OWASP ATL - Social Engineering Technical Controls Presentation
4 likes818 views
The document discusses the importance of security awareness training, technical controls, and best practices to mitigate social engineering attacks such as email spoofing and phishing. It highlights the need for proper implementation of policies, procedures, and technical measures like SPF, DKIM, and DMARC to protect organizations from vulnerabilities. Additionally, it emphasizes the role of user education and monitoring systems in detecting and responding to potential threats.
![1414
“[…] users are neither stupid nor lazy. They are
musicians, parents, journalists, firefighters – it
isn’t fair to also expect them to become security
experts too. And they have other, important
things to do besides read our lovingly crafted
explanations of SSL. But they still deserve to
use the web safely, and it’s on us to figure out
that riddle.”
- Adrienne Porter Felt
Google Chrome Security Team
@__apf__ | adrienneporterfelt.com
IT’S NOT THEIR JOB, IT’S OURS.
Don’t Make Users Be the Judge](https://image.slidesharecdn.com/owasp-socialengineeringtechnicalcontrolspresentation-150727014841-lva1-app6892/85/OWASP-ATL-Social-Engineering-Technical-Controls-Presentation-14-320.jpg)
OWASP ATL - Social Engineering Technical Controls Presentation
- 1. Social Engineering Technical ControlsTAKING EMOTIONS OUT OF DEFENSE July 16, 2015
- 2. INTRODUCTION FROM US TO YOU
- 3. 33 Candis Orr corr@bishopfox.com @candysaur Senior Security Analyst at Bishop Fox (Enterprise Security Team) Alex DeFreese adefreese@bishopfox.com @lunarca_ Security Analyst at Bishop Fox (Application Penetration Testing Team) WHY DO YOU CARE WHAT WE THINK? Who are we?
- 4. 44 • Security Awareness Training • Email Protections • Domain Protections • Deterring & Preventing Outbound Proxy • Browser Protections • Two-Factor Authentication • Detecting Attacks • Eradicating Attacks • Further Information • Q&A WHAT WE ARE GOING TO COVER Agenda
- 6. 66 Security Awareness Training Documented Policies and Procedures Technical Controls SUPPORTING INFRASTRUCTURE SHOULD BE IN PLACE What is required to properly train? • Technical controls need to be implemented to reduce the attack surface and chance of attacks • Documented policies and procedures need to be created for repeatable and consistent processes for the user to follow • Security awareness training must cover the document policies and procedures and the security controls so that users can understand their responsibilities within the company
- 7. 77 IT CAN GO WELL SOMETIMES… Best Case for Awareness Training User awareness training can help identify and prevent attacks when properly administered.
- 8. 88 SINCE IT IS POORLY DONE MOST OF THE TIME Best Case for Awareness Training Most awareness training programs try to be the only line of defense and suffer as a result.
- 9. 99 • Real attacks are sophisticated. • Email spoofing • Website cloning • Targeted for the victim • Attackers prey on strong drives (politeness, curiosity, confusion) to get compliance. THE HACKERS ARE LEARNING FASTER THAN THE USERS Failings of Awareness Training
- 10. 1010 EMAIL SPOOFING IN ACTION Example Spoofed Email
- 11. 1111 EMAIL CLONING IN ACTION Example Phishing Email
- 12. 1212 WEBSITE CLONING IN ACTION Example Phishing Website
- 13. 1313 Once an attacker compromises one computer on the network, it becomes an internal attack. Tools like Mimikatz, WCE, and Pass the Hash Toolkit help attackers compromise full domains from one compromised computer. ONE MATCH IS ENOUGH TO START A FIRE It Only Takes One
- 14. 1414 “[…] users are neither stupid nor lazy. They are musicians, parents, journalists, firefighters – it isn’t fair to also expect them to become security experts too. And they have other, important things to do besides read our lovingly crafted explanations of SSL. But they still deserve to use the web safely, and it’s on us to figure out that riddle.” - Adrienne Porter Felt Google Chrome Security Team @__apf__ | adrienneporterfelt.com IT’S NOT THEIR JOB, IT’S OURS. Don’t Make Users Be the Judge
- 16. 1616 • Prepare, Detect, Analyze, Contain, Eradicate, Recover, and Learn. • Deter attackers and make it more difficult for them to produce a convincing attack. Limit their options. • Detect successful attacks immediately. • Eradicate attackers’ network presence and respond to the damage they caused. BROAD STROKES Technical Controls
- 18. 1818 • Email servers allow email spoofing by default. • Spoofing gives social engineering emails automatic credibility. • Defenses exist to prevent spoofing but very few domains actually use them. GAPING WOUND IN INTERNET SECURITY Email Spoofing
- 19. 1919 • Which servers can send from this domain? • DNS TXT record • dig txt $DOMAIN • List of IP addresses, domains, and references • ?all, ~all, and -all EMAIL PROTECTIONS Sender Policy Framework (SPF)
- 21. 2121
- 22. 2222 • Automatic digital signatures • Public keys stored as DNS TXT records • dig txt $SELECTOR._domainkey.$DOMAIN • Selector and signature transmitted with email EMAIL PROTECTIONS DomainKeys Identified Mail (DKIM)
- 24. 2424
- 25. 2525 • Domain-based Message Authentication, Reporting, and Conformance • Defines what to do if mail fails SPF or DKIM checks • Send an email with details • Make an HTTP request with details • Mark the email as spam • DNS TXT record • dig txt _dmarc.$DOMAIN EMAIL PROTECTIONS DMARC
- 27. 2727 • Scanned top 1,000,000 domains for SPF and DMARC • Domains with SPF records: 40% • Domains with DMARC records: 0.74% BY THE NUMBERS Analysis
- 28. 2828 THE SKY IS ON FIRE The Core Problem Mail Servers don’t respect SPF or DKIM alone.
- 29. 2929 THE SKY IS ON FIRE DOMAINS THAT ARE VULNERABLE TO EMAIL SPOOFING 99.87% The Core Problem • DMARC policy of reject or quarantine needed to block emails • Only 1,731 out of 1,000,000 domains are protected.
- 30. 3030 HOW DO THE TOP DOMAINS COMPARE? Analysis Results
- 31. 3131 HOW DO THE TOP DOMAINS COMPARE? Analysis Results
- 32. 3232 Email Providers FROM WHOM CAN I SPOOF? What’s Vulnerable?
- 33. 3333 Financial Institutions FROM WHOM CAN I SPOOF? What’s Vulnerable?
- 34. 3434 Insurance FROM WHOM CAN I SPOOF? What’s Vulnerable?
- 35. 3535 Government FROM WHOM CAN I SPOOF? What’s Vulnerable?
- 36. 3636 Government FROM WHOM CAN I SPOOF? What’s Vulnerable?
- 37. 3737 Government FROM WHOM CAN I SPOOF? What’s Vulnerable?
- 38. 3838 Government FROM WHOM CAN I SPOOF? What’s Vulnerable?
- 39. 3939 TOP SPOOFED DOMAINS What’s Vulnerable
- 40. 4040 IT’S NOT ALL TERRIBLE What’s Vulnerable Of the 84 organizations with the most phishing sites, 40% are protected from email spoofing.
- 41. 4141 • Implement SPF, DKIM, and DMARC for your domain if possible. • Configure your email server to respect SPF despite DMARC if possible. • http://www.openspf.org/Implementations • Exchange: http://www.gfi.com/products-and-solutions/email-and- messaging-solutions/gfi-mailessentials/specifications HOW TO PROTECT YOURSELF Solutions
- 42. 4242 HELP PROTECT EVERYONE Solutions Spread the word.
- 44. 4444 • Attackers will register domains similar to your company’s domain to host phishing websites. • Typosquatting • TLD squatting • Register primary TLDs for your domain to protect customers. • Add all typos to internal DNS server to protect employees. • URLCrazy: tool to generate a list of domain typos • Consider blocking mail from these domains as well BY THE NUMBERS Similar Domains
- 45. 4545 SIMILAR DOMAIN NAMES URLCrazy Report
- 46. 4646 Client Transfer Prohibited • Prevents attackers from transferring domain in same registrar • Usually default Server Transfer Prohibited • REGISTRAR LOCK status • Prevents attackers from transferring domain to a different registrar • Sometimes not default MALICIOUS DOMAIN TRANSFER Domain Stealing
- 47. 4747 THIS ACTUALLY HAPPENS Real World Example
- 49. 4949 Java Applet Attack • Still in use because it doesn’t need an exploit Block the Java User Agent • Very few legitimate applications use Java Applets. • Block the Java User Agent outbound to prevent Java Applet Attacks. • Whitelist specific endpoints if absolutely necessary. WHY EVEN ALLOW THIS? Java User Agent
- 50. 5050 Regularly block all domains with an authenticated splash page. • First person can unblock it if it’s legitimate. • Potentially whitelist company domains. Block automated Command and Control. Block watering hole attacks. CROWDSOURCED AUTOMATED DEFENSE Authenticated Splash Page
- 52. 5252 • Protects the computer if the browser gets compromised • Limits the amount of damage a browser-based attack can do • Effectively removes the browser from attack surface PROTECT YOURSELF FROM EVENTUALITY Sandboxing
- 53. 5353 Reduce the browser’s attack surface. • NoScript – prevent JS injection • AdBlock – prevent malicious advertisements • FlashBlock – prevent malicious flash documents • Web of Trust – make it easier to spot phishing sites • HTTPS Everywhere – force HTTPS when possible SOME OF OUR FAVORITES Browser Extensions
- 55. 5555 Implement 2FA for the VPN. • Credentials are easier to compromise than computers. • Don’t let credentials give access to your internal network. Duo Security’s system is easier for users than traditional 2FA. BECAUSE CREDENTIALS ARE EASY TO STEAL Multi Factor Authentication
- 56. DETECTION KNOW WHAT’S GOING ON IN YOUR NETWORK
- 57. 5757 Know what’s going on in your network. IN A NUTSHELL Detection
- 58. 5858 Even with all the previously mentioned controls, an employee may still get compromised. Learn that an attack is going on quickly, and act immediately to contain and eradicate it. IN A NUTSHELL Detection
- 59. 5959 Alert system, not a prevention system • Train users to report suspicious communications to security officers. • Track reported emails instead of clicked links to measure campaign effectiveness. Make reporting a positive experience. • Reward users that report awareness training emails. • Ensure the reporting system is clearly defined, simple, and easy to use. WHAT IT’S ACTUALLY GOOD FOR User Awareness Training
- 60. 6060 Purposefully attractive targets • Purposefully vulnerable high-value servers with dummy data • Purposefully insecure domain admin accounts with no real power Alert if someone starts using them • Immediately start forensics and eradication. IT’S A TRAP Canaries and Honeypots
- 61. 6161 Monitoring Systems • Absolutely necessary for tracking an attack path • Need to know an attack is happening first • Start with anything outbound Intrusion Detection Systems • Helpful for detecting obvious attackers or ones that correspond to known attack patterns • May not necessarily detect covert or subtle attackers LEARN WHAT THEY DID AND WHAT THEY’RE DOING Monitoring and IDS
- 62. 6262 What happened during the attack? • Identify the phishing site. • Identify C2 servers and channels. • Identify campaign’s targets. • Identify the campaign’s purpose. Outbound Proxy Logs LEARN WHAT THEY DID AND WHAT THEY’RE DOING Forensics
- 64. 6464 • Block the IP and domain of phishing sites and C2 servers. • Drop emails coming from attacker’s domains, email addresses, and mail servers. • Alert users about the social engineering campaign. • This won’t stop the attack, but it’ll buy some time while the attacker pivots to different infrastructure. BUY SOME TIME TO BREATHE Burn the Current Campaign
- 65. 6565 Force password resets. • Users that gave up credentials • Users with compromised computers • Anyone with access to compromised computers • Domain Admins Reimage compromised machines. • Don’t try to outsmart the malware. • Reimage and restore from backup. SCORCHED EARTH POLICY Respond to the Attack
- 66. FURTHER INFORMATION WANT TO KNOW MORE?
- 67. 6767 Sites • social-engineer.org • openspf.net/Tools • dkim.org • dmarc.org • sandboxie.com • duosecurity.com Presentations • Attacker Ghost Stories Rob Fuller PLACES TO GO TO KNOW MORE Further Information
- 68. 6868 PLACES TO GO TO KNOW MORE Further Information Documents • SANS: Incident Handler’s Handbook: http://www.sans.org/reading-room/ whitepapers/incident/incident-handlers-handbook-33901 Books • Social Engineering: The Art of Human Hacking Christopher Hadnagy • Social Engineering Penetration Testing Gavin Watson, Andrew Mason, Richard Ackroyd • Influence: The Psychology of Persuasion Robert B. Cialdini
- 69. Q&A ANY QUESTIONS YOU WANT TO ASK?
- 70. Thank You