
They moved me up from being a backup speaker to speaking in the slot right after lunch, so, yay, no pressure. Big improvement, right? It's like coming out of the minor league bullpen into a World Series playoff game, so good luck. I'm Steve Becker. I work at Berkeley College. That is not UC Berkeley, that is not the Berklee College of Music, that's not the Berkeley College at Yale; it's the other, other, other, other Berkeley College. We're in New York and New Jersey, and that makes for some very interesting threat models, because everyone seems to not really like UC Berkeley right now, so we get a lot of interesting hate mail and things like that, which you'll hear me talk about a little later.

I've been doing different IT and infosec stuff for a while, so I have some cool stories. You can see I make fun of the certifications like everyone else does, but I am also shamelessly going to plug: if anybody wants to come help fix the problems with certifications, I do a lot of work with CompTIA to change their knowledge domains and actually write questions for them. If anyone has questions about how to join that process and actually fix the problems rather than just calling them out, come talk to me later.

So now we're going to dig into the actual talk. A quick background about social engineering itself to start with: this is predominantly going to be about phishing. It's just getting somebody to do something that they probably shouldn't do. I think that's a pretty obvious thing, but just so that we're all on the same page and talking about the same stuff here, it includes a lot of different kinds of confidence tricks. Quid pro quo: you could literally buy something from somebody, if that's your choice. Tailgating: when you walk in a door behind somebody too closely. And obviously phishing, voice phishing, spear phishing, whaling (which is targeting CEOs, presidents and other high-level targets), even text-based phishing over SMS networks.

Of course phishing is so important to talk about because, according to the Verizon Data Breach Investigations Report, which is one of the standard resources that gets cited for these things, phishing is the number three cause of incidents that are investigated and the number three cause of breaches. Interestingly, stolen credentials is actually number one, but phishing and stolen credentials kind of go together, so I'm not 100% sure why they split them in weird ways. The really important part about this is that 17% of these actually get reported to the IT department's help desk or the other infrastructure you have set up to actually correct these problems, and what we're going to talk about now is how and why we could fix that.

Of course the important reason we do that with phishing is because it's not getting reported to you before you even know it has happened. Before you know this is happening in your environment, an attacker is going to dump the data, they're going to reuse your credentials in other places that they can, they're going to reset passwords and other information, and if you use single sign-on, if you have ten different services behind the same single sign-on account, they're just going to repeat that for all of your services again and again. So we'll talk a little bit about some of the basic prevention and detection, and it's training. I mean, everyone remembers Steve Ballmer's "developers, developers, developers"; I'm setting up "training, training, training, training, training."

Now we're going to dig really quickly into four case studies about how phishing has actually impacted organizations, and this is a quick little legal note to say you can't really prove it was anybody I actually worked for, because I've done a lot of consulting at different places and I've worked with some local peers of mine in some small organizations that might need assistance. So you can't actually discover who these victims were, in case there are still legal cases pending, and in some cases you'll see in a minute why that is the case.

The first case study is just a simple, straightforward phishing attempt. Somebody targets some low-level employees at a company and says it's an executive, CEO, president: "Hey, I need you to do XYZ for me, you need to log into this website." It could come from the help desk saying you need to re-log in to confirm your account still exists, all these kinds of basic things that we talk about all the time. In this case I don't think they found anything to actually monetize or steal, so they just dumped some strategy documents that they found, because it was this low-level employee, and put them on a Pastebin website. If any of you have ever tried to search Pastebin for these kinds of dumps, it gets very difficult; their indexing engines run at weird times and in weird ways. So the biggest recommendation I have here is to join your industry's Information Sharing and Analysis Center (ISAC). In my case, working for a school, we're a member of the Research and Education Network ISAC (REN-ISAC). There's one for almost every major industry out there. Some of them get expensive to join, but it's highly recommended because they'll have a lot more resources than somebody like myself has, again because I'm not UC Berkeley with all the academic budgets they have.

So this is just an obvious phishing attempt, but the last point I want to make there is that there was also an unknown social media account in this case that said, "Hey, I found your data," on Facebook. That's how we found out this happened. The person that fell for the phishing attack and the other people who got the phishing attack didn't report it to us. We didn't know until somebody literally told us, "Hey, your information is out there," and that's way too late to do anything about it; Pandora's box has already been opened. So you also want to partner with maybe your marketing department, or whoever manages your social media accounts, so they can scan Twitter and things like that for you if you don't have the capability.

A second case study: they used somebody's password as ransom proof. We've all seen these messages: send some bitcoin to this address, because your webcam was turned on, we saw what you were doing, all these things. You'll start seeing the crossover into a lot of the emotional response now, where you don't necessarily know what that person actually does at home. That's scary, because a lot of these people might think it's real; they might have done something that actually is being talked about in this email. This is why these attackers and malicious people use these pretexts: because they work, because of the real things that people do in private. So it's a very delicate, very sensitive situation to be in, and it causes a lot of people not to report these incidents because they're embarrassed or afraid of what's going to happen. You need to break down those walls between the IT organization, your security organization, and the people that need to do the reporting. A lot of times you'll see the email addresses used for these attacks in a website like haveibeenpwned.com, which just lists the aggregate of other breaches. Obviously the actual passwords aren't shown there, but you can quickly tell whether that person is a victim of another breach or not, and you see that quite frequently.

A third case study, and this is one of the ones where the names are changed to protect the innocent. An important announcement is received from a president, CEO, could be the help desk, whatever: you need to change something in whatever account. The phished employee in this case immediately had their direct deposit information changed. Not a request to HR or payroll to change it; the attacker actually logged into the HR payroll system and changed it to a fake bank so they could steal money directly. This happened two days before the payroll cycle, so they knew what our payroll schedule was. It also happened in such a manner that they knew exactly how to do it in this payroll system, within minutes of the person falling for the phishing attack. Luckily, in this company's case there was a dual-control setup: the policy is for the payroll department to call that person's phone and say, "Did you want to make this change? Is this legitimate?" and then they have to provide a voided check or a statement from the bank. That extra layer of control saved it from actually happening.

One of the reasons why this attack was able to happen in this manner: does anybody have a company where any of your vendors or partners publicly release that information, and you do a PR campaign in exchange for maybe a discount or some sort of special treatment? You say, "Hey, our company uses this awesome payroll system," so now you appear on their website as one of their valued customers. That's an invitation to hackers and these different attackers to know exactly what system they're going to abuse if they reach out to your organization. So it's a double-edged sword: you want people to know that you're using the best-of-breed software, tools and services, but you're also opening the door to set up these pretexts, and people know exactly what to say to get your colleagues to fall for it.

Obviously the biggest thing you can do here is set up multi-factor authentication on these systems and use these out-of-band communication methods. One of the key takeaways for me personally is that the person who fell for it (actually there was a handful of people that fell for this; it was a very well coordinated, well conducted attack) called me crying, in tears. This person is actually the inspiration for this talk. They were so distraught and so worried about what would happen to their personal information, because now this attacker had access to the HR system: they could access credit reports with their Social Security numbers, all these different things that are absolutely terrifying to most people. And they went through this whole remediation process of having to change bank accounts. I think they went a little too far to the extreme: they wanted to change bank accounts, and they did, and they actually looked into the process of having their Social Security number changed, which is a whole different talk, because that's not easy to do. That became a really big way for me to change how I thought about these attacks, more from the victim side and how to get them more engaged in the process.

The last one is the most interesting, of course. A foreign factory somewhere in a big country in Asia was successfully phished. The really crazy thing here is that they just redirected the payment information to the attacker's bank account, which was going to go through money laundering in some different Pacific Rim countries; it's a very common tactic for them to launder money in that way. The really crazy thing is that last line there: the factory thought the payments were being held by the bank, because the attackers were basically modifying messages in transit. They could just intercept it, because they had the login credentials for email. So the people on the factory side thought they weren't getting paid, the people on the buying side thought they just weren't getting shipments, and the attackers even had a fake shipment website spun up in Amazon EC2, because it's trivial for them to do that. So they provided fake tracking numbers. Let's think about that: they went through such an effort. It took three months for this attack to get detected, because they said, "Oh yeah, your shipment's being sent over the ocean," and on a boat it takes a little while to get here from Asia, then, "Oh yeah, it's getting held in customs, they need to do extra scanning," all this different stuff. Three months, and I think it was like $300,000 that got stolen in this case. So just think about this: this company is now out the $300,000 for the product, and they don't have the product to sell to make that money back. So now the accounts payable person who is responsible for this in the end is absolutely terrified for their job, because they basically could have bankrupted a whole company.

That's another way you have to look at the response, from that victim perspective, because now you have to do all this research into what they actually did and how to prevent it in the future. So you have to deal with them on a very intimate, personal level to figure out how to get those funds back, and with wire transfers, once the money's out of the other account it's basically impossible to reverse that wire transfer. In this case, knowledge about how your insurance policies are written and how you can go about that actually is helpful. It was against their internal policy to change the wire transfer information without that out-of-band communication method, and when the accounts payable person didn't do that, because of the time differences and the other pretexting in the emails, they were able to get it covered by insurance, basically their general umbrella policy, because this wasn't really a cyber security problem: they weren't hacked or compromised, it was the factory side that was. So they were able to get some money back by a different route. Being well-rounded in some of those other areas is important for this incident response, which is what we're going to talk about now.

A quick little thing: there's a big difference between regular incident response in information security or network security and incident response for phishing, mostly because you need so much more training and so much more involvement of the actual victim in a phishing incident response than you do in the more traditional incident response policy or program. Basically the problem is you can't contain an attack: once your information is leaked out to the internet, it's gone. And it's almost impossible to detect, unless other people are reporting those phishing attacks, until something bad has happened.

Of course there are two different viewpoints to this too. On the corporate side, people are going to want to know how you let it happen. How did that bad email get past your email filtering? How did you let that person go to that bad website? How did you know that was a bad website? How are you going to cover the loss; is the insurance going to cover it? But you also have to remember that there's a human being involved, and they're your colleague or your boss or your friend, and this could happen to your family members in some different capacities, and they are absolutely terrified of what might happen to them, to their company, to their personal information. That really changes your outlook on how you're going to deal with incident response.

So, just to get the whole picture here: there is this corporate business response, where you need to have all those detective controls, all your log files, because otherwise you won't really know what happened with any kind of assurance. You need to corroborate what the person is saying happened with actual evidence, so you can determine if anything has changed, what alterations were made to your data, what they stole. That's pretty straightforward incident response. The big thing here is that you have to remember that whatever personal bias you have against that victim is absolutely critical to ignore. As soon as you start victim shaming or blaming somebody for falling for these attack types, they're not going to be your friend anymore, and when you lose that connection they won't help you in the reporting process or the recovery process, which is what we're going to talk about now. These are increasingly sophisticated attacks that people are falling for. The generic, blanket phishing attacks are slightly easier to detect with a lot of this new machine learning nonsense or whatever, so when they start getting more and more targeted, that's when you're going to have a lot more problems. When you place that blame on the victim, again, they're going to tell you the wrong thing, they're going to lie to you, they're not going to want to deal with you, and then you're not going to be able to actually fix the problem. That decreases their involvement in the entire process, and you just have a much harder time as you move further.

Going back to that generic incident response cycle: preparation. That's really the key of where this starts, and I think the best way to do that is to increase your positive visibility as a security organization. You don't want to talk about what you did to increase security. The average person that works in accounting or sales or whatever department in your company doesn't want to hear about how you switched to a longer key space in your encryption methodology; they don't understand what any of that means. All they want to know is, if they upload something to a vendor, how do they do it securely? So if you come up with a new system that lets them send files to their vendors (if you have printed material, you see that a lot where I am; these files are very, very big because of the vector images and all this different stuff), if we have an easy way for them to send it, they're very happy, and that's so we avoid them using things like Dropbox or other systems that have all these other inherent problems for us. So you want to talk about good business use cases that are also secure, not just the security stuff that the average person isn't really going to worry about.

And of course, again: training, training, training, training, training. Especially when you do test phishes, you don't want to attack the person who falls for the test; it just lets you know who the people most likely to fall for them are, and you can work with them more closely. That's really the key takeaway from training. And this is one of my favorite tweets: buy your help desk lunch. You need a good relationship with your help desk, because on average your support staff has the best relationship, hopefully, if you work at a good organization, with your entire customer base. That relationship is really what you want to exploit. Just think of it as hacking in reverse: you want to take that positive relationship they already get from a good support experience and make people also more comfortable reporting all these different kinds of attack types.

That moves us into the next part of the incident response: detection. Do the people who fall for these attacks or receive other kinds of phishing emails report it, and how can you help them? What logs do you have available? How do you identify more victims, and how does support staff escalate that? That's really where it comes in: working with your help desk and your support staff lets you know what other victims you have and lets you better answer that, especially when you start preparing for a lot of false positives. There's a big difference between spam email, somebody signing up for a newsletter they forgot they signed up for three years ago, and this is going to be you all day long, just all day. And you know what? You can never, ever be annoyed at somebody for thinking they're doing the right thing. As soon as you act annoyed and bothered by somebody coming to you, you shut that relationship down again, and then you have to start right back at the beginning, proving that you're actually doing something positive for them.

Now of course everyone at some point is going to fall for something somewhere, so how do you work with these people? The entire point of social engineering is to convince somebody with a sense of urgency: they want you to act quickly to make some sort of change. So it has nothing to do with your intelligence level. You have every level of person, and they're going to fall for something if it's targeted perfectly for them. It's just them being distracted for that moment. And a big thing: don't call people users. No one wants to be called a user; apparently the only people who get away with that are IT and drug dealers, so don't do that. I think "colleague" works; a lot of people, depending on what your industry is, maybe you'll call them peers, associates. There are all these different terms that different organizations use: "friend with whom I work"; I don't even know if I'm using "whom" right there, but he's wearing a monocle and it sounded fancy, so I did it. You really need to build on that relationship, and that's another way: calling people by something they want to be called. Then that enables them to actually report things to you.

Another thing that is a huge improvement in your incident response is working with them, no matter what their level of involvement is. Even if you just ask them, "Hey, can you change your own password?" rather than forcing a password reset. Now, you should probably monitor to make sure they actually do it, because they also don't restart their computers when they say they do, but ask them to do it themselves rather than forcing them to do it. That tiny little bit of involvement gives them a sense of ownership of fixing their problem. Again, remember they're scared that something bad is going to happen to them, so if you involve them in the fixing process, they're a lot more likely to actually be part of the fixing process. And you don't know how much more information you're going to need out of them until you start digging through those other log files we talked about. When you start seeing those problems, where maybe you have a gap in your log files: if somebody opens up this email on their phone or from home, you might not have a DNS entry yet from their office computer, you don't have the firewall logs to know what website they went to, whether they actually clicked, whether they actually submitted information. So you really need to keep that relationship close. I keep repeating that because it's absolutely critical if you want a better outcome from your phishing attacks, because culture is everything.

I like to turn these bad things into positive outcomes. If somebody was able to detect a phishing attack, report it to us, and we were able to correct the problem before it was released to the public or something really bad happened, those people then become our security champions, for lack of a better way to say it. That spreads that culture for you, because that little pocket (they all have four or five people that they work with, four or five friends that they've worked with, all these different things) spreads throughout your company in a much different way. And you have to continually want to see that change, and you have to continually be better than you were the day before in making that change happen, because if you're not consistent with that, it doesn't actually come to fruition. You act annoyed once and that's what people remember. When you're positive all the time, even if they send you a newsletter rather than an actual phishing attempt, they're going to remember that too.

Finally, I think one of the keys for working with the people who actually fell for these attacks is the personal response side. You can't see this, but if they use MFA on Facebook, they won't complain about corporate MFA, because they understand the intrinsic value it has to them personally, and it's much easier for them to see the value it has to your company if they already see the personal side. So when you work with these people and you start saying, "Oh, you should use multi-factor authentication, you should use a password manager," well, you're going to recommend 1Password, you're going to recommend LastPass, KeePass, all these different things. I don't think the best strategy is to tell them exactly what to do, because what works for you and what you're used to doing will not work for everybody else. It will not work for your colleagues who don't have the same technical aptitude; it won't work for your parents. My mom still writes all of her passwords in a notebook. That's not a problem. In my company it would be a problem, because people have access to different desks, things like that. No one goes into her dresser drawer to look at this notebook, so it works, and it's safe and secure. So you need to know what you can do to empower those choices at a personal level. I mean, how many people have parents that don't have different passwords for all their different accounts? Most people, right? In my case, I convinced my mom to do it by having her just write it down. She never forgets it, she never needs to reset her password, and now when she gets a password reset email saying "hey, you need to," she knows it's junk. So you need to really empower people to make those right choices for themselves, and that's them owning that part of security, which then comes back into your corporate world too. Another thing: if you can't explain the topics you're talking about to them, obviously they're going to have a little bit of a problem believing you in other areas. So preparation, even as you're working through the other processes of the incident response life cycle, it's important to remember to be prepared.

And then of course we have the post-incident problems. How are you going to prevent it from happening again? Because if it's happened once, it'll happen twice, it'll happen three times. It's unavoidable, in my opinion, in the kind of internet-based culture we have now; it's just too common for people to use these attack methods to really do harm to organizations. So you really want to use those security champions, those people that have that little pocket of ownership of security, who will help spread it throughout your organization, and more people will own security, and then it's free staff augmentation. Who wouldn't want to do less work? Granted, you'll have to do more deciding "no, that's not really phishing, it's spam," but that's a small price to pay for not actually having as many phishing incidents.

A huge, huge thing is when you start doing this training again and again and again. You're seeing it in more organizations where people are doing it even more often than yearly. There are a lot of regulations that say you have to do it every year; I think that's not always frequent enough in a lot of cases. Use these examples. Obviously don't name names and make people embarrassed, because that defeats the whole purpose of what we just talked about, but you should use real examples in your training, and they'll know that it happened to your company and they'll know that it could happen to them. They won't be nearly as embarrassed when something does happen, and they'll actually report it to you, and when they actually report it to you, you can do something to help them. That's the entire point.

Of course, you're also looking at how your support staff and your other security staff (should you be lucky enough to have any other security staff) reacted to their incident. That's a huge way you can improve the culture, because if you fix the way the support staff and your security staff handled it, it'll trickle down into all the other groups and people, and that information spreads through back channels in your organization. If they have a bad experience they're going to tell their peers, their colleagues; if they have good experiences they might do that too. That's really important, which is why I keep repeating it.

And of course you have to tune your logs and different recording frequencies, because you might be able to catch other attack types once you have indicators of compromise. That's one of the key takeaways here to me too: if you get one person that gets targeted in a phishing attack, they're probably going to fall for it. When one person gets targeted there's going to be such a perfect pretext that they are not going to be able to not click that button; that's just how human beings are built. If you get five people, ten people who get the email, which is much more common (an attacker wants a higher chance of success), that also increases your chance of detection, because all you really need is 10%. If 10% of your colleagues, your customer base, whatever the situation is, report phishing attempts, that means one out of every ten. You can take that information: the ten emails you got are probably from the same source, with the same sort of headers and other metadata you can look at for these indicators of compromise, and you'll find the person who did fall for it, because one other person reported it and didn't fall for it. That's your biggest way to actually detect that these things are happening in your environment.

So now we can open up to some key takeaways and contact information. I know it's kind of a running trope at this point to say "thanks for coming to my TED talk," but this was not technical at all, which makes it feel like a TED talk. And of course I do want to take one quick second to say what a great job a lot of the volunteers and staff here are doing with this. I'm staying at the hotel; I came down from New Jersey yesterday, and they were working crazy hours last night to make this event actually happen, so I'm going to give a quick round of applause for them.
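The detection point made near the end of the talk, that several reported copies of one phish give you headers and a lure URL to pivot on in your logs and find the recipient who did click, as an added example that is not part of the talk. It is Python written for this page, and everything in it is an assumption: the mail-gateway and web-proxy log line formats, the field names, the addresses and every log entry are constructed for illustration (the proxy log stands in for the firewall and DNS logs the speaker mentions), so the regexes must be adapted to whatever your gateway and proxy actually export. It goes one step past the talk by splitting the silent recipients into those the proxy saw POST to the lure, those who only fetched it, and those with no proxy evidence at all, which is the group you have to go and ask.

```python
"""Correlate reported copies of one phish with gateway and proxy logs.

Added example, not from the talk. Log formats, field names and every
entry below are constructed; real exports differ and the regexes
must be adapted to them.
"""
import re
from collections import defaultdict

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
# Constructed gateway line: ... from=<sender> rpath=<Return-Path> to=<rcpt> subject="..."
GW_RE = re.compile(r'from=(\S+) rpath=(\S+) to=(\S+) subject="([^"]*)"')
# Constructed proxy line: ... user=<user> method=<verb> url=<url> status=<code>
PX_RE = re.compile(r"user=(\S+) method=(\S+) url=(\S+) status=(\d+)")

# Two copies of the same lure that colleagues forwarded to the help desk.
REPORTED = [
    {"reporter": "alice@example.edu", "from": "ceo@example-edu.com",
     "return_path": "bounce@mail-sender.invalid",
     "subject": "Urgent: confirm your payroll account",
     "body": "Please log in at http://payroll-example-edu.invalid/login today."},
    {"reporter": "bob@example.edu", "from": "ceo@example-edu.com",
     "return_path": "bounce@mail-sender.invalid",
     "subject": "Urgent: confirm your payroll account",
     "body": "Please log in at http://payroll-example-edu.invalid/login today."},
]

GATEWAY_LOG = """\
2023-03-01T08:01:02 from=ceo@example-edu.com rpath=bounce@mail-sender.invalid to=alice@example.edu subject="Urgent: confirm your payroll account"
2023-03-01T08:01:03 from=ceo@example-edu.com rpath=bounce@mail-sender.invalid to=bob@example.edu subject="Urgent: confirm your payroll account"
2023-03-01T08:01:04 from=ceo@example-edu.com rpath=bounce@mail-sender.invalid to=carol@example.edu subject="Urgent: confirm your payroll account"
2023-03-01T08:01:05 from=ceo@example-edu.com rpath=bounce@mail-sender.invalid to=dave@example.edu subject="Urgent: confirm your payroll account"
2023-03-01T09:15:00 from=news@vendor.example rpath=news@vendor.example to=carol@example.edu subject="March newsletter"
"""

PROXY_LOG = """\
2023-03-01T08:04:11 user=carol@example.edu method=GET url=http://payroll-example-edu.invalid/login status=200
2023-03-01T08:04:40 user=carol@example.edu method=POST url=http://payroll-example-edu.invalid/login status=302
2023-03-01T08:30:00 user=dave@example.edu method=GET url=https://intranet.example.edu/ status=200
"""


def extract_indicators(reports):
    """Collect the metadata the reported copies share: sender, Return-Path,
    subject and lure URLs. Several reports that agree are the cluster to hunt."""
    ind = {"from": set(), "rpath": set(), "subject": set(), "urls": set()}
    for r in reports:
        ind["from"].add(r["from"].lower())
        ind["rpath"].add(r["return_path"].lower())
        ind["subject"].add(r["subject"])
        ind["urls"].update(URL_RE.findall(r["body"]))
    return ind


def find_recipients(gateway_log, ind):
    """Every mailbox the gateway delivered a message matching the cluster to."""
    hits = set()
    for line in gateway_log.splitlines():
        m = GW_RE.search(line)
        if not m:
            continue
        frm, rpath, to, subject = m.groups()
        if (frm.lower() in ind["from"] or rpath.lower() in ind["rpath"]
                or subject in ind["subject"]):
            hits.add(to.lower())
    return hits


def find_clickers(proxy_log, ind):
    """Map user -> HTTP methods used against a lure URL. A POST is the
    strongest sign that credentials were actually submitted."""
    clicks = defaultdict(set)
    for line in proxy_log.splitlines():
        m = PX_RE.search(line)
        if not m:
            continue
        user, method, url, _status = m.groups()
        if any(url.startswith(lure) for lure in ind["urls"]):
            clicks[user.lower()].add(method.upper())
    return dict(clicks)


def triage(reports, gateway_log, proxy_log):
    """Split recipients into reporters, likely victims, click-only and
    recipients with no proxy evidence (phone or home: go ask them)."""
    ind = extract_indicators(reports)
    reporters = {r["reporter"].lower() for r in reports}
    silent = find_recipients(gateway_log, ind) - reporters
    clicks = find_clickers(proxy_log, ind)
    victims = {u for u in silent if "POST" in clicks.get(u, set())}
    return {
        "reporters": reporters,
        "likely_victims": victims,
        "clicked_only": {u for u in silent if u in clicks} - victims,
        "no_proxy_evidence": silent - set(clicks),
    }


if __name__ == "__main__":
    for bucket, users in triage(REPORTED, GATEWAY_LOG, PROXY_LOG).items():
        print(f"{bucket}: {sorted(users)}")
```

Matching on any one of sender, Return-Path or subject is deliberately loose so that a campaign that rotates one field is still caught; the cost is that the gateway sweep can pull in unrelated mail, which is why the final buckets are driven by the proxy evidence against the lure URL rather than by the mail match alone. The "no_proxy_evidence" bucket is the one the talk is really about: those are the colleagues you have to call, and the relationship you have with them decides whether you get a straight answer.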
So if anybody has any questions, anything they want to talk about, I'm up here and I'll be wandering around for a while. So, anybody? Oh, yep, sorry, the lights are a little funky.

So, a product like KnowBe4. I think there are a lot of products like that, and I think any of them are good. Anything you can do to find out who the most vulnerable people are in your organization, the people who are most likely to fall for those phishing attempts. I assume we're talking about the capability to test, to send fake phishes. You can work with those people to explain to them what the dangers are, and then you also have a better chance, like I said, if you get one person that reports it: if one of those people that you know hasn't done well on the phishing tests, you can look more closely at them. Depending on the size of your organization it scales a little bit differently. If you have a smaller organization it's easy: you say, "Hey, I know this one person got it, I know this other person is likely to fall for something, let's make sure they didn't get it too." But I think it's better to use that for statistical data than it is to use it to represent people, things like that.

One thing I've heard of some companies doing, and I'm a big supporter of it, is to take a certain percentage of the people who reported the KnowBe4 phishing attempt and send them a gift card, like five bucks at Starbucks. People go bananas for a cup of coffee; it absolutely blows their mind, and it costs an organization, even if you send out a hundred of them, 500 bucks. Depending on the size of the organization, $500 could be 10% of the people who reported something from something like KnowBe4, and you're going to get a huge increase in people who report things, because they get that response: "then maybe they'll send me something." We haven't done that in my organization right now, but what we have done is, for the people who do report real phishing attempts, if it's one that could have caused us a real material loss, send them 15 bucks, 20 bucks to Starbucks, and they cannot believe we did that: "We were just doing our job." I know, but you actually did something way better than the other 15 people who didn't report it. And then they tell the 15 other people as it comes across in those lunchroom conversations: "IT staff sent me a gift card." "For what?" "Well, I reported an email." And then of course for the next two weeks after we do that we get like 400 spam messages, and I love each and every one of them, because that increases our chance of actually fixing the phishing problem. So I'm hoping that was a really long-winded answer to your question.

Anybody else? Somebody was right, the lights really... yeah, I just see a hand in the air. Sorry. That's a really... so, how do we keep leadership from actually blaming people? Luckily I work for an organization that lets me not blame people. That's a really good question. I think in a lot of cases it's just explaining to them what the risks in that are, taking something like the information we talked about today and bringing it back to them and saying, "If we convince people by our actions not to report things, here's what's going to happen; here's what happens when people don't report things." So it's like anything else in security: it's a lot of luck that you get the buy-in that you need from the people above. Sorry that's not a better answer; that's the honest truth.