Fighting Phishing I: Get phish or die tryin.

Size: px

Start display at page:

Download "Fighting Phishing I: Get phish or die tryin."

Giles Cummings
5 years ago
Views:

1 Fighting Phishing I: Get phish or die tryin. Micah Nelson and Max Hyppolite

2 bit.ly/nercomp_sap918 Please, don t forget to submit your feedback for today s session at the above URL. If you use social media please, use the following hashtag (aka Pound sign) --#NERCOMPPDO1

3 Phishing is a numbers game we can t win.

4 Phishing is a numbers game we can t win. It only takes One click Sending costs Very little More Scary gets More Clicky

5 Obligatory Stats Slide 76% 95% 30% 12% Businesses that were victim of Phishing attack in past year. Enterprise Network attacks that Start with Spearphish Phish Open Rate / Click Rate 100%

6 Obligatory Stats Slide 76% 95% 30% 12% 100% Businesses that were victim of Phishing attack in past year. Enterprise Network attacks that Start with Spearphish Phish Open Rate / Click Rate Phishing talks with a slide like This one.

7 What do we do about it?

8 Solutions Defense against known bad URLS Works wherever goes something.com/?=2uhe URL Rewriting Will rewrite bad links too Limits user ability to spot bad links

9 Solutions Removes malware from phishing messages before it arrives Attachment Defense Doesn t stop unsafe links May not stop new malware

10 Solutions Alerts the user to the source of a message External Sender! External Tag in Internal phishing (BEC) made easier Mailing services may get tagged

11 Solutions Engages users Shows examples Demonstrates Risk Phish Bowls Lots of effort on users to add Lots of effort to use Maintenance

12 Solutions Identifies risky groups and people Gives people a safe way to practice spotting phish People may feel tricked Consequences Phishing Assessments

13 Solutions Customize information to your needs and risks Engages people Really tough to do correctly (More on this later) Awareness Training

14 What is our solution?

15 Report Phishing Forward phishing s to

16 Phishing is a numbers game we can t win. It only takes One click Sending costs Very little More Scary gets More Clicky

17 Phishing is a numbers game we can t win, unless we Change the numbers. It only takes One report Reporting Costs little More Scary gets More Noticed

18 How do you get people to Report Phishing?

19 Do Anything How do you get people to Report Phishing?

20 Identify Phish Call Helpdesk / Open Ticket Attach Full Message With Headers

22 Behavior Ability Motivation Trigger (I want to, I know how, and I remember)

23 Can t Identify Phishing Don t want to Open Ticket Don t know how to report Don t think it matters

24 Don t want to open a ticket Don t think it matters M Can t Identify Phishing Don t know how to report A

25 Can t Identify Phishing A

26 Can t Identify Phishing A Too Complicated Too Simple

27 Can t Identify Phishing A How does this make you feel?

28 Don t Know How to Report A phishing@harvard.edu

29 Don t Know How to Report A phishing@harvard.edu

30 Don t think it matters M Stories > Stats

31 Don t think it matters M

32 Don t think it matters M You re so smart

33 Don t want to open a ticket M (phishing@harvard.edu)

34 Triggers T 1) Practice Assessments 2) Printed Materials 3) The Phish Itself

35 Increased Motivation Decreased Difficulty Added Triggers

36 Results

37 ~50 / Month

38 ~1000 / Month

39 Success Disaster!

40 To Be Continued!

41 Fighting Phishing 2: So long, and Thanks for all the phish! Micah Nelson and Max Hyppolite

42 42

43 43

44 Problem 1, ,113 1) Helpdesk 2) Call Christian Nov 2017 Dec 2017 Jan 2018 Feb

46 Mail Routing & Parsing PHISH PHISH PHISH Chum bucket ParseR Splunk 46

47 Automated Response to Reporter Reported Phish Your phishing report was received. Thank you for alerting us to a potential phishing threat within Harvard! What happens next? We take it from here and examine the message. If it is a phishing attack, we take steps to protect Harvard recipients and systems. Was it phishing or a real message I need to address? Unfortunately, we cannot provide individual responses to each case of suspected phishing. If you think the message could be legitimate, verify with the source outside of . For example, go directly to the website for your online account and log in don t use the link in the . If you received an unexpected file, call or text the sender to check with them don t ask via reply. What if I already clicked? If you already clicked an unsafe link or opened a file attached to a suspicious message, contact your local IT Support. 47 More questions? For tips on identifying phishing messages and how we use your phishing reports, visit

48 What are we going to do with all of these phish? What problem are we trying to solve? Investigate every message? No. Block every phish? No. Stop only phish that impact Harvard? Yes. Harvard accounts sending Phish Protect VIP recipients Harvard services being spoofed Important external services being spoofed 48

49 What are we going to do with all of these phish? Phish Reporting is a Threat Feed We don t respond to everything We automate, triage, and respond as appropriate. 49

50 Phishing Framework New Event Phishing/ Spam Triage Message Payload Phishing Spam Close Investigation - Who sent it? - Who received it? - What do they want? - Attachment? - Link? - Instructions? - Sophisticated forgery? - VIP Recipients? Level of Sophistication Determine Scope - Click rate - Submission Rate - After action review for large or impactful events Response Impact - Change Password - DNS Blocking - Google Reporting - CrowdStrike Containment 50

51 Automation New Event Phishing/ Spam Triage Message Payload Phishing Spam Close Investigation - Who sent it? - Who received it? - What do they want? - Attachment? - Link? - Instructions? - Sophisticated forgery? - VIP Recipients? Level of Sophistication Determine Scope - Click rate - Submission Rate - After action review for large or impactful events Response Impact - Change Password - DNS Blocking - Google Reporting - CrowdStrike Containment 51

52 $$$ Bad-Looking Legit Spam Possible Phish

53 Splunk Processing & Alerting Splunk - Filter out the noise: - Prescription Drugs - Known False Positives - Parse forwarded headers - Grab sender - Grab subject - Grab URLs - Grab file hashes - Every 30min: - Strip out previously alerted phish - Send out new Alert 53

54 Investigating Phish Review DNS queries Review Bro queries Snapshot Check Crowdstrike Dashboard 54

56 Splunk Dashboard Main Screen Enter the Domain Name or IP address of the Bad Domain 56

57 Phishing Dash Board Detailed cont 57

58 Phishing Dash Board Detailed cont 58

59 Phishing Dash Board Detailed cont 59

60 Key Takeaways Phishing is a Numbers Game. You can flip the tables on phish. Behaviors can change (B=MAT). Phishing reports are threat feeds. Volume can be filtered down. Remaining data is actionable. Part One Part Two

61 Questions? How do you engage people? Do you teach people not to send in spam? Isn t awareness a big waste of time? Part One What tools do you use to investigate? How long does it take to react? Can I use your malicious picture? Part Two

62 bit.ly/nercomp_sap918 Please, don t forget to submit your feedback for today s session at the above URL. If you use social media please, use the following hashtag (aka Pound sign) --#NERCOMPPDO1

One Phish, Two Phish, Three! Building an Active Threat Management Framework for Malicious

One Phish, Two Phish, Three! Building an Active Threat Management Framework for Malicious Email - Ron Weiss, Incident Response Team lead Disclaimer: The information in this presentation is based on lessons