Fighting Phishing I: Get phish or die tryin.


Fighting Phishing I: Get phish or die tryin. Micah Nelson and Max Hyppolite

bit.ly/nercomp_sap918. Please don't forget to submit your feedback for today's session at the above URL. If you use social media, please use the following hashtag (aka pound sign): #NERCOMPPDO1

Phishing is a numbers game we can't win.

Phishing is a numbers game we can't win: it only takes one click, sending costs very little, and more scary gets more clicky.

Obligatory Stats Slide: 76% of businesses were the victim of a phishing attack in the past year; 95% of enterprise network attacks start with a spearphish; phish open rate 30%, click rate 12%; 100% of phishing talks have a slide like this one.

What do we do about it?

Solutions: URL Rewriting. A link such as http://noscamhere.com arrives rewritten as something like something.com/?=2uhe. Pros: defense against known bad URLs; works wherever email goes. Cons: will rewrite bad links too; limits the user's ability to spot bad links.

Solutions: Attachment Defense. Pros: removes malware from phishing messages before it arrives. Cons: doesn't stop unsafe links; may not stop new malware.

Solutions: External Tag in Email ("External Sender!"). Pros: alerts the user to the source of a message. Cons: internal phishing (BEC) made easier; mailing services may get tagged.

Solutions: Phish Bowls. Pros: engages users; shows examples; demonstrates risk. Cons: lots of effort on users to add; lots of effort to use; maintenance.

Solutions: Phishing Assessments. Pros: identifies risky groups and people; gives people a safe way to practice spotting phish. Cons: people may feel tricked; consequences.

Solutions: Awareness Training. Pros: customize information to your needs and risks; engages people. Cons: really tough to do correctly (more on this later).

What is our solution?

Report Phishing: forward phishing emails to phishing@harvard.edu

Phishing is a numbers game we can't win: it only takes one click, sending costs very little, and more scary gets more clicky.

Phishing is a numbers game we can't win, unless we change the numbers: it only takes one report, reporting costs little, and more scary gets more noticed.

How do you get people to report phishing?

How do you get people to do anything?

The reporting process: 1) identify phish, 2) call helpdesk / open ticket, 3) attach full message with headers.

Behavior: Ability, Motivation, Trigger (I want to, I know how, and I remember).

Why people don't report: can't identify phishing; don't want to open a ticket; don't know how to report; don't think it matters.

Mapped onto the model: Motivation (M): don't want to open a ticket, don't think it matters. Ability (A): can't identify phishing, don't know how to report.

Can't identify phishing (A): too complicated; too simple; how does this make you feel?

Don't know how to report (A): phishing@harvard.edu

Don't think it matters (M): stories > stats; "You're so smart."

Don't want to open a ticket (M): (phishing@harvard.edu)

Triggers (T): 1) practice assessments, 2) printed materials, 3) the phish itself.

Increased Motivation Decreased Difficulty Added Triggers

Results

~50 reports / month

~1000 reports / month

Success disaster!

To Be Continued!

Fighting Phishing 2: So long, and Thanks for all the phish! Micah Nelson and Max Hyppolite


Problem (chart): values 1,241, 98, 790 and 1,113 plotted for Nov 2017, Dec 2017, Jan 2018 and Feb 2018, with the reporting paths labelled 1) Helpdesk and 2) Call Christian.

Mail Routing & Parsing: reported phish flow into the "Chum bucket" mailbox, through the Parser, and into Splunk.

Automated Response to Reporter (subject: Reported Phish):

Your phishing report was received. Thank you for alerting us to a potential phishing threat within Harvard!

What happens next? We take it from here and examine the message. If it is a phishing attack, we take steps to protect Harvard recipients and systems.

Was it phishing or a real message I need to address? Unfortunately, we cannot provide individual responses to each case of suspected phishing. If you think the message could be legitimate, verify with the source outside of email. For example, go directly to the website for your online account and log in; don't use the link in the email. If you received an unexpected file, call or text the sender to check with them; don't ask via email reply.

What if I already clicked? If you already clicked an unsafe link or opened a file attached to a suspicious message, contact your local IT Support.

More questions? For tips on identifying phishing messages and how we use your phishing reports, visit http://security.harvard.edu/click-wisely.

What are we going to do with all of these phish? What problem are we trying to solve? Investigate every message? No. Block every phish? No. Stop only phish that impact Harvard? Yes. That means: Harvard accounts sending phish; protecting VIP recipients; Harvard services being spoofed; important external services being spoofed.

What are we going to do with all of these phish? Phish reporting is a threat feed. We don't respond to everything; we automate, triage, and respond as appropriate.

Phishing Framework:
- New event -> Phishing/Spam triage (message, payload). Spam: close. Phishing: investigation.
- Investigation: Who sent it? Who received it? What do they want? Attachment? Link? Instructions? Sophisticated forgery? VIP recipients? Level of sophistication.
- Determine scope: click rate; submission rate; after-action review for large or impactful events.
- Response, by impact: change password; DNS blocking; Google reporting; CrowdStrike containment.

Automation: the same framework, revisited to show which of its steps are automated.

Buckets a reported message lands in: $$$; bad-looking legit email; spam; possible phish.

Splunk Processing & Alerting:
- Filter out the noise: prescription drugs; known false positives.
- Parse forwarded headers: grab sender; grab subject; grab URLs; grab file hashes.
- Every 30 min: strip out previously alerted phish; send out new alert.
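As an added example (not the presenters' code or Harvard's pipeline), the Python below sketches the steps of the Splunk processing slide above: parse the forwarded headers out of a user's report, grab sender, subject, URLs and file hashes, filter out drug spam and known false positives, then strip anything already alerted on and emit only the new alerts. Everything in it is constructed for the demo: the sample reports, addresses and domains, the allowlist, the noise terms, the hash, and the decision to key a phish on sender plus subject.

```python
"""Triage of user-reported phish: parse forwarded headers, filter noise,
extract indicators, suppress phish already alerted on. Added example, not
the presenters' code; every report, address, URL and hash is constructed."""
import re
from email import message_from_string, policy
from email.message import EmailMessage

NOISE_TERMS = ("viagra", "cialis", "pharmacy", "prescription")   # drug-spam filter
KNOWN_FALSE_POSITIVES = {"newsletter@bulk.example.edu"}          # assumed allowlist
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
HASH_RE = re.compile(r"\b(?:[0-9a-f]{64}|[0-9a-f]{40}|[0-9a-f]{32})\b", re.I)
HDR_RE = re.compile(r"^(From|Subject):[ \t]*(.+)$", re.I | re.M)
ADDR_RE = re.compile(r"<([^>]+)>|([^\s<>]+@[^\s<>]+)")

def _text(msg: EmailMessage) -> str:
    body = msg.get_body(preferencelist=("plain",))
    return body.get_content() if body else ""

def extract_indicators(report: EmailMessage) -> dict:
    """Sender, subject, URLs and hashes of the message a user forwarded, whether
    the original is attached as message/rfc822 or its headers are pasted inline."""
    original = next((p.get_payload(0) for p in report.walk()
                     if p.get_content_type() == "message/rfc822"), None)
    if original is not None:
        sender, subject, text = original["From"] or "", original["Subject"] or "", _text(original)
    else:
        text = _text(report)
        hdrs = {k.lower(): v.strip() for k, v in HDR_RE.findall(text)}
        sender, subject = hdrs.get("from", ""), hdrs.get("subject", "")
    m = ADDR_RE.search(sender)
    return {
        "sender": (m.group(1) or m.group(2)).lower() if m else sender.lower(),
        "subject": subject.strip(),
        "urls": sorted({u.rstrip(".,;)") for u in URL_RE.findall(text)}),
        "hashes": sorted({h.lower() for h in HASH_RE.findall(text)}),
    }

def is_noise(ind: dict) -> bool:
    """Drop drug spam and senders already cleared as benign."""
    hay = (ind["subject"] + " " + " ".join(ind["urls"])).lower()
    return ind["sender"] in KNOWN_FALSE_POSITIVES or any(t in hay for t in NOISE_TERMS)

def triage(raw_reports: list, already_alerted: set) -> list:
    """One scheduled run (the slide's 'every 30 min'): parse, filter, drop phish
    already alerted on, return the new alerts. A phish is keyed on sender +
    subject (our assumption) so many reports of one campaign become one alert."""
    alerts = {}
    for raw in raw_reports:
        ind = extract_indicators(message_from_string(raw, policy=policy.default))
        key = f"{ind['sender']}|{ind['subject'].lower()}"
        if is_noise(ind) or key in already_alerted:
            continue
        entry = alerts.setdefault(key, {"sender": ind["sender"], "subject": ind["subject"],
                                        "urls": set(), "hashes": set(), "reports": 0})
        entry["urls"].update(ind["urls"])
        entry["hashes"].update(ind["hashes"])
        entry["reports"] += 1
    already_alerted.update(alerts)          # remembered for the next run
    for e in alerts.values():
        e["urls"], e["hashes"] = sorted(e["urls"]), sorted(e["hashes"])
    return list(alerts.values())

# Constructed sample reports sent to the reporting mailbox (not real messages).
INLINE_FORWARD = """From: alice@example.edu
Subject: FW: Payroll update required

---------- Forwarded message ----------
From: Payroll Team <payroll@hr-example.test>
Subject: Payroll update required

Confirm your account at https://hr-example.test/login before Friday.
"""
ATTACHED_FORWARD = """From: bob@example.edu
Subject: FW: Invoice attached
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: message/rfc822

From: billing@invoice-example.test
Subject: Invoice 4471 overdue

Pay at http://invoice-example.test/pay or open the file (sha256 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef).
--b1--
"""
DRUG_SPAM = """From: carol@example.edu
Subject: FW: meds

From: deals@pills-example.test
Subject: Discount pharmacy, no prescription needed
Shop at http://pills-example.test/shop
"""
SAMPLE_REPORTS = [INLINE_FORWARD, ATTACHED_FORWARD, DRUG_SPAM,
                  INLINE_FORWARD.replace("alice@", "dan@")]   # second reporter, same phish

def run_demo():
    seen = set()
    first = triage(SAMPLE_REPORTS, seen)    # first run: two new alerts
    second = triage(SAMPLE_REPORTS, seen)   # same mailbox 30 min later: nothing new
    return first, second
```

The first run collapses the two reports of the payroll phish into one alert with a report count of 2, keeps the invoice phish with its URL and hash, and discards the pharmacy spam; the second run over the same mailbox returns nothing, which is the "strip out previously alerted phish" step. The inline-header heuristic is the fragile part in practice: quoted replies and localized "From:" labels both confuse it, which is one reason to ask reporters to forward the full message with headers.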

Investigating Phish: review DNS queries; review Bro queries; snapshot; check CrowdStrike dashboard.

Splunk Dashboard, main screen: enter the domain name or IP address of the bad domain.

Phishing dashboard, detailed views (continued over several slides).

Key Takeaways. Part One: phishing is a numbers game; you can flip the tables on phish; behaviors can change (B=MAT). Part Two: phishing reports are threat feeds; volume can be filtered down; remaining data is actionable.

Questions? Part One: How do you engage people? Do you teach people not to send in spam? Isn't awareness a big waste of time? Part Two: What tools do you use to investigate? How long does it take to react? Can I use your malicious email picture?
