Slide 1

I GOT 99 EMAIL PROBLEMS, AND SPEAR PHISHING AIN’T ONE

Slide 2

HOW WE GOT HERE

Slide 3

HOW WE GOT HERE

What have we been saying for years? You must put MFA in front of everything!

Slide 4

HOW WE GOT HERE

What have applications been doing for years? Finding ways around it.

Slide 5

HOW WE GOT HERE

What have users been doing? Developing bad habits.

Slides 6-9

HOW WE GOT HERE

New                      Old
Modern Authentication    Basic Authentication
Multi-Factor             EWS, IMAP, POP
O365/Cloud-Hosted        On-Prem Needs

Slide 10

WEAK AUTHENTICATION KEEPING YOU DOWN?

Slide 11

WEAK AUTHENTICATION KEEPING YOU DOWN?

• Many recent Exchange vulnerabilities have dealt with NTLM abuse
• A recently-disclosed attack allows for privilege escalation via NTLM Relay + Exchange

Slides 12-16

IN WITH THE NEW

Slide 17

WEAK AUTHENTICATION KEEPING YOU DOWN?

• Weak authentication is allowing more than advanced attacks… it’s allowing attackers to use older tools and protocols.

Slide 18

NIGERIA: DOING EMAIL RIGHT

Slide 19

OUT WITH THE OLD

Slide 20

OUT WITH THE OLD

acmeacb =/= acmeabc
(not an actual forward)

Slide 21

IN WITH THE NEW

Slide 22

OUT WITH THE OLD

Slides 23-24

IN WITH THE NEW

Slide 25

SPEAR PHISHING TECHNIQUES (I KNOW, WE SAID WE WOULDN’T TALK ABOUT THESE)

• Transposed/Character Substitution Domains
• Unicode Play
• Email Body Encoding/Obfuscation
• Anyone here know RFC 2047?
• Encoded Email Header Data:
  Subject: =?utf-8?B?0JDRgdGB0L51bnQgU3XRgNGA0L5ydCBO0L50aWZp0YHQsHRp0L5uICNJRDox?==?utf-8?Q?72932?=
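As an added example (not the speaker's code), a small RFC 2047 decoder that unpacks the Subject value shown on the slide and then does the check a mail filter or analyst wants: which Unicode scripts the decoded letters come from, and which letters are non-ASCII lookalikes. The script check and report layout are my own construction; the decoder handles B and Q encoding, adjacent encoded-words and folded headers.

```python
import base64
import quopri
import re
import unicodedata

# RFC 2047 encoded-word: =?charset?B|Q?text?=  (a '*lang' suffix after the charset is optional)
ENCODED_WORD = re.compile(r"=\?([^?*]+)(?:\*[^?]*)?\?([bBqQ])\?([^?]*)\?=")

def decode_rfc2047(header_value: str) -> str:
    """Decode every encoded-word in a header value into one Python str."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", header_value)  # undo RFC 5322 header folding
    out, pos, prev_encoded = [], 0, False
    for m in ENCODED_WORD.finditer(unfolded):
        gap = unfolded[pos:m.start()]
        # Whitespace between two adjacent encoded-words carries no text (RFC 2047 section 6.2)
        if not (prev_encoded and gap.isspace()):
            out.append(gap)
        charset, enc, payload = m.group(1), m.group(2).upper(), m.group(3)
        if enc == "B":
            raw = base64.b64decode(payload + "=" * (-len(payload) % 4))  # tolerate missing padding
        else:
            raw = quopri.decodestring(payload.encode("ascii"), header=True)  # '_' decodes to space
        try:
            out.append(raw.decode(charset, errors="replace"))
        except LookupError:  # a charset label Python does not know
            out.append(raw.decode("latin-1"))
        pos, prev_encoded = m.end(), True
    out.append(unfolded[pos:])
    return "".join(out)

def letter_scripts(text: str) -> set:
    """Script family (first word of the Unicode character name) of every letter in text."""
    return {unicodedata.name(c, "UNKNOWN").split()[0] for c in text if c.isalpha()}

def inspect_subject(header_value: str) -> dict:
    """Decode a Subject value and report the mixed-script/homoglyph pattern a filter should flag."""
    decoded = decode_rfc2047(header_value)
    scripts = letter_scripts(decoded)
    non_ascii = [f"U+{ord(c):04X} {unicodedata.name(c, '?')}" for c in decoded
                 if c.isalpha() and ord(c) > 0x7F]
    return {"decoded": decoded, "scripts": sorted(scripts),
            "mixed_script": len(scripts) > 1, "non_ascii_letters": non_ascii}

# The Subject value from the slide, with its base64 rejoined onto one line.
SLIDE_SUBJECT = ("=?utf-8?B?0JDRgdGB0L51bnQgU3XRgNGA0L5ydCBO0L50aWZp0YHQsHRp0L5uICNJRDox?="
                 "=?utf-8?Q?72932?=")
REPORT = inspect_subject(SLIDE_SUBJECT)  # REPORT["mixed_script"] is True: Cyrillic mixed with Latin
```

The decoded text renders as "Account Support Notification #ID:172932", but eleven of its letters are Cyrillic, which is exactly what `REPORT["non_ascii_letters"]` lists.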

Slide 26

TECHNIQUE CALL OUT: WEBSITE REPLICATION, DATA ENCODING, DATA OBFUSCATION, SPEAR PHISHING LINK, TARGETED CAMPAIGNS

Slide 27

IN WITH THE NEW

Slide 28

TECHNIQUE CALL OUT: AUTOMATED CREDENTIAL COLLECTION, NORMALIZATION, AND ENRICHMENT

Slide 29

IN WITH THE NEW

Once credentials are obtained, attackers will take two roads:
1) Synchronize mailboxes
   1) Do this by subverting MFA with application passwords.
   2) Learn flow of money.
2) Steal address books
   1) Do this by using a Mac.
   2) Learn who you trust.

Slides 30-35

IN WITH THE NEW

Slide 36

TECHNIQUE CLASSIFICATION: INTRA- AND INTER-ORGANIZATIONAL LATERAL MOVEMENT VIA EMAIL

Slides 37-39

IN WITH THE NEW

Slide 40

TECHNIQUE CALL OUT: TRUSTED RELATIONSHIP ABUSE

Slide 41

NOT YOUR MAILBOX ANYMORE

• Subvert trust with address book sending
• Implement Inbox Rules to forward, delete and hide mail
  • SMTP Forwarding
  • Searching for keywords (“wire”, “payment”, “invoice”, “remittance”)
• MFA 0-Fs given
  • Application Passwords
  • Users accept anyways
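As an added example (not from the talk), a triage routine over a mailbox's inbox rules that flags the behaviours the slide lists: forwarding out of the organisation, deleting, hiding via mark-read or move-to-folder, and keying on the payment words quoted above. The record shape follows Get-InboxRule property names as an assumption (addresses kept as plain SMTP strings); the acmeabc.example domain and every sample rule are constructed.

```python
# Record shape follows Get-InboxRule property names (an assumption); addresses are kept
# as plain SMTP strings for brevity. The domain and every rule below are constructed.
INTERNAL_DOMAIN = "acmeabc.example"
PAYMENT_KEYWORDS = ("wire", "payment", "invoice", "remittance")  # the slide's keyword list
HIDING_FOLDERS = ("rss feeds", "rss subscriptions", "archive", "junk email", "deleted items")

def rule_findings(rule: dict) -> list:
    """Reasons one inbox rule matches the BEC persistence pattern; empty list means not flagged."""
    findings = []
    targets = [a.lower() for key in ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo")
               for a in rule.get(key, [])]
    external = [a for a in targets if not a.endswith("@" + INTERNAL_DOMAIN)]
    if external:
        findings.append("forwards outside the org: " + ", ".join(external))
    if rule.get("DeleteMessage"):
        findings.append("deletes matching mail")
    folder = rule.get("MoveToFolder") or ""
    if rule.get("MarkAsRead") or folder.lower() in HIDING_FOLDERS:
        findings.append(f"hides matching mail (mark read / move to '{folder}')")
    words = [w.lower() for key in ("SubjectContainsWords", "BodyContainsWords",
                                   "SubjectOrBodyContainsWords") for w in rule.get(key, [])]
    hits = sorted({w for w in words if any(kw in w for kw in PAYMENT_KEYWORDS)})
    if hits:
        findings.append("keys on payment terms: " + ", ".join(hits))
    # Any external forward is a finding on its own; otherwise require two behaviours together,
    # since a lone keyword filter or a lone move-to-folder rule is everyday mailbox hygiene.
    return findings if external or len(findings) >= 2 else []

def triage(rules: list) -> dict:
    """Map rule name -> findings for every rule worth an analyst's look."""
    flagged = {}
    for rule in rules:
        findings = rule_findings(rule)
        if findings:
            flagged[rule.get("Name", "<unnamed>")] = findings
    return flagged

SAMPLE_RULES = [  # constructed sample export
    {"Name": "Finance alerts", "SubjectOrBodyContainsWords": ["invoice", "wire transfer"],
     "ForwardTo": ["dropbox@outside.example"], "DeleteMessage": True},
    {"Name": "Team updates", "SubjectContainsWords": ["weekly report"], "MoveToFolder": "Reports"},
    {"Name": "Cleanup", "SubjectOrBodyContainsWords": ["payment", "remittance"],
     "MarkAsRead": True, "MoveToFolder": "RSS Feeds"},
    {"Name": "Assistant copy", "ForwardTo": ["assistant@acmeabc.example"]},
]
```

Running `triage(SAMPLE_RULES)` flags "Finance alerts" and "Cleanup" and leaves the two ordinary rules alone.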

Slides 42-43

TECHNIQUE ROUNDUP

• Well-Funded
• Trusted Relationship Abuse
• Intra- and Inter-Organizational Lateral Movement
• Data Obfuscation
• Data Encoding
• Automated Credential Theft
• Targeted Campaigns
• Website Replication
• Multiple Types of Spear Phishing
• MFA Bypass
• Exfiltration via Email

Slide 44

DEFENSE

Slide 45

DEFEN(S|C)E

Slides 47-51

DEFENSE MATRIX – BEC STYLE

Authentication
• Multi-Factor
• Strong Passwords
• Monitor Application Passwords
• Active Directory Integration

Sender/Link Verification
• Hover-Over
• Don’t Click Things
• External Address Flagging
• DMARC
• Post-Click URL Validation

ACH Payments
• Verbal Verify
• Visual Verify
• Invoice Template Signing
• Multi-Person Verification

Recovery
• Notify FBI
• Notify Bank
• Call Counsel
• Change Passwords

All Else Fails
• Unplug Internet
• Go Home, Polish Resume
• Do Nothing

Human
• Funny Feeling
• Not Normal
• “Not Done Like This”
• Uncomfortable
• Pay Attention

Slide 52

HOW DO WE DEFEND AGAINST SPEAR PHISHING?

We don’t… We teach users to be better.

Slide 53

SOLVING PROBLEMS TOGETHER

Slide 61

October 2013 – May 2016: $3.1bn in losses ($3.168 mil/day)
Source: https://threatpost.com/fbi-email-scams-take-3-1-billion-toll-on-businesses/118696/

Slide 62

October 2013 – June 2018: $12.5bn in losses ($7.366 mil/day)
Source: https://www.ic3.gov/media/2018/180712.aspx

Slide 63

I GOT 99 EMAIL PROBLEMS, AND SPEAR PHISHING AIN’T ONE

BUT – IT’S USUALLY THE START

Slide 64

Work Together.

Slide 65

Work Together. We keep dreams afloat.

Slide 66

Thank You. @mbromileyDFIR