Who clicked Who Cares

Post on 17-Jan-2016


Why phishing is done wrong today and the metrics people are collecting are making programs WORSE not better.

Transcript of Who clicked Who Cares

Who Clicked? Who Cares? 24 March 2015

right now

Chris Nickerson

Founder

Lares

hi. =)

Thanks

Trigger Warnings

• Cursing
• Racism
• Religious Prejudice
• Sex
• Drugs
• Daddy / Abandonment issues
• Socio Economic Hate crimes
• Thin Skin
• Lack of sense of humor
• Sexual orientation
• Sexism
• Violence
• Vomiting
• Abuse
• Truth
• Honesty
• Facts

· Anyway...

· I’m Chris

AKA

@indi303

cnickerson@laresconsulting.com

https://vimeo.com/laresconsulting

http://www.scribd.com/Lares_

LARES

Custom Services

• OSINT
• SIGINT
• TSCM / Bug Sweeping
• Exploit Development
• Tool Creation
• Attack Planning
• Offensive Consultation
• Adversarial Intelligence
• Competitive Intelligence
• Attack Modeling
• Business Chain Vuln Assessments
• Custom Physical Bypass Tool Design
• Reverse Engineering
• Other stuff I can’t write down…

What Do We Know?

· www.socalengineer.org

Dumpster Diving

Shoulder Surfing

Phishing

Target PHONE Support Staff

Human Resources

Smoking is Bad

Transit Systems

Social Functions

Client Side Attacks

But that’s not phishin’, Chris….

Phishing is all about EMAIL!

Directed Phishing

· Lather
· Choose an attack
· Rinse
· Send out an attack, get basic metrics
· Repeat
· Send ’em a CBT and phish ’em again

Slide 41

CLICKS

Slide 42

huh?


Slide 45

PHISHING

CLICK RATIO

Slide 46

What’s it about then?

• Training Metrics
• Testing of layered defense
• Creating durability
• Testing Identification skills
• EXPERIENCE
• Solidarity
• USER EMPOWERMENT
• BUSINESS


Slide 48

“If it weren’t for the users we would be secure” – Some idiot in infosec who should have taken a job as a used car salesperson

“Users are our BIGGEST vulnerability” – Some Infosec “professional” who doesn’t know what vulnerability means


Slide 51

Intelligence Leakage

• Contact info
• emails [userID]
• phone numbers
• Metadata
• Dox
• reference checks
• Pastebin, support forums, wikis, etc

Slide 52

Mail Configuration

• Pure vanilla spoof (forged internal from Internet)
• Validate/verify addresses
• Recipient and Sender
• MX, SPF, RBL, Spam
• Block known bad senders/Blacklists
• Throttle after X in an hour

Slide 53

Spam/Proxy Configuration

• In line spam detection
• Proxy in use
• Content inspection
• Content filtering
• Exceptions
• Inspect (Decrypt) SSL

Slide 54

Malicious Attachments/Content

• Malicious Attachments
• Java applet
• Excel macros
• Calendar invites
• PDFs
• Executables and more
• Linked (hosted) executables

Slide 55

Browser Attacks

• Corporate Standards
• Vulnerable type/version
• Frame injection/Keyloggers
• 3rd party add-ons/Plugins
• Mobile platforms
• Credential theft (SCORING)
• Integration with Red Team

Slide 56

Malicious Detection

• IPS/NIPS/HIPS
• AV process protection
• 100% coverage
• File integrity monitoring
• System process protection
• Injection migration

Slide 57

Ingress/Egress Filtering

• Can an attacker call home?
• What are all the ways?

Slide 58

On Device Vulnerability

• Does the user have rights
• Can you priv esc
• Can you get to the “Mothership”
• Is there IP I can take?
• Can I pivot and “Go for the gold”

Slide 59

Post Phish Value

• Did your IR team catch it?
• How long did it take to kick in response
• How effective was response
• Are there skill gaps
• What do you need to do to close the gaps?

Slide 60

What other metrics do you need to be tracking to make informed decisions and ACTUALLY reduce the risk of phishing?

Slide 61

User data (Demographics)

• User Role
• Position
• Paygrade
• Education level
• Etc.

Automated Defensive measurements

• Technology effectiveness

REAL METRICS REAL DECISIONS

Slide 62

Response timing

• Time for emails to get delivered
• Time til first detection
• Time til enterprise notification
• Time required to create incident team
• Time to identify threat vectors
• Time required to identify/quarantine threat
• Time to analyze indicators accurately
• Mean time to incident eradication

REAL METRICS REAL DECISIONS
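As an added example (not from the talk or from Lares), here is how the response-timing metrics on this slide could be computed from an event log of one simulated phishing run, next to the click ratio the earlier slides dismiss; the event log is constructed, and the event names and the choice to measure every milestone from the first send are assumptions.

```python
from datetime import datetime

# Constructed event log for one simulated phishing run (sample data invented for
# this example, not from the talk). Rows are (ISO timestamp, event, subject).
EVENTS = [
    ("2015-03-24T09:00:00", "sent", "alice"),
    ("2015-03-24T09:00:00", "sent", "bob"),
    ("2015-03-24T09:00:00", "sent", "carol"),
    ("2015-03-24T09:01:00", "delivered", "alice"),
    ("2015-03-24T09:03:00", "delivered", "bob"),
    ("2015-03-24T09:02:00", "delivered", "carol"),
    ("2015-03-24T09:15:00", "clicked", "alice"),
    ("2015-03-24T09:16:00", "reported", "bob"),  # user report = first detection
    ("2015-03-24T09:40:00", "enterprise_notified", "soc"),
    ("2015-03-24T10:10:00", "incident_team_formed", "soc"),
    ("2015-03-24T10:45:00", "vectors_identified", "soc"),
    ("2015-03-24T11:30:00", "quarantined", "soc"),
    ("2015-03-24T12:00:00", "indicators_analyzed", "soc"),
    ("2015-03-24T15:00:00", "eradicated", "soc"),
]

# Metric name and the event that marks it, in the order the slide lists them.
MILESTONES = [
    ("time_to_first_detection", "reported"),
    ("time_to_enterprise_notification", "enterprise_notified"),
    ("time_to_incident_team", "incident_team_formed"),
    ("time_to_identify_threat_vectors", "vectors_identified"),
    ("time_to_quarantine", "quarantined"),
    ("time_to_analyze_indicators", "indicators_analyzed"),
    ("time_to_eradication", "eradicated"),
]

def click_ratio(events):
    """The one number most programs stop at: recipients who clicked / sent."""
    sent = {who for _, ev, who in events if ev == "sent"}
    clicked = {who for _, ev, who in events if ev == "clicked"}
    return len(clicked & sent) / len(sent)

def response_timing(events):
    """Minutes from the first mail leaving to each milestone (None if it never happened)."""
    sent_at = {who: datetime.fromisoformat(t) for t, ev, who in events if ev == "sent"}
    first_sent = min(sent_at.values())
    # Delivery time is the mean per-recipient sent -> delivered gap.
    gaps = [(datetime.fromisoformat(t) - sent_at[who]).total_seconds() / 60
            for t, ev, who in events if ev == "delivered" and who in sent_at]
    out = {"mean_delivery_minutes": sum(gaps) / len(gaps) if gaps else None}
    for name, marker in MILESTONES:
        hits = [datetime.fromisoformat(t) for t, ev, _ in events if ev == marker]
        out[name] = (min(hits) - first_sent).total_seconds() / 60 if hits else None
    return out
```

Run over real mail-gateway, ticketing and SIEM timestamps instead of the constructed rows, the same function gives the "REAL METRICS" the slide asks for; a milestone that comes back None is itself a finding.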

Slide 63

After we analyze metrics we need to make a REAL plan to stop this from happening the SAME way again

• Increased user training
• Increased technology and automated defenses
• Process improvement opportunities
• Blue team Improvement
• IR process review
• War boarding advanced threat
• Always asking, WHAT IF we didn’t get it ALL!

FOLLOW THROUGH

THANK YOU!

[Chris Nickerson,

cnickerson@lares.com]

Please Remember To Fill Out Your

Session Evaluation Forms!