Explaining Bitcoins will be the easy part: Email Borne Attacks and How You Can Defend Against Them Michael Burke.

Presentation transcript:


Median time-to-open malicious email: 1 minute 40 seconds. 1 minute 22 seconds: the median time for someone to click on a phishing link. That's the median; imagine what the lower outliers are. And 50% of those people who do click the link will do it within the first hour. Source: Verizon 2016 Data Breach Investigations Report (DBIR).

91% of all incidents start with a phish. What's worse, we know… 95%. For the purposes of this talk, we'll use the phrase "phish" to mean spear-phishing, whaling and phishing, but in a business context. Wired 2015

Think Your Employees are Alert Enough to Stop Them? The second layer of defense is employee awareness and vigilance. The aim here is to create herd alertness in your organization. The intention is not to make everyone suspicious of everything, or make everyone a security pro, but make them alert enough to linger over a link or attachment. The Mimecast security awareness tools help in this mission to complement the other tactics you should use, like training and perhaps simulated exercises.

You are susceptible to email-borne attacks if…
You use email as a key business application
You have certain letters in your domain name
You accept resumes on your website
You have a team of people in finance
You have a profile
Your life is deemed interesting enough to be on
You run Windows…or any other OS

How Do The Attackers Do It?

Do You Have a Page Like This On Your Website? How do attackers get their information? An easy way to find out about a company is to visit its website. Most companies have information about their executive teams. What better way to entice a user to open an email than having it look like it's from the CEO, the CFO or some other senior leader? Remember that it only takes one employee to "click before they think" to compromise an entire organization.

Social engineering: the new malware-less danger. Lifetime study, useful outside of work too. Train tickets. But attackers know we have the technology. They know we know their tactics, so they try to stay ahead of us and our scanners. They're increasingly turning to social engineering to exploit users, making their attacks malware-less and harder to detect. Test your own staff: Social-Engineer Toolkit by Dave Kennedy.

Another way to gather information is to use a program that will harvest email addresses. These are cheap and easy to use. Just type in a domain and you’ll get a list of email addresses for that organization.

You don't even need to know how to code… Crimeware as a Service (CaaS). Attackers don't have to know how to code; they don't even have to be smart. They can download TOX, a ransomware construction tool that provides an easy-to-use graphical interface that allows attackers to track how many folks have been infected and track the ransom paid.

Cybercriminals Operate Like Any Other Business. If you're an attacker and can code but don't know how to evade sandbox detection, that's not a problem: there's an online service that can help. FUD (fully undetectable) crypting services use obfuscation, encryption and code manipulation.

Occasionally the Attacks Hit the General Media. WannaCry? But usually they don't.

Real life examples with Email

Vector: Phishing attack with malicious URL
Threat: Entering credentials
Target: Random mass-mailing

Vector: Phishing email with attachment
Threat: Opening the document and activating malicious code
Target: Targeted mailing

Who Says Attacks Need to Involve Malware? Business Email Compromise, Whaling, Wire transfer, W-2 Fraud. These attacks are often called Business Email Compromise, wire transfer fraud, W-2 fraud or whaling. What sets these attacks apart is that they don't use malware to achieve their goal. They rely purely on the power of social engineering and the inherent trust in email. Impersonation attacks are a huge threat because traditional security systems like AV cannot detect this type of attack. Even solutions that scan URLs and detonate attachments in a sandbox are powerless in preventing these attacks. Defending against these attacks requires specialised tools that monitor multiple indicators of potential compromise.
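
As an added example (not from the presentation or from any vendor product), the Python below shows what "monitoring multiple indicators" can look like for the impersonation messages described above: it checks a raw message for four header and content indicators. The indicator set, the organisation domain, the executive names and both sample messages are assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumed organisation profile (hypothetical values for this example).
ORG_DOMAIN = "example.com"
EXECUTIVES = {"jane smith", "raj patel"}   # names as shown on a public leadership page
LURE_TERMS = ("wire transfer", "w-2", "urgent", "confidential")

def edit_distance(a, b):
    """Levenshtein distance, used to spot lookalike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def impersonation_indicators(raw):
    """Return the names of the indicators that fire for one raw message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply_addr.rpartition("@")[2].lower()
    text = (msg.get("Subject", "") + " " + str(msg.get_payload())).lower()
    hits = []
    if name.lower() in EXECUTIVES and domain != ORG_DOMAIN:
        hits.append("exec_display_name_external_sender")
    if 0 < edit_distance(domain, ORG_DOMAIN) <= 2:
        hits.append("lookalike_domain")
    if reply_domain and reply_domain != domain:
        hits.append("reply_to_mismatch")
    if any(term in text for term in LURE_TERMS):
        hits.append("pressure_or_payment_lure")
    return hits

# Constructed sample messages (not real traffic).
SPOOFED = """From: Jane Smith <jane.smith@examp1e.com>
Reply-To: jsmith.office@mailbox.test
Subject: Urgent wire transfer

Please process this today and keep it confidential.
"""
LEGIT = """From: Jane Smith <jane.smith@example.com>
Subject: Q3 board deck

Slides attached for review.
"""
```

No single indicator is conclusive on its own; a gateway would typically hold or tag a message only when several fire together.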

Vector: Spear phishing attack
Threat: Impersonating senior staff
Target: An employee with authority

Vector: Email attack from the inside using a hacked email account
Threat: Impersonating employees
Target: Spreading the attack internally

Are Users Part of the Solution or Part of the Problem? The Compromised Insider. The Careless Insider. The Malicious Insider.

Herd alertness helps, but… The second layer of defense is employee awareness and vigilance. The aim here is to create herd alertness in your organization. The intention is not to make everyone suspicious of everything, or make everyone a security pro, but make them alert enough to linger over a link or attachment. The Mimecast security awareness tools help in this mission to complement the other tactics you should use, like training and perhaps simulated exercises.

Can we do more with technology? - YES! Layer one is of course the technology.

Mimecast Email Security Suite: Cyber Resiliency. Secure Gateway - Anti-virus / malware - Anti-spam - Reputation analysis - Continuity - Independent Archive - Backup & Recovery. Comprehensive protection, simply achieved in the cloud. Targeted Threat Protection: URL, Attachment, Impersonation, Internal Emails.

Cyber Resilience. Protect: You need the technology that provides the best possible multi-layered protection. Continue: You need to continue to work while the issue is resolved. Remediate: You need to get back to the last known good state.