Upgrade to Pro — share decks privately, control downloads, hide ads and more …

I Got 99 Email Problems, and Spearphishing Ain't One

bromiley
March 19, 2019
Technology
0
85

I Got 99 Email Problems, and Spearphishing Ain't One

When defenders think of email threats, they often think of spearphishing and how to defend against it. However, ask an attacker about email threats, and their opinion may be very different. Many attackers are taking advantage of email servers to gain footholds into the environment, steal accounts, or in some cases, even steal the entire Active Directory! Come join me for a fun night where we turn the tables back to blue.

In this talk, we are going to examine the other side of email threats. Via an examination of attack and detection techniques, attendees will walk away with greater knowledge of how these attacks are orchestrated. Furthermore, we are going to look at how to potentially detect and defend within your own environment.

bromiley

March 19, 2019
Tweet

More Decks by bromiley

See All by bromiley
Purple Packets - BSides Austin 2019
bromiley
0
270
SANS 2019 CTI Summit Keynote
bromiley
1
80
Event Logs? What Event Logs?
bromiley
0
35
Attacking the Hospitality and Gaming Industries: Tracking an Attacker Around the World in 7 Years
bromiley
0
130
Going Right to the Data, Part 2: An Advanced Look at MS SQL Forensic Analysis
bromiley
0
71
Database Forensics without the Database
bromiley
0
4.6k
Cache Me If You Can!
bromiley
1
430
Beef Up Your DFIR Toolbox with Elasticsearch
bromiley
0
220
NoSQL Forensics: What to do with (No)ARTIFACTS
bromiley
2
400

Other Decks in Technology

See All in Technology
開発パフォーマンスを最大化するための開発体制
ham0215
2
440
Azure犬駆動開発の記録/GlobalAzureFukuoka2024_20240420
nina01
1
220
エンジニア候補者向け資料2024.04.24.pdf
macloud
0
3.3k
私が trocco を推す理由
__allllllllez__
1
250
現代CSSフレームワークの内部実装とその仕組み
poteboy
7
3.6k
Além do else! Categorizando Pokemóns com Pattern Matching no JavaScript
wmsbill
0
640
非同期推論システムによるコスト削減と信頼性向上
koki_nishihara
0
260
ServiceNow Knowledge Learning Rise up
manarobot
0
210
オーナーシップを持つ領域を明確にする
konifar
13
3.2k
生産性向上チームの紹介
cybozuinsideout
PRO
1
870
Meta Quest 3 で動く桜マシマシ WebXR アプリを IBM Cloud Code Engine と Babylon.js で作った話
1ftseabass
PRO
0
120
よく聞くけど使ったことないソフトウェアNo.1 KafkaとSnowflake
foursue
4
360

Featured

See All Featured
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
marktimemedia
19
1.7k
Done Done
chrislema
178
15k
The Straight Up "How To Draw Better" Workshop
denniskardys
227
130k
BBQ
matthewcrist
80
8.8k
Writing Fast Ruby
sferik
621
60k
Java REST API Framework Comparison - PWX 2021
mraible
PRO
18
6.9k
Build your cross-platform service in a week with App Engine
jlugia
225
17k
Principles of Awesome APIs and How to Build Them.
keavy
121
16k
The Invisible Customer
myddelton
114
12k
GraphQLの誤解/rethinking-graphql
sonatard
50
9.2k
XXLCSS - How to scale CSS and keep your sanity
sugarenia
241
1.2M
Atom: Resistance is Futile
akmur
259
25k

Transcript

  1. I GOT 99 EMAIL PROBLEMS, AND SPEAR PHISHING AIN’T ONE

  2. HOW WE GOT HERE

  3. HOW WE GOT HERE What have we been saying for

    years? You must put MFA in front of everything!

  4. HOW WE GOT HERE What have applications been doing for

    years? Finding ways around it.

  5. HOW WE GOT HERE What have users been doing? Developing

    bad habits.

  6. HOW WE GOT HERE New Old

  7. HOW WE GOT HERE New Old Modern Authentication Basic Authentication

  8. HOW WE GOT HERE New Old Modern Authentication Basic Authentication

    Multi-Factor EWS, IMAP, POP

  9. HOW WE GOT HERE New Old Modern Authentication Basic Authentication

    Multi-Factor EWS, IMAP, POP O365/Cloud-Hosted On-Prem Needs

  10. WEAK AUTHENTICATION KEEPING YOU DOWN?

  11. WEAK AUTHENTICATION KEEPING YOU DOWN? • Many recent Exchange vulnerabilities

    have dealt with NTLM abuse • A recently-disclosed attack allows for privilege escalate via NTLM Relay + Exchange

  12. IN WITH THE NEW

  13. IN WITH THE NEW

  14. IN WITH THE NEW

  15. IN WITH THE NEW

  16. IN WITH THE NEW

  17. WEAK AUTHENTICATION KEEPING YOU DOWN? • Weak authentication is allowing

    more than advanced attacks… …it’s allowing attackers to use older tools and protocols.

  18. NIGERIA: DOING EMAIL RIGHT

  19. OUT WITH THE OLD

  20. not an actual forward acmeacb =/= acmeabc OUT WITH THE

    OLD

  21. IN WITH THE NEW

  22. OUT WITH THE OLD

  23. IN WITH THE NEW

  24. IN WITH THE NEW

  25. SPEAR PHISHING TECHNIQUES (I KNOW, WE SAID WE WOULDN’T TALK

    ABOUT THESE) • Transposed/Character Substitution Domains • Unicode Play • Email Body Encoding/Obfuscation • Anyone here know RFC 2047? • Encoded Email Header Data: Subject: =?utf- 8?B?0JDRgdGB0L51bnQgU3XRgNGA0L5ydCBO0L50aWZp0YHQsHRp 0L5uICNJRDox?==?utf-8?Q?72932?=

  26. TECHNIQUE CALL OUT: WEBSITE REPLICTION DATA ENCODING DATA OBFUSCTION SPEAR

    PHISHING LINK TARGETED CAMPAIGNS

  27. IN WITH THE NEW

  28. TECHNIQUE CALL OUT: AUTOMATED CREDENTIAL COLLECTION, NORMALIZATION, AND ENRICHMENT

  29. IN WITH THE NEW Once credentials are obtained, attackers will

    take two roads: 1) Synchronize mailboxes 1) Do this by subverting MFA with application passwords. 2) Learn flow of money. 2) Steal address books 1) Do this by using a Mac. 2) Learn who you trust.

  30. IN WITH THE NEW

  31. IN WITH THE NEW

  32. IN WITH THE NEW

  33. IN WITH THE NEW

  34. IN WITH THE NEW

  35. IN WITH THE NEW

  36. TECHNIQUE CLASSIFICATION: INTRA- and INTER-ORGANIZATIONAL LATERAL MOVEMENT VIA EMAIL

  37. IN WITH THE NEW

  38. IN WITH THE NEW

  39. IN WITH THE NEW

  40. TECHNIQUE CALL OUT: TRUSTED RELATIONSHIP ABUSE

  41. NOT YOUR MAILBOX ANYMORE • Subvert trust with address book

    sending • Implement Inbox Rules to forward, delete and hide mail • SMTP Forwarding • Searching for keywords (“wire”, “payment”, “invoice”, “remittance”) • MFA 0-Fs given • Application Passwords • Users accept anyways

  42. TECHNIQUE ROUNDUP • Well-Funded • Trusted Relationship Abuse • Intra-

    and Inter-Organizational Lateral Movement • Data Obfuscation • Data Encoding • Automated Credential Theft • Targeted Campaigns • Website Replication • Multiple Types of Spear phishing • MFA Bypass • Exfiltration via Email

  43. TECHNIQUE ROUNDUP • Well-Funded • Trusted Relationship Abuse • Intra-

    and Inter-Organizational Lateral Movement • Data Obfuscation • Data Encoding • Automated Credential Theft • Targeted Campaigns • Website Replication • Multiple Types of Spear phishing • MFA Bypass • Exfiltration via Email

  44. DEFENSE

  45. DEFEN(S|C)E

  46. None

  47. DEFENSE MATRIX – BEC STYLE Authentication Sender/Link Verification ACH Payments

    Multi-Factor Hover-Over Verbal Verify Strong Passwords Don’t Click Things Visual Verify Monitor Application Passwords External Address Flagging Invoice Template Signing Active Directory Integration DMARC Multi-Person Verification Post-Click URL Validation

  48. DEFENSE MATRIX – BEC STYLE Authentication Sender/Link Verification ACH Payments

    Recovery Multi-Factor Hover-Over Verbal Verify Notify FBI Strong Passwords Don’t Click Things Visual Verify Notify Bank Monitor Application Passwords External Address Flagging Invoice Template Signing Call Counsel Active Directory Integration DMARC Multi-Person Verification Change Passwords Post-Click URL Validation

  49. DEFENSE MATRIX – BEC STYLE Authentication Sender/Link Verification ACH Payments

    Recovery All Else Fails Multi-Factor Hover-Over Verbal Verify Notify FBI Unplug Internet Strong Passwords Don’t Click Things Visual Verify Notify Bank Go Home, Polish Resume Monitor Application Passwords External Address Flagging Invoice Template Signing Call Counsel Do Nothing. Active Directory Integration DMARC Multi-Person Verification Change Passwords Post-Click URL Validation

  50. DEFENSE MATRIX – BEC STYLE Authentication Sender/Link Verification ACH Payments

    Recovery All Else Fails Human Multi-Factor Hover-Over Verbal Verify Notify FBI Unplug Internet Funny Feeling Strong Passwords Don’t Click Things Visual Verify Notify Bank Go Home, Polish Resume Not Normal Monitor Application Passwords External Address Flagging Invoice Template Signing Call Counsel Do Nothing. “Not Done Like This” Active Directory Integration DMARC Multi-Person Verification Change Passwords Uncomfortabl e. Post-Click URL Validation

  51. DEFENSE MATRIX – BEC STYLE Authentication Sender/Link Verification ACH Payments

    Recovery All Else Fails Human Multi-Factor Hover-Over Verbal Verify Notify FBI Unplug Internet Funny Feeling Strong Passwords Don’t Click Things Visual Verify Notify Bank Go Home, Polish Resume Not Normal Monitor Application Passwords External Address Flagging Invoice Template Signing Call Counsel Do Nothing “Not Done Like This” Active Directory Integration DMARC Multi-Person Verification Change Passwords Uncomfortable Post-Click URL Validation Pay Attention

  52. HOW DO WE DEFEND AGAINST SPEAR PHISHING? We don’t.. We

    teach users to be better.

  53. ” “ SOLVING PROBLEMS TOGETHER

  54. None
  55. None
  56. None
  57. None
  58. None
  59. None
  60. None

  61. October 2013 – May 2016 $3.1bn in losses $3.168 mil/day

    Source: https://threatpost.com/fbi-email-scams-take-3-1-billion-toll-on-businesses/118696/

  62. October 2013 – June 2018 $12.5bn in losses $7.366 mil/day

    Source: https://www.ic3.gov/media/2018/180712.aspx

  63. I GOT 99 EMAIL PROBLEMS, AND SPEAR PHISHING AIN’T ONE

    BUT – IT’S USUALLY THE START

  64. ” “ Work Together.

  65. ” “ Work Together. We keep dreams afloat.

  66. Thank You. @mbromileyDFIR