Phishing and Ransomware – Pragmatic Security Response
Tim Ehrhart

Key Focus – Pragmatic Solutions
• Low- or no-cost solutions to enterprise problems
• Rapidly deployable
• Small changes with big impact

Phishing – CREDENTIAL HARVESTING

Phishing – An Eternal Problem
• Every employee has email
• Email filtering isn’t perfect
• Well-crafted phishing works
  – Expected content
  – Known senders
  – Good formatting
• Employees will fall for phishing

Phishing – Getting Out of Hand
• In August 2014 a series of phishing emails targeted Roche employees requesting Google credentials
• ~15% of employees did not have two-factor enabled on accounts
• The phishing sites automatically used harvested credentials to resend the phishing emails internally
  – Employee-to-employee phishing has very high click rates
  – Internal emails are harder to filter with existing controls
  – Internal email distribution lists caused the problem to explode
• ~8 compromised passwords led to more than 10,000 employees receiving similar emails
  – Hundreds of incidents opened by users/service desks reporting the issue
  – Incident response team was flooded with reports, trying to sort out who was actually compromised

Phishing – Getting It Under Control – Finding the Phish
• Nearly all credential-harvesting phishing sites were “kits”, deployed over and over again
• Analysis of the most relevant and common phishing themes led us to about 30 kits, covering nearly all credential-harvesting phishing seen in the company
• Being able to detect a phishing kit means proactively detecting the phishing activity
• If we can detect it, we can block it!
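The kit-signature idea on this slide, written out as an added example (Python; this is not code from the presentation or from Roche). A credential-harvesting kit POSTs a fixed set of form fields, so those field names identify the kit wherever it is deployed; matching them on outbound requests is what makes the phishing detectable and therefore blockable. The "Variant 12" markers are the content matches of the Snort rule shown in Step 3 of this deck; the second signature, the legitimate-host list and all captured requests are constructed for the example.

```python
# Added example, not code from the presentation: a host-side matcher for
# phishing-kit form signatures. The "Variant 12" markers are the content
# matches of the deck's Snort rule; everything else here is constructed.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class KitSignature:
    name: str
    markers: tuple          # every marker must appear in the raw request


SIGNATURES = (
    KitSignature("Variant 12 (Gmail kit)",
                 ("POST", "x-www-form-urlencoded", "continue=https",
                  "mail.google.com", "&name=", "&Passwd=")),
    # constructed placeholder for a second kit
    KitSignature("Variant EXAMPLE (placeholder kit)",
                 ("POST", "x-www-form-urlencoded", "&login_id=", "&passwd_hash=")),
)

# Assumption: hosts where this form legitimately lands (the rule's $HOME_NET ->
# $EXTERNAL_NET direction); a hit going to these is a real login, not a kit.
LEGITIMATE_HOSTS = frozenset({"accounts.google.com", "mail.google.com"})


def parse_request(raw: str):
    """Split a raw HTTP/1.1 request into (method, target, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return method, target, headers, body


def match_kit(raw: str) -> Optional[str]:
    """Name of the first kit whose markers all occur in the request, else None."""
    for sig in SIGNATURES:
        if all(marker in raw for marker in sig.markers):
            return sig.name
    return None


def inspect(raw: str) -> Optional[dict]:
    """Return an alert record (the fields Step 4 extracts for response actions)
    when an outbound POST matches a kit and is not going to the real service."""
    method, target, headers, body = parse_request(raw)
    if method != "POST":
        return None
    kit = match_kit(raw)
    if kit is None:
        return None
    host = headers.get("host", "").lower()
    if host in LEGITIMATE_HOSTS:
        return None
    # Record only which credential field was present, never its value: the
    # alert is emailed and indexed, and must not carry the password itself.
    cred_field = "Passwd" if "&Passwd=" in body else "passwd_hash"
    return {"kit": kit, "host": host, "url": f"http://{host}{target}",
            "credential_field": cred_field, "action": "reset password"}


# Constructed sample traffic (not real captures).
PHISH_POST = (
    "POST /login/verify.php HTTP/1.1\r\n"
    "Host: login-verify.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "continue=https://mail.google.com/mail/&name=alice@example.com&Passwd=sample-only"
)
LEGIT_POST = PHISH_POST.replace("Host: login-verify.example", "Host: accounts.google.com")
BENIGN_POST = (
    "POST /search HTTP/1.1\r\nHost: intranet.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\nq=holiday+policy"
)

if __name__ == "__main__":
    for label, req in (("phish", PHISH_POST), ("legit", LEGIT_POST), ("benign", BENIGN_POST)):
        print(label, inspect(req))
```

The same form fields posted to the genuine service produce no alert, which is the check the Snort rule's `$HOME_NET -> $EXTERNAL_NET` direction performs; the alert record deliberately omits the submitted password so the downstream email and Splunk index never hold a plaintext credential.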
Phishing – Step 1 – Find Sample Phishing
• Users report phishing to service desks or global phishing inbox
• Gather active phishing sites from PhishTank or other services

Phishing – Step 2 – Analyse How It Works
• Focus on password theft
• Forms tend to be static
• Often taken from legitimate pages, normally served over HTTPS
• Key fields can be used to identify the phishing kit

Phishing – Step 3 – Build and Test Detection
• Snort-formatted rules for maximum IPS flexibility
  – Snort, Sourcefire, Suricata, Bro IDS
• Drop or reset the connections to prevent passwords from being leaked

  alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"[Roche] POST Password Compromise to Possible Phishing Site Detected - Variant 12"; flow:established,to_server; content:"POST"; content:"x-www-form-urlencoded"; content:"continue=https"; content:"mail.google.com"; content:"&name="; content:"&Passwd="; classtype:successful-user; rev:1;)

Phishing – Step 4 – Design Response Actions
• IPS events sent to Splunk
• Splunk extracts IPs, URLs, etc. and:
  – Sends immediate email to Incident Response team
  – Sends URLs to PhishTank and BlueCoat automatically
• Incident Response team sends URLs to Microsoft, Google, etc.
• From time of compromise to time of password reset is typically under 10 minutes

Phishing – Comprehensive Response Actions
(diagram: sources feeding Roche Incident Response, the reporting channels it uses, and the resulting protection)
• Sources: Phish Tank, Sourcefire, Users, Symantec SEP HIPS, Chrome Password Alert, Palo Alto Networks
• Reporting: Roche Incident Response reports to Phish Tank, multiple vendors, Blue Coat, Google and Microsoft
• Protection: BlueCoat Proxy SG, Google Chrome / Firefox / Gmail, Microsoft Internet Explorer, SEP HIPS, PAN Threat Prevention

Phishing – CEO FRAUD

CEO Fraud – Real and Effective
• 7 August 2015 – “Tech Firm Ubiquiti Suffers $46M Cyberheist”
  – “This fraud resulted in transfers of funds aggregating $46.7 million held by a Company subsidiary incorporated in Hong Kong to other overseas accounts held by third parties”
• 18 January 2016 – “Firm Sues Cyber Insurer Over $480K Loss”
  – “scammers impersonating AFGlobal’s CEO convinced the company’s accountant to wire $480,000 to a bank in China”

CEO Fraud – Google Content Compliance to the Rescue
• Google Content Compliance allowed Roche IT Security to redirect any external emails sent using the CEO’s name but without his email addresses

CEO Fraud – Google Content Compliance to the Rescue
• Delivered directly to Roche IT Security
  – User unaffected
  – Email headers and attachments available for analysis
  – Fastest possible reporting to IT security

Phishing – Small Changes, Big Impact
• No CEO phishing since 2015
• 50+ incidents interdicted in 2016
• Hundreds of users protected each month
  – Protects personal and work email
• No increased costs
• Immediate results
(chart: Counter-Phishing Actions Taken, monthly from Feb-15 to Aug-15, scale 0–250; series: Sourcefire (Landing Pages), Symantec (Passwords), Sourcefire (Passwords))

The Ugly Threat of RANSOMWARE

Ransomware – Background
• Malicious software that encrypts files, holding the key to unlocking those files for ransom.
• Typically files are held for 0.2-2 Bitcoins (50-500 USD/CHF/EUR)
• Home users likely lose data on one device; businesses can lose much more…

Ransomware – Background
• 26 February 2016 – “Medical superbugs: Two German hospitals hit with ransomware”
  http://www.theregister.co.uk/2016/02/26/german_hospitals_ransomware/
• 29 February 2016 – “Ransomware attack takes down LA hospital for hours”
  http://www.pbs.org/newshour/bb/ransomware-attack-takes-down-la-hospital-for-hours/
• Ransomware in the enterprise can be devastating
• Shared network drives can also be encrypted, disrupting entire organizations
• New variants actively seek open file shares to encrypt (e.g. Cerber)

Ransomware – Quick Solutions that Work
• Least-privilege rights on files and file-shares
  – Easier said than done
• Key to dealing with ransomware in the enterprise is speed
  – Detect quickly
  – Disconnect quickly
  – Restore quickly

Ransomware – Quick Solutions that Work – Solution 1 – Google Drive
• Ransomware uses predictable file extensions and file names
• Roche uses Google Drive heavily for internal collaboration
• Drive Sync client saves local file changes to the cloud within seconds
• Google’s Admin Reports functionality allows real-time reporting on any activity
Custom alerts via Google Reporting provide real-time alerting when a client computer is infected with ransomware, even outside of the network

Ransomware – Quick Solutions that Work – Solution 1 – Google Drive
(slide content not extracted)

Ransomware – Quick Solutions that Work – Solution 2 – Symantec Endpoint Protection
• Better than Google Drive, Symantec Endpoint Protection (SEP) monitors:
  – Workstations and servers
  – All folders
• SEP can protect – not just detect – from a ransomware attack
  – Kill parent process for *.locky, *.BITCRYPT, etc.
  – Protect shadow copies (block access to vssadmin.exe)
Tracking file writes with SEP (or a similar AV or DLP tool) for known ransomware files can prevent ransomware from encrypting files across an organization

Summary
• Good incident response teams are dynamic
• Solutions don’t have to cost money
• Small changes can have big impact
• For technical data, including Anti-Phishing Snort rules and known Ransomware filenames please visit: https://goo.gl/9VNi7g
• Email: [email protected]

Doing now what patients need next
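The Content Compliance rule described under "CEO Fraud – Google Content Compliance to the Rescue", reimplemented as an added example (Python; this is not the presentation's code and not how Google implements the feature). A message from an external address whose From: display name matches a protected executive's name, but whose address is not one of that person's real addresses, is diverted to IT Security instead of the recipient. The executive name, the domains and the sample messages are constructed; the display-name normalisation (case folding, accent and invisible-character stripping) is an addition that the deck does not describe.

```python
# Added example, not the presentation's or Google's code: display-name
# impersonation check mirroring the CEO-fraud Content Compliance rule.
# Names, domains and sample messages are constructed.
from email import message_from_string
from email.utils import parseaddr
import unicodedata

INTERNAL_DOMAINS = frozenset({"example.com"})            # constructed
PROTECTED_SENDERS = {                                      # constructed
    "Jane Doe": frozenset({"jane.doe@example.com", "jdoe@example.com"}),
}


def normalize(name: str) -> str:
    """Fold case, strip accents and invisible characters, collapse whitespace,
    so that "JANE  Doé" and "Jane Doe" compare equal."""
    decomposed = unicodedata.normalize("NFKD", name)
    cleaned = "".join(c for c in decomposed
                      if not unicodedata.combining(c) and c.isprintable())
    return " ".join(cleaned.lower().split())


def classify(raw_message: str) -> str:
    """Return "deliver" or "divert-to-security" for one RFC 5322 message."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    if domain in INTERNAL_DOMAINS:
        return "deliver"            # the deck's rule covers external mail only
    shown = normalize(display)
    for name, real_addresses in PROTECTED_SENDERS.items():
        if normalize(name) in shown and addr not in real_addresses:
            return "divert-to-security"
    return "deliver"


# Constructed sample messages (not real mail).
SPOOFED = ("From: \"Jane Doe\" <jane.doe.ceo@webmail.example>\n"
           "To: accounts@example.com\nSubject: Urgent wire today\n\n"
           "Please process the attached transfer before noon.\n")
HOMOGLYPH = ("From: \"JANE  Do\u00e9 (CEO)\" <office@mail.example>\n"
             "To: accounts@example.com\nSubject: Invoice\n\nCall me.\n")
GENUINE = ("From: Jane Doe <jane.doe@example.com>\n"
           "To: accounts@example.com\nSubject: Board papers\n\nAttached.\n")
UNRELATED = ("From: \"Vendor Billing\" <billing@vendor.example>\n"
             "To: accounts@example.com\nSubject: Statement\n\nSee attached.\n")

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("homoglyph", HOMOGLYPH),
                       ("genuine", GENUINE), ("unrelated", UNRELATED)):
        print(label, classify(raw))
```

Diverting rather than bouncing keeps the full headers and attachments available to the security team, which is the reporting benefit the slide lists; the external-only scope means messages that spoof an internal address must be caught by SPF/DKIM/DMARC rather than by this rule.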
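The detection idea shared by Solution 1 (Google Drive activity reports) and Solution 2 (SEP file-write monitoring), as an added example (Python; this is not code from the presentation, Google or Symantec). Ransomware writes files with predictable names, so a stream of file events per user and device is matched against a known-bad list and an alert raised as soon as a burst appears, while a launch of the shadow-copy tool is alerted on immediately. The name patterns *.locky and *.BITCRYPT and the vssadmin.exe rule come from the deck; the event format, the burst threshold, the process names and the sample events are constructed.

```python
# Added example, not the presentation's, Google's or Symantec's code:
# file-activity matching against known ransomware names with per-device
# burst alerting. Patterns and vssadmin.exe are from the deck; the event
# format, threshold and sample events are constructed.
import fnmatch
from collections import defaultdict, deque
from datetime import datetime, timedelta

RANSOMWARE_PATTERNS = ("*.locky", "*.bitcrypt")   # from the deck, matched case-insensitively
SHADOW_COPY_TOOLS = ("vssadmin.exe",)             # from the deck


def file_name(path: str) -> str:
    """Last path component, accepting both Windows and POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def is_ransomware_name(path: str) -> bool:
    name = file_name(path).lower()
    return any(fnmatch.fnmatch(name, pattern) for pattern in RANSOMWARE_PATTERNS)


def detect(events, threshold=3, window=timedelta(seconds=60)):
    """events: iterable of (timestamp, user, device, kind, target, parent_process)
    where kind is "create", "rename" or "process". Returns one alert per
    user/device and reason, in the order they fire."""
    recent = defaultdict(deque)   # (user, device) -> deque of (ts, path)
    alerted = set()
    alerts = []
    for ts, user, device, kind, target, parent in sorted(events):
        key = (user, device)
        if kind == "process":
            # Deck: protect shadow copies by blocking vssadmin.exe; one hit is enough.
            if file_name(target).lower() in SHADOW_COPY_TOOLS and (key, "shadow") not in alerted:
                alerted.add((key, "shadow"))
                alerts.append({"user": user, "device": device, "first_seen": ts,
                               "reason": "shadow-copy tool launched",
                               "kill_parent": parent, "action": "block-process"})
            continue
        if kind not in ("create", "rename") or not is_ransomware_name(target):
            continue
        q = recent[key]
        q.append((ts, target))
        while q and ts - q[0][0] > window:     # slide the window forward
            q.popleft()
        if len(q) >= threshold and (key, "files") not in alerted:
            alerted.add((key, "files"))
            alerts.append({"user": user, "device": device, "first_seen": q[0][0],
                           "reason": "ransomware file names", "count": len(q),
                           "samples": [p for _, p in list(q)[:3]],
                           "kill_parent": parent, "action": "disconnect"})
    return alerts


# Constructed sample event stream (not real telemetry).
T0 = datetime(2016, 3, 1, 9, 0, 0)
SAMPLE_EVENTS = [
    (T0 + timedelta(seconds=2), "alice", "LAPTOP-01", "create",
     r"C:\Users\alice\Documents\notes.txt", "notepad.exe"),
    (T0 + timedelta(seconds=5), "bob", "LAPTOP-02", "create",
     r"C:\Users\bob\budget.xlsx.locky", "dropper-sample.exe"),
    (T0 + timedelta(seconds=40), "carol", "LAPTOP-03", "process",
     r"C:\Windows\System32\vssadmin.exe", "cmd.exe"),
] + [
    (T0 + timedelta(seconds=10 + 5 * i), "alice", "LAPTOP-01", "rename",
     rf"C:\Users\alice\Documents\report{i}.docx.LOCKY", "dropper-sample.exe")
    for i in range(6)
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

With the default threshold the single stray `.locky` file on LAPTOP-02 is not alerted on, while the burst of renames on LAPTOP-01 fires at the third event; setting `threshold=1` gives the SEP-style behaviour from the slide, where the first known-bad write is enough to kill the parent process. The alert carries the parent process and the first few paths so the responder can disconnect and restore quickly, the three speed goals the deck names.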