Phishing Attacks - Are You Ready to Respond?
•
4 likes•718 views
Phishing and Spear Phishing attacks are the number one starting point for most large data breaches. But there is currently no efficient prevention technology available to mitigate this risk. Learn what capabilities organizations need to have in order to respond to phishing attacks and lower the risk. - Learn how to detect and respond to phishing attacks - Understand how an average user behaves when faced with a phishing attack and why they are so successful - Get insight into the questions that you will need to answer if a phishing campaign is running against your organisation - Learn the capabilities organisations will need to have in order to answer those questions and protect against phishing attacks - Learn how you improve your incident response capabilities
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (12)
Similar to Phishing Attacks - Are You Ready to Respond?
Similar to Phishing Attacks - Are You Ready to Respond? (20)
More from Splunk
More from Splunk (20)
Recently uploaded
Recently uploaded (20)
Phishing Attacks - Are You Ready to Respond?
- 1. Next Presentation begins at 10.40 Phishing Attacks Are you Ready to Respond? Matthias Maier CISSP & CEH
- 2. Phishing Attacks Are you Ready to Respond? Matthias Maier CISSP & CEH
- 3. Recent Headlines Source: FBI Source: Computerworld UK
- 4. Verizon DBR2015 Source: Verizon DBR2015 23%OF RECIPENTS OPEN PHISHING MESSAGES 11%OF RECIPENTS CLICK ON ATTACHMENTS 50%CLICK ON PHISHING LINKS WITHIN THE FIRST HOUR
- 5. The traditional way Focus on mass mailing Direct delivery or indirect delivery of malware Spam filters and sandboxing technologies are good to detect Tax return picture from https://www.proofpoint.com
- 6. True Story: State of Michigan (SOM) – User account spoofing • Phishing Mail: Mailbox reached storage limit... • Outlook Web Access Portal custom design of SOM was rebuilt by attacker • Provide E-Mail, Username, Password and Date of Birth... To how many Users was the mail delivered? How many clicked? How many filled out? • Delivered to 2800 Employees before being blocked • 155 Employees clicked the link • 144 Employees provided their credentials Source: GISEC 2015 Key Note – Ex CSO Dan Lohrmann
- 7. The trend: Which one is the valid one?
- 8. Why are phishing attacks seen as increased risk? • More focused – social engineering researches • Localized • No longer bad google translations • Using valid graphics and formating • Sent out to target people or groups • Use e-mail accounts with good reputation • Use common use cases to click a link – No longer aka „validate bank credential“ – Download signature of post delivery – Download of online PDF bill from YOUR mobile provider
- 9. 9 Kill Chain—Breach Example http (web) session to faked web portal Steal data Persist in company Sell access to third party WEB Discovery Delivery Exploitation Installation Command and Control (C2) Actions on Objectives Enters login credentials Downloads malware Attacker creates custom webpage emails to the target MAIL Reads email, click link Threat Intelligence Access/Identity Endpoint Network VPN Portals Acting like a legitimate User Stealing further PI Information Utilizing User authorizations
- 10. You need to have the capability to answer every question about an attack that might raise within your organisation
- 11. Questions that raise when you now about a Phishing Mail? Which of my users has received a DHL delivery e-mail in the past? When did the DHL campaign start? Did someone click on the link within the DHL E-Mail? Or are my users well trained enough to not click on such a link e.g. hovering the mouse over the link first to validate the url is dhl.de? Did my proxy block the file download or not if someone clicked the link? Did the AV scanner from the endpoint block the malware if it was bypassed by the proxy and executed by the user? Was there any unknown IP connection or change on the endpoint configuration after the download of the malware? If the phishing website simulated a valid webpage (amazon, outlook web access etc.) – did the user try to logon/submit their credentials? Can I identify a pattern to find out more users that have got similar attacks – for example using simple statistic: rarely accessed domains, first accessed domains for a user etc.
- 12. Questions that the press, investors, customers and management asks an organization that has publicly disclosed an incident • How did the attacker gain initial access to the environment? • How did the attacker maintain access to the environment? • What is the storyline of the attack? • What data was stolen from the environment? • Have you contained the incident?
- 13. 2013-08-09 16:21:38 10.11.36.29 98483 148 TCP_HIT 200 200 0 622 - - OBSERVED GET www.neverbeenseenbefore.com HTTP/1.1 0 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; InfoPath.1; MS-RTC LM 8; .NET CLR 1.1.4322; .NET CLR 3.0.4506.2152; ) User John Doe," 08/09/2013 16:23:51.0128event_status="(0)The operation completed successfully. "pid=1300 process_image="John DoeDeviceHarddiskVolume1WindowsSystem32neverseenbefore.exe“ registry_type ="CreateKey"key_path="REGISTRYMACHINESOFTWAREMicrosoftWindows NTCurrentVersion Printers PrintProviders John Doe-PCPrinters{} NeverSeenbefore" data_type"" 2013-08-09T12:40:25.475Z,,exch-hub-den-01,,exch-mbx-cup- 00,,,STOREDRIVER,DELIVER,79426,<20130809050115.18154.11234@acme.com>,johndoe@acme.com,,685191,1 ,,, hacker@neverseenbefore.com , Please open this attachment with payroll information,, ,2013-08- 09T22:40:24.975Z Sources Time Range Endpoint Logs Web Proxy Email Server All three occurring within a 24-hour period User Name User Name Rarely seen email domain Rarely visited web site User Name Rarely seen service Phishing – Advanced Analytics
- 14. Using a Kill Chain Framework – Earlier Stage Detection Delivery & Installation Rarely seen email, Rarely seen web traffic Abnormal registry access Email log Web log Host log Delivery, exploit installation Gain trusted access ExfiltrationData GatheringUpgrade (escalate) Lateral movement Persist, Repeat Use indicators & attributes to find infected systems, users & verify controls Protect
- 15. Reference @ Maastricht University Before Splunk: • User accounts got compromised and hajecked by phishing attacks • User accounts have been used for sending out spam which did result in e-mail domain beeing blacklisted. • interruption of e-mail service • users getting locked out of their accounts, strugled to identify cause and fix After Splunk: • better understanding of what 'normal' looks like in their environment • investigate any suspicious activities in student and staff accounts • monitoring access to important or sensitive mailboxes for any unauthorized access • monitoring for abnormally large volumes of mail to one inbox • determine the attributes of a phishing attack • react more quickly when other things go wrong • sysadmin team can now immediately identify the device on which the wrong credentials were used
- 16. Thanks Q&A Visit Splunk at Stand C20
Editor's Notes
- Verzion Data Breach Report 2015 – Section Phishing – Page 16-18
- Phishing Attacks are so old since e-mail was estabilshed and business common. In the past it was mostly mass mailing to e-mail addresses that have been found somewhere on the web. The content of e-mails contained many spelling issues, they have been curious as they came from agencys like „tax refunding needs to your input to release your payback“ etc. in the past spam filters and sandboxing technologies such as fireye have been good to detect and filter them out. Also as it was mass mailing the reputation of e-mail addys had been bad very quickly and could be added to spamfilters as mallicious.
- At GISEC2015 in Dubai – a large Security Show – Michigan‘s Ex CSO Dan Lohrmann hold a keynote and mentioned as one of the top concerns for CIO‘s is sophisticated phishing attempts. He showed a real sample where they faced an targeted attack. To over 2800 users e-mails have been sent that their mailbox reached the size limit and to increase them temporarly they should logon to outlook web access. Within the first hour – 155 employees clicked the link with a faked outlook web access page – even the customer colouring and design they use at the State of Michigan was done. 144 employees provided their credentials. If that type of attack happens – you can‘t avoid it – you need to have the right procedures and technology in place to react quickly.
- However time changes – and now the phishing attempts get more targeted, more professional. Even they are localized now with the right pictures like the original business is using it. Even Formatting is used similar. And the use cases also are no longer a crappy „PDF like file“ with an ending of .pdf.exe. Look at that real world example landed in a mailbox from a user in germany. Which one is the original Spam mail? Both are not from @dhl.de. So verifying the sendor does not work as DHL uses the company sender address you bought something. Just if you do a mouse over of the hyperlink on the e-mail on the right will show you it is a spear phishing mail. The german has no spelling issues – and even my e-mail addy was @gmail.com someone has my e-mail addy and the information i‘m german speaking... Don‘t want to know via which channel they got that information. The left one is the original one – i bought some door stoppers via Amazon Market Place. Conclusion: even you‘re trained best on phishing – you might get catched and you click a link. Then you need to be ready.
- Why is it today a high priority? There are no direct security technologies out that can prevent those stuff and it will happen again and again. You can‘t control everything without limiting producitivty for users. And the attacks get more focused – they use social engineering researches to learn your wording, how you interact and then they send out localized nicley tuned phishing mails.
- The attacker performs via social engineering and researches about the organizations to learn what wordings they are using, what technologies they are using, how their IT is working, potentially even what e-mails they might get regularly, what’s their structure etc. They are preparing a customer webpage that animates the victim to enter information (login, PI information) or download and open a infected document (bill mobile phone) They are sending a custom phishing e-mail to the victim that includes his name, even nice formatting, no spelling information –using the information from the researches. That is the first time it hit’s a company network. The victim thinks it’s a legitime e-mail and klicks the link in the mail and get’s to the faked webpage through the proxy as the page was created targeted for that one campaign and not seen malicious somehwere else – entering credentials or downloading malware Attacker gains valid access to the victims organization acting like a legitimate user without using any malware. From their on it all relays on the mission of the attacker what to do: compromise, manipulate, data stealing to gain further PI information, starting to get sticky in the network by exploiting machines as legitimate user etc.
- Use case 4 of the traditional “use case” slide. Like prior slide so see notes at the top. But in this case the events being correlated on all are from “non-security” data sources. This is because the threats are “unknown” to traditional security products because no signature exists for them. In this scenario above Splunk is keeping track of all the external email domains that are sending emails into the company, all external web sites being visited by internal employees, and all the services and executables running on internal machines. It can automatically count up things like # of emails received by each external domain, # of times employees visit external web domains, etc, to see the rarely seen items that are outliers. In the above scenario: Splunk sees an email reach an internal employee from an external email domain that has never/rarely been seen before That same employee then visits a web site that is never/rarely visited by internal employees A service starts up on the employees machine that is never/rarely seen in the organization Why these 3 events are bad: These 3 events happening on the same machine in a short time period indicates a hacker has performed a spearphising attack. They sent a realistic looking email to an internal employee that compelled the employee to click on a link or open an executable. This resulted in the web site dropping malware on the machine. Splunk can correlate on all these 3 events happening on the same machine and within a short time period. Splunk can detect and/or alert on these sorts of correlations in real-time or on a scheduled bases. Even if anomaly detection mechanism was used to find individual event or combined events (from splunk or something else), this is only a portion of a bigger transaction (as we discussed from the previous example. Detecting the single event or the combination of events still requires additional information and additional action Ask the audience, customer - Is the job done if you are responsible for this?
- The job is not done – because this is an early stage detection and we see that someone is trying to deliver malware into your organization. With the kill chain framework, we know that phishing is the first step in trying to gain access so therefore we want to track where the email is coming from, who is sending it. Maybe capture the phishing email to look for the site it’s directing people to or look at the attachment to see what it does. Maybe look at the phishing details to look for similar artifacts, traffic across the company to determine if anyone else were targeted for fell for the phishing attempt. By using the kill chain framework, we would also want to monitor the attacker attributes (where it came from, the domains associated with the attack, etc.). The grey box describes the example, similar to the previous example Animation is used to tell the story additional attributes to look for other targets, perform continuous monitoring of the targets, and the attacker, and the techniques they use. The point is the kill chain helps someone think about what else to consider, what else to look for, and how to conduct “on-going monitoring” for the attack. Customer quote – “an increase of phishing email means we’ve done a good job of eliminating malware (eliminate internal access) – the phishing attempts means they are trying to re-establish access to our network” – the conversation with this customer was that their network is too large and distributed and they know they will get infected allowing outsiders to gain access to their networks.
- http://de.splunk.com/view/splunk-at-maastricht-university/SP-CAAAM7B