Phishing - Prevention and Detection and Remediation
•Download as PPSX, PDF•
1 like•1,564 views
This document discusses strategies for preventing, detecting, and remediating phishing attacks. It describes how credential phishing has become a widespread problem, with over 250,000 credentials stolen each week. The document promotes using Phish Finder to prevent credential theft and using Phish Hunter for detection and automated remediation. Phish Hunter integrates with Microsoft cloud services like Azure Active Directory, Office 365, and Microsoft Cloud App Security to provide defense in depth against phishing attacks.
More Related Content
What's hot
What's hot (20)
Similar to Phishing - Prevention and Detection and Remediation
Similar to Phishing - Prevention and Detection and Remediation (20)
Recently uploaded
Recently uploaded (20)
Phishing - Prevention and Detection and Remediation
- 1. Forsyte Sensitivity: Public Phishing – Prevention, Detection and Remediation Christopher Irwin Forsyte IT Solutions
- 2. Forsyte Sensitivity: Public Evolution of Phishing
- 3. Forsyte Sensitivity: Public Trusted User Phishing • Compromised Accounts • Researched Communications • Internal Phishing • Lateral Movement • Low Message Volume • Zero Day
- 4. Forsyte Sensitivity: Public Credential Phishing Credential Phishing - Is it real and how wide spread? 61% of data breaches result from weak or stolen passwords 91% of phishing attacks were after credentials Over 250,000 credentials stolen every week Over 900,000 unique phishing websites last year Average-sized organization loses $3.7 million to phishing scams per year
- 5. Forsyte Sensitivity: Public Remediate with Phish Hunter to limit exposure to potential phishing threats The Forsyte Approach User Education Prevent with Phish Finder a credential theft prevention tool
- 6. Forsyte Sensitivity: Public User Education What can you do to educate your users?
- 7. Forsyte Sensitivity: Public User Education 1. Preform initial Phishing Security Test (PST) to establish a baseline Phish-prone percentage 2. Use baseline reporting to identity phishing-prone users and provide phishing awareness training and tools 3. Follow up with regular PSTs that continue to probe and identity uneducated users
- 8. Forsyte Sensitivity: Public Credential Theft What happens after a user falls for a Phishing email?
- 9. Forsyte Sensitivity: Public How Credential Theft happens
- 10. Forsyte Sensitivity: Public Credential Theft Prevention Phish Finder
- 11. Forsyte Sensitivity: Public Credential Theft Prevention Phish Finder Demo
- 12. Forsyte Sensitivity: Public Credential Theft Prevention
- 13. Forsyte Sensitivity: Public Phishing Detection and Remediation Phish Hunter
- 14. Forsyte Sensitivity: Public BlockKnownBadMail ProtectUnknownLinks BlockRiskySignIn ChallengeRiskySignIn DetectRiskySignIn DetectKnownAttacks TrackUnknownAttacks InvestigateAttack CorrelateAttackVectors Email Identity Behavior Insights InvestigateEndpoints DetectEndpointAttack BlockUnknownMalware DefenseinDepth
- 15. Forsyte Sensitivity: Public Remediate automatically and respond quickly when a new targeted phishing strategy emerges ATPATP CASCAS PowerBIPowerBI AzureAzure PhishingEmailCredentialCompromiseAttackSignatureMatchAutomaticRemediationAttackProfileAnalysisBlockAttackSourceAttackBlockedUnauthorizedAccess TrustedUserPhishingAttack
- 16. Forsyte Sensitivity: Public Add local insights to cloud intelligence and enforcement Bettertogether
- 17. Forsyte Sensitivity: Public Built-inAnomalydetectionarchitecture Risks: Location User- Agent Admin user? Anonymo us proxy? Time since last activity ISP . . . Session Risk Session #1 39 71 100 0 68 84 97 Session #2 97 56 0 100 50 34 80 Session #3 39 5 0 0 2 26 49 Session #4 59 85 0 0 48 50 29 … Session #N 5 76 0 0 39 40 14 Threshold Session-based: Recent user activities across apps, devices and locations are combined to create a user session Risk score: Risk factors are calculated for each session and combined to calculate the total session risk score Alert trigger: sessions above risk threshold trigger an alert (top k sessions) containing risk breakdown & related activities User feedback: anomaly engine is customized by turning on/off risk factors for specific users/groups
- 18. Forsyte Sensitivity: Public Phish Hunter Architecture High-level view of key components 1) ETR and CAS Policy Rules are sent into Azure for processing. 2) The user’s activity is checked against the Threat Matrix 3) High and Medium risk events are sent for action 4) Automated Account Remediation takes place 5) On-Prem AD account is disabled
- 19. Forsyte Sensitivity: Public Phish Hunter Demo
- 32. Forsyte Sensitivity: Public Phish Hunter Defense-in-depth Azure Active Directory P1 conditional access policies and MFA block attackers from signing in to Office 365. Azure Active Directory P2 baselines and monitors user logins, detect anomalies, and applies risk tags to accounts and sessions. Office 365 Advanced Threat Protection protects users from phishing URLs at time-of-click and allows revocation/blocking of the attack URLs. Microsoft Cloud App Security provides forensic behavioral data and multiple pivots for attack investigation, maintains known attack signature policies, and tracks indications of compromise for discovering unknown attacks. Power BI visually correlates data gathered from threat assessment and tracking indications of compromise in order to determine sources of compromise and common attack vectors. Azure Automation dramatically reduces response times by enforcing account protection, account remediation, and modification of access policies automatically or via workflow/delegation based on the threat assessment.
Editor's Notes
- Over time, email-based phishing attacks have changed significantly. Mass phishing with bad grammar and unconvincing logic relied on high volume to offset low click-through rates. 2) Spear phishing was an innovation that showed reduced volume with higher quality social engineering tactics that used personal information from social media or public websites to build trust and legitimacy landed more click-throughs while helping to evade or prolong detection significantly. 3) Whaling was a phishing innovation where attackers realized higher value out of attacks than just monetizing the sending of SPAM messages. By impersonating high-value targets such as CEOs, CFOs, celebrities, or political candidates attackers could achieve greater results. Not sending massive amounts of SPAM from accounts also made the intrusion more difficult to detect which allowed attackers to remain “stealthed” within the accounts for long periods of time. 4) TU Phishing or Trusted User Phishing is a relatively new innovation of attackers that leverages a trusted sender in order to significantly increase the odds of compromising the recipient. Just as the identity of the recipient is key to the whaling attack the identity of the sender is the key to TU Phish. It is most often executed with full impersonation of the sender (as opposed to spoofing) which bypasses traditional SPF-based phishing detection and since the sender’s account was compromised the user’s entire social graph is exploited to gather intel on possible targets which yields even more convincing message content. Previous emails between the parties can be copied and resent with slight modifications (account numbers, link destinations, etc). Even advanced users or the most advanced phishing detection using machine learning based on content or social graph likely won’t detect the attack.