Aaron Higbee - The Humanity of Phishing Attack & Defense

© Copyright 2015 PhishMe, Inc. All rights reserved.© Copyright 2015 PhishMe, Inc. All rights reserved.
The Humanity of Phishing Attack and Defense
2016 Central Ohio InfoSec Summit
Aaron Higbee
Co-Founder & CTO of PhishMe
@higbee @phishme

© Copyright 2015 PhishMe, Inc. All rights reserved.
What you are in for…
• A LOT of slides – don’t worry, they will be on the portal and
Slideshare.
• Is Phishing easy? The operation examined from the Attackers
perspective
• Multiple data points
– Highlights from our Enterprise Susceptibility Report
– Examples of effective and popular phishing themes
– How much time do users spend consuming phishing education?
• Does it matter?
– New data from recent survey. Do we have an awareness problem?
• Why do humans fall for phishing?

A TALE OF WOE
OPM

Notice anything interesting?

What likely caused the breach…

The DHS Response…
“The campaign will feature short videos,
posters and literature on the do’s and
don’ts for better cyber hygiene”

OPM Needs an extra 21 million (for encryption)

2002
• Incident Response
• Penetration Testing
• Taught a lot of Ultimate Hacking Classes
– Hands on, learn by doing
• Met a lot of these types 

Attackers Perspective: Is phishing easy?
The classic Attackers vs. Defenders arguments seem to
gloss over the effort involved…

Phishing operations examined: Recon
• Reconnaissance for targeting
– Email addresses from simple internet searches
– Mining social networks
– Spam lists
– Paid private lists
*Image created by Seculert

Phishing operations examined: Weaponization
• Exploit writers
• JavaScript expertise
• Code packers and obfuscation
• Remote Administration Tools – Custom or Modified
• Data-Entry credential stealing phishing?

Phishing operations examined: Delivery
• Send email collect shells. Easy right?
• Brand protection & site take down. E.g. login.peypal.net
• Spoofing still viable? SPF, DKIM, …
• Attachment delivery? Zip it? Password zip it?
• Anti-Spam products are a problem…
– Attackers using gmail.com, yahoo.com, hotmail.com, etc..
• Time of day?
• Mobile devices?

Phishing operations examined: Exploit
• x86 Win32 – time of day matters
• Advances in end-point protection
• Application whitelisting
• Email scanning gateways
• URL detonation
• Sandboxes
• Phishing with only links?
– Site categorization
– Evolving browser protections

Phishing operations examined: Recap
Let’s recap…
We found targets, prepared our email sending environment to
ensure delivery and we’ve overcome the problems of exploitation.
We can either get exploit attachments in, or lure phishing victims
to our prepared, whitelisted, categorized site designed to deliver
the payload. We are either defeating sandboxes or our malware is
designed in such a way that analysis either takes too long or
provides inconclusive results in the sandbox to set off alerts.
Game Over?...

Phishing operations examined
… But you are still not done.
Plant backdoors, connect outbound, exfiltration

Now let’s look at some Crimeware examples
Common themes:
– Faxes, Voicemails, ACH notices, Package Delivery
– The PhishMe blog has many examples
– Cryptolocker

Locky Message

Rising Trend: Phishing Randomization
• Message randomization continues to increase
– Sender
– Subject
– Variable message body
– Varied hashes

Notice the variations

Let’s review this campaign
• Observed
– 1200 samples
– From 700 different sending IP’s
– Using 1100 sender domains
– Having 500 different sender names
– Utilizing over 700 different attachments
– 100 C2 IP’s identified
– 150 C2 URL’s identified

Exploring some Dyre randomization
• 218 Campaigns Reviewed
– 30,000 unique samples
• Only 1 Subject line used a dozen times
– Example subjects
New Fax - 800273336
New Fax - 800312316
New Fax - 800575757
You are our most valued customer. Your ID 23677222

MOST USED AND HIGHEST
SUSCEPTIBILITY

Introduction – Study Demographics
• 400 PhishMe customers
• Fortune 500 and public sector organizations across 23 verticals
• 8 million simulation emails over a 13-month span
• 75% of organizations training 1000+ employees

Questions Asked
• Are certain themes or levels of complexity more difficult than others for
employees to recognize?
• What is the impact of emotional motivators on the likelihood of phishing
responses?
• Can we see differences by verticals?
• Does timing of the phish influence user vulnerability?
• Can we see positive trend success metrics over time?
• What makes a phishing program successful?

Key Findings
• 87% of the employees who opened a phishing simulation email
opened it the SAME DAY it was sent.
• Most employees responded to a phishing email in the morning hours,
particularly at 8:00 AM local time.
• Employees who open a phishing email are 67% more likely to
respond to another phishing attempt.
• The most effective phishing emails contain a business communication
theme.
• Behavioral conditioning decreased susceptible employees’
likelihood to respond to malicious email by 97.14% after just 4
simulations.

Scenario Themes and Complexity
What is a Phishing
Theme?
PhishMe’s term for a collection of email
scenario templates that use the same context,
motivation, or topic to elicit user action.
– Office Communication
– Employee Wellness
– Computer Updates

Theme Averages and Benchmarks

Result Variation Across Verticals – Package Delivery
Benchmark
• Wide variance in average
response rates across
verticals
• Underscores the need to
understand culture and
individual business processes
when analyzing results

Top Emotional Motivators
The strongest emotional motivators (above 20% average) were related to connection and reward (e.g.,
winning a prize).
Top Motivators:
• Connection
• Reward
• Curiosity
• Urgency
• Fear

Most Popular Simulations…
Type % Popularity Primary Motivators
Sent From Phone Attach (DB) 13.9 High Curiosity, Urgency
Package Delivery Click (BM) 18.43 High Curiosity
Inbox Over the Limit Click 19.7 High Fear, Urgency
eCard Alerts Click 25.98 High Curiosity, Reward, Social
File from Scanner Click 24.05 High Curiosity
Order Confirmation Click 17.38 High Curiosity, Fear
Unauthorized Access Data 29.16 High Curiosity, Fear, Urgency
Password Survey Data 16.58 Medium Fear, Urgency
Awards Season Click 5.6 Medium Entertainment
Scanned File Attach
(BM)
16.95 Medium Curiosity

Highly Susceptible Themes
Type % Popularity Primary Motivators
Manager Evaluation Data 31.55 Low Curiosity, Fear, Reward
Time Off Request - Negative
Balance
Click 30.92 Medium Fear, Urgency
Unauthorized Access (Adult-
Oriented)
Data 30.02 Low Curiosity, Fear, Urgency
Unauthorized Access Data 29.16 Medium Curiosity, Fear, Urgency
Browser Update Required Data (DB) 26.8 Low Fear, Urgency
eCard Alerts Click 25.98 High Curiosity, Reward, Social
Employee Raffle Data 25.85 Low Reward
Financial Information Attach 25.5 Medium Curiosity

Unauthorized Access 29.16% - Popular

eCard Alerts – 29.58% - Popular

Manager Evaluation 31.55% - Low popularity

Unauthorized Web Use: 30% - Low popularity

CREATING PHISHING AWARENESS

“Sit down, let me aware you about Phishing…”

PhishMe Content Team

Too Chinese…

Too Alluring…

Too American…

27 seconds…

Time spent improving “Awareness”

How is it that susceptibility rates improve?
• People don’t read the education
• Yet there is a consistent reduction in
susceptibility

What customers tend to focus on

Results: Conditioning vs. Awareness

The bigger picture
• People respond to
emails quickly
• Empowered and
encouraged users
report
• IR & SOC teams get
relevant and timely
threat intelligence
Potential threat intelligence
Can resilient humans be threat detectors?

Yes!

IS PHISHING AWARENESS THE
PROBLEM?
A survey conducted on the basics of Phishing…

Introduction – Survey Demographics
• PhishMe carried out a contracted survey in March 2016
• Sample: 205 US office workers who use email (outside of the IT &
Security department)
• Opening Question: Are you aware of phishing
and spear phishing?
– Four follow-up questions about phishing tactics
• Phishing emails can contain attachments?
• Phishing emails can contain links to websites?
• Phishing emails ask for information or link you to a website to fill in data?
• Phishing emails come from people within my company
• If instructions were given, where do you report suspicious emails?

Q1 Are you aware of phishing and spear phishing?
‘Phishing’ is a term used to describe a deceptive email designed to infect your
computer or steal your passwords. Were you already aware of that before reading
this definition?
• 15.6% not aware of phishing of spear phishing
• 76.6% reported being aware of phishing
• 20% reported being aware of spear phishing
Absolute
Base %
Respondents
Base
Q1
Yes, I am aware of
phishing
Yes, I am aware of
spear phishing
No, I am not aware
of phishing or spear
phishing
205
100.0%
157
76.6%
41
20.0%
32
15.6%0 10 20 30 40 50 60 70 80
16%
20%
77%
Yes, I am aware of phishing
Yes, I am aware of spearphishing
No, I am not aware of phishing orspearphishing

Based on your knowledge of phishing emails today, please indicate what you believe
to be TRUE and what you believe to be FALSE about phishing emails:
Phishing emails can contain
attachments?
– True 138 67.3%
– False 36 17.6%
– Don’t know 31 15.1%
Phishing emails can contain
links to websites?
– True 162 79%
– False 19 9.3%
– Don’t know 24 11.7%
Phishing emails ask for
information or link you to a
website to fill in data?
– True 148 72.2%
– False 22 10.7%
– Don’t know 35 17.1%
Phishing emails come from
people within my company
– True 60 29.3%
– False 113 55.10%
– Don’t know 32 15.6%

0 10 20 30 40 50 60
1%
3%
17%
33%
38%
59%
We send suspicious emails to a person in IT
We use the SPAM filter function in email
We send suspicious emails to a special email box
We have a dedicated process to send suspicious emails for research
We send suspicious emails elsewhere (please specify)
Other (please specify)
If instructions were given, where do you report suspicious emails?
Absolute
Break %
Respondents
Base
Base
Industry Sector
Profess-
ional
services
Arts &
Culture Legal HR
IT & Tel-
ecoms Finance
Sales,
Media
& Mark-
eting
Retail,
Catering
&
Leisure
Healthc-
are
Manuf-
acturing
&
Utilities
Archite-
cture, E-
ngineer-
ing &
Building
Travel &
Transp-
ort
Educati-
on Other
Q4
We send suspicious
emails to a person
in IT
We use the SPAM
filter function in
email
We send suspicious
emails to a special
email box
We have a dedicated
process to send
suspicious emails
for research
We send suspicious
emails elsewhere
(please specify)
Other (please
specify)
156 23 6 7 8 7 14 9 14 11 5 3 5 15 29
92
59.0%
11
47.8%
3
50.0%
3
42.9%
5
62.5%
4
57.1%
7
50.0%
7
77.8%
11
78.6%
5
45.5%
2
40.0%
2
66.7%
4
80.0%
9
60.0%
19
65.5%
59
37.8%
10
43.5%
2
33.3%
3
42.9%
3
37.5%
1
14.3%
4
28.6%
2
22.2%
4
28.6%
5
45.5%
2
40.0%
2
66.7%
1
20.0%
7
46.7%
13
44.8%
51
32.7%
9
39.1%
1
16.7%
3
42.9%
4
50.0%
3
42.9%
6
42.9%
2
22.2%
3
21.4%
5
45.5%
2
40.0%
1
33.3%
2
40.0%
3
20.0%
7
24.1%
27
17.3%
6
26.1%
1
16.7%
2
28.6%
1
12.5%
1
14.3%
5
35.7%
1
11.1%
1
7.1%
1
9.1%
1
20.0%
1
33.3%
1
20.0%
1
6.7%
4
13.8%
4
2.6%
-
-
1
16.7%
-
-
-
-
-
-
-
-
1
11.1%
-
-
1
9.1%
-
-
1
33.3%
-
-
-
-
-
-
2
1.3%
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
2
18.2%
-
-
-
-
-
-
-
-
-
-

Key Findings: Aware, but vulnerable
• ~76% are aware of phishing
– Lack of confidence on specific terminology spear phishing vs. phishing
– Some confusion remains on specific attacker vectors. Ex: links, attachments, credential theft
• Most employees have been given instructions on how to report
suspicious email.
– Of that subset, most are forwarding to IT or Spam team
• Awareness is not the problem

Changing Behavior Ain’t Eazy…

K3wp doesn’t like me… reddit/r/netsec
Aaronhigbee wrote:
If you think that conditioning humans to avoid phishing
should be part of every organizations security hygiene....
I'll raise a beer and toast you. Not everyone agrees.
K3wp responds:
I absolutely do not agree. You should be designing systems
and networks that cannot be compromised via phishing
attacks vs. trying to train a bunch of useless meat
tubes to be competent.

Security Engineers want to Engineer

Behave Humans!
• For many it’s an intellectual challenge
– When the human doesn’t conform to the system as designed, they
want to fix their Engineering mistake. They want to contain it.
When they can’t, they get upset. They blame the human. Not their
system.

What does history say?

Optical Sensors
Defeating coin optical sensors: Shaved Coins

Defeating Optical sensors
Light Wand aka Monkey Paw

• File.exe
• File.scr
• File.zip
• File.cab
• …
• http://Dropbox.com/file.ex
e

K3wp designed this…

Consider the malware sandbox…

“We STOP Phishing!!!”
My Reaction 
(sure you do)

How does your security sandbox stop this?
Or This?

Predictable response
After the tantrum is over… they blame the user
“the human is the weakest link”
“PEBKAC”

So what do simulations do?
So you do awareness, but better?... No

Thinking Fast and Slow
• Nobel Prize Winner in Behavioral Economics
• System 1: Intuitive brain process
– Operates automatically
• System 2: Deliberate thinking process
– Requires effort

How many emails do we process daily?
• Receive ~71 legit emails
• Send 41 emails
• Must mentally discard 13 emails
• Assume 2 hours of meetings and 1 hour lunch break
• We perform 33 email related tasks per hour 
• Source: http://www.radicati.com/wp/wp-content/uploads/2014/01/Email-Statistics-Report-2014-2018-Executive-Summary.pdf

Consider the following…
2+2 = ?
10 x 2 = ?
1+8 = ?
7+4 = ?
5+5 = ?
85 x 97 = ?

Another example…
LEFT
LEFT
LEFT
LEFT
LEFT
Right
Right
Right
Right
Right

Another example…
LEFT
LEFT
LEFT
Right
LEFT
Right
Right
LEFT
LEFT
Right

System 1 and 2 are always active

This should not trigger System 2

This should trigger System 2

System 1 to System 2 Success!

So what you are saying is…
Simulations creates experiences using tactics similar to real
phishing emails to jolt repetitive lazy intuitive cognitive
functions into a deliberate thinking process that requires
effort!

System 1 Recently Failed Me

Failure in System 1
• Wow, This is a nice hotel! The bathroom is so clean.
• (washing my hands now)
– Hrm, no urinals?
• Hrm, what is this thing for? 
•  I have made a critical mistake

You admit some people will fail!

Adoption and Use
• Over 168 Customers deployed
• Over 2.5 MM endpoints
• 1395 scenarios with Reporting metrics
• 58% (779) with more reports than responses
• 24% average report rate
• More then 400,000 scenario reports
• More than 750,000 suspicious email reports

Conclusions
• Good news! Phishing Awareness is solved
• Bad news! We are still susceptible to phishing - 
• Somewhere, some technology vendor is creating an
Advanced Machine Learning - Hadoop clustering
engine to perform User Behavior Analytics to end the
Phish Du Jour.
• Or you could consider conditioning the user to avoid
and detect tomorrows attacks today.

Aaron Higbee - The Humanity of Phishing Attack & Defense

Recommended

Recommended

More Related Content

Viewers also liked

Viewers also liked (12)

Similar to Aaron Higbee - The Humanity of Phishing Attack & Defense

Similar to Aaron Higbee - The Humanity of Phishing Attack & Defense (20)

Recently uploaded

Recently uploaded (20)

Aaron Higbee - The Humanity of Phishing Attack & Defense

Editor's Notes