One Phish, Two Phish, Three! Building an Active Threat Management Framework for Malicious

Transcription

1 One Phish, Two Phish, Three! Building an Active Threat Management Framework for Malicious - Ron Weiss, Incident Response Team lead

2 Disclaimer: The information in this presentation is based on lessons I have learned (often the hard way) while working digital investigations in both the private and public sectors. All information is based on research and real life security incidents. Any examples have been anonymized to protect the parties involved in any of these matters.

3 Goals of this Talk Understand how phishers work! Dissect a phish so we know what to look for Explore techniques to proactively hunt for malicious that made it past your defenses Optimize the reporting of malicious Discuss how to use and share phishing threat data with the HITRUST CTX

4 Premise of this Presentation: Phishers gotta phish! Security Controls will not catch everything! Users gonna click!

5 The Threat Landscape Electronic mail is an important business tool that is being subverted for malicious purposes. Too much trust in and the associated security controls. is an effective delivery vehicle to get inside of an organization!

6 How much Phishing is out there? 2015:

7 Phishing and Consequences

8 More Recent Headlines:

9 Ever Growing Threat 2016: h5ps://nakedsecurity.sophos.com/2016/02/22/irs-reports-400-increase-in-phishing-malware-in-the-past-12- months/

10 An Ever Present Threat 1995: h5p://simson.net/clips/1995/95.sjmn.aol_hackers.html

11 Deceit/Social Engineering

12 Sometimes all you have to do is ask the right way:

13 Business Compromise and Spoofing (BEC and BES) W2 Phishing Wire Transfer

14 Credential Theft

15 Malicious Payloads Malicious Links Malicious Attachments

16 Invoice in a ZIP to Infect Machines

17 Multiple Payloads and Themes Malicious Office Documents Strange File Types

18 Anatomy for Threat Hunting 1. Header and Header Fields 2. Subject Line and the Message Body 3. Payloads: URLs and Attachments 4. Message Theme and the Business Operations Context

19 1. The Header Sender Address Reply To Address Subject Line Attachment (name, type) Advanced: Does the originating IP address match the responsible organization?

20 2. Subject and Content 1. Generic? Sense of pressure or urgency? 2. Strange URLs or attachments? 3. Is this the way things are normally done or an expected element of an existing project? 4. The usual: Spelling, grammar, etc.

21 3. Payloads: URLs and Attachments Malicious often contains a payload in the form of an attachment or malicious link or both! File type, file name, file size, file contents URL Display Text versus the Actual Address Do these elements match normal messages and/or contain anomalies?

22 4. Business Context Is this part of a current business effort or project? Is this the normal way that this user or process operates? If I followed through with this request could it have an impact if malicious?

23 Hunting What it is: Active Searching Proactive Analysis Research Why should I hunt? Stopping threats before they have an impact Learn how attackers operate and adjust Reducing dwell time

24 Review of Logs Take indicators of threat intel and search your mail feed for them. If you use only a single data point for searching or you make the search parameters to strict you may miss some of the phish Success by searching with keywords from the phishing theme and attachment types

25 Review of Filtering and A/V Activity Your controls caught one, but did it catch all of them? Retrospective Analysis

26 Other Investigative Patterns User Web Activity Do you monitor user web activity? Threat Intel? High Risk Users Analyzing the links and attachments received by users that could impact the organization if compromised. Malware Investigations If you find an infected system infected do you determine how it was compromised?

27 Things to know about a phish How many did the organization receive? How many of the suspicious messages were delivered to your employees? Were any of the recipients critical users? How many users reported the suspicious message? How many opened the attachment or clicked on the link?

28 Build up your Birdies! Show them how to identify phishing indicators Teach em what attackers are doing Make it easy for them to REPORT suspicious !

29 Malicious Identification Flyer

30 Treat Users Well Ø Robot versus Suit or Geek versus Business - Don t make your community feel stupid! Ø Communicate and learn from each other - Building a relationship will help when incidents occur Ø Create Cyber-Security Liaisons/Attachés! - Send Situational Alerts - Expedite reporting when suspicious is discovered

31 Phishing and HITRUST CTX Repository for threat indicators and information about phishing threats from multiple sources. Basic offering is free! Investigative platform that can be used add context to investigations. Share and Receive threat indicators with the HITRUST community via an automated and secure manner. Integrate HITRUST CTX with your Enterprise security monitoring infrastructure for the most value

32 Phishing Threat Indicators in HITRUST CTX Phishing Domain, Phishing Address Phishing IP Phishing IPv6 Phishing URL Compromised Account Malware APT Subject Line APT APT Mail Transfer Agent

33 Threat Bulletins More detailed reports about threats Bulletins can be updated Community members can add additional information to the bulletin.

34 Threat Bulletin with Indicators

35 CTX Conversations

36 Sandbox for Payloads Analyze attachments and URLs Grab network and other indicators that you can act on and share

37 Sharing Phishing Related IOCs Header Info Payloads and their associated indicators if executed Theme and Content Share and Learn from your Peers!