Upload File

ntxissacsc4 - the rise of social engineering -- anatomy of a full scale attack

  • Home
  • Internet
  • NTXISSACSC4 - The Rise of Social Engineering -- Anatomy of a Full Scale Attack
27
The Rise of Social Engineering - Anatomy of a Full Scale Attack - Presenter: Dave Nelson, CISSP | President at Integrity

Upload: north-texas-chapter-of-the-issa

Post on 16-Apr-2017

390 views

Category:

Internet


0 download

Report

TRANSCRIPT

Page 1: NTXISSACSC4 - The Rise of Social Engineering -- Anatomy of a Full Scale Attack

TheRiseofSocialEngineering- AnatomyofaFullScaleAttack-

Presenter:DaveNelson,CISSP|PresidentatIntegrity

Page 2: NTXISSACSC4 - The Rise of Social Engineering -- Anatomy of a Full Scale Attack

DaveNelson,CISSP• CertifiedInformationSecurityProfessional(CISSP)

• Over20yearsexperienceasinformationsecurityprofessional

• FellowwiththeInformationSystemsSecurityAssociation

• PresidentEmeritusofISSADesMoinesIowaChapter

Page 3: NTXISSACSC4 - The Rise of Social Engineering -- Anatomy of a Full Scale Attack

Overview

Whatis“SocialEngineering”?

TypesofAttacks&RealWorldExamples

BestDefense

Page 4: NTXISSACSC4 - The Rise of Social Engineering -- Anatomy of a Full Scale Attack

Whatis“SocialEngineering”?WHAT IS

SOCIALENGINEERING?

Page 5: NTXISSACSC4 - The Rise of Social Engineering -- Anatomy of a Full Scale Attack

Social Engineering

• Usingknowledgeofhumanbehaviortoelicitadefinedresponse.

• Putsimply…gettingyoutowillinglydosomethingformewhichislikelynotinyourbestinterest.

Page 6: NTXISSACSC4 - The Rise of Social Engineering -- Anatomy of a Full Scale Attack

Sociology and Psychology

• Studyofhumanbehavior,interactionandsocietalnorms.

• Actionscanbepredictedquiteaccurately.

• Actionscanalsobeinfluencedquiteeasily.

Page 7: NTXISSACSC4 - The Rise of Social Engineering -- Anatomy of a Full Scale Attack

Simple Human Behavior

• TwoTypesofResponses– Natural– Learned

Hackerswillcraftascenarioforyoutoenter,inordertoelicitaresponsewhichtheybelievewillgivethemtheresulttheyarelookingfor.

Page 8: NTXISSACSC4 - The Rise of Social Engineering -- Anatomy of a Full Scale Attack

TypesofAttacks&RealWorldExamples

Page 9: NTXISSACSC4 - The Rise of Social Engineering -- Anatomy of a Full Scale Attack

Why talk about social engineering

Socialengineeringisacomponentoftheattackinnearly1of3successfuldatabreaches,andit’sontherise.

Source:2016VerizonDataBreachInvestigationReport

Page 10: NTXISSACSC4 - The Rise of Social Engineering -- Anatomy of a Full Scale Attack

5CommonAttackMethods

DumpsterDiving

Pretexting

Phishing

PhysicalEntry

Enticement

Page 11: NTXISSACSC4 - The Rise of Social Engineering -- Anatomy of a Full Scale Attack

Dumpster Diving

• Scouringthroughdiscardeditems– Calendars&Dayplanners– Handwrittennotes– Phone&EmailLists– Operationmanualsorprocedures– Systemdiagrams&IPaddresses– Sourcecode

Page 12: NTXISSACSC4 - The Rise of Social Engineering -- Anatomy of a Full Scale Attack

Pretexting

• Fraudulentphonecalls• Usedtoextractinformation• Alsousedtosetupotherattackssuchasfacilityentryorphishing

Page 13: NTXISSACSC4 - The Rise of Social Engineering -- Anatomy of a Full Scale Attack

Phishing

Attemptstogetuserstoprovideinformationorperformanaction

TipsForIdentifyingPhishingAttempts– Askstoupdateaccountinformationviaemail– Noverificationimageorvaryinglayoutdesigns– Providesunfamiliarhyperlinks

Page 14: NTXISSACSC4 - The Rise of Social Engineering -- Anatomy of a Full Scale Attack

Common Bait

• SweetDeals– FreeStuff– LimitedTimeOffers– PackageDelivery

• HelpMe,HelpYou!– TechSupport

• YouGotta’SeeThis!

Page 15: NTXISSACSC4 - The Rise of Social Engineering -- Anatomy of a Full Scale Attack

Spear Phishing Example

GoodMorningMike,

Youmayormaynotknow,butMary(CFO)andIareinAtlantaworkingtocloseadealwithourpartnersXYZCompanyandABCLimitedona$70milliondollarcontractwithOurBigPayday,Inc.Inordertogetthecontractssigned,Ineedyoutowire$85,620toXYZCompanyand$67,980toABCLimited.MarysaysthisshouldcomefromourBankNameHereaccountnumber123456789.TheroutingandaccountnumberforXYZis12345678– 7788994455andforABCis98765432–336699774411.

BecauseOurBigPayday,Inc.isapubliclytradedcompany,thetermsofthisagreementcannotbediscloseduntiltheyfiletheirSECreportsforthequartersoyourabsolutediscretionisexpected.Undernocircumstancesareyoutodiscussthistransactionwithanyoneinthedepartment.AleakcouldresultinSECfinesorprisonforbothofusforinsidertrading.Ifyouhaveanyquestionsaboutthis,pleaserespondtothisemailwithyourdirectlineandI’llcallyouwhenI’moutofthenegotiationmeetings.IappreciateallyoudoforuswhichiswhyI’mtrustingyouwiththiskeyproject.

Keepupthegoodwork!Sandy(CEO)

Page 16: NTXISSACSC4 - The Rise of Social Engineering -- Anatomy of a Full Scale Attack

Physical Presence

• Gainingphysicalaccesscanbeeasierthanvirtualaccess

• Mayprovideadditionalinformation

• Comesatahigherriskbutwithapotentiallygreaterreward

Page 17: NTXISSACSC4 - The Rise of Social Engineering -- Anatomy of a Full Scale Attack

Physical Presence Examples• DeliveryDrivers• EmployeeTailgating• MaintenanceorEmergencyCrews

• Thekeyistoactlikeyoubelong.Ifyoubelieveitsowilleveryoneelse.

Page 18: NTXISSACSC4 - The Rise of Social Engineering -- Anatomy of a Full Scale Attack

Enticement Examples

Afolderwithenticingtitle/labelleftongroundoutsideanemployeeentrancewithaUSBthumbdrivetapedinside.

• USB,CDorDVDsleftinconspicuousspaces.

• Maybeaccompaniedbyfakepaperfiles

• Curiositybeatscaution

Year-EndBonuses

Page 19: NTXISSACSC4 - The Rise of Social Engineering -- Anatomy of a Full Scale Attack

Putting It All Together

• Targetedattackswillalwaysusesomeformofsocialengineering.

• Justlikeinmilitaryoperations,intelmakesorbreaksamission

• Hackersmayneverevenneedtousesophisticatedtechnicalattacksifyouprovidetheinformationwillingly

Page 20: NTXISSACSC4 - The Rise of Social Engineering -- Anatomy of a Full Scale Attack

Stealth Mode

• Limitedsocialengineeringattackscanbehardtodetect.

• Relevantinformationallowsattackerstopinpointtheirattackwhichmakestheirfootprinthardtodiscover.

Page 21: NTXISSACSC4 - The Rise of Social Engineering -- Anatomy of a Full Scale Attack

Don’t Fall for The Long Con

• Socialengineeringisnothingmorethanacon-game.

• Theold“LongCon”hasbeenportedtothedigitalworld.

• Goodconsarehardtospot.

Page 22: NTXISSACSC4 - The Rise of Social Engineering -- Anatomy of a Full Scale Attack

BestDefenses

Page 23: NTXISSACSC4 - The Rise of Social Engineering -- Anatomy of a Full Scale Attack

Best Defenses

• Strongpaperdestructionprocess• Limitingfacilityingress/egresspoints• Challengeunknownpeopleinsecureareas• Implementtechnologytoscreenemailandwebsitesforattacks

Page 24: NTXISSACSC4 - The Rise of Social Engineering -- Anatomy of a Full Scale Attack

Employee Training

• TraditionalCBTmethodsdon’twork• Engagetheemployee,makeapersonalplea• Usegamificationtoenhancelearning• Preparefordifferentlearningstyles(audio,visual,hands-on)

• Awarenessisnottrainingandtrainingisnotawareness

Page 25: NTXISSACSC4 - The Rise of Social Engineering -- Anatomy of a Full Scale Attack

Program Validation

• Socialengineeringtestingengagementsprovideassessmentsofhowwellyourpeople,processandtechnologyarefunctioning.

Page 26: NTXISSACSC4 - The Rise of Social Engineering -- Anatomy of a Full Scale Attack

Summary

• Socialengineeringisheretostayandit’sgrowing• Yourorganizationwillsufferadatabreachduetosocialengineering

• Thestudyofhumanbehaviorhasbeenusedbycriminalsforcenturies,cybercriminalsarenodifferent

• Employeesmustbetrainedtospotsocialengineeringandhowtoreact

Page 27: NTXISSACSC4 - The Rise of Social Engineering -- Anatomy of a Full Scale Attack

Question & Answer

[email protected]

www.integritysrc.com/blog

DaveNelsonCISSP

@IntegrityCEO- @IntegritySRC

515-965-3756


Anatomy of a Terrorist Attack

Photographic Anatomy of a Black-op Psi-Attack

Hackers, Attack Anatomy & Security Trends by Ted Harrington of ISE

NTXISSACSC4 - Layered Security / Defense in Depth

Anatomy of a Database Attack - gavinsoorma.com€¦ · Anatomy of a Database Attack ... dbms_output.put_line(str); execute immediate str; ... + Virtual Patching & Protocol Validation

Anatomy of an Attack - Sophos Day Belux 2014

Anatomy of an Enterprise Social Cyber Attack Part 2

IMA - Anatomy of an Attack - Presentation- 28Aug15

Gartner UK 2015 Anatomy of An Attack

NTXISSACSC4 - Security for a New World

Anatomy of an Attack: How to Defend Against a Multi-Stage Attack

NTXISSACSC4 - Cyber Insurance – Did You Know?

Anatomy of a Targeted Attack against Mobile Device Management (MDM)

Slide 1 Vitaly Shmatikov CS 395T Anatomy of an Attack

NTXISSACSC4 - The Art of Evading Anti-Virus

IPExpo 2013 - Anatomy of a Targeted Attack Against MDM Solutions

Anatomy of an Attack

Anatomy of a DDoS attackindex-of.es/Attacks/403 Forbidden Attack/Anatomy-of... · DDoS Attack Backfires: Targeted Site’s Performance Improves A few hours into the attack, the attacker’s

The Target Breach: Anatomy of an Attack

Bea con anatomy-of-web-attack

The Anatomy of an Anonymous Attack

RSA Anatomy of an Attack

ANATOMY OF AN ATTACK - TrapX Security · 2019-11-13 · Page _3 Page_2ABOUaT N222MM222YYYF ageCFOK3 ABOUT ANATOMY OF AN ATTACK The Anatomy of an Attack (AOA) Series highlights the

NTXISSACSC4 - World of Discovery

Special Anatomy of an Attack Or Layered Security Failure

Anatomy of a Public Cloud Attack | CSA Orlando

Anatomy of a Database Attack - Oracle DBA – Tips and ...gavinsoorma.com/.../uploads/2011/03/anatomy_of_a_database_attack… · Anatomy of a Database Attack ... –Implementation

Anatomy of a SOA, XML and Web Services Attack

Beslan - Anatomy of a Terrorist Attack - ACCUEIL

NTXISSACSC4 - Red, Amber, Green Status: The Human Dashboard

Anatomy of a Web Services Attack - Forum Systems · 01.03.2004 · Anatomy of a Web Services Attack A GUIDE TO THREATS AND PREVENTATIVE COUNTERMEASURES Forum Systems, Inc. BOSTON,

Cisco Connect Toronto 2017 - Anatomy-of-attack

Communities An Anatomy of a Mortar Attack: Sustainable

ANATOMY OF AN ATTACK - TrapX Security

Anatomy of a Malware Attack: The New Malware Ecosystem