Post on 17-Jan-2016
Who Clicked? Who Cares? (24 March 2015)
right now
Chris Nickerson
Founder
Lares
hi. =)
Thanks
Trigger Warnings
• Cursing
• Racism
• Religious Prejudice
• Sex
• Drugs
• Daddy / Abandonment issues
• Socio Economic Hate crimes
• Thin Skin
• Lack of sense of humor
• Sexual orientation
• Sexism
• Violence
• Vomiting
• Abuse
• Truth
• Honesty
• Facts
Anyway...
I’m Chris
AKA
@indi303
cnickerson@laresconsulting.com
https://vimeo.com/laresconsulting
http://www.scribd.com/Lares_
LARES
Custom Services
OSINT
SIGINT
TSCM / Bug Sweeping
Exploit Development
Tool Creation
Attack Planning
Offensive Consultation
Adversarial Intelligence
Competitive Intelligence
Attack Modeling
Business Chain Vuln Assessments
Custom Physical Bypass Tool Design
Reverse Engineering
Other stuff I can’t write down…
What Do We Know?
www.socalengineer.org
Dumpster Diving
Shoulder Surfing
Phishing
Target PHONE Support Staff
Human Resources
Smoking is Bad
Transit Systems
Social Functions
Client Side Attacks
But that’s not phishin’ chris….
Phishing is all about EMAIL!
Directed Phishing
• Lather
• Choose an attack
• Rinse
• Send out an attack, get basic metrics
• Repeat
• Send ’em a CBT and phish ’em again
Slide 41
CLICKS
Slide 42
huh?
Slide 43
Slide 44
Slide 45
PHISHING
CLICK RATIO
Slide 46
Training Metrics
Testing of layered defense
Creating durability
Testing identification skills
EXPERIENCE
Solidarity
USER EMPOWERMENT
BUSINESS
What’s it about then?
Slide 47
Slide 48
“If it weren’t for the users we would be secure” – Some idiot in infosec who should have taken a job as a used car salesperson
“Users are our BIGGEST vulnerability” – Some Infosec “professional” who doesn’t know what vulnerability means
Slide 49
Slide 50
Slide 51
Intelligence Leakage
Contact info: emails [userID], phone numbers
Metadata
Dox
Reference checks
Pastebin, support forums, wikis, etc
Slide 52
Mail Configuration
Pure vanilla spoof (forged internal from Internet)
Validate/verify addresses
Recipient and sender
MX, SPF, RBL, Spam
Block known bad senders/blacklists
Throttle after X in an hour
Slide 53
Spam/Proxy Configuration
In-line spam detection
Proxy in use
Content inspection
Content filtering
Exceptions
Inspect (decrypt) SSL
Slide 54
Malicious Attachments/Content
Malicious Attachments
Java applet
Excel macros
Calendar invites
PDFs
Executables and more
Linked (hosted) executables
Slide 55
Browser Attacks
Corporate standards
Vulnerable type/version
Frame injection/keyloggers
3rd party add-ons/plugins
Mobile platforms
Credential theft (SCORING)
Integration with Red Team
Slide 56
Malicious Detection
IPS/NIPS/HIPS
AV process protection
100% coverage
File integrity monitoring
System process protection
Injection migration
Slide 57
Ingress/Egress Filtering
Can an attacker call home? What are all the ways?
Slide 58
On Device Vulnerability
Does the user have rights?
Can you priv esc?
Can you get to the “Mothership”?
Is there IP I can take?
Can I pivot and “Go for the gold”?
Slide 59
Post Phish Value
Did your IR team catch it?
How long did it take to kick in response?
How effective was response?
Are there skill gaps?
What do you need to do to close the gaps?
Slide 60
What other metrics do you need to be tracking to make informed decisions and ACTUALLY reduce the risk of phishing?
Slide 61
User data (demographics): user role, position, paygrade, education level, etc.
Automated defensive measurements
Technology effectiveness
REAL METRICS REAL DECISIONS
Slide 62
Response timing
Time for emails to get delivered
Time til first detection
Time til enterprise notification
Time required to create incident team
Time to identify threat vectors
Time required to identify/quarantine threat
Time to analyze indicators accurately
Mean time to incident eradication
REAL METRICS REAL DECISIONS
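An added example, not from the talk, that turns the response-timing metrics above and the per-role demographic cut from slide 61 into numbers over a constructed exercise log; the log format, the event names and the choice to measure eradication per host from first delivery are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Constructed timeline of one phishing exercise (not data from the talk), one event per line.
EXERCISE_LOG = """\
2015-03-24T09:00:00 delivered user=alice role=finance
2015-03-24T09:00:00 delivered user=bob role=finance
2015-03-24T09:00:00 delivered user=carol role=eng
2015-03-24T09:04:00 clicked user=bob role=finance
2015-03-24T09:06:00 reported user=carol role=eng
2015-03-24T09:09:00 clicked user=alice role=finance
2015-03-24T09:20:00 notified team=enterprise
2015-03-24T09:35:00 team_formed team=ir
2015-03-24T10:10:00 quarantined host=bob-pc
2015-03-24T10:40:00 quarantined host=alice-pc
2015-03-24T12:10:00 eradicated host=bob-pc
2015-03-24T13:40:00 eradicated host=alice-pc
"""

def parse_events(text):
    """Return (timestamp, event, attrs) tuples in log order."""
    events = []
    for line in text.splitlines():
        ts, kind, *pairs = line.split()
        events.append((datetime.fromisoformat(ts), kind, dict(p.split("=", 1) for p in pairs)))
    return events

def response_timing(events):
    """Response-timing metrics in minutes from first delivery (eradication averaged per host)."""
    t0 = min(ts for ts, kind, _ in events if kind == "delivered")
    mins = lambda ts: (ts - t0).total_seconds() / 60
    first = lambda want: mins(min(ts for ts, kind, _ in events if kind == want))
    return {
        "time_to_first_detection": first("reported"),
        "time_to_enterprise_notification": first("notified"),
        "time_to_incident_team": first("team_formed"),
        "time_to_first_quarantine": first("quarantined"),
        "mean_time_to_eradication": mean(mins(ts) for ts, k, _ in events if k == "eradicated"),
    }

def role_breakdown(events):
    """Click and report ratio per user role: the demographic cut, not one global click ratio."""
    seen = {kind: defaultdict(set) for kind in ("delivered", "clicked", "reported")}
    for _, kind, attrs in events:
        if kind in seen:
            seen[kind][attrs["role"]].add(attrs["user"])
    return {role: {"click_ratio": len(seen["clicked"][role]) / len(users),
                   "report_ratio": len(seen["reported"][role]) / len(users)}
            for role, users in seen["delivered"].items()}
```

On this log the finance group clicked 100% and reported nothing while engineering reported within six minutes, which is the kind of split a single click ratio hides.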
Slide 63
After we analyze metrics we need to make a REAL plan to stop this from happening the SAME way again
Increased user training
Increased technology and automated defenses
Process improvement opportunities
Blue team improvement
IR process review
War boarding advanced threat
Always asking: WHAT IF we didn’t get it ALL!
FOLLOW THROUGH
THANK YOU!
[Chris Nickerson, cnickerson@lares.com]
Please Remember To Fill Out Your Session Evaluation Forms!