As a summary, Accuvant’s Eric Milam and Martin Bos are providing some food for thought on why user awareness is insufficient for preventing phishing attacks.
Martin Bos: Like in every good presentation, what we really wanted to talk about here is why user awareness isn’t working. Once again, this was more on the corporate side, but things to look for in an email: do you know the sender? Is there some malicious attachment to it? Can the information in the email be used to attack you or your company? This sounds elementary, but you’ve got to really read an email if you don’t know who it’s from, especially if it asks you to take some kind of action.
I’ll just give a quick example: at our work they contracted some third-party company just to do like a compensation survey kind of thing. I mean, it’s pretty standard in the industry: “Do you think you’re being compensated correctly?” But the company that was doing this didn’t consider that they were sending it to a security company, so everybody in our group got this email the other morning that was like: “Log on and fill out this survey,” and all of a sudden the emails start flying back and forth, we’re submitting it to our IT: “Why didn’t your firewall catch this? We’ve never fallen for this,” you know, on and on and on. And it was legit, it was a totally legit email, but the thing was they didn’t validate it. And so everybody in our group was like: “There’s no way we’re filling it out,” and so even after they said it was legit, nobody still filled it out, because it didn’t come from our company.
Eric Milam: I filled it out because I told them I wanted extra 100K a year.
Martin Bos: Anyway, you know, is the link suspicious or raising any flags? We showed you we like to use the actual links, we don’t like to obfuscate our links, so a lot of times people have been taught to hover their mouse over a link, and if it tells you to go somewhere else, then it’s not legit. But even if the entire URL is not legit, as long as the link is going to where it says it’s going to go, you see that match in your mind, and you almost always go there. I know nobody here would, but anybody else might do it.
And, obviously, IT or Security would never ask for your password. Once again, a lot of this stuff sounds kind of elementary, but people are falling for this stuff every day.
Eric Milam: We wouldn’t be up here talking about it if it weren’t happening all the time.
Martin Bos: I hate to admit this, but one of the main ways that you can limit exposure to this stuff is patch your motherf**king systems. These are some of the most attacked things, everybody’s looking for an Adobe 0day, Flash, Java, Microsoft – I mean, all these things; these are the most widely attacked systems. So, one of the first things you can do is not buy some fancy piece of email equipment – work on your patching process. Is a 30-day cycle enough? Can we afford 30 days to patch Microsoft? I mean, there are things that we can do internally in our organizations that are already in place to prevent some of this stuff.
Eric Milam: Like Martin was talking about limiting exposure: what do we want to do? One of the main things that we see when we’re at an organization is that their network segmentation is horrible. If I get on a laptop or desktop in California, I can usually see the entire organization in China, India, whatever. So, you want to think about network segmentation. And these are all the steps you want to think about: from the time that the user clicks the link until that shell gets out, like Martin’s did, to an attacking server. There’s all kinds of steps in between.
Did AV pick it up? If it didn’t, is there a host-based IPS to pick it up? The next step should be: is there IPS/IDS in place? Did that pick it up? If it gets past that, is there any type of egress filtering out there? Did that pick it up: yes or no? What exactly is out there? Is there advanced malware detection, did that pick it up? So, there’s all these steps that happen, even if the user falls for it, why don’t we say that user awareness is definitely important? We’re not saying: “Don’t educate the users,” what we’re saying is: “You guys as defenders of the network, or other individuals as defenders of the network – it’s not about testing the users. You want to test that entire path from the point that the user clicks it.”
Because if we’ve got 2000 individuals, you know at least one person is going to click it. The good thing about that is you can test that all the way through: what’s working, what’s not working, what caught it, what didn’t catch it, am I spending the money in the right places?
If you don’t have these types of items, things like, we’ll say, credential harvesting – there’s two factor authentication on OWA. Who actually has OWA exposed externally without two factor authentication? Does anybody want to raise their hand and admit it? So, basically, if you get that, and once you’ve got that, you log in to your OWA, then you do a search for the logins, and now you can just widen your spear phishing attack to everybody in the company. And you can send it internally now, from a legit email.
What you can do is you can take the email that they’ve got, we’ve done it before. Just forward it on and say: “Hey, Betty Joe, did you get this email? Can you click this link and try it and let me know?”, or send it out to a group and say: “Hey, I got this. I can’t get to it, can you guys click on this and check it out?” So, yes, user awareness is extremely important in educating them, but don’t put all your chips in that basket, because there’s lots of stuff that we defend or can use to defend within the network that we should be looking at.
Martin Bos: And network segmentation is the main thing that we don’t see. This is the stuff that is already in place in your organization: you do not have to buy a fancy appliance, you just have to get somebody who knows how to write Cisco rules or Juniper rules. And what I mean by network segmentation is, like, you know I was bashing on the HR department before, they’re blindly opening Word documents and PDFs all day long, but that’s their job. So, what can I do as an IT defender to segment the HR department, because that’s what they’re going to do, because that’s their job?
So, what I do is I take them as business units when I make combinations, and I say: “This is the HR department, and all they need to do is get to the Internet, Facebook, and there’s two or three internal applications where they enter in their customer data or their applicant data or whatever, and they need to be able to get to active directory, and that’s it.” So, I make up a list of what they need to be able to get to, and I block them from everything else in the network. And you can do every single unit in your organization that way. Is it difficult? Sure. Does it suck? Yeah, but you’re going to be protected when somebody clicks the link.
Eric Milam: And please, for the love of God, segment your dev environment. Because we destroy that; that’s the first place we’d look for, because we know shit’s going to be on the network that’s not patched.
Testing should encompass all defenses of an organization: again, we’ve got lots of blinky lights. You’ve spent all this money and budget making the organization solid or solidified or fortified, whatever you want to call it – make sure you’re spending that money in the right place. If you just spend too many dollars on a blinky light device and you test it and it doesn’t work – how are you going to feel about that?
Martin Bos: And do not hire the pentest team of the people that sold you the device. Hire a different team. And I’m saying that our company sells blinky lights stuff over here, and we’re on the pentest, we don’t have anything to do with that. But if our company sells you a device, we’re not going to have our company come in and pentest it. I mean, get a different company to do it.
Eric Milam: Plus, Martin and I, and I’m sure others in our group, have no problem blowing up our TS department. If they implemented something and we’re there to test it, we’re going to completely destroy it if we can. Not a lot of organizations are like that, but we pride ourselves on that. That’s it.
Martin Bos: Alright, thanks everybody!