
© Copyright 2015 PhishMe, Inc. All rights reserved.

The Humanity of Phishing Attack and Defense

2016 Alabama Cyber Now

Aaron Higbee

Co-Founder & CTO of PhishMe

@higbee @phishme


What you are in for…

• A LOT of slides – don’t worry, they will be on Slideshare.

• Is phishing easy? The operation examined from the attacker's perspective

• Multiple data points – Highlights from our Enterprise Susceptibility Report

– Examples of effective and popular phishing themes

– How much time do users spend consuming phishing education?

• Does it matter?

– New data from recent survey. Do we have an awareness problem?

• Why do humans fall for phishing?


A TALE OF WOE

OPM


Notice anything interesting?


What likely caused the breach…


The DHS Response…

“The campaign will feature short videos,

posters and literature on the do’s and

don’ts for better cyber hygiene”


OPM needs an extra 21 million (for encryption)


2002

• Incident Response

• Penetration Testing

• Taught a lot of Ultimate Hacking Classes

– Hands-on, learn by doing

• Met a lot of these types


Attacker's perspective: Is phishing easy?

The classic attackers-vs-defenders arguments seem to gloss over the effort involved…


Phishing operations examined: Recon

• Reconnaissance for targeting

– Email addresses from simple internet searches

– Mining social networks

– Spam lists

– Paid private lists

*Image created by Seculert


Phishing operations examined: Weaponization

• Exploit writers

• JavaScript expertise

• Code packers and obfuscation

• Remote Administration Tools – Custom or Modified

• Data-entry (credential-stealing) phishing?

*Image created by Seculert


Phishing operations examined: Delivery

• Send email, collect shells. Easy, right?

• Brand protection & site takedown, e.g. login.peypal.net

• Spoofing still viable? SPF, DKIM, …

• Attachment delivery? Zip it? Password-protect the zip?

• Anti-spam products are a problem…

– Attackers use gmail.com, yahoo.com, hotmail.com, etc.

• Time of day?

• Mobile devices?

*Image created by Seculert

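The Delivery slide asks whether spoofing is still viable given SPF and DKIM. The check below is an added example, not material from the talk: it evaluates an SPF record against a connecting IP the way a receiving MTA would, with a constructed in-memory table standing in for DNS (every domain and address in it is hypothetical, drawn from the documentation ranges). The point it makes is the one an attacker cares about: only a record ending in -all produces a hard fail; ~all, ?all or no record at all leaves a spoofed envelope sender deliverable.

```python
"""Offline SPF evaluation: does a connecting IP pass the sender domain's policy?

Added example, not from the original talk. The "DNS" below is a constructed
in-memory table so the code runs offline; every domain and address in it is
hypothetical (RFC 5737 documentation IPs, RFC 2606 reserved names).
"""
import ipaddress

# Constructed stand-in for DNS TXT lookups (hypothetical domains, documentation IPs).
FAKE_TXT = {
    "corp.example":        "v=spf1 ip4:203.0.113.0/24 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.10 ip4:198.51.100.11 -all",
    "softfail.example":    "v=spf1 ip4:203.0.113.5 ~all",
    "nospf.example":       "",
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain, txt_records=FAKE_TXT):
    """Return the domain's SPF record, or None if it publishes none."""
    record = txt_records.get(domain, "")
    return record if record.startswith("v=spf1") else None


def check_spf(domain, sender_ip, txt_records=FAKE_TXT, _depth=0):
    """Evaluate sender_ip against domain's SPF record.

    Returns 'pass', 'fail', 'softfail', 'neutral', 'none' or 'permerror'.
    Handles the mechanisms that decide the spoofing question on the slide
    (ip4, ip6, include, all); a, mx, ptr and exists would need live DNS
    and are treated here as non-matching.
    """
    if _depth > 10:                      # rough stand-in for RFC 7208's 10-lookup limit
        return "permerror"
    record = lookup_spf(domain, txt_records)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:      # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        mechanism = mechanism.lower()
        matched = False
        if mechanism in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(argument, strict=False)
        elif mechanism == "include":
            matched = check_spf(argument, sender_ip, txt_records, _depth + 1) == "pass"
        elif mechanism == "all":
            matched = True
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"                     # no mechanism matched: RFC 7208 default


def spoof_likely_delivered(result):
    """Only a hard 'fail' gives the receiver grounds to reject; every other
    result is normally delivered, which is what keeps spoofing viable."""
    return result != "fail"


if __name__ == "__main__":
    for dom, ip in [("corp.example", "203.0.113.7"), ("corp.example", "192.0.2.1"),
                    ("softfail.example", "192.0.2.1"), ("nospf.example", "192.0.2.1")]:
        r = check_spf(dom, ip)
        print(f"{dom:<18} from {ip:<13} -> {r:<8} spoof delivered? {spoof_likely_delivered(r)}")
```

SPF only covers the envelope MAIL FROM; the From: header the user actually reads is unconstrained unless DMARC requires it to align with the SPF or DKIM domain, which is why "SPF, DKIM, …" on the slide ends in an ellipsis rather than a full stop.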

Phishing operations examined: Exploit

• x86 Win32 – time of day matters

• Advances in end-point protection

• Application whitelisting

• Email scanning gateways

• URL detonation

• Sandboxes

• Phishing with only links? – Site categorization

– Evolving browser protections

*Image created by Seculert


Phishing operations examined: Recap

Let’s recap…

We found targets, prepared our email-sending environment to ensure delivery, and we've overcome the problems of exploitation. We can either get exploit attachments in, or lure phishing victims to our prepared, whitelisted, categorized site designed to deliver the payload. We are either defeating sandboxes, or our malware is designed so that sandbox analysis either takes too long or produces results too inconclusive to set off alerts. Game over?...

*Image created by Seculert


Phishing operations examined

… But you are still not done.

Plant backdoors, connect outbound, exfiltration

*Image created by Seculert


Now let's look at some crimeware examples

• Common themes:

– Faxes, voicemails, ACH notices, package delivery

– The PhishMe blog has many examples

– Cryptolocker


Locky Message


Notice the variations


MOST USED AND HIGHEST SUSCEPTIBILITY


Introduction – Study Demographics

• 400 PhishMe customers

• Fortune 500 and public sector organizations across 23 verticals

• 8 million simulation emails over a 13-month span

• 75% of organizations training 1000+ employees


Questions Asked

• Are certain themes or levels of complexity more difficult than others for employees to recognize?

• What is the impact of emotional motivators on the likelihood of phishing responses?

• Does timing of the phish influence user vulnerability?

• Can we see positive trend success metrics over time?

• What makes a phishing simulation program successful?


Key Findings

• 87% of the employees who opened a phishing simulation email opened it the SAME DAY it was sent.

• Most employees responded to a phishing email in the morning hours, particularly at 8:00 AM local time.

• Employees who open a phishing email are 67% more likely to respond to another phishing attempt.

• The most effective phishing emails contain a business communication theme.

• Behavioral conditioning decreased susceptible employees' likelihood to respond to malicious email by 97.14% after just 4 simulations.


Scenario Themes and Complexity

What is a Phishing Theme? PhishMe's term for a collection of email scenario templates that use the same context, motivation, or topic to elicit user action.

– Office Communication

– Employee Wellness

– Computer Updates


Theme Averages and Benchmarks


Top Emotional Motivators

The strongest emotional motivators (above 20% average) were related to connection and reward (e.g., winning a prize).

Top Motivators:

• Connection

• Reward

• Curiosity

• Urgency

• Fear


Most Popular Simulations…

Scenario             | Type        | Response % | Popularity | Primary Motivators
Sent From Phone      | Attach (DB) | 13.9       | High       | Curiosity, Urgency
Package Delivery     | Click (BM)  | 18.43      | High       | Curiosity
Inbox Over the Limit | Click       | 19.7       | High       | Fear, Urgency
eCard Alerts         | Click       | 25.98      | High       | Curiosity, Reward, Social
File from Scanner    | Click       | 24.05      | High       | Curiosity
Order Confirmation   | Click       | 17.38      | High       | Curiosity, Fear
Unauthorized Access  | Data        | 29.16      | High       | Curiosity, Fear, Urgency
Password Survey      | Data        | 16.58      | Medium     | Fear, Urgency
Awards Season        | Click       | 5.6        | Medium     | Entertainment
Scanned File         | Attach (BM) | 16.95      | Medium     | Curiosity


Highly Susceptible Themes

Scenario                              | Type        | Response % | Popularity | Primary Motivators
Manager Evaluation                    | Data        | 31.55      | Low        | Curiosity, Fear, Reward
Time Off Request - Negative Balance   | Click       | 30.92      | Medium     | Fear, Urgency
Unauthorized Access (Adult-Oriented)  | Data        | 30.02      | Low        | Curiosity, Fear, Urgency
Unauthorized Access                   | Data        | 29.16      | Medium     | Curiosity, Fear, Urgency
Browser Update Required               | Data (DB)   | 26.8       | Low        | Fear, Urgency
eCard Alerts                          | Click       | 25.98      | High       | Curiosity, Reward, Social
Employee Raffle                       | Data        | 25.85      | Low        | Reward
Financial Information                 | Attach      | 25.5       | Medium     | Curiosity


Unauthorized Access 29.16% - Popular


Unauthorized Web Use: 30% - Low popularity


eCard Alerts – 25.98% - Popular


Manager Evaluation 31.55% - Low popularity


CREATING PHISHING AWARENESS


“Sit down, let me aware you about Phishing…”


Dear Awareness Professional, it’s not you…


PhishMe Content Team


Too Chinese…


Too Alluring…


Too American…


27 seconds…


Time spent improving “Awareness”



How is it that susceptibility rates decline?

• People don't read the education

• Yet there is a consistent reduction in susceptibility

• People respond to emails quickly

• Empowered and encouraged users report

• IR & SOC teams get relevant and timely threat intelligence

Potential threat intelligence

Can resilient humans be threat detectors?

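The slide above ends on whether users can act as threat detectors. What follows is an added example, not from the talk, of what an IR/SOC team can pull out of a single user-reported message: an envelope sender that disagrees with the From: domain, a sender domain that imitates a protected brand (the login.peypal.net case from the Delivery slide), links whose visible text points somewhere other than their href, and hashes of any attachment. SAMPLE_EML is a constructed message using hypothetical domains, PROTECTED_BRANDS is an assumed watch list, and core_label() deliberately ignores multi-label public suffixes such as co.uk.

```python
"""Triage of a user-reported phishing email into SOC-ready indicators.

Added example, not from the original talk. SAMPLE_EML is a constructed message
with hypothetical domains; PROTECTED_BRANDS is an assumed watch list of domains
the organisation wants lookalike alerts for.
"""
import email
import hashlib
import re
from email import policy

PROTECTED_BRANDS = ["paypal.com", "corp.example"]          # assumed watch list
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
ANCHOR_RE = re.compile(r'<a[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

# Constructed sample report: lookalike sender, mismatched link, disguised attachment.
SAMPLE_EML = b"""\
Return-Path: <bounce@bulk-mailer.example>
From: "PayPal Security" <alerts@login.peypal.net>
Reply-To: <verify@login.peypal.net>
To: <jane.doe@corp.example>
Subject: Unauthorized access detected - action required
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="us-ascii"

<html><body>We noticed a login from a new device.
Verify now: <a href="http://login.peypal.net/verify?id=42">https://www.paypal.com/security</a>
</body></html>
--b1
Content-Type: application/octet-stream; name="Statement.pdf.exe"
Content-Disposition: attachment; filename="Statement.pdf.exe"
Content-Transfer-Encoding: base64

TVoAAAAAAAAAAAAA
--b1--
"""


def edit_distance(a, b):
    """Levenshtein distance; catches typo-squats such as peypal vs paypal."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def core_label(domain):
    """Label left of the TLD ('login.peypal.net' -> 'peypal'). Simplification:
    multi-label suffixes such as co.uk are not handled."""
    parts = domain.lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def lookalike(domain, brands=PROTECTED_BRANDS, max_distance=2):
    """Return the protected brand this domain imitates; None if it is the brand
    itself, a subdomain of it, or unrelated."""
    domain = domain.lower()
    if any(domain == b or domain.endswith("." + b) for b in brands):
        return None
    for brand in brands:
        if edit_distance(core_label(domain), core_label(brand)) <= max_distance:
            return brand
    return None


def host_of(url):
    return url.split("/")[2].lower() if url.count("/") >= 2 else ""


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def triage(raw):
    """Extract indicators from the bytes of a reported .eml."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_hdr = msg["From"]
    from_domain = from_hdr.addresses[0].domain.lower() if from_hdr and from_hdr.addresses else ""
    rp = re.search(r"@([^>\s]+)", str(msg.get("Return-Path", "")))
    return_domain = rp.group(1).lower() if rp else ""
    ind = {
        "from_domain": from_domain,
        "return_path_domain": return_domain,
        "envelope_mismatch": bool(return_domain) and return_domain != from_domain,
        "lookalike_of": lookalike(from_domain),
        "urls": [], "mismatched_links": [], "attachments": [],
    }
    for part in msg.walk():
        if part.is_attachment():
            data = part.get_payload(decode=True)
            ind["attachments"].append({"name": part.get_filename(), "sha256": sha256_hex(data)})
        elif part.get_content_type() in ("text/plain", "text/html"):
            text = part.get_content()
            for url in URL_RE.findall(text):
                if url not in ind["urls"]:
                    ind["urls"].append(url)
            for href, shown in ANCHOR_RE.findall(text):
                shown = re.sub(r"<[^>]+>", "", shown).strip()
                if shown.startswith("http") and host_of(shown) != host_of(href):
                    ind["mismatched_links"].append({"shown": shown, "actual": href})
    return ind
```

Every field in the result is something a mail gateway or SIEM can block or hunt on (sender domain, URL host, attachment hash), which is the sense in which a reporting user turns into a sensor rather than a liability.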

What customers tend to focus on


Results: Conditioning vs. Awareness


Yes!


IS PHISHING AWARENESS THE PROBLEM?

A survey conducted on the basics of Phishing…


Introduction – Survey Demographics

• PhishMe carried out a contracted survey in March 2016

• Sample: 216 US office workers who use email (outside of the IT & Security department)

• Opening question: Phishing is a term used to describe a deceptive email designed to infect your computer or steal your passwords. Were you already aware of that before reading this definition?

• Four follow-up questions about phishing tactics:

– Did you know that clicking a misleading link in an email has the potential to infect your computer?

– Did you know an email taking you to a deceptive website designed to trick you into entering your username and password is also known as phishing?

– Did you know opening an attachment has the potential to infect your computer?

– How far do you agree / disagree with the following statement? ‘Mobile devices are equally susceptible to phishing as PCs’


Spoiler: They are aware of phishing

‘Phishing’ is a term used to describe a deceptive email designed to infect your computer or steal your passwords. Were you already aware of that before reading this definition?

[Bar chart] Yes: 94.4% aware / No: 5.6% not aware


Based on your knowledge of phishing emails today, please answer the following:

Did you know that clicking a misleading link in an email has the potential to infect your computer?

– Yes 98.1%

– No 1.9%

Did you know an email taking you to a deceptive website designed to trick you into entering your username and password is also known as phishing?

– Yes 91.2%

– No 8.8%

Did you know opening an attachment has the potential to infect your computer?

– Yes 97.2%

– No 2.8%


Bonus Question

How far do you agree / disagree with the following statement? ‘Mobile devices are equally susceptible to phishing as PCs’

– Strongly agree 58.8%

– Slightly agree 31.5%

– Slightly disagree 9.3%

– Strongly disagree 0.5%

90.3% agree (strongly or slightly)


Key Findings: Aware, but vulnerable

• 94.4% are aware of phishing – Some confusion remains about mobile and other attack vectors

Awareness is not the problem


What do phishing simulations accomplish?

So you do awareness, but better?...


Changing Behavior Ain’t Eazy…


K3wp doesn’t like me… reddit/r/netsec

Aaronhigbee wrote: If you think that conditioning humans to avoid phishing should be part of every organization's security hygiene.... I'll raise a beer and toast you. Not everyone agrees.

K3wp responds:

I absolutely do not agree. You should be designing systems and networks that cannot be compromised via phishing attacks vs. trying to train a bunch of useless meat tubes to be competent.


Security Engineers want to Engineer


Behave Humans!

• For many it's an intellectual challenge

– When the human doesn't conform to the system as designed, they want to fix their engineering mistake. They want to contain it. When they can't, they get upset. They blame the human. Not their system.


What does history say?


Optical Sensors

Defeating coin optical sensors: Shaved Coins


Defeating optical sensors: light wand, aka monkey paw


• File.exe

• File.scr

• File.zip

• File.cab

• …

• http://Dropbox.com/file.exe

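The list above traces the gateway arms race: block .exe and the attacker sends .scr; block that and it arrives as a .zip, then a password-protected zip or a .cab; finally it becomes a link to a file-hosting site, which no attachment filter sees at all. The inspector below is an added example, not code from the talk: it judges an attachment by content (the MZ header Windows executables carry) rather than by name, unwraps nested archives to a fixed depth, and reports entries it cannot scan because they are encrypted. BLOCKED_EXT is an assumed policy and the sample files are constructed in memory; PE_STUB is just the two-byte header magic, not a program.

```python
"""Gateway-style attachment inspection that judges content, not just the name.

Added example, not from the original talk. Sample "files" are constructed in
memory: PE_STUB is only the DOS header magic followed by zeros, not a program.
"""
import io
import zipfile

BLOCKED_EXT = {"exe", "scr", "com", "pif", "cab", "js", "vbs", "hta"}  # assumed policy
PE_STUB = b"MZ" + b"\x00" * 62                                         # constructed sample


def extensions(name):
    """All extensions of the leaf name: 'invoice.pdf.exe' -> ['pdf', 'exe']."""
    leaf = name.lower().rsplit("/", 1)[-1]
    return leaf.split(".")[1:]


def is_pe(data):
    """Windows executables (exe, scr, dll, ...) start with the DOS 'MZ' magic."""
    return data[:2] == b"MZ"


def make_zip(entries):
    """Build a zip archive in memory from {name: bytes}; used for constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for entry_name, data in entries.items():
            zf.writestr(entry_name, data)
    return buf.getvalue()


def inspect(name, data, depth=0, max_depth=2):
    """Return a list of findings for one attachment (empty list = nothing suspicious)."""
    findings = []
    exts = extensions(name)
    last = exts[-1] if exts else ""
    if last in BLOCKED_EXT:
        findings.append(f"{name}: blocked extension .{last}")
        if len(exts) > 1:
            findings.append(f"{name}: double extension hides the executable type")
    elif is_pe(data):
        # Name-based filters miss this case entirely; content inspection does not.
        findings.append(f"{name}: Windows executable disguised as .{last or '(no extension)'}")
    if zipfile.is_zipfile(io.BytesIO(data)):
        if depth >= max_depth:
            findings.append(f"{name}: archive nested deeper than {max_depth} levels")
            return findings
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.flag_bits & 0x1:          # general-purpose bit 0 = entry is encrypted
                    findings.append(f"{name}/{info.filename}: password-protected, cannot be scanned")
                    continue
                findings.extend(inspect(f"{name}/{info.filename}", zf.read(info), depth + 1, max_depth))
    return findings


if __name__ == "__main__":
    samples = {
        "setup.exe": PE_STUB,
        "report.pdf": PE_STUB,
        "invoice.zip": make_zip({"invoice.pdf.exe": PE_STUB}),
        "notes.txt": b"just text",
    }
    for sample_name, sample_data in samples.items():
        print(sample_name, "->", inspect(sample_name, sample_data) or "clean")
```

The encrypted-entry branch is the slide's "password zip it?" step: the gateway can only report that it was unable to look inside, and the decision to deliver or drop becomes policy rather than detection. The final step on the list, a URL to a hosted file, never reaches this code at all.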

Consider the malware sandbox…


“We STOP Phishing!”

My reaction: (sure you do)


How does your security sandbox stop this?

Or This?


Predictable response

After the tantrum is over… they blame the user

“the human is the weakest link”

“PEBKAC”


Thinking, Fast and Slow

• Daniel Kahneman, Nobel laureate in economics (behavioral economics)

• System 1: intuitive brain process

– Operates automatically

• System 2: deliberate thinking process

– Requires effort

*Not Bernie Sanders


How many emails do we process daily?

• Receive ~71 legitimate emails

• Send 41 emails

• Must mentally discard 13 emails

• Assume 2 hours of meetings and 1 hour lunch break

• We perform 33 email-related tasks per hour

• Source: http://www.radicati.com/wp/wp-content/uploads/2014/01/Email-Statistics-Report-2014-2018-Executive-Summary.pdf


Consider the following…

2+2 = ? 10 x 2 = ?

1+8 = ?

7+4 = ?

5+5 = ?

85 x 97 = ?


Another example…

LEFT

LEFT LEFT

LEFT

LEFT

Right

Right Right

Right

Right


Another example…

LEFT

LEFT

LEFT

Right LEFT

Right

Right LEFT

LEFT

Right


System 1 and 2 are always active


This should not trigger System 2


This should trigger System 2


System 1 to System 2 Success!


So what you are saying is…

Simulations create experiences, using tactics similar to real phishing emails, that jolt repetitive, lazy, intuitive cognitive functions into a deliberate thinking process that requires effort!


System 1 Recently Failed Me


Failure in System 1

• Wow, This is a nice hotel! The bathroom is so clean.

• (washing my hands now)

– Hrm, no urinals?

• Hrm, what is this thing for?

• I have made a critical mistake


You admit some useless meat tubes will fail!


“Can’t fix stupid” “The weakest link”


Conclusions

• Good news! Phishing awareness is solved.

• Bad news! We are still susceptible to phishing.

• Somewhere, some technology vendor is creating an Advanced Machine Learning, Hadoop-clustering engine to perform User Behavior Analytics to end the Phish du Jour.

• Or you could consider conditioning the user to avoid and detect tomorrow's attacks, today.
