Phishing
IUPUI Cyber Security Club
Curtis Brazzell
Principal Security Consultant
THREAT HUNTING AND RESPONSE | SECURITY CONSULTING
CONTENTS
Introduction
Phishing vs Spear-phishing
Reconnaissance
Statistics
Campaign Creation
Techniques
Demo?
Q & A
01 | INTRODUCTION
PHISHING
INTRO
» Purpose
• Security Awareness
• NOT for Humiliation
» Phishing vs Spear-Phishing
• KnowBe4, etc
» Lateral
» Under the Umbrella of Social Engineering
02 | PHISHING VS SPEAR-PHISHING
» Phishing
• Casts a Wide Net
• Not as Effective
• lack of personalization / too generic
• spam filters
• poor grammar
• 1% of 1,000 is still 10
• Scams and Spams
• Scripted and Automated
» Spear-phishing
• Targeted Attacks
• Mission / Objective Based
• Highly Effective
• Takes Time / Not Easily Automated
PHISHING vs SPEAR-PHISHING
03 | RECONNAISSANCE
OSINT
RECONNAISSANCE
» What is OSINT?
» Doing Our Homework (sorry)
» Targets
• Organizations
• Individuals
ORGANIZATIONS
RECON - OSINT
» Subdomains / Attack Surface
• Mail Server
• Remote Access (MFA?)
• Citrix / TeamViewer / LogMeIn / VMware Horizon, etc
• VPN
• Careers Portal
• Contact Us
• Wappalyzer
• OS Fingerprinting
» Information Disclosure
• Google Dorking (Files, Dir Listing, Exposed Portals)
• Configuration Mistakes
» Vulnerabilities (Legitimate URLs)
• Cross-Site Scripting (XSS)
• Content Modification (iframes)
• Redirects
• Form Jacking
• Session Hijacking
• Click Jacking
• Open Redirects
• Unrestricted File Uploads
» URL Encoding Techniques / Obfuscation
ORGANIZATIONS
RECON - OSINT
» Tools
• Passive vs Active Enumeration
• Active
- MailSniper
- Application Vuln Scanners (Burp Suite, ZAP, etc)
- Network Vuln Scanners (Nessus, Nexpose, Qualys, OpenVAS, etc)
• Passive
- Shodan
- Discover
- Dnstwist
- Amass
- Dnsdumpster
- Prowl
INDIVIDUALS
RECON - OSINT
» Breach Lists
• HIBP / Paste sites
• Shared Creds
• SSO
» About Us
» Google
» LinkedIn
» Tools (Limited List)
• LinkedINT
• Recon-ng
• theHarvester
• Maltego
» Spear-phishing (Targeted)
• Information Gathering
• Company’s “About Us” Page
PONDURANCE
INDIVIDUALS
RECON - OSINT
» Spear-phishing (Targeted)
• Information Gathering
• Social Media (LinkedIn, etc)
INDIVIDUALS
RECON - OSINT
» Spear-phishing (Targeted)
• Information Gathering
• Recon-ng
INDIVIDUALS
RECON - OSINT
» Spear-phishing (Targeted)
• Information Gathering
• Breach Lists
INDIVIDUALS
RECON - OSINT
» Spear-phishing (Targeted)
• Information Gathering
• Maltego
INDIVIDUALS
RECON - OSINT
» Non-Targeted
• Information Gathering
• theHarvester
INDIVIDUALS
RECON - OSINT
04 | STATISTICS
TRACKING
STATISTICS
» Ties Back to Purpose - Reporting
» Opened Emails
• 1x1 Pixel Image
<IMG SRC="https://DOMAIN.com/campaigns?target=EMAIL@RECIPIENT.COM&campaignname=ITCAMPAIGN" height="1" width="1">
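From the mail-filtering side, the open-tracking tag above has a recognisable shape: a remote 1x1 image whose query string carries the recipient's address. The following is an added example, not part of the original slides; the message, the host `tracker.example` and the address `alice@corp.example` are constructed sample data.

```python
import re
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlsplit

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed sample message (not from the deck); the second image mirrors
# the slide's tag with a made-up tracker host and recipient.
SAMPLE = """\
From: IT Support <it@tracker.example>
To: alice@corp.example
Subject: Password expiry notice
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your password expires soon.</p>
<img src="https://cdn.corp.example/logo.png" width="120" height="40">
<IMG SRC="https://tracker.example/campaigns?target=alice@corp.example&campaignname=ITCAMPAIGN" height="1" width="1">
</body></html>
"""


class ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag (names arrive lower-cased)."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images.append({name: value or "" for name, value in attrs})


def is_tiny(dimension):
    """True for width/height values such as "0", "1" or "1px"."""
    match = re.match(r"\s*(\d+)", dimension)
    return bool(match) and int(match.group(1)) <= 1


def find_tracking_pixels(raw_message, recipient):
    """Return one finding per remote 1x1 <img> whose URL identifies the reader."""
    message = message_from_string(raw_message, policy=default)
    findings = []
    for part in message.walk():
        if part.get_content_type() != "text/html":
            continue
        collector = ImgCollector()
        collector.feed(part.get_content())
        for img in collector.images:
            url = urlsplit(img.get("src", ""))
            if url.scheme not in ("http", "https"):
                continue  # cid: and data: images make no network request
            tiny = is_tiny(img.get("width", "")) and is_tiny(img.get("height", ""))
            # parse_qsl percent-decodes, so target=alice%40corp.example matches too
            identifying = [
                key
                for key, value in parse_qsl(url.query)
                if value.lower() == recipient.lower() or EMAIL_RE.fullmatch(value)
            ]
            if tiny and identifying:
                findings.append(
                    {
                        "host": url.hostname,
                        "path": url.path,
                        "identifying_params": identifying,
                    }
                )
    return findings


if __name__ == "__main__":
    for finding in find_tracking_pixels(SAMPLE, "alice@corp.example"):
        print(finding)
```

Mail clients that block remote images by default never issue this request, which is why opened-email counts from a pixel undercount real opens.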
TRACKING
STATISTICS
» Link Clicks
• Landing Page Requests
• BeEF Hooking
• Google Analytics, etc
TRACKING
STATISTICS
» Captured Credentials
• Password Strength
• Password Uniqueness
• HIBP
• Internal
» Compromised Hosts
05 | CAMPAIGN CREATION
BELIEVABILITY
» How to create a convincing email?
• Choose a scenario
• Work from Home
• Employee Gift Card Raffle
• Management Request
• IT Department
• PhishAPI has a re-usable repository
• Will be community driven soon
BELIEVABILITY
CAMPAIGN CREATION
» Customized
• TO field instead of BCC
• Match formatting of body and writing style
• Grab an email signature
• Sales Reps
• Customer Support
• Job Application
• Create your own w/ Logo
BELIEVABILITY
CAMPAIGN CREATION
» Exploit Relationships Between Employees
• HR
• IT
• Hierarchy of Seniority
» Social Tactics
• Scare
• Urgent
• Context
• Calendar Events
• Ticketing Portals / Help Desk
• Spoof the Sender
BELIEVABILITY
• Spoof the Sender
BELIEVABILITY
• Spoof the Sender
BELIEVABILITY
• If spoofing isn’t an option, create a similar domain
BELIEVABILITY
OBJECTIVES
CAMPAIGN CREATION
» Credentials
• Fake Landing Pages (New Citrix Login, Finance Page, etc)
• Existing Cloned Pages w/ Company Logo
• OWA / VPN / Remote Admin Portals
» Malicious Documents (maldocs)
• Hashes
• Macros
• Credentials
» Malware
• Trojans, Keyloggers, Ransomware, etc
CREDENTIALS
CAMPAIGN CREATION
» Components
• Keep Independent
• Front-end
• Static Web Page
- GitHub Pages
- Google Sites
- EC2
• Submits Critical Info (Project, Target, etc)
• Back-end
• Receives Requests
• Processes Results
• Alert Capability
- Necessary for MFA tokens
- Time is critical for account takeover, especially when suspicious
» Cloning Tools
• Social Engineering Toolkit (SET)
• PhishAPI
• Manual
• Browser Tools
• Backend
CREDENTIALS
CAMPAIGN CREATION
» Exploit User’s Misunderstanding of Security
• Subdomains
• secure-iupui.edu VS secure.iupui.edu
• HTTPS
• Let's Encrypt
• Mention “Security” in the body
• Disable “Protected View”
• Double security banners (lol)
• Hash Stealing in email (“But I didn’t open it!”)
• BeEF Hooking (“But I didn’t enter my credentials!”)
• Failure to Properly Terminate Sessions / Persistence
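The `secure-iupui.edu` versus `secure.iupui.edu` pair on this slide works because a hyphen keeps the brand visible while changing the registered domain. The following is an added example, not part of the original slides, of how a mail or proxy filter can tell the two apart; the category names and every test hostname other than the slide's pair are constructed, and the registered label is assumed to be the second-to-last one (true for `.edu` and `.com`, not for suffixes such as `.co.uk`).

```python
import re


def edit_distance(a, b):
    """Levenshtein distance between two short strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host, trusted="iupui.edu"):
    """Classify a hostname relative to one trusted registrable domain.

    Assumption: `trusted` is itself a registrable domain and the registered
    label of `host` is its second-to-last label (no public suffix list).
    """
    host = host.lower().rstrip(".")
    trusted = trusted.lower().rstrip(".")

    # The dot in "." + trusted matters: a bare endswith("iupui.edu")
    # would also accept secure-iupui.edu.
    if host == trusted or host.endswith("." + trusted):
        return "trusted"

    labels = host.split(".")
    brand = trusted.split(".")[-2]
    registered = labels[-2] if len(labels) >= 2 else labels[0]

    if any(label.startswith("xn--") for label in labels):
        return "review-idn"  # punycode label: decode and inspect by hand
    if brand in labels[:-2]:
        return "brand-in-subdomain"  # e.g. iupui.edu.<other domain>
    if registered == brand:
        return "brand-different-tld"
    if brand in re.split(r"[-_]", registered):
        return "brand-embedded"  # e.g. secure-iupui.edu
    limit = 1 if len(brand) <= 5 else 2
    if edit_distance(registered, brand) <= limit:
        return "typo"
    return "unrelated"


if __name__ == "__main__":
    # The first two hosts are the slide's pair; the rest are constructed.
    for name in (
        "secure.iupui.edu",
        "secure-iupui.edu",
        "iupuii.edu",
        "iupui.edu.login-portal.example",
        "iupui.com",
        "example.org",
    ):
        print(f"{name:35} {classify_host(name)}")
```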
CREDENTIALS
CAMPAIGN CREATION
» Tools for Capturing Credentials (Limited List)
• Phishery
• Plaintext Creds via Basic Auth
• Evilginx
• Session Tokens via Transparent Proxy
• Modlishka
• Session Tokens via Transparent Proxy
• PhishAPI
• Plaintext Creds with Real-time Alerting (+ Basic Auth and Hashes)
• Old School (netcat, verbose python simple web server, etc)
» Once Captured
• Use Domain / SSO Creds to Log Into External Services (Email, VPN)
• Reset Passwords for Third Party Sites (MFA Services, etc)
• Search keywords in inboxes (“password”, “vault”, etc)
• Check Cloud Storage for Goodies (OneDrive if O365 / Google Drive, etc)
• Phish Laterally
• Inbox Rules
- Delete Replies, Password Reset Emails / Sent Messages
- Alert on keywords
MALDOCS
CAMPAIGN CREATION
» Examples
• PDF Adobe Reader Zero Day
• Weaponized MS Office Documents
• Macros
• Basic Auth Requests
- Captured Plaintext Credentials
• SMB / UNC Requests
- Hash Disclosure
• Other Techniques
- DDE
- Protected View Bypass
- HTTP Calls (Information Disclosure)
MALWARE
CAMPAIGN CREATION
» Traditional Malware
» Compromise of Internal Environment
» Leverage Cloud Storage
• OneDrive Sharing
• Google Drive Sharing
» More Easily Detected
» File Type Blocking
06 | TECHNIQUES
TECHNIQUES
» Phish early or late in the day
» Calendar invites
» MFA bypass
» SIM swapping
» Hashes in email body
» Check Out of Office in O365
» Establish persistence
• Log in with multiple sessions
• Try credentials on other services
» Use valid creds to export GAL or phish laterally
» Look for patterns
• Password length / requirements
• Repeated default passwords
• Season + Year
07 | DEMO?
QUESTIONS?
THANK YOU!

A Night of Phishing @ IUPUI Cyber Security Club

  • 1. Phishing IUPUI Cyber Security Club Curtis Brazzell Principal Security Consultant
  • 2. THREAT HUNTING AND RESPONSE | SECURITY CONSULTING CONTENTS Introduction Phishing vs Spear-phishing Reconnaissance Statistics Campaign Creation Techniques Demo? Q & A
  • 3. THREAT HUNTING AND RESPONSE | SECURITY CONSULTING 01 | INTRODUCTION
  • 4. THREAT HUNTING AND RESPONSE | SECURITY CONSULTING PHISHING INTRO » Purpose • Security Awareness • NOT for Humiliation » Phishing vs Spear-Phishing • KnowBe4, etc » Lateral » Under the Umbrella of Social Engineering
  • 5. THREAT HUNTING AND RESPONSE | SECURITY CONSULTING 02 | PHISHING VS SPEAR-PHISHING
  • 6. THREAT HUNTING AND RESPONSE | SECURITY CONSULTING » Phishing • Casts a Wide Net • Not as Effective • lack of personalization / too generic • spam filters • poor grammar • 1% of 1,000 is still 10 • Scams and Spams • Scripted and Automated » Spear-phishing • Targeted Attacks • Mission / Objective Based • Highly Effective • Takes Time / Not Easily Automated PHISHING vs SPEAR- PHISHING
  • 7. 03 | RECONNAISSANCE
  • 8. OSINT RECONNAISSANCE
      » What is OSINT?
      » Doing Our Homework (sorry)
      » Targets
        • Organizations
        • Individuals
  • 9. ORGANIZATIONS RECON - OSINT
      » Subdomains / Attack Surface
        • Mail Server
        • Remote Access (MFA?)
        • Citrix / TeamViewer / LogMeIn / VMware Horizon, etc
        • VPN
        • Careers Portal
        • Contact Us
        • Wappalyzer
        • OS Fingerprinting
      » Information Disclosure
        • Google Dorking (Files, Dir Listing, Exposed Portals)
        • Configuration Mistakes
      » Vulnerabilities (Legitimate URLs)
        • Cross-Site Scripting (XSS)
        • Content Modification (iframes)
        • Redirects
        • Form Jacking
        • Session Hijacking
        • Click Jacking
        • Open Redirects
        • Unrestricted File Uploads
      » URL Encoding Techniques / Obfuscation
  • 10. ORGANIZATIONS RECON - OSINT
      » Tools
        • Passive vs Active Enumeration
        • Active
          - MailSniper
          - Application Vuln Scanners (Burp Suite, ZAP, etc)
          - Network Vuln Scanners (Nessus, Nexpose, Qualys, OpenVAS, etc)
        • Passive
          - Shodan
          - Discover
          - Dnstwist
          - Amass
          - Dnsdumpster
          - Prowl
  • 11. INDIVIDUALS RECON - OSINT
      » Breach Lists
        • HIBP / Paste sites
        • Shared Creds
        • SSO
      » About Us
      » Google
      » LinkedIn
      » Tools (Limited List)
        • LinkedINT
        • Recon-ng
        • theHarvester
        • Maltego
  • 12. INDIVIDUALS RECON - OSINT
      » Spear-phishing (Targeted)
        • Information Gathering
        • Company’s “About Us” Page
      PONDURANCE
  • 13. INDIVIDUALS RECON - OSINT
      » Spear-phishing (Targeted)
        • Information Gathering
        • Social Media (LinkedIn, etc)
  • 14. INDIVIDUALS RECON - OSINT
      » Spear-phishing (Targeted)
        • Information Gathering
        • Recon-ng
  • 15. INDIVIDUALS RECON - OSINT
      » Spear-phishing (Targeted)
        • Information Gathering
        • Breach Lists
  • 16. INDIVIDUALS RECON - OSINT
      » Spear-phishing (Targeted)
        • Information Gathering
        • Maltego
  • 17. INDIVIDUALS RECON - OSINT
      » Non-Targeted
        • Information Gathering
        • theHarvester
  • 18. 04 | STATISTICS
  • 19. TRACKING STATISTICS
      » Ties Back to Purpose - Reporting
      » Opened Emails
        • 1x1 Pixel Image
          <IMG SRC="https://DOMAIN.com/campaigns?target=EMAIL@RECIPIENT.COM&campaignname=ITCAMPAIGN" height="1" width="1">
  • 20. TRACKING STATISTICS
      » Link Clicks
        • Landing Page Requests
        • BeEF Hooking
        • Google Analytics, etc
  • 21. TRACKING STATISTICS
      » Captured Credentials
        • Password Strength
        • Password Uniqueness
        • HIBP
        • Internal
      » Compromised Hosts
  • 22. 05 | CAMPAIGN CREATION
  • 23. BELIEVABILITY
      » How to create a convincing email?
        • Choose a scenario
        • Work from Home
        • Employee Gift Card Raffle
        • Management Request
        • IT Department
        • PhishAPI has a re-usable repository
        • Will be community driven soon
  • 24. BELIEVABILITY CAMPAIGN CREATION
      » Customized
        • TO field instead of BCC
        • Match formatting of body and writing style
        • Grab an email signature
        • Sales Reps
        • Customer Support
        • Job Application
        • Create your own w/ Logo
  • 25. BELIEVABILITY CAMPAIGN CREATION
      » Exploit Relationships Between Employees
        • HR
        • IT
        • Hierarchy of Seniority
      » Social Tactics
        • Scare
        • Urgent
        • Context
        • Calendar Events
        • Ticketing Portals / Help Desk
  • 26. BELIEVABILITY
        • Spoof the Sender
  • 27. BELIEVABILITY
        • Spoof the Sender
  • 28. BELIEVABILITY
        • Spoof the Sender
  • 29. BELIEVABILITY
        • If spoofing isn’t an option, create similar domain
  • 30. OBJECTIVES CAMPAIGN CREATION
      » Credentials
        • Fake Landing Pages (New Citrix Login, Finance Page, etc)
        • Existing Cloned Pages w/ Company Logo
        • OWA / VPN / Remote Admin Portals
      » Malicious Documents (maldocs)
        • Hashes
        • Macros
        • Credentials
      » Malware
        • Trojans, Keyloggers, Ransomware, etc
  • 31. CREDENTIALS CAMPAIGN CREATION
      » Components
        • Keep Independent
        • Front-end
        • Static Web Page
          - GitHub Pages
          - Google Sites
          - EC2
        • Submits Critical Info (Project, Target, etc)
        • Back-end
        • Receives Requests
        • Processes Results
        • Alert Capability
          - Necessary for MFA tokens
          - Time is critical for account takeover, especially when suspicious
      » Cloning Tools
        • Social Engineering Toolkit (SET)
        • PhishAPI
        • Manual
        • Browser Tools
        • Backend
  • 32. CREDENTIALS CAMPAIGN CREATION
      » Exploit User’s Misunderstanding of Security
        • Subdomains
        • secure-iupui.edu VS secure.iupui.edu
        • HTTPS
        • Let's Encrypt
        • Mention “Security” in the body
        • Disable “Protected View”
        • Double security banners (lol)
        • Hash Stealing in email (“But I didn’t open it!”)
        • BeEF Hooking (“But I didn’t enter my credentials!”)
        • Failure to Properly Terminate Sessions / Persistence
  • 33. CREDENTIALS CAMPAIGN CREATION
      » Tools for Capturing Credentials (Limited List)
        • Phishery
        • Plaintext Creds via Basic Auth
        • Evilginx
        • Session Tokens via Transparent Proxy
        • Modlishka
        • Session Tokens via Transparent Proxy
        • PhishAPI
        • Plaintext Creds with Real-time Alerting (+ Basic Auth and Hashes)
        • Old School (netcat, verbose python simple web server, etc)
      » Once Captured
        • Use Domain / SSO Creds to Log Into External Services (Email, VPN)
        • Reset Passwords for Third Party Sites (MFA Services, etc)
        • Search keywords in inboxes (“password”, “vault”, etc)
        • Check Cloud Storage for Goodies (OneDrive if O365 / Google Drive, etc)
        • Phish Laterally
        • Inbox Rules
          - Delete Replies, Password Reset Emails / Sent Messages
          - Alert on keywords
  • 34. MALDOCS CAMPAIGN CREATION
      » Examples
        • PDF Adobe Reader Zero Day
        • Weaponized MS Office Documents
        • Macros
        • Basic Auth Requests
          - Captured Plaintext Credentials
        • SMB / UNC Requests
          - Hash Disclosure
        • Other Techniques
          - DDE
          - Protected View Bypass
          - HTTP Calls (Information Disclosure)
  • 35. MALWARE CAMPAIGN CREATION
      » Traditional Malware
      » Compromise of Internal Environment
      » Leverage Cloud Storage
        • OneDrive Sharing
        • Google Drive Sharing
      » More Easily Detected
      » File Type Blocking
  • 36. 06 | TECHNIQUES
  • 37. TECHNIQUES
      » Phish early or late in the day
      » Calendar invites
      » MFA bypass
      » SIM swapping
      » Hashes in email body
      » Check Out of Office in O365
      » Establish persistence
        • Log in with multiple sessions
        • Try credentials on other services
      » Use valid creds to export GAL or phish laterally
      » Look for patterns
        • Password length / requirements
        • Repeated default passwords
        • Season + Year
  • 38. 07 | DEMO?
  • 39. QUESTIONS? THANK YOU!
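
The hostname distinction on slides 29 and 32 (a similar domain, secure-iupui.edu vs secure.iupui.edu), written as a check a mail or web filter could apply to link and sender hosts. This is an added example, not part of the deck; the function names, the one-edit threshold and the sample hostnames other than the two on slide 32 are assumptions.

```python
# Added example: decide whether a hostname really belongs to a trusted domain
# or only resembles it. Punycode/IDN homoglyphs are out of scope here.

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def classify(host: str, trusted: str = "iupui.edu", max_dist: int = 1) -> str:
    """Return 'trusted', 'lookalike' or 'unrelated' for a hostname."""
    host = host.lower().rstrip(".")
    # Only the domain itself or a dot-separated subdomain of it is trusted.
    # A hyphen does not create a subdomain: secure-iupui.edu is a new domain.
    if host == trusted or host.endswith("." + trusted):
        return "trusted"
    brand = trusted.split(".")[0]
    for label in host.split("."):
        if brand in label:
            return "lookalike"        # brand embedded in another domain's label
        for part in label.split("-"):
            if edit_distance(part, brand) <= max_dist:
                return "lookalike"    # near-miss spelling of the brand
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample hostnames, apart from the two taken from slide 32.
    for h in ("secure.iupui.edu", "secure-iupui.edu",
              "iupui.edu.example.org", "iupul.edu", "example.org"):
        print(f"{h:25} {classify(h)}")
```

The suffix test is the part users get wrong on slide 32: trust follows the rightmost labels, so anything that does not end in `.iupui.edu` is someone else's domain regardless of what appears to the left.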