
Aaron Higbee - The Humanity of Phishing Attack & Defense



Page 1: Aaron Higbee - The Humanity of Phishing Attack & Defense

© Copyright 2015 PhishMe, Inc. All rights reserved.

The Humanity of Phishing Attack and Defense
2016 Central Ohio InfoSec Summit

Aaron Higbee
Co-Founder & CTO of PhishMe
@higbee @phishme

Page 2

What you are in for…
• A LOT of slides – don’t worry, they will be on the portal and Slideshare.
• Is Phishing easy? The operation examined from the Attacker’s perspective
• Multiple data points
  – Highlights from our Enterprise Susceptibility Report
  – Examples of effective and popular phishing themes
  – How much time do users spend consuming phishing education?
• Does it matter?
  – New data from recent survey. Do we have an awareness problem?
• Why do humans fall for phishing?

Page 3

A TALE OF WOE
OPM

Page 4

Notice anything interesting?

Page 5

What likely caused the breach…

Page 6

The DHS Response…

“The campaign will feature short videos, posters and literature on the do’s and don’ts for better cyber hygiene”

Page 7

OPM Needs an extra 21 million (for encryption)

Page 8

Page 9

2002
• Incident Response
• Penetration Testing
• Taught a lot of Ultimate Hacking Classes
  – Hands on, learn by doing
• Met a lot of these types

Page 10

Attacker’s Perspective: Is phishing easy?

The classic Attackers vs. Defenders arguments seem to gloss over the effort involved…

“…but it only takes one phishing email. Game over!”

Page 11

Phishing operations examined: Recon
• Reconnaissance for targeting
  – Email addresses from simple internet searches
  – Mining social networks
  – Spam lists
  – Paid private lists

*Image created by Seculert

Page 12

Phishing operations examined: Weaponization
• Exploit writers
• JavaScript expertise
• Code packers and obfuscation
• Remote Administration Tools – Custom or Modified
• Data-Entry credential stealing phishing?

*Image created by Seculert

Page 13

Phishing operations examined: Delivery
• Send email, collect shells. Easy, right?
• Brand protection & site take down. E.g. login.peypal.net
• Spoofing still viable? SPF, DKIM, …
• Attachment delivery? Zip it? Password zip it?
• Anti-Spam products are a problem…
  – Attackers using gmail.com, yahoo.com, hotmail.com, etc.
• Time of day?
• Mobile devices?

*Image created by Seculert

Page 14

Phishing operations examined: Exploit

• x86 Win32 – time of day matters
• Advances in end-point protection
• Application whitelisting
• Email scanning gateways
• URL detonation
• Sandboxes
• Phishing with only links?
  – Site categorization
  – Evolving browser protections

*Image created by Seculert

Page 15

Phishing operations examined: Recap

Let’s recap… We found targets, prepared our email sending environment to ensure delivery, and we’ve overcome the problems of exploitation. We can either get exploit attachments in, or lure phishing victims to our prepared, whitelisted, categorized site designed to deliver the payload. We are either defeating sandboxes, or our malware is designed so that sandbox analysis takes too long or gives results too inconclusive to set off alerts. Game Over?...

*Image created by Seculert

Page 16

Phishing operations examined

… But you are still not done.
Plant backdoors, connect outbound, exfiltration

*Image created by Seculert

Page 17

Page 18

Page 19

Now let’s look at some Crimeware examples
Common themes:
  – Faxes, Voicemails, ACH notices, Package Delivery
  – The PhishMe blog has many examples
  – Cryptolocker

Page 20

Locky Message

Page 21

Rising Trend: Phishing Randomization
• Message randomization continues to increase
  – Sender
  – Subject
  – Variable message body
  – Varied hashes

Page 22

Notice the variations

Page 23

Let’s review this campaign
• Observed
  – 1200 samples
  – From 700 different sending IPs
  – Using 1100 sender domains
  – Having 500 different sender names
  – Utilizing over 700 different attachments
  – 100 C2 IPs identified
  – 150 C2 URLs identified

Page 24

Exploring some Dyre randomization
• 218 Campaigns Reviewed
  – 30,000 unique samples
• Only 1 Subject line used a dozen times
  – Example subjects:
    New Fax - 800273336
    New Fax - 800312316
    New Fax - 800575757
    You are our most valued customer. Your ID 23677222
    You are our most valued customer. Your ID 237673972
    You are our most valued customer. Your ID 2377474
    You are our most valued customer. Your ID 237986
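The randomization above (a fresh sender, subject ID and attachment hash per message) is what makes per-indicator blocking fall behind; a defender can instead cluster on the message template. The Python below is an added example, not PhishMe’s code or anything shown in the talk; its messages are constructed after the Dyre subjects on this slide, with made-up sender addresses and hash labels.

```python
import re
from collections import defaultdict

# Constructed sample messages modelled on the Dyre subjects shown on the slide.
# Sender addresses and attachment hash labels are made up for the demo.
SAMPLE_MESSAGES = [
    {"sender": "fax@relay-one.test", "subject": "New Fax - 800273336",
     "attachment": "sha256-a1"},
    {"sender": "efax@relay-two.test", "subject": "New Fax - 800312316",
     "attachment": "sha256-a2"},
    {"sender": "office@relay-three.test", "subject": "New Fax - 800575757",
     "attachment": "sha256-a3"},
    {"sender": "billing@shop-a.test",
     "subject": "You are our most valued customer. Your ID 23677222",
     "attachment": "sha256-b1"},
    {"sender": "support@shop-b.test",
     "subject": "You are our most valued customer. Your ID 237673972",
     "attachment": "sha256-b2"},
    {"sender": "orders@shop-c.test",
     "subject": "You are our most valued customer. Your ID 2377474",
     "attachment": "sha256-b3"},
    {"sender": "noreply@shop-d.test",
     "subject": "You are our most valued customer. Your ID 237986",
     "attachment": "sha256-b4"},
    # Ordinary internal mail: must not be flagged as a campaign.
    {"sender": "alice@corp.test", "subject": "Weekly team lunch",
     "attachment": None},
]

DIGIT_RUN = re.compile(r"\d+")
WHITESPACE = re.compile(r"\s+")


def normalize_subject(subject):
    """Collapse the randomized part of a subject (fax number, customer ID)
    into a placeholder so that every variant maps to the same template."""
    template = DIGIT_RUN.sub("<n>", subject.strip().lower())
    return WHITESPACE.sub(" ", template)


def cluster_campaigns(messages, min_samples=3):
    """Group messages by subject template and report, per template, how many
    distinct senders and attachment hashes it spans. A template with many
    samples but no repeated sender or hash is exactly the randomized campaign
    that sender/hash blocklists miss."""
    groups = defaultdict(list)
    for msg in messages:
        groups[normalize_subject(msg["subject"])].append(msg)

    campaigns = []
    for template, members in groups.items():
        if len(members) < min_samples:
            continue
        campaigns.append({
            "template": template,
            "samples": len(members),
            "unique_senders": len({m["sender"] for m in members}),
            "unique_hashes": len({m["attachment"] for m in members
                                  if m["attachment"]}),
        })
    # Largest clusters first.
    return sorted(campaigns, key=lambda c: c["samples"], reverse=True)


if __name__ == "__main__":
    for c in cluster_campaigns(SAMPLE_MESSAGES):
        print(f'{c["samples"]:>3} msgs  {c["unique_senders"]:>3} senders  '
              f'{c["unique_hashes"]:>3} hashes  {c["template"]}')
```

On the sample set both templates are reported with as many senders and hashes as messages, which is the signature of a randomized campaign; the internal lunch mail stays below the threshold.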

Page 25

MOST USED AND HIGHEST SUSCEPTIBILITY

Page 26

Introduction – Study Demographics
• 400 PhishMe customers
• Fortune 500 and public sector organizations across 23 verticals
• 8 million simulation emails over a 13-month span
• 75% of organizations training 1000+ employees

Page 27

Questions Asked
• Are certain themes or levels of complexity more difficult than others for employees to recognize?
• What is the impact of emotional motivators on the likelihood of phishing responses?
• Can we see differences by verticals?
• Does timing of the phish influence user vulnerability?
• Can we see positive trend success metrics over time?
• What makes a phishing program successful?

Page 28

Key Findings
• 87% of the employees who opened a phishing simulation email opened it the SAME DAY it was sent.
• Most employees responded to a phishing email in the morning hours, particularly at 8:00 AM local time.
• Employees who open a phishing email are 67% more likely to respond to another phishing attempt.
• The most effective phishing emails contain a business communication theme.
• Behavioral conditioning decreased susceptible employees’ likelihood to respond to malicious email by 97.14% after just 4 simulations.

Page 29

Scenario Themes and Complexity
What is a Phishing Theme? PhishMe’s term for a collection of email scenario templates that use the same context, motivation, or topic to elicit user action.
  – Office Communication
  – Employee Wellness
  – Computer Updates

Page 30

Theme Averages and Benchmarks

Page 31

Result Variation Across Verticals – Package Delivery Benchmark

• Wide variance in average response rates across verticals

• Underscores the need to understand culture and individual business processes when analyzing results

Page 32

Top Emotional Motivators

The strongest emotional motivators (above 20% average) were related to connection and reward (e.g., winning a prize).

Top Motivators:
• Connection
• Reward
• Curiosity
• Urgency
• Fear

Page 33

Most Popular Simulations…

| Scenario | Type | % | Popularity | Primary Motivators |
|---|---|---|---|---|
| Sent From Phone | Attach (DB) | 13.9 | High | Curiosity, Urgency |
| Package Delivery | Click (BM) | 18.43 | High | Curiosity |
| Inbox Over the Limit | Click | 19.7 | High | Fear, Urgency |
| eCard Alerts | Click | 25.98 | High | Curiosity, Reward, Social |
| File from Scanner | Click | 24.05 | High | Curiosity |
| Order Confirmation | Click | 17.38 | High | Curiosity, Fear |
| Unauthorized Access | Data | 29.16 | High | Curiosity, Fear, Urgency |
| Password Survey | Data | 16.58 | Medium | Fear, Urgency |
| Awards Season | Click | 5.6 | Medium | Entertainment |
| Scanned File | Attach (BM) | 16.95 | Medium | Curiosity |

Page 34

Highly Susceptible Themes

| Scenario | Type | % | Popularity | Primary Motivators |
|---|---|---|---|---|
| Manager Evaluation | Data | 31.55 | Low | Curiosity, Fear, Reward |
| Time Off Request - Negative Balance | Click | 30.92 | Medium | Fear, Urgency |
| Unauthorized Access (Adult-Oriented) | Data | 30.02 | Low | Curiosity, Fear, Urgency |
| Unauthorized Access | Data | 29.16 | Medium | Curiosity, Fear, Urgency |
| Browser Update Required | Data (DB) | 26.8 | Low | Fear, Urgency |
| eCard Alerts | Click | 25.98 | High | Curiosity, Reward, Social |
| Employee Raffle | Data | 25.85 | Low | Reward |
| Financial Information | Attach | 25.5 | Medium | Curiosity |

Page 35

Unauthorized Access 29.16% - Popular

Page 36

eCard Alerts – 29.58% - Popular

Page 37

Manager Evaluation 31.55% - Low popularity

Page 38

Unauthorized Web Use: 30% - Low popularity

Page 39

CREATING PHISHING AWARENESS

Page 40

“Sit down, let me aware you about Phishing…”

Page 41

PhishMe Content Team

Page 42

Too Chinese…

Page 43

Too Alluring…

Page 44

Too American…

Page 45

27 seconds…

Page 46

Time spent improving “Awareness”

Page 47

How is it that susceptibility rates improve?

• People don’t read the education
• Yet there is a consistent reduction in susceptibility

Page 48

What customers tend to focus on

Page 49

Results: Conditioning vs. Awareness

Page 50

The bigger picture

• People respond to emails quickly

• Empowered and encouraged users report

• IR & SOC teams get relevant and timely threat intelligence

Potential threat intelligence

Can resilient humans be threat detectors?

Page 51

Yes!

Page 52

IS PHISHING AWARENESS THE PROBLEM?

A survey conducted on the basics of Phishing…

Page 53

Introduction – Survey Demographics
• PhishMe carried out a contracted survey in March 2016
• Sample: 205 US office workers who use email (outside of the IT & Security department)
• Opening Question: Are you aware of phishing and spear phishing?
  – Four follow-up questions about phishing tactics
    • Phishing emails can contain attachments?
    • Phishing emails can contain links to websites?
    • Phishing emails ask for information or link you to a website to fill in data?
    • Phishing emails come from people within my company
• If instructions were given, where do you report suspicious emails?

Page 54

Q1 Are you aware of phishing and spear phishing?
‘Phishing’ is a term used to describe a deceptive email designed to infect your computer or steal your passwords. Were you already aware of that before reading this definition?
• 15.6% not aware of phishing or spear phishing
• 76.6% reported being aware of phishing
• 20% reported being aware of spear phishing

Q1 results (absolute count and % of respondents):

| Response | Respondents | % |
|---|---|---|
| Base | 205 | 100.0% |
| Yes, I am aware of phishing | 157 | 76.6% |
| Yes, I am aware of spear phishing | 41 | 20.0% |
| No, I am not aware of phishing or spear phishing | 32 | 15.6% |

[Bar chart of the same three responses: 77%, 20%, 16%]

Page 55

Based on your knowledge of phishing emails today, please indicate what you believe to be TRUE and what you believe to be FALSE about phishing emails:

| Statement | True | False | Don’t know |
|---|---|---|---|
| Phishing emails can contain attachments? | 138 (67.3%) | 36 (17.6%) | 31 (15.1%) |
| Phishing emails can contain links to websites? | 162 (79%) | 19 (9.3%) | 24 (11.7%) |
| Phishing emails ask for information or link you to a website to fill in data? | 148 (72.2%) | 22 (10.7%) | 35 (17.1%) |
| Phishing emails come from people within my company | 60 (29.3%) | 113 (55.1%) | 32 (15.6%) |

Page 56

Q4 If instructions were given, where do you report suspicious emails? (absolute count and % of respondents; broken out for the Professional services vertical)

| Response | All respondents (base 156) | Professional services (base 23) |
|---|---|---|
| We send suspicious emails to a person in IT | 92 (59.0%) | 11 (47.8%) |
| We use the SPAM filter function in email | 59 (37.8%) | 10 (43.5%) |
| We send suspicious emails to a special email box | 51 (32.7%) | 9 (39.1%) |
| We have a dedicated process to send suspicious emails for research | 27 (17.3%) | 6 (26.1%) |
| We send suspicious emails elsewhere (please specify) | 4 (2.6%) | -- |
| Other (please specify) | 2 (1.3%) | -- |

[Bar chart of the all-respondent percentages: 59%, 38%, 33%, 17%, 3%, 1%]

Page 57

Key Findings: Aware, but vulnerable
• ~76% are aware of phishing
  – Lack of confidence on specific terminology: spear phishing vs. phishing
  – Some confusion remains on specific attack vectors. Ex: links, attachments, credential theft
• Most employees have been given instructions on how to report suspicious email.
  – Of that subset, most are forwarding to IT or the Spam team
• Awareness is not the problem

“…but 90% of breaches start with phishing?”

Page 58

Changing Behavior Ain’t Eazy…

Page 59

K3wp doesn’t like me… reddit/r/netsec

Aaronhigbee wrote: If you think that conditioning humans to avoid phishing should be part of every organization’s security hygiene... I’ll raise a beer and toast you. Not everyone agrees.

K3wp responds: I absolutely do not agree. You should be designing systems and networks that cannot be compromised via phishing attacks vs. trying to train a bunch of useless meat tubes to be competent.

Page 60

Security Engineers want to Engineer

Page 61

Behave Humans!
• For many it’s an intellectual challenge
  – When the human doesn’t conform to the system as designed, they want to fix their Engineering mistake. They want to contain it. When they can’t, they get upset. They blame the human. Not their system.

Page 62

What does history say?

Page 63

Page 64

Optical Sensors

Defeating coin optical sensors: Shaved Coins

Page 65

Defeating Optical sensors

Light Wand aka Monkey Paw

Page 66

• File.exe
• File.scr
• File.zip
• File.cab
• …

• http://Dropbox.com/file.exe

Page 67

K3wp designed this…

Page 68

Consider the malware sandbox…

Page 69

“We STOP Phishing!!!”

My Reaction

(sure you do)

Page 70

How does your security sandbox stop this?

Or This?

Page 71

Predictable response
After the tantrum is over… they blame the user

“the human is the weakest link” “PEBKAC”

Page 72

So what do simulations do?

So you do awareness, but better?... No

Page 73

Thinking Fast and Slow
• Nobel Prize Winner in Behavioral Economics
• System 1: Intuitive brain process
  – Operates automatically
• System 2: Deliberate thinking process
  – Requires effort

Page 74

How many emails do we process daily?
• Receive ~71 legit emails
• Send 41 emails
• Must mentally discard 13 emails
• Assume 2 hours of meetings and 1 hour lunch break
• We perform 33 email related tasks per hour

• Source: http://www.radicati.com/wp/wp-content/uploads/2014/01/Email-Statistics-Report-2014-2018-Executive-Summary.pdf

Page 75

Consider the following…

2+2 = ?
10 x 2 = ?
1+8 = ?
7+4 = ?
5+5 = ?

85 x 97 = ?

Page 76

Another example…

LEFT LEFT LEFT LEFT LEFT
Right Right Right Right Right

Page 77

Another example…

LEFT LEFT LEFT Right LEFT Right Right LEFT LEFT Right

Page 78

System 1 and 2 are always active

Page 79

Page 80

This should not trigger System 2

Page 81

This should trigger System 2

Page 82

System 1 to System 2 Success!

Page 83

So what you are saying is… Simulations create experiences using tactics similar to real phishing emails to jolt repetitive, lazy, intuitive cognitive functions into a deliberate thinking process that requires effort!

Page 84

System 1 Recently Failed Me

Page 85

Failure in System 1
• Wow, this is a nice hotel! The bathroom is so clean.
• (washing my hands now) – Hrm, no urinals?
• Hrm, what is this thing for?
• I have made a critical mistake

Page 86

You admit some people will fail!

Page 87

Adoption and Use• Over 168 Customers deployed

• Over 2.5 MM endpoints

• 1395 scenarios with Reporting metrics

• 58% (779) with more reports than responses

• 24% average report rate

• More than 400,000 scenario reports

• More than 750,000 suspicious email reports

Page 88

Conclusions
• Good news! Phishing Awareness is solved
• Bad news! We are still susceptible to phishing
• Somewhere, some technology vendor is creating an Advanced Machine Learning - Hadoop clustering engine to perform User Behavior Analytics to end the Phish Du Jour.
• Or you could consider conditioning the user to avoid and detect tomorrow’s attacks today.