supplies over a period of two years. ■ 2017 Global Threat Intelligence Report (GTIR) by NTT Security – 53% of the world’s phishing attacks originated in EMEA ■ FBI report – from October 2013 to December 2016, losses in the 22,000 incidents investigated amounted to $1.6 billion https://www.nttcomsecurity.com/en/gtir-2017/ https://www.forbes.com/sites/leemathews/2017/05/05/phishing-scams-cost-american-businesses-half-a-billion-dollars-a-year/#4041d0e93fa1
  14. Cost of phishing ■ According to an IBM Security Services report, 1.5 million cyber-attacks were reported in 2013 ■ A joint 2013 study by Symantec and the Ponemon Institute put the average total cost of a data breach to an organisation at $5,403,644 ■ A 2013 UK study gave the range of total cost of a security breach as: – small businesses: $55,000 to $100,000 – large businesses: $700,000 to $1,300,000 ■ About 64% of data breaches are due to system problems and human mistakes
  15. TYPES OF PHISHING
  16. Phishing threat ■ Phishing attacks use a mix of technical deceit and social engineering. ■ The most popular channels are email, web pages, IRC and instant messaging services. ■ The phisher impersonates a source the victim trusts. ■ The trusted source can be: – the helpdesk of their bank – an automated support response from a retailer the user buys from – a government site
  17. Phases of a phishing attack (flow diagram) 1. Potential victim receives a phish 2. Victim follows the suggestion in the message or banner 3. Victim goes to the fake website, sends sensitive information or downloads malware 4. Attacker monetises the stolen information
  18. Phishing attacks (diagram)
  19. Types of phishing attacks Spear phishing • Targets a specific group of individuals or a specific organisation Whaling • Targeted at executive-level individuals Cloning • Duplicates a legitimate email but replaces the content with a malicious attachment or link
  20. Spear phishing ■ Targets a particular company, organisation, group or government agency ■ First, the criminals gather inside information on their targets so that the emails look legitimate. ■ Personal information is obtained by hacking into an organisation’s network or by mining blogs and social networking sites (Facebook, LinkedIn, etc.). ■ They then send emails that look like the real thing to the targeted victims, offering all sorts of urgent and legitimate-sounding reasons why they need your personal data. ■ Victims are asked to click a link in the email that takes them to a phony but realistic-looking website, where they are asked to provide passwords, account numbers, user IDs, access codes, PINs, etc.
  21. Spear phishing (diagram)
  22. Spear phishing email (example)
  23. Whaling ■ The name comes from whales: the attack goes after the big fish ■ Targeted attacks against small groups of high-level executives within a single organisation, or against executive roles common to multiple organisations ■ Typically steals credentials by installing malware that provides backdoor functionality and keylogging.
  24. Cloning ■ A legitimate, previously delivered email containing an attachment or link is used to create an almost identical email. ■ The attachment or link within the email is replaced with a malicious version and the message is sent from an email address spoofed to appear to come from the original sender. ■ It may claim to be a re-send of the original or an updated version. ■ The attacker may also clone a website the victim usually visits. ■ The cloned website mimics the real one, asks for login credentials and then steals them.
  25. Cloned website (example)
  26. PHISHING MESSAGE DELIVERY
  27. Phishing methods (diagram)
  28. Email and spam ■ Most phishing attacks are initiated by email ■ An attacker can send specially crafted emails to millions of legitimate “live” email addresses within a few hours ■ The phishing emails (and the address lists they are sent to) are normally purchased ■ Attackers create emails with a fake “Mail From:” and impersonate any organisation, because SMTP itself does not authenticate the sender ■ In some cases the “RCPT To:” envelope recipient is likewise set to an address of the attacker’s choice, independent of the visible To: header
  29. Techniques used within phishing emails ■ Official-looking and official-sounding emails – Sophisticated phishers send very legitimate-looking mail with proper syntax and structure. ■ HTML-based email to obfuscate the destination URL – use a text colour the same as the background to hide suspect parts of the URL – use a legitimate URL as the link text while the actual hyperlink points to the phishing URL – include graphics that look like a text message
  30. Techniques used within phishing emails ■ Attachments referenced within the text of the email, with instructions to open the attachment in order to verify some transactional detail – the attachments are Trojan keyloggers or other dangerous spyware ■ Anti-spam-detection inclusions – headers and references designed to bypass anti-spam software – deliberate spelling mistakes and spacing characters inside key words ■ Fake postings to popular message boards and mailing lists ■ Use of fake “Mail From:” addresses to fool the recipient into thinking that the email has come from a legitimate source.
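The two tricks on slides 28 to 30 that can be checked mechanically during triage are a forged sender (the visible From: disagrees with the envelope Return-Path or the Reply-To) and an HTML link whose visible text shows one host while its href points at another. The script below is an added example written for this page, not code from the deck; the sample message, the domains mybank.com and evilsite.example and the two checks it applies are constructed for the demo.

```python
"""Triage checks for a suspicious email (added example, not from the slides).

Flags a From: header whose domain disagrees with Return-Path / Reply-To,
and HTML links whose visible URL text names a different host than the href.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: visible From claims mybank.com, the envelope sender and
# Reply-To belong to an unrelated domain, and the first link's text shows a
# mybank.com URL while the href goes somewhere else.
SAMPLE_EMAIL = """\
Return-Path: <bounce@evilsite.example>
From: MyBank Security <alerts@mybank.com>
Reply-To: support@evilsite.example
To: customer@example.net
Subject: Action required: verify your account
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please confirm your details at
<a href="http://evilsite.example/login">https://www.mybank.com/ebanking</a></p>
<p>Thanks, <a href="https://www.mybank.com/help">MyBank help</a></p>
</body></html>
"""


def domain_of(addr) -> str:
    """Lower-cased domain part of an RFC 5322 address, '' if absent."""
    _, address = parseaddr(str(addr or ""))
    return address.rpartition("@")[2].lower()


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def triage(raw: str) -> list[str]:
    """Return a list of findings; an empty list means nothing suspicious."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    from_dom = domain_of(msg["From"])
    for header in ("Return-Path", "Reply-To"):
        dom = domain_of(msg[header])
        if dom and dom != from_dom:
            findings.append(f"{header} domain {dom} != From domain {from_dom}")

    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        parser = LinkCollector()
        parser.feed(body.get_content())
        for href, text in parser.links:
            # Only compare when the visible text itself looks like a URL;
            # that is the case where the user believes they can read the target.
            if re.match(r"https?://", text):
                shown = urlparse(text).hostname or ""
                real = urlparse(href).hostname or ""
                if shown != real:
                    findings.append(f"link text shows {shown} but href goes to {real}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EMAIL):
        print("SUSPICIOUS:", finding)
```

A legitimate mass mailing sent through a marketing provider will also show a Return-Path domain that differs from From:, so treat the header finding as a prompt to look at the message, not as a verdict on its own; the link-text mismatch has far fewer benign explanations.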
  31. Techniques used within phishing emails ■ Use of font differences – fonts in which certain lowercase and uppercase characters look alike, so that a substituted character bypasses anti-spam keyword filters – example: uppercase “I” in place of lowercase “l”, and the digit zero in place of uppercase “O” ■ Use of credit card digits – quoting the first four digits of a credit card number (which identify the issuer and are shared by many cards) instead of the last four, which are unique, to convince customers the mail is intended for them ■ Use of the local language
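The defence against the character-substitution and word-spacing tricks on slides 30 and 31 is to canonicalise the text before keyword matching rather than to enumerate every misspelling. The following is an added example for this page, not code from the deck: the look-alike table, the keyword list and the separator set are assumptions chosen for the demo, and it goes slightly beyond the slide by also folding Unicode width variants and a few Cyrillic homoglyphs.

```python
"""Canonicalise look-alike glyphs and inserted separators before keyword
filtering (added example, not from the slides)."""
import re
import unicodedata

# Glyphs phishers swap in because they look alike in common fonts. The table
# is an assumption for this demo, not an exhaustive list. 'i' is folded into
# the same class as 'l' so that genuine text and keywords map consistently.
LOOKALIKES = str.maketrans({
    "I": "l", "i": "l", "1": "l", "|": "l",   # uppercase I / 1 / bar for lowercase l
    "0": "o",                                 # zero for letter o
    "5": "s", "$": "s",
    "3": "e",
    "@": "a", "4": "a",
    "7": "t",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",  # Cyrillic homoglyphs
})

# Separators a phisher inserts inside a key word: "v e r i f y", "a.c.c.o.u.n.t"
SEP = r"[\s.\-_*]*"

KEYWORDS = ("account", "password", "verify", "suspended", "paypal")


def canonicalise(text: str) -> str:
    """Strip accents and Unicode width/compatibility variants, map look-alike
    glyphs to one representative, then lower-case."""
    text = unicodedata.normalize("NFKD", text)
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    return text.translate(LOOKALIKES).lower()


def keyword_pattern(keyword: str) -> re.Pattern:
    """Regex matching the canonical keyword even with separators between letters."""
    return re.compile(SEP.join(re.escape(c) for c in canonicalise(keyword)))


# Keywords go through the same canonicalisation as the text, so "verify"
# and "VERlFY" both become "verlfy".
PATTERNS = {kw: keyword_pattern(kw) for kw in KEYWORDS}


def find_keywords(text: str) -> list[str]:
    """Keywords (from KEYWORDS) present in text after canonicalisation."""
    canon = canonicalise(text)
    return [kw for kw, pat in PATTERNS.items() if pat.search(canon)]


if __name__ == "__main__":
    sample = "Your PayPaI acc0unt has been 5uspended. Please v e r i f y now"  # constructed
    print(canonicalise(sample))
    print(find_keywords(sample))
```

Canonicalisation is lossy by design, so a rule built on it should feed a score or a review queue rather than block mail outright; the folded text is also what you would pass to a bag-of-words classifier instead of the raw message.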
  32. Characteristics of a phishing email ■ The content of a phishing email is intended to trigger a quick reaction from the user ■ It uses upsetting or exciting information, demands an urgent response or employs a false pretence or statement. ■ Phishing messages are normally not personalised. ■ Typically, phishing messages ask the user to “update”, “validate” or “confirm” their account information or face dire consequences. ■ The message may even ask the user to make a phone call. ■ Often the message or website includes official-looking logos and other identifying information taken directly from legitimate websites.
  33. Spotting a phishing email https://techviral.net/wp-content/uploads/2016/07/Identify-phishing-emails.jpg
  34. Spotting a phishing email (example)
  35. Spotting a phishing email (example)
  36. Typical phishing email messages ■ Email Money Transfer Alert: Please verify this payment information below… ■ It has come to our attention that your online banking profile needs to be updated as part of our continuous efforts to protect your account and reduce instances of fraud… ■ Dear Online Account Holder, Access To Your Account Is Currently Unavailable… ■ Important Service Announcement from…, You have 1 unread Security Message! ■ We regret to inform you that we had to lock your bank account access. Call (telephone number) to restore your bank account.
  37. Web-based delivery ■ Another popular method of conducting phishing attacks is through malicious website content ■ Use of HTML-disguised links within popular websites and message boards ■ Use of third-party supplied, or fake, banner advertising graphics to lure customers to the phisher’s website ■ Use of web bugs (hidden items within the page, such as a zero-sized graphic) to track a potential phishing victim ■ Use of pop-up or frameless windows to disguise the true source of the phisher’s message ■ Embedding malicious content in a web page that exploits a known vulnerability in the customer’s web browser to install software of the phisher’s choice ■ Disguising the true source of the fake website by exploiting cross-site scripting flaws in a trusted website
  38. PayPal phishing flow https://umbrella.cisco.com/blog/blog/2015/02/11/paypal-phishing-sophistication-growing/
  39. Phishing using a PayPal account (example)
  40. PayPal fake site: real site vs fake site https://umbrella.cisco.com/blog/blog/2015/02/11/paypal-phishing-sophistication-growing/
  41. Spoofing an Apple ID verification page https://umbrella.cisco.com/blog/blog/2015/02/11/paypal-phishing-sophistication-growing/
  42. Phishing warning posters
  43. Phishing warning posters
  44. Phishing attack vectors – Man-in-the-middle attacks – URL obfuscation attacks – Cross-site scripting attacks – Preset session attacks – Observing customer data – Client-side vulnerability exploitation
  45. Man-in-the-middle attacks ■ A man-in-the-middle attack is used to gain control of customer information and resources ■ The attackers place themselves between the customer and the real web-based application and proxy all communications between the two systems. ■ They can therefore monitor (and alter) every transaction. ■ Methods used to direct the customer to the proxy server instead of the real server are: – transparent proxies – DNS cache poisoning – URL obfuscation – browser proxy configuration
  46. Man-in-the-middle attacks (diagram)
  47. URL obfuscation attacks ■ The goal is to make the user follow a hyperlink (URL) to the attacker’s server without realising they have been duped ■ The most common methods of URL obfuscation are: – bad (look-alike) domain names – “friendly” login URLs, where the trusted name sits in the user-info part before the @ and the real host follows it – third-party shortened URLs – host name obfuscation, such as writing the host as a decimal or hexadecimal IP address – URL encoding of characters in the address
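When a reported message is being triaged, the question is not what the URL looks like but which host the browser will actually connect to. The helper below resolves the obfuscation methods listed on slide 47 (user-info trick, integer-form IP addresses, percent-encoded host names, look-alike domains) to that real host and gives a verdict. It is an added example written for this page, not code from the deck; the trusted-domain list, the brand name and every sample URL are assumptions constructed for the demo.

```python
"""Recover the real destination of an obfuscated URL (added example, not
from the slides) and classify it against a small trusted-domain list."""
import ipaddress
import re
from urllib.parse import unquote, urlsplit

TRUSTED = {"mybank.com", "www.mybank.com", "secure.mybank.com"}  # assumption
BRAND = "mybank"                                                  # assumption

# Constructed sample URLs covering each trick on slide 47.
SAMPLE_URLS = [
    "https://secure.mybank.com/login",
    "http://mybank.com@evilsite.example/login",        # friendly login URL
    "http://3232235777/ebanking",                      # decimal IP
    "http://0xC0A80101/ebanking",                      # hex IP
    "http://www.mybank%2Ecom.evilsite.example/",       # encoded dot + look-alike
    "https://bit.ly/abc123",                           # shortener
]


def real_host(url: str) -> str:
    """Host the browser will connect to, normalised to dotted-quad for IPs."""
    parts = urlsplit(url.strip())
    # .hostname already drops user:pass@ and :port and lower-cases the name
    host = unquote(parts.hostname or "").lower().rstrip(".")
    # Integer forms of an IPv4 address: 3232235777 or 0xc0a80101
    if re.fullmatch(r"0x[0-9a-f]+|[1-9][0-9]*", host):
        try:
            host = str(ipaddress.IPv4Address(int(host, 0)))
        except ValueError:
            pass
    return host


def classify(url: str) -> tuple[str, str]:
    """Return (verdict, reason) for a URL found in a message."""
    parts = urlsplit(url.strip())
    host = real_host(url)
    if "@" in parts.netloc:
        # http://mybank.com@evilsite.example/ - the trusted name is user-info
        return "suspicious", f"user-info trick: browser connects to {host}"
    if host in TRUSTED:
        return "ok", f"trusted host {host}"
    if re.fullmatch(r"\d+\.\d+\.\d+\.\d+", host):
        return "suspicious", f"raw IP address host {host}"
    if BRAND in host.replace("-", "").replace("."," "):
        # mybank.com.evilsite.example, my-bank.example, mybank-login.example
        return "suspicious", f"look-alike of {BRAND}: {host}"
    return "unknown", f"untrusted host {host} (expand shortened URLs before judging)"


if __name__ == "__main__":
    for url in SAMPLE_URLS:
        verdict, reason = classify(url)
        print(f"{verdict:10} {url}  ->  {reason}")
```

Shortened URLs cannot be judged offline; in a playbook step they are expanded in a sandbox (following redirects without rendering) and the final landing host is fed back through classify().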
  48. PayPal fake site: real site vs fake site (example)
  49. Real vs fake (emails issued by BOA to their clients) – Real – Fake. The fields marked with ‘%’ are placeholders used to customise the emails with personal information
  50. Cross-site scripting attacks (XSS) ■ Make use of a custom URL or code injection into a valid web application URL or embedded data field. ■ The customer receives the following URL in a phisher’s email: http://mybank.com/ebanking?URL=http://evilsite.com/phishing/fakepage.htm ■ The customer is indeed directed and connected to the real MyBank web application, but because of poor application coding by the bank, the e-banking component accepts an arbitrary URL for insertion into the returned page ■ Instead of the application providing a MyBank authentication form embedded within the page, the attacker manages to reference a page under their control on an external server. In this particular example no script is injected; the flaw is an unvalidated URL parameter reflected into the page, which delivers the same result as reflected XSS: the phishing content is served under the bank’s own address bar.
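The slide describes the flaw in words; the pair of handlers below shows what the vulnerable MyBank code and its fix look like. This is an added example written for this page, not the bank's or the deck's code: the page template, the iframe, the allow-list of login paths and the request simulation are all assumptions for the demo, while the URL parameter and the mybank.com / evilsite.com placeholders come from the slide.

```python
"""Vulnerable and hardened handling of the ?URL= parameter from slide 50
(added example, not from the slides)."""
from html import escape
from urllib.parse import parse_qs, urljoin, urlsplit

SITE = "https://mybank.com"
# Only these same-origin paths may be loaded into the login frame (assumption).
ALLOWED_FRAMES = {"/ebanking/login", "/ebanking/login_en", "/ebanking/login_fr"}

PHISH_QUERY = "URL=http://evilsite.com/phishing/fakepage.htm"   # from slide 50


def render_vulnerable(url_param: str) -> str:
    """Reflects the parameter straight into the page: whatever the phisher
    put in ?URL= becomes the login frame, served from the bank's own origin."""
    return f'<html><body><iframe src="{url_param}"></iframe></body></html>'


def safe_frame_target(url_param: str) -> str:
    """Resolve the parameter against the site and accept it only if it is a
    same-origin path on the allow-list; otherwise fall back to the real login."""
    resolved = urlsplit(urljoin(SITE + "/", url_param))
    site = urlsplit(SITE)
    same_origin = (resolved.scheme, resolved.netloc) == (site.scheme, site.netloc)
    if same_origin and resolved.path in ALLOWED_FRAMES:
        return resolved.path
    return "/ebanking/login"


def render_hardened(url_param: str) -> str:
    target = safe_frame_target(url_param)
    # escape() so a value containing quotes cannot break out of the attribute
    return f'<html><body><iframe src="{escape(target, quote=True)}"></iframe></body></html>'


def handle_request(query: str, hardened: bool) -> str:
    """Simulate GET /ebanking?<query> as the bank's server would see it."""
    url_param = parse_qs(query).get("URL", [""])[0]
    return render_hardened(url_param) if hardened else render_vulnerable(url_param)


if __name__ == "__main__":
    print("vulnerable:", handle_request(PHISH_QUERY, hardened=False))
    print("hardened:  ", handle_request(PHISH_QUERY, hardened=True))
```

The allow-list is deliberately a set of concrete paths rather than a prefix check: "starts with /ebanking" would still admit `//evilsite.com/...` after resolution on some parsers, and a protocol-relative value is exactly what a phisher tries next once `http://` is rejected.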
  51. Cross-site scripting (diagram)
  52. Preset session attacks ■ The phishing message contains a web link to the real application server, but the link also carries a predefined SessionID. ■ The attacker’s system constantly polls the application server for a restricted page using the preset SessionID ■ The attacker waits until a message recipient follows the link and authenticates using that SessionID. ■ Once authenticated, the application server allows any connection presenting the authorised SessionID to access restricted content ■ The attacker then uses the preset SessionID to access a restricted page and carry out the attack
  53. Preset session attacks • The phisher emails potential MyBank customers a fake message containing the URL https://mybank.com/ebanking?session=3V1L5e5510N&Login=True, which carries a preset SessionID of 3V1L5e5510N • The attacker polls the MyBank server every minute for a restricted page that allows fund transfers (https://mybank.com/ebanking?session=3V1L5e5510N&Transfer=True). • After the customer authenticates, the SessionID becomes valid and the phisher can access the fund transfer page
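The sequence on slides 52 and 53 is session fixation, and it only works because the server adopts a session identifier it has never issued and keeps the same identifier across login. The toy server below replays the slide 53 exchange against a vulnerable and a hardened configuration; it is an added example written for this page, not the deck's code. The preset SessionID and the two URLs come from the slide; the in-memory session store, the user "alice" and her password are constructed for the demo.

```python
"""Session fixation ('preset session' attack, slides 52-53) against a toy
e-banking server, with the fix (added example, not from the slides)."""
import secrets
from urllib.parse import parse_qs, urlsplit

USERS = {"alice": "correct horse"}   # constructed demo credentials

PRESET = "3V1L5e5510N"                                                  # from slide 53
LOGIN_URL = f"https://mybank.com/ebanking?session={PRESET}&Login=True"
TRANSFER_URL = f"https://mybank.com/ebanking?session={PRESET}&Transfer=True"


class EBankingServer:
    def __init__(self, hardened: bool):
        self.hardened = hardened
        self.sessions = {}   # session id -> {"user": name or None}

    def _session_for(self, sid):
        if sid is not None and sid in self.sessions:
            return sid
        if sid is not None and not self.hardened:
            # Vulnerable: an ID the server never issued is adopted as-is, so
            # the attacker's preset 3V1L5e5510N becomes a real session.
            self.sessions[sid] = {"user": None}
            return sid
        # Hardened: unknown or missing IDs are ignored and a fresh one is minted.
        new_sid = secrets.token_urlsafe(16)
        self.sessions[new_sid] = {"user": None}
        return new_sid

    def request(self, url: str, form=None) -> tuple[int, str, str]:
        """Return (status, body, session id the client should keep)."""
        qs = parse_qs(urlsplit(url).query)
        sid = self._session_for(qs.get("session", [None])[0])
        sess = self.sessions[sid]
        if "Login" in qs and form:
            if USERS.get(form["user"]) == form["password"]:
                if self.hardened:
                    # Rotate the ID on privilege change so any ID known
                    # before login (fixed or sniffed) is worthless afterwards.
                    del self.sessions[sid]
                    sid = secrets.token_urlsafe(16)
                    self.sessions[sid] = sess
                sess["user"] = form["user"]
                return 200, "logged in", sid
            return 401, "bad credentials", sid
        if "Transfer" in qs:
            if sess["user"] is None:
                return 403, "login required", sid
            return 200, f"fund transfer page for {sess['user']}", sid
        return 200, "login form", sid


def run_attack(hardened: bool) -> int:
    """Replay slide 53; return the status the phisher gets on the transfer
    page after the victim has logged in through the preset link."""
    server = EBankingServer(hardened)
    status, _, _ = server.request(TRANSFER_URL)      # 1. attacker polls, too early
    if status != 403:
        raise RuntimeError("restricted page should not be open yet")
    server.request(LOGIN_URL, form={"user": "alice", "password": "correct horse"})  # 2. victim logs in
    status, _, _ = server.request(TRANSFER_URL)      # 3. attacker polls again
    return status


if __name__ == "__main__":
    print("vulnerable server:", run_attack(hardened=False))   # 200: phisher is in
    print("hardened server:  ", run_attack(hardened=True))    # 403: preset ID never became valid
```

Both halves of the fix matter: minting a fresh ID on first contact defeats the preset link, and rotating on login covers the case where the attacker obtained a genuinely issued ID some other way. Keeping the identifier out of the URL altogether, as slide 63 recommends, removes the delivery channel for the attack as well.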
  54. Observing customer data ■ The attacker uses key-loggers and screen-grabbers to observe confidential customer data as it is entered into a web-based application ■ Key-loggers observe and record all key presses by the customer. ■ Screen-grabbers take screenshots of data that has been entered into a web-based application
  55. Client-side vulnerability exploitation ■ The attacker exploits the browser to gain access to, or observe, the customer’s confidential information. ■ Browser add-ons such as Flash, RealPlayer and other embedded applications add more opportunities for attack ■ Example – A vulnerability existed in Microsoft Media Player that was exploitable through script run in Microsoft Internet Explorer. It enabled remote servers to read local customer files, browse directories and finally execute arbitrary software – The problem lay in the method Media Player used to download customised skins and where it stored them.
  56. DEFENCE MECHANISMS TO COMBAT PHISHING ATTACKS
  57. Defence mechanisms ■ A mix of information security technologies and techniques is required. ■ Techniques must be deployed at three locations: 1. The client side – the user’s PC. 2. The server side – the business’s Internet-visible systems and custom applications. 3. Enterprise level – distributed technologies and third-party managed services
  58. Client side ■ Desktop protection technologies: – antivirus, anti-spam, personal firewall, spyware detection, etc. ■ Avoid HTML-based email clients, or disable HTML rendering, so that embedded scripting elements cannot be clicked or executed. ■ Use appropriate communication settings ■ User application-level monitoring solutions
  59. Client side ■ Locking down browser capabilities – The browser needs to be configured securely – Extended facilities should be avoided, as these are what gets exploited – Disable all pop-up window functionality – Disable Java runtime support – Disable ActiveX support – Disable all multimedia and auto-play/auto-execute extensions – Prevent the storage of non-secure cookies – Ensure that downloads cannot be run automatically from the browser – Use anti-phishing plugins
  60. Client side ■ Digital signing and validation of email – This ensures that mail received is from a known source ■ General security vigilance – Carefully inspect email content as per the guidelines in the previous slides – Do not respond to HTML email with embedded submission forms – Avoid sending personal and financial information unless the website lock icon is shown – For sites that indicate they are secure, review the SSL certificate that has been received and ensure that it was issued by a trusted certificate authority; note that the lock only shows the connection is encrypted, so also confirm the certificate was issued for the domain you expect – SSL certificate information can be obtained by clicking the “lock” icon in the browser, or by right-clicking on a page and selecting Properties – Review credit card and bank account statements for any unauthorised charges
61. Server-side
■ Build intelligent anti-phishing techniques into the organization’s web application security
■ Develop internal processes to combat phishing vectors and educate customers
■ Improving customer awareness
  – Repeatedly and constantly inform all users and customers of the dangers of phishing attacks and what preventative actions are available
  – Provide easy reporting of phishing scams noticed or fraudulent email received
  – Establish the company’s security policy and enforce it strictly
  – Respond quickly to phishing scams once identified.
62. Server-side
■ Providing validation information for official communications
  – This will help in identifying phishing attacks
  – Try to send only personalized emails
  – Reference previous mail to instill trust
  – Use digital signatures where feasible
■ Ensuring that the Internet web application is securely developed and doesn’t include easily exploitable attack vectors
  – Strong implementation of content validation processes
  – Never present submitted data directly back to an application user without sanitizing it first.
  – Always sanitize data before processing or storing it.
  – Replace HTML characters that can be exploited with safe characters.
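The last three bullets in working form, as an added example that is not from the slides: a page that echoes a submitted value back, shown first without and then with output encoding, plus allowlist validation applied before a value is processed or stored (the search page and username field are constructed for illustration).

```python
import html
import re

# Constructed example: a page that echoes the visitor's submitted search term.
def render_search_vulnerable(term: str) -> str:
    # Raw interpolation: markup inside the parameter is interpreted by the
    # browser, so a crafted link can inject content into the trusted page.
    return f"<h1>Results for {term}</h1>"

def render_search_hardened(term: str) -> str:
    # html.escape replaces < > & " ' with entities, so submitted data is
    # displayed as text instead of being parsed as HTML.
    return f"<h1>Results for {html.escape(term, quote=True)}</h1>"

# Validate before processing or storing: accept only what the field should
# hold, so exploitable characters never reach the application or database.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{3,32}")

def validate_username(value: str) -> str:
    if not USERNAME_RE.fullmatch(value):
        raise ValueError("username contains characters outside the allowed set")
    return value
```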
63. Server-side
■ Using strong token-based authentication systems
  – A minimum two-phase login process should be used
  – Provide anti-key-logging measures such as an on-screen keyboard
  – Use personalized content to help users identify fake websites
  – Keep naming systems simple and understandable
  – Keep the authentication process simple
  – Use one-time passwords or token-based authentication.
■ Use a simple DNS naming system that can be easily identified by the customer/user
  – Use only the root domain
  – Automatically redirect regional or other registered domain names to the main corporate domain.
  – Never keep session information in a URL
  – Use host names that represent the nature of the web-based application.
  – For example: https://secure.mybank.com instead of https://www.mybank.com
64. Enterprise Level
■ Automatic validation of sending e-mail server addresses
■ Digital signing of e-mail services
■ Monitoring of corporate domains and notification of “similar” registrations
■ Perimeter or gateway protection agents
  – To monitor and control both inbound and outbound communications to identify malicious phishing content
■ Third-party managed services
  – Can analyze e-mail messages delivered at a global level, and identify common threads between malicious e-mails
  – Agent-based bots to monitor URLs and web content from remote sites, actively searching for all instances of an organization’s logo, trademark, or unique web content
66. INCIDENT RESPONSE
67. Incident Response
Prepare, Detect, Analyze, Contain, Eradicate, Recover
• Most important part of the security system
68. Prepare
■ Identify the IT security manager responsible and advertise their contact details and email for reporting incidents to all staff and customers
■ Ensure that the IT manager selected is trained in handling phishing
■ Prepare an internal escalation list, including names, contact information, and responsibilities for all staff involved in incident response and management
■ Create a methodology for users to inform the security manager immediately, by email as well as by phone, about the incident.
■ The IT manager needs to check the mailbox regularly for any urgent messages.
■ Keep a list of contact information for external resources that may be involved in handling incident response, for ready reference.
■ Keep a list of all Internet domains owned by the company
■ Prepare an informational web page that warns partners and customers about an active phishing attack
69. Detect
■ On receiving information about an incident, the IT manager should obtain all phishing emails or URLs from the user
■ These emails, URLs and any other information provided need to be investigated as a priority
■ As standard practice the IT manager needs to keep watch on:
  – E-mails flagged by various filters
  – Non-returnable and non-deliverable emails
  – Notification by third parties of suspicious emails
  – Emails linked to internal and external URLs
  – Notification from ISPs and law enforcement agencies about emails
  – Suspicious activity on the organization’s web site.
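A small triage routine for the Prepare and Detect steps above (and the “similar registrations” monitoring on the Enterprise Level slide), added here as an example and not part of the original deck: it checks a user-reported message’s sender domain and every URL in its body against the list of company-owned domains, flagging near misses such as homoglyph or combination names. The owned domains, the sample message and the look-alike heuristics are constructed for illustration.

```python
import re
from email import message_from_bytes, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed example: the Prepare step's list of domains the company owns.
OWNED_DOMAINS = {"mybank.com", "secure.mybank.com"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
# Constructed user-reported message; sender and first link imitate mybank.com.
SAMPLE_EML = b"""From: "MyBank Security" <alerts@rnybank.com>

Please confirm at https://secure-mybank.com/login within 24 hours or visit https://www.mybank.com/help
"""

def registrable(host: str) -> str:
    return ".".join(host.lower().strip(".").split(".")[-2:])  # last two labels, no PSL

def normalize(name: str) -> str:
    # Collapse common look-alike substitutions (rn->m, 0->o, ...) and hyphens.
    for bad, good in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e")):
        name = name.replace(bad, good)
    return name.replace("-", "")

def edit_distance(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_host(host: str) -> str:
    # 'owned', 'lookalike' (near miss or combination of an owned name) or 'unrelated'.
    reg, owned = registrable(host), {registrable(d) for d in OWNED_DOMAINS}
    if reg in owned:
        return "owned"
    for d in owned:
        if normalize(d).split(".")[0] in normalize(reg) or edit_distance(normalize(reg), normalize(d)) <= 2:
            return "lookalike"
    return "unrelated"

def triage_reported_email(raw: bytes) -> dict:
    # Verdict for the sender's domain and for every URL in the reported body.
    msg = message_from_bytes(raw, policy=policy.default)
    sender = parseaddr(str(msg["From"]))[1]
    body = msg.get_body(preferencelist=("plain", "html")).get_content()
    return {"sender_verdict": classify_host(sender.rpartition("@")[2]),
            "urls": {u: classify_host(urlparse(u).hostname or "") for u in URL_RE.findall(body)}}
```

A “lookalike” verdict on either the sender or a link is what should trigger the investigation-on-priority step; an “owned” link alone does not clear a message, since the sender check still applies.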
70. Analyze
■ Once detected, the suspicious activity should be analyzed using available tools or external help, as the case may be.
■ Once the suspicious activity is confirmed to be a phishing-related attack, it should be categorized according to the threat it poses to the organization
■ Use various means, including logs and tools, to gather information and analyze it to:
  – Identify the protected information that has been compromised
  – Identify the information exposed
  – Identify the users, customers and members of the public likely to be exposed
  – Determine who might have launched the activity
  – Determine who has knowledge of this activity
  – Assess the worst-case impact on the system
  – Assess whether this can be exploited for any criminal activity
71. Contain
■ Identify the systems affected and how widespread the attack is.
■ Isolate the affected systems, including users or servers affected by the attack
■ Inform all users of the problem and the immediate actions they need to take to contain the attack
72. Eradicate
■ Use appropriate tools to remove the malware and other artefacts installed during the attack
■ Install patches, update rules and modify content filters to avoid the problem in future
■ Test the system to ensure the problem does not occur again
■ Modify or change the affected system/site/network
■ Co-ordinate with the ISP to initiate countermeasures
■ Co-ordinate with any third party to take down the site if required
■ Add the problem to the incident database along with all details for future reference
73. Recover
■ Update systems, firewall and IDS, and remove temporary containment
■ Wipe and baseline the system
■ Update the system with fresh signatures
■ Prepare a detailed advisory and publicize it widely to avoid such attacks in future.
■ Review the incident in detail
■ Update policy and processes
■ Document the problem and actions taken, including policy changes, process modifications and configuration changes.
■ Get ready for any new attack
74. THANK YOU