Fighting Phishing I: Get phish or die tryin. Micah Nelson and Max Hyppolite
bit.ly/nercomp_sap918 Please don't forget to submit your feedback for today's session at the above URL. If you use social media, please use the following hashtag (aka pound sign): #NERCOMPPDO1
Phishing is a numbers game we can't win. It only takes one click. Sending costs very little. More scary gets more clicky.
Obligatory Stats Slide: 76% of businesses were the victim of a phishing attack in the past year. 95% of enterprise network attacks start with a spearphish. Phish open rate 30% / click rate 12%. 100% of phishing talks have a slide like this one.
What do we do about it?
Solutions: URL Rewriting (a link to http://noscamhere.com is shown as something.com/?=2uhe). Pros: defense against known bad URLs; works wherever email goes. Cons: will rewrite bad links too; limits user ability to spot bad links.
Solutions: Attachment Defense. Pros: removes malware from phishing messages before it arrives. Cons: doesn't stop unsafe links; may not stop new malware.
Solutions: External Tag in Email ("External Sender!"). Pros: alerts the user to the source of a message. Cons: internal phishing (BEC) made easier; mailing services may get tagged.
Solutions: Phish Bowls. Pros: engages users; shows examples; demonstrates risk. Cons: lots of effort on users to add; lots of effort to use; maintenance.
Solutions: Phishing Assessments. Pros: identifies risky groups and people; gives people a safe way to practice spotting phish. Cons: people may feel tricked; consequences.
Solutions: Awareness Training. Pros: customize information to your needs and risks; engages people. Cons: really tough to do correctly (more on this later).
What is our solution?
Report Phishing: forward phishing emails to phishing@harvard.edu
Phishing is a numbers game we can't win: it only takes one click, sending costs very little, more scary gets more clicky.
Phishing is a numbers game we can't win, unless we change the numbers: it only takes one report, reporting costs little, more scary gets more noticed.
How do you get people to report phishing? How do you get people to do anything?
The existing process: identify the phish, call the helpdesk / open a ticket, attach the full message with headers.
Behavior = Motivation + Ability + Trigger (B=MAT): I want to, I know how, and I remember.
Why people don't report, mapped to the model:
- Can't identify phishing (A)
- Don't know how to report (A)
- Don't want to open a ticket (M)
- Don't think it matters (M)
Can't identify phishing (A): too complicated / too simple. How does this make you feel?
Don't know how to report (A): phishing@harvard.edu
Don't think it matters (M): stories > stats. You're so smart.
Don't want to open a ticket (M): (phishing@harvard.edu)
Triggers (T): 1) Practice assessments 2) Printed materials 3) The phish itself
Increased motivation, decreased difficulty, added triggers.
Results: ~50 reports / month, then ~1000 / month. Success... Disaster!
To Be Continued!
Fighting Phishing 2: So long, and Thanks for all the phish! Micah Nelson and Max Hyppolite
Problem: [Chart of reported phish per month, Nov 2017 to Feb 2018; values shown: 1,241, 98, 790, 1,113.] Handling process: 1) Helpdesk 2) Call Christian
Mail Routing & Parsing: reported phish → Chum bucket → Parser → Splunk
Automated Response to Reporter. Subject: Reported Phish

Your phishing report was received. Thank you for alerting us to a potential phishing threat within Harvard!

What happens next? We take it from here and examine the message. If it is a phishing attack, we take steps to protect Harvard recipients and systems.

Was it phishing or a real message I need to address? Unfortunately, we cannot provide individual responses to each case of suspected phishing. If you think the message could be legitimate, verify with the source outside of email. For example, go directly to the website for your online account and log in; don't use the link in the email. If you received an unexpected file, call or text the sender to check with them; don't ask via email reply.

What if I already clicked? If you already clicked an unsafe link or opened a file attached to a suspicious message, contact your local IT Support.

More questions? For tips on identifying phishing messages and how we use your phishing reports, visit http://security.harvard.edu/click-wisely.
What are we going to do with all of these phish? What problem are we trying to solve? Investigate every message? No. Block every phish? No. Stop only phish that impact Harvard? Yes:
- Harvard accounts sending phish
- Protect VIP recipients
- Harvard services being spoofed
- Important external services being spoofed
What are we going to do with all of these phish? Phish reporting is a threat feed. We don't respond to everything. We automate, triage, and respond as appropriate.
Phishing Framework:
New event → Phishing/Spam triage (message, payload). Spam → close. Phishing → investigation.
Investigation: - Who sent it? - Who received it? - What do they want? - Attachment? - Link? - Instructions? - Sophisticated forgery? - VIP recipients? → Level of sophistication
Determine scope: - Click rate - Submission rate - After action review for large or impactful events
Response (by impact): - Change password - DNS blocking - Google reporting - CrowdStrike containment
Automation: the same framework, revisited to show where the steps are automated.
Triage buckets: "$$$" bad-looking legit email, spam, possible phish.
Splunk Processing & Alerting:
- Filter out the noise: prescription drugs, known false positives
- Parse forwarded headers: grab sender, grab subject, grab URLs, grab file hashes
- Every 30 min: strip out previously alerted phish, send out new alert
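To make the parsing and alerting stage concrete, here is an added example in Python (not the Harvard team's parser or their Splunk searches): it parses reports forwarded to a phishing mailbox, extracts the original sender, subject, URLs and attachment hashes, drops pharmacy noise and known false-positive senders, and on each scheduled run suppresses phish whose indicators were already alerted. The noise lists, the mailbox address phishing@example.test and all sample messages are constructed for the example.

```python
import email
import email.utils
import hashlib
import re
from dataclasses import dataclass
from email import policy
from email.message import EmailMessage

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
# Header lines that end up in the body when a user forwards a message inline.
FWD_HEADER_RE = re.compile(r"^(From|Subject|Date|To):[ \t]*(.+)$", re.MULTILINE)

# Constructed noise filters; in production these live in a lookup table so
# analysts can extend them without touching the parser.
NOISE_TERMS = ("prescription", "pharmacy", "viagra", "cialis")
KNOWN_FALSE_POSITIVE_SENDERS = {"newsletter@vendor.example"}


@dataclass
class Report:
    reporter: str
    original_sender: str      # "" when the forwarded text carried no From: line
    subject: str
    urls: list
    attachment_hashes: list

    def indicators(self) -> set:
        """Everything an alert is keyed on; the dedup set is built from these."""
        return {i for i in [*self.urls, *self.attachment_hashes, self.original_sender] if i}


def parse_forwarded_report(raw: bytes) -> Report:
    """Extract sender, subject, URLs and SHA-256 of attachments from one forwarded report."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body, hashes = "", []
    for part in msg.walk():
        if part.is_attachment():
            hashes.append(hashlib.sha256(part.get_payload(decode=True)).hexdigest())
        elif part.get_content_type() == "text/plain":
            body += part.get_content()
    fwd = {name.lower(): value.strip() for name, value in FWD_HEADER_RE.findall(body)}
    sender = email.utils.parseaddr(fwd.get("from", ""))[1].lower()
    subject = fwd.get("subject", str(msg["Subject"] or ""))
    urls = sorted({u.rstrip(".,;)") for u in URL_RE.findall(body)})
    return Report(str(msg["From"]), sender, subject, urls, hashes)


def is_noise(report: Report) -> bool:
    """Drop pharmacy spam and senders already confirmed as false positives."""
    text = f"{report.subject} {' '.join(report.urls)}".lower()
    return any(t in text for t in NOISE_TERMS) or report.original_sender in KNOWN_FALSE_POSITIVE_SENDERS


def triage(raw_reports, already_alerted: set) -> list:
    """One scheduled run: parse, drop noise, drop phish whose indicators were alerted
    in an earlier run, and record the rest. already_alerted is the state carried
    between runs and is updated in place."""
    alerts = []
    for raw in raw_reports:
        rep = parse_forwarded_report(raw)
        if is_noise(rep):
            continue
        new = rep.indicators() - already_alerted
        if not new:
            continue              # same phish, reported by another user
        already_alerted |= new
        alerts.append(rep)
    return alerts


def build_report(reporter: str, body: str, attachment: bytes = None) -> bytes:
    """Construct a sample report (test data, not a captured message)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = reporter, "phishing@example.test", "FW: suspicious"
    m.set_content(body)
    if attachment is not None:
        m.add_attachment(attachment, maintype="application", subtype="octet-stream", filename="invoice.bin")
    return m.as_bytes()


PAYROLL_PHISH = ("---------- Forwarded message ----------\n"
                 "From: Payroll <hr-payroll@evil.example>\n"
                 "Subject: Update your direct deposit\n\n"
                 "Click here: http://evil.example/login.\n")
MALWARE_BYTES = b"MZ constructed sample bytes, not real malware"
SAMPLE_REPORTS = [
    build_report("alice@example.test", PAYROLL_PHISH),
    build_report("bob@example.test", PAYROLL_PHISH),                                   # duplicate
    build_report("carol@example.test", "From: deals@pills.example\nSubject: Cheap prescription meds\n"
                                       "http://pills.example/buy\n"),                  # noise
    build_report("dave@example.test", "From: finance@evil2.example\nSubject: Invoice attached\n",
                 attachment=MALWARE_BYTES),
]

if __name__ == "__main__":
    seen = set()
    for rep in triage(SAMPLE_REPORTS, seen):
        print(f"ALERT sender={rep.original_sender} subject={rep.subject!r} "
              f"urls={rep.urls} sha256={rep.attachment_hashes}")
    print("second run, nothing new:", triage(SAMPLE_REPORTS, seen))
```

Run twice over the same four reports, the first run raises two alerts (the payroll phish once, despite two reporters, and the attachment phish) and the second run raises none, which is the "strip out previously alerted phish" step; the pharmacy message never reaches an alert because the noise filter drops it before dedup.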
Investigating Phish: review DNS queries, review Bro queries, snapshot, check CrowdStrike dashboard.
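The "determine scope" step above (click rate, submission rate) and the DNS review can be shown together. This is an added Python example, not the team's dashboard or any real Splunk search: it reads a constructed log in the shape of a Zeek (then Bro) dns.log reduced to three columns, finds which internal hosts resolved the phishing domain or a subdomain after the phish arrived, turns that into click and submission rates, and emits the Response Policy Zone records that would sink the domain for the DNS-blocking response. The domain evil.example, the timestamps and the recipient counts are constructed.

```python
from dataclasses import dataclass

# Constructed sample in the shape of a Zeek dns.log, reduced to the three
# columns used here (a real dns.log carries many more fields).
SAMPLE_DNS_LOG = """#fields\tts\tid.orig_h\tquery
1517400000.000\t10.1.2.5\tevil.example
1517486400.123\t10.1.2.3\tevil.example
1517486460.456\t10.1.2.4\tlogin.evil.example
1517486500.000\t10.1.2.3\tevil.example
1517486520.000\t10.1.9.9\tnotevil.example
"""


def parse_zeek_log(text: str) -> list:
    """Parse a tab-separated Zeek log using its #fields header; other # lines are skipped."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue
        elif fields:
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def in_domain(query: str, domain: str) -> bool:
    """True for the domain itself or any subdomain; 'notevil.example' must not match."""
    q, d = query.lower().rstrip("."), domain.lower().rstrip(".")
    return q == d or q.endswith("." + d)


def hosts_resolving(rows: list, domain: str, since_ts: float) -> set:
    """Source hosts that looked up the phish domain after the phish arrived.
    A lookup is only a proxy for a click: mail-client link previews and URL
    scanners resolve names too, so confirm with proxy or EDR data before acting."""
    return {r["id.orig_h"] for r in rows
            if float(r["ts"]) >= since_ts and in_domain(r["query"], domain)}


@dataclass
class Scope:
    recipients: int
    reporters: int
    clickers: int

    @property
    def click_rate(self) -> float:
        return self.clickers / self.recipients

    @property
    def submission_rate(self) -> float:
        return self.reporters / self.recipients


def rpz_records(domain: str) -> list:
    """RPZ lines that return NXDOMAIN for the domain and its subdomains (CNAME . sinks the name)."""
    return [f"{domain} CNAME .", f"*.{domain} CNAME ."]


def scope_phish(dns_log_text: str, domain: str, phish_ts: float, recipients: int, reporters: int):
    rows = parse_zeek_log(dns_log_text)
    clickers = hosts_resolving(rows, domain, phish_ts)
    return Scope(recipients, reporters, len(clickers)), clickers


if __name__ == "__main__":
    scope, hosts = scope_phish(SAMPLE_DNS_LOG, "evil.example", 1517486000.0, recipients=20, reporters=5)
    print(f"hosts resolving after delivery: {sorted(hosts)}")
    print(f"click rate {scope.click_rate:.0%}, submission rate {scope.submission_rate:.0%}")
    print("\n".join(rpz_records("evil.example")))
```

In the sample, host 10.1.2.5 looked the domain up a day before the phish was delivered and is excluded by the time window, and notevil.example is excluded by the subdomain check, leaving two of twenty recipients as probable clickers.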
Splunk Dashboard main screen: enter the domain name or IP address of the bad domain. [Phishing dashboard detail screenshots follow.]
Key Takeaways. Part One: Phishing is a numbers game. You can flip the tables on phish. Behaviors can change (B=MAT). Part Two: Phishing reports are threat feeds. Volume can be filtered down. Remaining data is actionable.
Questions? Part One: How do you engage people? Do you teach people not to send in spam? Isn't awareness a big waste of time? Part Two: What tools do you use to investigate? How long does it take to react? Can I use your malicious email picture?